Hey everyone, my name is Mark Maunder. I'm the founder and CEO of Wordfence. We're going to chat about security and as you probably heard there was another speaker that was supposed to speak about an attempt, I think, and I couldn't make it so we're filling in. We've had a couple hours to put something together. We're going to improvise a little bit and what we're going to do is a panel and it's going to be a Q&A session. So we're really going to get you guys to guide the conversation here and what I want to, what I think we should do, since we've only got 30 minutes, is try to keep each question and discussion to two minutes if it goes over that's fine, but let's try to keep it moving along where we can and not go too deep down any rabbit holes and I'll act as moderator where necessary, probably won't be very necessary, and I'll just introduce the rest of the team. This is Tim Cantrell. Tim is a customer support engineer for Wordfence and he thinks about security a lot. This is Matthew Barry. Matt is the lead developer at Wordfence, which means he's the most senior developer in our organization. He actually wrote our firewall. So Matt's, and he's done a lot of research as well. So Matt's deeply technical. This is Sean Murphy. Sean is also a senior developer with Wordfence and Sean heads up our threat intelligence project. So what that means is that he is in charge of organizing all of the attack data that we get and turning that into threat intelligence, which we operationalize by putting into our products and that does a better job of protecting you guys from hackers. We're going to keep this conversation vendor-neutral. We're not going to try to sell you Wordfence and we don't want to really turn it into a Wordfence support session. I think what we'd like to do is just chat about WordPress security in general. If it comes up, that's cool, but we'll try to keep it fully neutral. So in Atlanta recently, there was a ransomware attack that's targeted the city. 
Who's heard about that? Probably spot everyone here. They got the bill recently and it was $2.7 million. The hackers were only asking for $50,000 as reasonable as hackers are. So I think security for all of us is top of mind and of course we'll run WordPress here and are passionate about it. So, you know, how to protect our websites, our WordPress websites is very much something we think about. And I think to start what we're going to do is turn the tables a little bit. We're going to ask you guys a question. And the question is, what do you think is the biggest security threat facing WordPress today? And we're going a little bit of thought, but we'd like to hear from you first and then we'll chat about it. So, go ahead, sir. The WPJson API and the user interface showing all of the user names and IDs. Okay. And if you don't mind if you guys can introduce yourselves, just name and... Ricky Lee, Woody Moran, I'll be the engineer at Tenno. Awesome. Cool. Good company, by the way. Yes, sir. Yeah, my name is Drew. I'm a newbie, but I would guess that the biggest threat is actually from users not updating. Okay. Anyone else? I'm seeing a lot of SQL injection across site scripting as well. Okay. Anyone else? All right. So, to share our point of view on this, I'm going to hand it to Tim. Go ahead. Those are all good points. Drew is actually the closest because the biggest threat to WordPress security today is you. And I'm going to just to sink in for a second because that sounds like, oh my God, what did that guy just say? It's literally you. Any plug-in, any security product can protect against a lot of things. We can protect against that. We can protect against your SQL injections. We can protect a lot of things, but I can't force you to choose a good password. I can tell you why you shouldn't have a bad password like mark one, two, three or something. Inside joke. I bet you used that password a long time ago and he keeps giving me a hard time about it. All the time. 
Sorry. But we can't make you have better practices when it comes to that. Plug-in updates. We can tell you to update your plug-ins, keep them updated. Don't run that plug-in that says turn off all updates, notifications. We can tell you to not do that. And you miss security updates like that, but we can't make you update your plug-ins or your themes or your core. The biggest threat to WordPress security is quite frankly you and that's where I think there needs to be a change in focus with the WordPress community. We all need to partner together. The security plug-ins, the security products and the actual customers have to partner together. What was the number on Atlanta? What did you say? 2.7 million. 2.7 million. Okay, and that's not what probably it's not going to cost you 2.7 to recover your site. Does anybody here spend time on their site? I mean, do you invest your time and your heart and your soul and your content? The people that do the blocks of stuff, that's like hurting a kid. When somebody comes in, you feel that way when you're compromised and that's the takeaway. You need to think about, I mean people say this all the time, you just blow it off sometimes, but you need to think about security before you get compromised. And so what we're really facing is an awareness challenge and a user education challenge. Certainly there are many areas that we as security vendors and open source developers and so on could be doing a better job, but if you look at Atlanta for example, I don't know the details of the case, but I suspect that there were windows machines that hadn't been updated for a while to the latest patch level. And again, that's just a user education problem, systems administrator education. So that's really the point we're getting at there. Anyone got any questions about that in particular? Yes, sir. 
I have a very simplistic view of security, but things that can happen is people can go out and just mess with your site, destroy data, they can steal data, or they can play the ransomware game and we'll give it back to you. So to me the biggest problem, if I can make backups that they can't find, is stealing my data. So if they steal the data, then I've got a problem, it's out of my hands. It's beyond me, I can't reverse that. So the only thing I could possibly do would be to obscure it. So it seems to me there ought to be a bag of tricks that just for the run-of-the-mill guide, it says here's how to obscure the most important data that you have so that your run-of-the-mill hacker, when he goes out and grabs it, is actually going to be in deeper problems than he ever imagined when he tries to use it. Okay, so there's two sort of points of discussion I think I'd like to cover there. The first one is the best way to obscure your data is to get rid of it, delete it. And internally we have an ongoing project to get rid of as much data as we can. Delete unnecessary user data, look at what data we're storing, is it necessary, perhaps we can change our application, tokenize things rather than storing the actual data. And so just thinking about what you can get rid of, what you can delete, and going ahead and doing that is a really great approach. The first guy who mentioned that to me was Mike Don, the Chief Security Officer of Square. I was chatting to him at BSides in San Francisco, and he introduced me to that idea years ago. And I think it's very simple but quite brilliant. Matt, if you don't mind chatting a little bit about hashing as a way to obscure data when it comes to passwords. Yeah, and also too with things like personally identifiable information, things like that. Hashes are generated from a one-way function, meaning that there's no way to take a hash and get back to the original piece of text that was created through this hashing function. 
So it's a way for us to have a representation of data that we can look at in a large dataset, but it doesn't actually get tied back to the original piece of data. And also too with passwords as well. I was talking with you a little bit about this earlier. The way that passwords are stored matters a lot when it comes to large-scale breaches where there's huge databases of user accounts that are released out onto the web. And a lot of the passwords in there are weaker passwords that get cracked pretty easily through password cracking depending on what hashing algorithm was used. But the weaker the hashing algorithm, the easier it is for stronger passwords to get cracked. And that's one of the risks that we face even when you use a stronger password, depending on how it's set up. So really in terms of protecting data by obscuring it or getting rid of it, getting rid of it is easy. You can probably log into cPanel and delete files, go into your database and get rid of records you don't need, get rid of user accounts you don't need, that kind of thing. Hashing is really more of a developer tool. It's a technique that we use to put data in a form that is usable and recognizable and uniquely identifiable but not reversible. So that's something that's used quite a lot by developers. Go ahead, sir. You mentioned tokenizing. Was that just another word for hashing? Yeah, well actually what I was thinking about when I mentioned that was one of the payment processors we use, and we're actually moving away from them, but Authorize.net is owned by Visa. And one of the things they do is we don't want to store credit card numbers. So when we accept a transaction from our customers, if our servers get breached, we don't want a database of credit card numbers to live there. And so what we actually do is as soon as the transaction occurs, we pass that data through to Visa and they process the transaction and we want the ability to rebuild that credit card. 
Instead of storing it, they store it on site and they're extremely secure. They're a credit card issuer and they then give us a unique identifier that we can use to reference that record. And so that's the token I was really referring to. And so that's a form of tokenization. So when we want to rebuild, we just say, you know, bull, ID, such and such, so much money. And if we're breached, there's nothing there that's useful. Thank you. Yes, sir. Aaron. Just kind of as a follow-up, I was curious when he was talking about obscuring data if there was specific data that we had in mind because most of these things seem like they would make sense for data that you didn't really need when you get rid of or data that you are just trying to match up against itself in mass but you don't need the original data, but it doesn't necessarily work for any data that you still need, right, content or whatever. So I was curious what kind, if he had examples of data that he was talking about in the original question. Did you have a particular kind of data in mind? He was talking about that. Oh, okay. Sorry. We're asking what kind of data you want to do. Oh, I'm sorry. You know, my first thought came from practical experience. We have a medical office and we have electronic medical record systems sort of tied in with some things that we do. And one of the dilemmas that I ran into is there's no way to ever delete patients. Now, in theory, doctors do need to keep the data for a certain number of years but after that point, it's just a honeypot. That's all it is. And I haven't encountered an electronic medical record vendor yet that has a delete old patients option in their software. It's amazing. So anyway, in the course of interconnecting things and maybe making them work together, some of those things are in the back of my mind as problems. But just from the standpoint of trying to do it the best way that I can, I just plan to hear what your thoughts are really. 
I don't know necessarily what the regulations are for storing medical data but there's a way to make data that is, like as you said, older patient records make it not accessible so if there is a breach or compromise for a website or into a network or something like that, if it's not on that network, if it's stored on an off-site backup or something like that, still, you still have it. That would be an option that's... I think the speaker has a burglary on his shirt. Yeah, it's a difficult problem to solve. Ladies and gentlemen, Aaron is head of WordPress security and we're very glad to have him here. One of the things I love about WordPress is everyone's very accessible. I always love chatting with him at WordCamps when I had the opportunity. We had a good chat last night, but just in case you didn't know who he is, if you have any questions, hit him up afterwards. We're good friends with him. Yes? So I use Wordfence. So I didn't even know that was you guys. So happy to see you. People behind the e-mails down there. Because you never know. These guys are bots. So I didn't really like it. I probably don't even use like three-quarters of the services that you offer. But like if a website's been compromised and then I put Wordfence on there and there's some... I'm not really dealing with the language, but there's some string that's in there already and then it gets called up after... Do you know what I'm saying? That appears in the scan findings? But they wait for like a year or two to call it up. Do you know what I'm saying? To get the data out. So like a sleeper? A backdoor? A trojan? Yeah, I guess... Yeah, because I had a website that was compromised. I fixed. I put Wordfence on it. But I think there was something still in the code. We didn't get it all out. So I had to basically redo the website. And my question is, was there something I could have done through Wordfence to like scan everything to find that? Sure. Putting it in after the fact. Yeah. 
So again, I'll try to make this vendor neutral. I don't want to turn it into kind of a sales section. No, absolutely. But what you're really talking about is malware scanning or doing a security scan that includes a malware scan. And that's one of the things that we do. And there's other companies that do that as well. And yeah, by all means, if you were to use a reputable scanner and scan your site and there's anything malicious in there, it should come up. And I'll give you a few examples. Whether it's a standalone script that is in one of your web directories that allows someone remote access to your site, that should come up. If it is code that is injected into one of your source files that gets loaded every time someone accesses that area of the website, that should come up. If it's something in the database, then that should come up as well. And so you think it's put on before your malware scan is done? Oh yes, of course. So if it was put on quite some time ago and it's still there, we should be able to pick it up. Something I wanted to mention is that if your website is compromised, you obviously need to find the malware and remove it. And if you don't have the skills to do that yourself, you might need to hire somebody to help you with that remediation process. So a lot of times if there's malware that is missed by a tool that you're using, a professional analyst should be able to find it still. But another thing is besides just removing the malware, you also need to figure out how the hacker got in, how you were compromised in the first place and fix that. Otherwise they can just walk through that same door again and put the malware right back. I think it was the hosting company, honestly, that I was using. And so I just moved the whole site over to... I'm not going to tell you. Some other company. So I moved it, created a new one because I knew that... I mean, I do know how to go in there and take everything out. So that's not an issue. 
But I thought I had it all. And it wasn't your... it wasn't worth it. It was the hosting company's malware. Okay. Can you speak to server-side scanner trying not to use the competitor's name that are offered, whether or not they're any good, and do you offer that also? Server-side scanner is where you would put a basic code on your actually... Yeah, I think it's okay if you mention another vendor's name. It's fine. Who are you talking about? Sucuri uses that. And which... I'm not aware of a server-side scanner. Are you talking about their plugin? No, it's not a plugin. It's actually a code you can get by enough to pay extra for this server-side scanner. And we put it on the server-side. When people are not using a web host that we prefer, we'll put that on there and it almost invariably will find something and it's a great way for us to say, this is what's happening. Okay. If you want visiting us our booth afterwards and we can get more technical data on what you're describing, we can fully understand it. Go ahead, man. Is it called an agent? No, that's just a piece of PHP code. Yeah, I know that they have... I think it's site scan. It's their web-based one, but they also have an agent. I think that's their free thing. I'm not talking about... What they're talking about is the agent. The site scan that they do is a thing that, they're scanning everything that they can publicly access. What they're talking about is the server-side version of that, which they have a piece of PHP that they can access that lets them then see the code inside all the other PHP files. So that's what the server-side doesn't have. So rather than just looking at what can be accessed, they can look at the code behind it. Okay, yeah, so that's... Whether it's Wordfence or that, we're both running on the server, examining PHP code and finding malware. So this is not a separate standalone item, though, right? It runs on the server, but the interface is within your web browser. Interesting. 
So we're looking at source code. Say again. That's with the paid... Free service, actually, and paid, and both of them work extremely well. Because I use them together. I mean, I have to work on some 50-some sites. Yeah, yeah. Now, we're friends with some of the folks from Sucuri and Oracle, a lot tiny. And we've actually worked with security vendors. I was going to hide and ask. Yeah, sure. Security vendors collaborate sometimes. When there's a really bad threat out there, we'll jump on the phone and, you know, kind of get a group together and say, you know, how can we better serve the community? Thank you. Yes, ma'am. You mentioned malware scans. On a site that's got Wordfence on it from the beginning, is it recommended to do... Do I need to do malware scans? Yeah. Beyond what Wordfence is doing? Yeah, so in security and the security... Or any other product like that. So this applies to any product and anything that you're protecting. In the security industry, we use the phrase a layered approach to security. And so you don't just want one thing that you're using to protect your site or your asset. You want multiple layers, so that if one or two of them fail, you have fail safes. And so when it comes to protecting your website, you definitely want a firewall. That's going to protect your site from the newest threats before you have an opportunity to update, for example. Is that what Wordfence is doing? Yeah, we're a firewall. Cloudflare, Sucuri, there's other vendors out there. They all have a firewall. There's some security plugins that don't have a firewall. So keep an eye out for that. And then a good malware scanner, I would say, is essential. And that's kind of your second layer, your second line of defense. 
If something, God forbid, should get through the firewall and land on your website, the malware scanner will pick it up and let you know about it, and you can react quickly rather than having it sit there and, for example, create SEO spam for several months, ruin your website's reputation, and cost you a lot of effort and potentially money and business. That's two layers. Is that it? That's a great question. Guys, we got any more layers? I think it's about it. What defense does malware scan, right? That's what I'm doing when I scan the... Yeah, it's a security scan. It includes scanning for malware and vulnerabilities of plugins with known issues, a whole bunch of stuff. We can tell you more about that at the booth, for sure. You have to proactively put the firewall on the rack. It turns on by default, and if you want it fully optimized, you can enable that. Definitely hit us up with product questions at our booth. We have all the rest today and tomorrow to answer that. Next question? All right. Well, let me see how much time we've got. We have five minutes left, so just for fun... I was going to talk about crypto mining, but I actually want to jump to JavaScript because this is more... We'll have more of a positive impact, I think. If you install JavaScript on your website... Who's done that before? Put a piece of code, JavaScript code on your website that's loading a script from somewhere. Who's done that in the room? I've done it. Anyone go Google Analytics? If you've got it, you've done it, right? And so what that's doing is someone visits your website. Your code loads in their browser. Their browser sees the JavaScript tag and loads that JavaScript from somewhere else. And when you do that, what you're doing is you're actually handing the person who controls that server and that code the keys to the kingdom, in a sense. They have the ability to execute code within your site visitor's web browser, and they can do all kinds of things with that code. 
They can throw up a fake login screen. They can run code that mines cryptocurrency that exploits the CPU power of your site visitor's browser. And a lot of people aren't actually aware of those risks. When it comes to Google, I think we all trust Google, maybe. Take a poll. But I think we all trust the GA team, the Google Analytics team. And we're okay, we get a huge benefit from GA, so we put it on our sites and we're okay with that. We have a good QA process, great security team. But sometimes you're putting code from a smaller company, a company in another jurisdiction, a new company, perhaps a company that just got sold to someone. And what I really wanted to have a brief conversation about, since we've got a few minutes left, is just to kind of create awareness among you folks that it's really worth thinking about what kind of relationship you have with that entity, that person or that company, and who they are and where they are and what their business is when you're taking JavaScript and putting it on your website that's loading from their server. Because at any time they can change that code and have it do something else. They can immediately release a new code whenever they like. And I'll open it up for discussion just for the last couple of minutes that we have. Yes ma'am. Do you include any of your scripts you install for the Facebook faces then? Is there any JavaScript? Yeah. It's any JavaScript that you put on your site. So you're saying you need to trust Facebook to not see it? You do. There are some security mechanisms in place. You can do something that prevents the vendor from ever changing that script. But a lot of these vendors, in fact I think Google Analytics is one of these, they rely on the ability to release new code as they do new releases on their site, in their product. And so that kind of breaks Google Analytics and it breaks other vendors code when you do that. 
So there's been a debate in the community of how to deal with this and I think it's worth just creating a bit of awareness on thinking about who these people are that you're allowing onto your site. Did you have a question? I'm just starting in WooCommerce and I'm very interested in a lot of work. But anyway, I needed a plug-in. So I got a plug-in and a couple of plug-ins. One guy had a secure way of interfacing. The other guy was like, just send me an email, this is all good or whatever. But the first guy said, well I can't really help you with this but I'm going to give you to another. On WooCommerce, how do you know about, it's like Loot WordPress, how do you know about the plug-ins? Whether they're good or not and whether or not they're trustworthy. That's what the question is. I actually had a whole section called supply chain attacks and that's exactly what you're talking about. Matt, do you want to chat about that a little bit? Yeah, so one of the things that we do and we're actually looking into better ways to do this is to kind of establish a reputation within plug-ins. There are indicators just within the directory already when it comes to reviews. If the plug-in actually has security vulnerabilities disclosed in the past some people may think that that actually is an indicator that the plug-in is insecure but if it's been fixed it actually means that the plug-in has been audited by someone which is good and there's a lot of plug-ins that haven't. And most users don't know about that. Is there a place you can go to see if it's been audited? No. Wow, that's a great industry. Well, we were doing quite a bit of thinking about that last night at the bar where a lot of thinking happens and Sean, you've done quite a bit of thinking about plug-in reputation I think and we were sharing some of your thoughts last night with me and Aaron as we were chatting. Do you want to talk about that a little bit? 
Yeah, I don't want to speak for the WordPress team but I think that's an issue that's definitely on their mind and they're trying to improve. I know there's one project out there right now called Tide and WordPress is working along with Google engineers to create a system and a process for auditing the code quality of plug-ins and presenting that to users. But we believe that a very important part of that is security also and monitoring these plug-ins there's a lot of data points that you can use to basically calculate a risk score for each plug-in or each update and so that's something that we're actively working on developing but yeah, it's definitely a hairy problem. The second plug-in I was like, I just can't do it so I went and got a developer and I said that I know that I need to do X, Y, and Z because it was like I'm not even going there with this guy. There's other layers to that too. I don't know if you read any of our research on Mason Soiza, Stacey Wellington too where these bad actors are basically buying plug-ins and installing backdoors in them with the purpose of either Black Hat SEO or other things like that and it's not exploiting a vulnerability or anything like that, it's intentionally placed there by the developer and you're paying for it. Yeah, the users suffer a lot as a result. So basically if a plug-in was safe at one point it doesn't mean that it's always safe and so especially if it changes hands or somebody else gets access to commit code to it it could very easily be malicious the next day. Is there a way to scan for our plug-ins periodically for that kind of thing? Yeah, when you run a malware scan you'd be scanning those plug-ins but really the issue is scanning those updates before they get installed on your site because if there's a malicious update and you install it you just compromise your own site. So how do you do that? That's a good question. Have a dummy site installed there and scan it? But you'd call that out, right? 
Because that's what we were just talking about. So you would call that out as a... So that might be compromised but then it gets called out and you fix it forever. Yeah, so there's a big... there's a lot of energy put into research to identify a vulnerable code and bad actors and malicious behavior, that kind of thing. There's kind of a security business model around it I suppose. Some of the researchers are consultants and so they'll do some research. Work confidentially with folks to kind of fix the underlying issue and then at an agreed time when it's safe and the problem's been solved they'll disclose to the public. They'll tell the story, really. And that process has been evolving over time but it's reached a pretty stable point where there's companies like HackerOne and Bugcrowd that provide a platform to do this. And the way the researchers benefit is they will drum up more consulting business or sell more products or whatever. So there's quite a big ecosystem around the WordPress community that does this kind of research. It keeps an eye on things. If there's something bad out there, especially if it affects a popular plugin or core, you'll definitely hear about it. Well, you guys do a good job when I get your emails all the time. Well, folks, I think we're running up on... We've actually run over quite a bit. You have it until... You actually have it until 5. Okay. Sorry, but... Well, we're running then. We want to talk about crypto mining. Yeah, let's talk about Bitcoin. No one's changed my question. But no, GDPR, very well-president recently, a lot of the WordPress... I don't even see anything here about it. Is this worth it? Yeah. Does anybody? You've got, like, three weeks? I haven't seen anything. And that's a really great question. I'll tell you what we're doing about it. Can you repeat the question? Kerry Boyte, who's my co-founder... GDPR. He was asking about... Oh, sorry. 
So there was a question about GDPR, which is a European privacy regulation that's coming into force. And do you know the date offhand? No. Is it? Okay. Obviously, I'm not the one working on it internally. But... And it's... I don't want to call it onerous, but it changes things quite radically and places new obligations on vendors, software vendors, service vendors, websites, and so on. Internally, what we've done is my co-founder, Kerry, is working with our legal team at K&L Gates. They've been working now for several months to get our house in order. My understanding... I don't want to speak for Kerry, but my understanding is that... and in my involvement has been doing an audit on what data we have, what data we store, where that data falls, which sort of category under GDPR, that data falls, and what we need to do about that in terms of information to our users and our customers and what we need to do in terms of sites that use Wordfence, our product, to protect themselves. That, as I mentioned, that project's been underway for quite a long time with us, and it's coming to a conclusion now. We'll be done soon and before the deadline. I think what's important to sort of note... I can't advise you on GDPR. It's not my sort of area of expertise. I don't think my colleagues... I think my colleagues would say the same, but it's not a checkbox. It's a big change, and if you think you might be affected by it, I would definitely start reading about it and seek legal counsel if necessary and get your house in order. That's kind of all I have to say about it. Go ahead, Aaron. Regarding GDPR, or in the project around it itself, it's been an ongoing project for months and months as well for us to get our house in order as well, to make sure that everything is compliant. And a lot of it, because this is a product that you can install and use on your own, a lot of what GDPR requires still falls to you. So the core itself is compliant at this point along with... 
As far as we can tell, all of our infrastructure now, although there's still an audit that's just wrapping up higher now, a third-party audit to make sure that everything is WordPress. We're getting the WordCamp sites and all those things, the events module and things like that, that they're all compliant as well. Yeah, it's a big deal. It's a serious change. And if you interact with... basically Europe in any way, it's a thing that you definitely need to research into or hire somebody to research into. And it comes into where do you store your data in Europe, in the United States? Do you have European customers storing their data in the U.S.? That kind of thing. It's an interesting and fun problem. So we'll touch on crypto mining for a few minutes. Bitcoin is something you've all heard of. And mining Bitcoin requires powerful GPU processors or custom-built processors to kind of speed things up. You can't just do it on a regular CPU, but there's a currency called Monero that was invented a little bit after Bitcoin. And you can mine Monero using CPU resources, and you don't get any significant advantage from using a GPU. And so that is interesting to malicious folks because all of a sudden, using your browser resources becomes attractive. And so we've seen a proliferation of Monero miners using Coinhive, which provides kind of back-end for Monero mining. In fact, websites and the malicious code that they drop mines Monero in visitor browsers and sends the money to the attacker. And so this is just another example of a new emerging business model that attackers are using. At our booth, I get a question all the time why do they attack my website, and there's a variety of reasons, but it's really mostly financial these days. It's about SEO spam, it's about Monero mining, that kind of thing, and ransomware as well. And all of these are sort of new business models that have emerged and kind of stabilized. That's the main motivator these days. 
There's not very much graffiti going on because it's more profitable to do those other things. Any follow-up comments, you guys' thoughts on that, on crypto mining or anything like that?

Just one. You've already mentioned browser-based crypto mining. We have seen a shift from server-side crypto mining, where an attacker would compromise a site or sites and then utilize the server's resources to mine for cryptocurrency. And it's been a shift that's moved over to browser-based, which is quieter. Hosting providers don't know about it, whereas they would know if a server is maxed out at CPU or GPUs. So it's a quieter attack and we're seeing it a lot more often now.

How does it present itself? It's a snippet of JavaScript. As you said, the fan of your computer is making a whole lot of noise when you visit infected websites... Just from the standpoint of the code itself. Yeah, that's a good sign of it. Fans start speeding up. Your resources spike.

Are there some browsers that are more at risk than others? Well, it's really a website problem. The attacker targets the website itself and drops their code into the website as JavaScript that then loads into the browser. I think... Don't quote me on this, but I think that code is compatible across browsers, do you guys know? So, you know, it'll exploit you either way.

Does that just work while they're on the site? Yeah, that's right. Yeah, the code has to be running. Go ahead. Okay.

Could that spread to PHP or server-side software that would actually start attacking server-side resources? Yeah, I think as Matt was saying, we started seeing that initially, where server-side resources would be used, but why use one server when you can have 1,000 servers? Which is really what 1,000 concurrent visitors on a single website are. They're providing 1,000 workstations whose resources can be used to mine currency. So on a busy website, they can do a lot of work.

Like Silicon Valley with refrigerators.
You know what I'm talking about? Silicon Valley, they use Wi-Fi pineapples and they started basically carnicing. They need to get their software out and it ended up... it's kind of complicated, but they ended up using IoT on 16,000 refrigerators. Anybody know what I'm talking about? They're using Wi-Fi. Building a botnet... There's software on people... such a small amount on IoTs, which were the smart refrigerators, and they were able to accomplish their goal.

I don't know why that happens. I literally considered buying new PlayStation 2s at the time because Sony sells those at kind of break-even, because they really make money off the games. So I was like, well, the cell processor is really powerful, and so maybe I can rack a bunch of PS2s and run... I think there's a Linux variant you could run on it and there's maybe even MySQL and Apache, and I was like, what if we racked, you know, 20 PS2s? Would it be cheaper than buying actual servers?

In the days before drones were sold in stores, we used to use the PS2 because it's got the cell runner and all that kind of stuff and all the things that you need to fly a drone before they were ever available in stores. They were 11 bucks as opposed to going out and buying a solar, which was 150 to 200 bucks. Yeah, that's cool.

So, I'm going to... I just have one quick... Go ahead. Go ahead. Oh boy, here we go.

You know, whether or not we were hacked, some of our voter machines were hacked and they were actually able to change the vote.

Well, I'll tell you what.
I'm not going to address that directly, but we published some research that supported a particular narrative, and boy, Russia Today got on the phone quickly to me and suggested I do an interview with them, and stupidly I did, and just wanted to share data, you know, but quickly realized that I'm just supporting a narrative and it's not about the data, and we withdrew very rapidly, and we were almost harassed to do follow-up interviews, and we just said, you know what, we're not a political organization. We don't want to get wrapped up in the debate or the narrative. We put the data on our blog, do with it as you will, and leave it at that. Voting machines is definitely not an area of expertise for us, so I can't really comment on that at all.

But is it possible though for something to... Well, let me ask it this way. Is it possible for code to get put on a system and reside there for three years and then be turned on for a specific period of time, turned off after a specific period of time, and then removed? Is that possible?

Yeah, and you know, an interesting example of that, Matt, is the attack on the Natanz uranium enrichment facility with Stuxnet, where you had code that was kind of latent and made its way into a refinement facility, and it targeted industrial control systems, and it was probably deployed perhaps months, maybe even a year or two, before it activated under certain conditions, recognizing a certain environment. And there's a lot being written about that. There are some really fun books that are quite accessible where you can read the history of that, but that's an example of... It's a sophisticated attack, and you'd probably find a fairly sophisticated threat actor engaging in those kinds of tactics and a very attractive target.
So just to wrap things up, guys, sort of a shameless non-commercial plug: we're running a capture the flag contest, and our goal is really to get you to think like a hacker. What a CTF is: usually you have them at hacking conferences like DEF CON and Black Hat and so on, and there's a series of security challenges that you solve. Sometimes it's just solving a puzzle, sometimes it's actually hacking into something, and what we've done is we've tailored that for WordPress. And what's that? I'm so sorry! So we've made this very accessible, and if you're a beginner or intermediate, get going on it, because if you know how to view source in a browser... who knows how to do that? ...you're going to solve the first challenge, and when you do that you get a coffee mug. But it gets progressively more and more challenging, and we've got prizes along the way, and there's no big commercial intent there; it's just a way to shift your mindset and get you thinking like an adversary and to better help you protect your website from hackers. So it started earlier today; you've still got plenty of time. It's running until 2pm tomorrow. It's at noon tomorrow. Oh, is it noon tomorrow?
Yeah, it ends at noon and then we're doing prizes at 2pm, but you probably know. If you do, let us know. The prizes are at 1pm and the contest finishes at 12pm.

Tell us about the lock picking.

Oh, and if you want to learn how to pick a lock, Sean and Matt are pretty darn good at doing that. They taught me to pick my first lock yesterday, and I can't tell you how satisfying it is. They brought some of their gear with them; it's over at our booth, and they have a series of locks that start from really easy with just one tumbler to progressively more difficult. That's how they taught me. Last night we ended up having a lock picking party that went until 3:30am, so we're all drinking a little bit of extra caffeine today. But come visit us at the booth and we'll show you how to pick a lock. I think that's about it, guys. Thank you.