Cybersecurity: For Better or For Worse?

On Episode 61 of The Edge of Innovation, we’re talking with security expert Adriel Desautels, founder and CEO of Netragard, about whether cybersecurity is getting better or worse.

Show Notes

The Netragard Website

Get in Touch With Netragard

Find Netragard on Facebook

Find Adriel Desautels on Twitter

Find Adriel Desautels on LinkedIn

Find Netragard on Twitter

Follow Adriel Desautels’ Blog on Netragard

Netragard in the News

“Is Your Data Safe From Hackers?”

“This Year, Why Not Take Your Data Seriously”- Netragard’s Guide to Finding a Vendor

“Cars: The Next Hacking Frontier?”

“How to Find a Genuine Penetration Testing Firm”

“What Is Penetration Testing? Here’s the Right Definition”

“How To Hack A Company With A Trojan Mouse”

“Don’t Become a Target”

Bitdefender’s Website Where You Can Buy Bitdefender, recommended by Adriel Desautels

The Hands Off! Mac Update Download recommended by Adriel Desautels can be found here

VMware Fusion, also recommended by Adriel Desautels, can be found here

Download for Little Snitch

“Honeypots: The Sweet Spot in Network Security” – An article about Honeypots

The Frank Abagnale movie, “Catch Me If You Can”

Link to SaviorLabs’ Free Assessment

Sections

CVE: Common Vulnerability Enumeration
The Watering Hole
You Can’t Detect What You Don’t Know To Look For
Programs and Operating Systems Adriel Uses
Dealing With Data
Is Computer Security Getting Better or Worse?
What is a Honey Pot?
Internet Security: Ten Years From Now
There’s No Excuse
Data With a Long Lifetime
Why Europe is Doing Credit Right
What To Do If You Have Been Compromised
How to Tell If Penetration Services are Genuine

Cybersecurity: For Better or For Worse?

CVE: Common Vulnerability Enumeration

Paul: Hello, everyone. I’m Paul Parisi here with the Edge of Innovation, and our guest today is Adriel Desautels from Netragard.

So now I recently read about a CVE. And just for our audience, CVE stands for…

Adriel: It’s the Common Vulnerability Enumeration, I think it is.

Paul: Something like that. So it was a vulnerability that if you browse to a certain website, to a website with a certain browser, and it loads an ad, your machine is infected. Can you explain? How does that work? And we’ll go through this probably…we’ll unwrap the onion a couple of times on this. How does that work? So I use Chrome and obviously, we think it’s secure today, but six weeks ago, we thought the same thing. And they fixed things in the past six weeks. So what happens? I go to a website. It opens up a news site. What happens? Tell me.

Adriel: So, this goes back into the helper application world. So, let’s use Flash as an example. Flash is a great example because Flash is always being exploited. In fact, our own company is notorious for having sold a Flash exploit. It made the news a while ago. But, Flash is used a lot for ads or videos or things like that on news websites or other websites, or at least it used to be. It’s a way of almost playing movies. Or playing ads and things like that.

Well, you can take Flash and you can embed specialized payloads into Flash. And then the Flash players themselves were vulnerable to these payloads. And when they would load the payload, the payload would exploit a vulnerability in the player, and then give whoever an attacker was — or whatever the end thing was — full access to your system. So in the case of malware, when the system is exploited, rather than give command and control of your computer system to some third party, the malware would be uploaded into the system, and it would do whatever it was going to do. So if it was ransomware, it would encrypt your system. Then maybe propagate it upwards, other directions. So really it’s taking advantage of helper applications.

Any time you browse the web, your browser is the main application that sometimes contains its own vulnerabilities that can be exploited. There are lots of other helper applications that come in. There’s different movie players, there are different content renderers. There are all kinds of things you can plug into a web browser or that you can use in a browser and any one of those things does have vulnerabilities and can be exploited.

So when you browse websites, when you look at anything online, you’re effectively trusting that source to have content that’s safe.

Paul: Okay, but now aren’t you also trusting their ad networks?

Adriel: You are trusting their ad networks, but more importantly, you’re trusting them. The ad networks are less likely… Well, they’re less likely to cause problems for you, than the systems themselves, usually.

Paul: Really?

The Watering Hole

Adriel: Yeah, I think so. I mean, from a theoretical perspective, I suppose anything could be a problem. But, I mean, if you look at…Are you familiar with the term watering hole?

Paul: Not from a computer point of view. I mean, from a wild gazelle point of view, yes.

Adriel: Yeah. Right. Exactly. So, in a safari, you have a watering hole. The animals, they all go to get their water, and they drink from this watering hole. And it’s the one place where the lion won’t eat the gazelle, and all these things are great and happy.

Now imagine some guy comes by with a bio agent that’s designed to wipe out these animals, and he puts it into the water hole. And these animals drink, and then they go back to their herd. And unbeknownst to them, spread this infection and then all of a sudden, their prides and their herds and all that just drop dead. That’s because of a poisoned watering hole.

So a watering hole attack is when you take a website, a common website or a news location or an ad network or anything like that, and you infect it with malware. The people who go and visit that website are then compromised or infected by the malware that exists in that website. If the malware is designed, as we would be at Netragard, if it’s designed properly, then what will end up happening is when that person takes their infected computer to another network, it will notify the controller, the person in charge, whoever deployed the malware, that they’re on a new network, and it will give them access to that network too.

So just like the infected animals that spread their infection to the rest of the herd, the infected computer will spread their infection to the rest of the computers in the network that it connects to. So it’s a watering hole.

This attack has been around… Boy, this type of attack has been around, since probably 2000, 2003, just never really heard about it until, I think it was called the Aurora incident, the Aurora something. It was when Google was targeted by the Chinese with a watering hole attack. And since then watering hole attacks have been happening. I can’t remember any off the top of my head or recall any on the top of my head that were as large-scale as that. That was just one example. I mean, there are, of course, you know… We have the ransomware attacks today that are happening. Bad Rabbit or whatever that was. They’re continuously going. But I don’t remember anything quite the scale of what was going on with Google, only because Google, of course, is massive.

Paul: They are a big target.

Adriel: Yeah. And so they have a lot of viewers. The bigger the watering hole, the more people that feed from it, the greater the impact.

You Can’t Detect What You Don’t Know To Look For

Paul: So now if I’m just a general citizen sitting at my computer, why is it that Google doesn’t catch the fact that their site is infected or CNN or whatever? How come they’re not smarter than me?

Adriel: Yeah. You can’t detect what you don’t know to look for. A weird example. Imagine we somehow encounter extraterrestrials and they come in. “We come in peace.” Shoot to kill. They think they’re friendly. We think they’re friendly. Everything is going great. Meanwhile, they’re offloading masses of weapons, and we don’t recognize the weapons as weapons because we have no idea what they are. Right? And they begin to attack us with these weapons, but they’re not like anything we’ve ever seen before. So we have no idea we’re being attacked. And then all of sudden, people just start dropping dead, and it takes us a while to begin to realize, we’ve been attacked.

Hackers are the aliens. We build weapons that nobody else has seen before. And we attack people in ways that they absolutely don’t expect and in ways that the security industry doesn’t expect. We come up with new things. And so you really can’t defend against the unknown, which kind of goes full circle, and that’s why this whole “I protect you against zero-day things” is ridiculous because zero days are unknown vulnerabilities you can’t defend.

Paul: So it’s all marketing is what you’re saying is…

Adriel: Exactly. That’s exactly right.

Programs and Operating Systems Adriel Uses

Paul: Now what kind of computer do you use? Do you use a PC with Windows or Mac or what?

Adriel: I use a Mac. But within the Mac, I use a hypervisor and I run about four or five different operating systems within that. So I use the virtual machines. Within containers are my real machines.

Paul: Which hypervisor do you use?

Adriel: Right now it’s VMware Fusion.

Paul: Okay. So you’re using VMware Fusion which allows you to run virtual machines, as they’re generally called. Are those sacrificial virtual machines, or are they secure?

Adriel: One of them is secure, but it can still be sacrificed, if that makes any sense. I take snapshots regularly. So if I’m doing something, and I think anything bizarre happens, I just revert back to the snapshot that I know was good.

Paul: Okay. So this is a good line of discussion. So you have several VMs and you use those. Now in those VMs, do you have any antivirus, antimalware, any software on them that helps you stay secure?

Adriel: Yeah. Only in one of them, in the Mac VM, within the Mac. On my Mac within a Mac, yeah. I use Bitdefender and Hands Off! I use Bitdefender because it is proven to be one of the most effective pieces of antivirus software out there. When we do our own zero-day development, Bitdefender oftentimes will pick up our exploits or our tools and we’ll be able to say, “Hey, well okay. We have to adjust this because Bitdefender just found it.” Others just don’t seem to do it quite as well.

And then Hands Off! is sort of like Little Snitch, only it’s a bit more advanced. It’s a bit more advanced than Little Snitch. Hands Off! allows me to control what files are accessed, what ports are being connected to, what hosts are being connected to. So if I decide that I want to browse to XYZ.com, Hands Off! is going to say, “Hey, do you want to allow this connection? Do you want to allow this access to this file?” And I have to explicitly allow everything.

And it’s nice because if I actually browsed to a malicious site and I hit a Flash exploit or whatever it might be, when that exploit begins to work, I will see that my system is trying to access files and do things that it shouldn’t normally do. And I’ll say, “Hey, wait a second. Why are you doing all of this stuff? Something just happened. Let me revert back.” So I can catch it, even if I don’t know exactly what’s going on.

Paul: So it sounds like you have to be a little bit smart.

Adriel: Yeah. You do. You have to be vigilant. Absolutely.

Paul: And know what you’re looking at. So if the ordinary user was faced with Hands Off!, they might not know how to respond.

Adriel: Yeah, it’s not trivial, unfortunately.

Paul: So what are the other operating systems you run in these VMs and, and why?

Adriel: So BSD and Linux. BSD just because I like it. There’s not a lot of people that are targeting BSD. I like the port system a lot. And Linux because Kali is great for penetration testing and doing research, and a lot of tools run on it. I run Ubuntu, but I do that largely for administrative reasons because it has some cool functions and features that will help you manage other servers that are similar or systems that are similar.

Paul: And do you run Windows at all?

Adriel: I don’t. I mean, I do have a Windows VM, but I use that specifically for signing malware. So we have a code signing certificate and we sign all the malware that we push out, which is interesting. So I use Windows specifically for signing malware.

Dealing With Data

Paul: So how do you deal with your data?

Adriel: What kind of data?

Paul: Well, I mean, you’re doing work. You’re a productive member of society. You probably have a bank account. You probably have photos. You have business files, an agreement with a client, a contract here and there, etc. Where are those? Are they on the machine? Are they in a VM? Are they somewhere else? Are they on a flash drive?

Adriel: No. So everything that we have is stored in our data center that is related to the business. And it’s stored in different ways. If something is highly sensitive, it’s stored on an encrypted disk, and it’s also PGP encrypted. And there are only three people that can decrypt those files. If it’s medium sensitivity, then it’s stored in the system with an encrypted file system or it’s stored in a system with an encrypted file system within an encrypted database.

The idea of encryption, though, on end points like that, kind of promotes a false sense of security also. If you were to walk into our data center, and you were to lift one of our machines, the drive would be encrypted, and you wouldn’t know the passphrase to unlock the drive, so of course, it wouldn’t be useful. But if you’re a hacker, and you were to hack one of these systems, the contents are already decrypted because the system is running, and you’re going to gain access to the system and its respective data.

Likewise, encrypted databases, everybody always talks about them. “Oh, let’s use encrypted databases. They’re great.”

Well, if you hack a system with an encrypted database, the key exists somewhere because the database users, the people that are responsible for using that system, they have to have a way of decrypting the data. Right? And we have yet to find an instance where we breached a network, encountered an encrypted database, and couldn’t find a way to decrypt it. So really, encryption is not going to protect. It’s going to slow things down. The best way to encrypt something and protect is with something like PGP. But again, that’s not trivial. You know, I mean, PGP and managing that kind of…I mean, you lose your keys, you’re screwed.

Paul: Right. What do you do with your photos, your personal stuff?

Adriel: That goes into that Mac VM that I have that’s protected by Little Snitch and Bitdefender. And I just have those there.

Paul: Do you back them up?

Adriel: Yeah. I back them up.

Paul: How do you do back up?

Adriel: I back them up to the cloud. I dump them to the cloud. The iCloud. You just make sure that nothing is sensitive. That’s all. Nothing is compromising or sensitive.

Paul: Right. Okay.

Adriel: So, yeah. That’s the best way. I mean, anything that could ever be compromising or sensitive or somehow used to harm my family or harm myself, I just don’t put on computers. I try to make sure that that stuff you do stays in memory or is on paper in a vault or it just doesn’t exist.

Paul: Right. Well, it’s interesting. I’ve had, being a computer person, everybody asks you to solve their computer problems, and the number of people I’ve seen become infected, I’m like, “I don’t know. How did you get infected?” And it almost always comes down to they didn’t know what they were doing. They didn’t realize that doing this was going to do this. And, there’s really no way to give them that level of scrutiny that things that you and I might do, certainly you more than I would just say, “Wait a minute. That doesn’t seem right.” And they don’t perceive it. They don’t even see it.

I just saw a good example of the WPA Crack hack where they got in the middle and basically redirected somebody to a non-SSL site and captured their username and password. And that’s a good, for me, that really makes it plain that, yeah, we really shouldn’t have any non-SSL sites. And that would have fixed that problem.

Is Computer Security Getting Better or Worse?

Paul: So what is your prognosis? Is computer security getting better, getting worse?

Adriel: No, it’s getting convoluted unnecessarily so, and it’s getting complex. And more and more difficult to understand because of the security market. Good security should follow the KISS rule. Right? Keep It Simple, Stupid.

The reason why our customers keep coming back to us, for example, is because we Keep It Simple, Stupid. We look at very efficient solutions. We don’t focus on bloatware because of security fatigue, which apparently is a new thing that people are talking about. We focus on effectiveness. The solutions that exist today are really pretty. And they look really cool.

And maybe they are catching a really high volume of attacks. The problem is, they’re also catching a lot of non-attacks. And so somebody sitting down and staring at a screen with stuff scrolling by all the time is going to get worn out pretty quickly. Right? And so the interface of the person or the data that’s presented to the person is ineffective. And so the whole solution becomes ineffective.

Your network intrusion prevention systems, they make a lot of sense. But the part that’s not being considered there is the person that has to sit there and churn through all of that data every single day. You just can’t do it. Right?

So the security industry is chock full of solutions, which you really don’t call solutions. They’re chock full of distracted new technologies, distracted technologies like this, and these technologies are continually being marketed, pushed by other businesses. And in the end, if you follow it at all, it has to do with money. Everybody wants to make their money. The breaches that are happening today are also beneficial to the security industry because these breaches mean people are going to come and look for more technology, more services, more solutions.

In all reality, people don’t need to do a lot to be secure. And in all reality, people should not be focusing on breach prevention. They should be to a degree. But the real thing they should be looking at is preventing a damaging breach. It’s impossible to prevent the breach. Someday, somehow, somebody is going to breach your network. But if you can detect that breach when it happens, before it becomes damaging, you can prevent the damage, and you can prevent yourself from ever making the news. That’s how you protect networks.

What is a Honey Pot?

And the way that you detect a breach, right after it happens, is with things like internal honey pots and solutions that can pick up on lateral movement.

Paul: Well, so explain that to me.

Adriel: So a hacker breaks into a network…

Paul: You mentioned that. And so explain that to me. I’m a small business. I make semiconductors. I’ve got 50 employees. What is an internal honey pot?

Adriel: Well, actually, so we sell these now. It’s something that we’ve started manufacturing and selling and developing — whatever you want to call it — probably about a year ago because of their effectiveness. So what it is, it’s a computer system that does absolutely nothing except to sit there and look like other computer systems. You deploy these fake computer systems in different parts of the network, depending on how threats are likely to enter your network and move through your network. And they’re tempting.

So a hacker breaks into an infrastructure, and a hacker begins to probe the network. The very act of probing the network when it contacts one of these systems, these honey pots, is going to set off an alarm. That honey pot is going to say, “Hey, user Joe just connected to me.” Now there’s absolutely no reason for any legitimate user to ever connect to a honey pot because they do nothing. Right? So any time anybody connects to a honey pot, by default, it’s illegitimate. So there is no false positive. There are no continuous streams of data like you’re going to see with other solutions. A hacker breaks in, hacker probes network, hacker trips two or three of these things. System admin will get an alert within seconds likely of a hacker breaching a network, maybe within minutes of a hacker breaching a network.

If that admin responds to those alarms in quick time, that admin can likely kick that intruder out of the network before any damage is ever caused. They can say, “Hey, my web server just started scanning my network. That should never happen. Let me go and kill the connection, and let me go put up a temporary site, or let me revert to a backup and just see what will happen.” But this was a breach. It was a breach that doesn’t matter because sensitive information was never captured.

Meanwhile, what’s going on is the inverse of this. People are focusing on breaches, and this is why I say the industry is convoluted. People are focusing on breach prevention. We hear this all the time. It’s an impossible task. But they’re not focusing on post-breach detection. And so what ends up happening is they suffer a breach, and the hacker sits there and says, “Okay. Was that detected?” It’s almost never detected. I mean, I can’t think of the last time that we were detected breaking into a network. So hacker says, “Okay. Were we detected? The answer is no. Great. Now let’s just spread like wildfire throughout the network because nobody has any post-breach detection capabilities.” And it’s true.

Paul: Right. I see.

Adriel: So there’s this gap. Mind the gap. There’s a gap that exists, and that’s what we’re exploiting. The security industry as a whole is upside down, and the solutions that it’s providing are also upside down. Rather than providing you with a solution that says, “Hey, you’re being hacked and it’s real. Do something about it,” they’re providing you with solutions that say, a million times a day, “You might be getting hacked here.”

Paul: Right.

Adriel: So, it doesn’t work.

Paul: Fascinating.

Adriel: So is it getting better, is it getting worse? I think the threats are evolving. I think some of the technology is evolving. I think software vendors like Microsoft are definitely evolving. They’re doing a much better job, and they have a part to do with good security. I think a lot of the other software vendors, especially the ones who build the applications that are used by Microsoft, need to really catch up and start taking security seriously. But I think that rather than being something that could be a fairly simple type of thing, I think it’s become a big convoluted mess. And I think that convoluted mess is making it hard for normal, everyday people to be able to really understand where to go, what to do.

Internet Security: Ten Years From Now

Paul: Sure. So alright. Let’s take the crystal ball out here. Ten years from now, is it going to be better or worse?

Adriel: Oh, boy. I don’t know. If we keep on allowing bureaucrats to dictate the direction of the industry and if we keep on allowing entrepreneurs that are financially motivated rather than technically motivated to dictate the direction, as long as it’s being directed by really policies and money, it’s going to continue to get worse.

Paul: So that sounds like it’s going to get worse.

Adriel: Yes, that’s exactly right. And so inevitably, I think that that’s the case.

Paul: Do you think that there’s some period or some event or inflection point that we’ll reach where we just have to do something differently?

Adriel: I think we’ve already passed that point.

Paul: Okay. That’s fair.

There’s No Excuse

Adriel: Yeah, there’s no reason why businesses should be suffering breaches the way they have. The Equifax breach in my opinion, along with Target, and the multiple breaches of Sony and Hannaford and Ashley Madison, these stand out because these were the ones that were particularly silly. And these breaches shouldn’t have happened. Knowing what I know about how these businesses operate, the reasons why these breaches most likely happened is that either the CEO or some senior-level executive didn’t do their job properly and didn’t pay attention to what they were supposed to be paying attention to, or didn’t give security people enough of a budget, or there was a political reason. Or they believed that they were doing their job properly and they were listening to the advice of bona fide experts when in fact they were just being fed Kool-Aid and they were given a false sense of security.

Paul: So with the Equifax – I’ll say it – it was just industrial-strength stupidity on their part. It wasn’t clever. They drove with their door open and their seatbelt off.

Adriel: Yeah, with a big neon sign that said, “Hey come take it.” Yeah that’s exactly right.

Paul: It’s almost like manslaughter if not murder. It’s manslaughter.

So just briefly talk about the Equifax thing. A lot of people don’t understand what actually happened. I’m not really concerned with the technical details of the thing.

Data With a Long Lifetime

So I recently attended a conference by Frank Abagnale. I don’t know if you know who he is? “Catch Me If You Can?” There was a movie about him. And he works for the FBI. And when he was arrested, he was in prison and the FBI came to him and said if you work for the rest of your prison term for us we’ll let you get out of prison and he’s been working with them now for 45 years. He made the point, the distinction that is obvious again, when I say it, that what hackers are interested in, is data that has a long lifetime. Your name, your address, your eye color, your social security number. He said credit cards are great for people to steal, there’s zero liability for users. So he made the example, for my kids, I had them get a credit card when they went off to college, and I said to them I’ll pay it off every month, don’t spend – you can spend what you want to spend, but I’m actually going to be paying for things through that. So, when they got out of college they had a great credit rating. His point, was he said there’s no risk with a credit card, if someone steals it, they give you a new one. But with your social security number, they don’t give you a new one and Equifax lost 150 million people’s social security numbers.

Adriel: Exactly.

Paul: And it’s not just a number like I could say 1,2,3,4,5,6,7,8,9, that’s a social security number of someone but that’s not the point. The point is that they, Equifax wrote it down on a piece of paper and said, “Oh this is Bob Smith and he lives at 123 Main Street and oh by the way he has this car and this house.” I don’t see a way to recover from that.

Adriel: You can’t. There’s no way. And it’s not the kind of thing where we’re going to begin seeing the impact of it until several years go by. But if you think about the information that Equifax has, how many banks and how many healthcare providers and how many wealth management firms use that exact same information to authenticate you when you forget your password.

Paul: Right. What was the first car you owned, and of the five addresses, which one have you lived at?

Why Europe is Doing Credit Right

Adriel: Right and this information, I’d be surprised, if it wasn’t at some point used for some major heists. You can clean people out with this information if you do it carefully and thoughtfully and spend some time doing it. Of course, you have social security fraud and all kinds of other things that could be happening in the future. People die and you take their identities. The scale of what this could do is significant and what is almost laughable, and really ridiculous about the whole thing is that you look at Europe and they don’t have a credit bureau. Europeans have credit cards but they don’t have credit bureaus like Equifax. They don’t need this person’s place, this business, to maintain all this history. They have different ways of doing things. I know this because my business partner came over here from Europe, bought a house here not too long ago with his wife and all that. The whole process, you don’t have any credit yet I can still do all this stuff in Europe. Why do I need to have this thing called credit over here? So it’s interesting.

Paul: Interesting. Given all of this data is out there and all these financing companies have to continue to do business, doesn’t it almost become their problem now? Because how are they going to, they can’t just say well we’re not going to lend to you because your identity was released on the internet? Well if they stop lending to everyone they stop making money.

Adriel: Yeah, well honestly, I think we should follow suit with what most of Europe is doing. Getting rid of these credit agencies, and I think we should go into a more modernized way of tracking and verifying credit. From the little that I understand, I believe that what happens is that if you take a credit card in Europe and if you don’t pay off that card, there’s a way of communicating to other credit card companies, without a credit score, that there’s this debt that exists. The level of information that Equifax has is too much. They have way too much information.

Paul: It’s criminal, it seems like! It’s centralized.

Adriel: Yeah, and they don’t need that level of information to know that you are a good buyer, and really, they don’t need to know that Paul or Adriel – they don’t need to know their name, they just need to know credit card score and some kind of unique identifier. That’s all they need. Yet, because they are using this antiquated system and because they are collecting information and because they make most of their money by reselling our information, without us really being aware of it, to God knows who, they have that and they’ve put us all at risk! And now here they are. So yeah, those companies should be done away with and we should have a more modernized way of doing this.

What To Do If You Have Been Compromised

Paul: Do you have any suggestions for somebody who was potentially compromised? What should they do?

Adriel: Freeze your credit. Call Equifax, call TransUnion, call Experian, and pay the 15 dollars or whatever it is to freeze it. And quite frankly, Equifax should be doing that for free. They shouldn’t be charging you to freeze your credit, but do that. Because if you freeze your credit it will at least help to prevent people from taking loans out and things out in your name, because it won’t be possible to pull your credit history. Doesn’t mean you’re safe though, because people can still use that information to access resources that belong to you, financial things like wealth management, retirement funds, whatever. You can still use that, and if you get in, there’s no reason why you can transfer out and steal money that way. It’s unfortunate.

How to Tell If Penetration Services are Genuine

Paul: So things are worse. We’ve passed the inflection point. Things are not necessarily getting any better. We still want to use the internet. Be careful of what you share because it could be used against you. Boy it sounds like, it doesn’t sound too positive here. I guess one of the things is through your services companies can be a lot more secure. So that’s a positive thing.

Adriel: It is, but you have to be careful even with that. When you purchase penetration services, you have to make sure that you’re purchasing genuine services that produce a realistic level of threat and not services that give you a squirt gun test. The analogy is that penetration tests are the equivalent of testing body armor with a squirt gun. And there are ways to do it, and we actually published a white paper that was published on Forbes, that was picked up by Forbes, and the article was “This Year Why Not Take Data Security Seriously,” and if you google that, you’ll find a white paper that we published and it really gives you non-biased key points on how to identify a genuine penetration test, and how to differentiate between the people that are going to be selling snake oil. One of the most important differentiators there is that the snake oil vendors will sell based on the number of IP addresses or the number of web applications that you have. It’s called count-based pricing. And if you have ten IPs, like I said initially, and you bill five hundred dollars per IP address, that’s all great and good, you’re going to have a five hundred dollar price tag, but what happens if zero of those IPs are providing any services? You just spent five grand on zero seconds’ worth of work.

Paul: Right.

Adriel: Likewise, what happens if each one is offering 40 man-hours’ worth of service? Well, no pen tester is going to be working for 12 dollars and 50 cents an hour, so any vendor that uses count-based pricing as part of their pricing methodology, you can rest assured that you’re going to be getting that squirt gun test. There’s a lot you can do, and it’s a lot of stuff you have to cut through to understand before you can get to the good stuff.

Closing Words

Paul: Is there anything you’d like to cover that we haven’t talked about?

Adriel: No, I think this was pretty thorough. There’s a lot of stuff!

Paul: There’s a lot of stuff, we could do this a couple more times I’m sure. We’ve been talking with Adriel Desautels of Netragard. He’s a security expert. You’re based in Boston right?

Adriel: Yes.

Paul: But I know you work internationally and are pretty well known. And we’ve been exploring security and penetration testing and security testing and all of the different things that coalesce to mean security, what is security and what isn’t security. There will be a tremendous amount of links in our show notes that I think will be worth looking at: many of the articles that Adriel mentioned, many of the sites, and of course a link to Netragard as well, and ways to contact Adriel.

So Adriel thank you very much for your time. We really appreciate it! It’s really been fascinating and I think a lot of people will learn a lot today and I really look forward to doing it again.

Adriel: My pleasure, any time.

Paul: Thank you Adriel.

Architecture & Technology: Then & Now

Today on the Edge of Innovation, we are talking with Benjamin Nutter from Benjamin Nutter Architects, an architectural firm based in Topsfield, Massachusetts, about technology and how it’s changing the architectural field.

Show Notes

Benjamin Nutter Architects’ Website: benjaminnutter.com

Find Benjamin Nutter Architects on Twitter

Find Benjamin Nutter Architects on Facebook

Benjamin Nutter Architects Portfolio

A Definitive Guide to 3D Printing

What Is 3D Printing and How Does It Work? | Mashable Explains Video

Video of a 3D Architectural Model being made

Link to SaviorLabs’ Free Assessment

3D-Printed Architectural Model

Sections

Running into Problems on the Job
Technology in the Architectural Field
The Drafting Process
The Next Big Thing in Technology – 3D Printing

Architecture & Technology: Then & Now

Running into Problems on the Job

Paul: It’s amazing to take a pile of lumber or construction materials and make it into a house. It’s just an amazing thing. And you help with the plan. But I’m sure that they hit plan issues. How often does that happen, where you drew the plans up, and they go out there, and something is not working because of who knows what? I mean, there’s lots of different things. So it’s a collaborative effort, I think.

Ben: Yes. Well that’s an interesting question in the sense that in the last, say, 12 to 18 months, for whatever reason, I just had an opportunity to kind of reflect back and think back on the volume of construction that we’ve accomplished just in my small firm. And I think over those 30+ years, it’s probably north of $125 million worth of construction. And that’s a reasonable number.

Paul: That’s 1/8 of a billion dollars.

Ben: Yeah. I never thought of it that way. But yes. And then I was also able to recall the very few errors or omissions, if you will, that we’ve ever had — whether it was myself or someone else — and they have been the sum total of four windows, and one foundation that we had to do some concrete cutting on. It’s about four to six examples of times when I said to a general contractor, “Okay, we screwed that up.” So three of those windows, I bought replacement windows for them, and those three windows ended up in my house, which is one way to learn a lesson. But it’s been very minor. I mean, it might have a total value of ten or fifteen thousand dollars.

Paul: Wow. That’s incredible.

Ben: So I’m obviously very happy about that. But I’ve always felt that one of the things that really drives us and is really important to us is that we’re not only very creative, but we’re also very thorough. And that’s probably not only a lesson learned from when I was a child working on my parents’ property and sort of understanding the accountability lesson, but also, for four years, I worked in a firm that was architecture and construction. So that combined both professions under one umbrella, and it kind of ramped up my appreciation for: if you’re going to draw it, you need to be absolutely certain that it can be built. And I was involved in the process of all of the material ordering and window specs and so on. You know, it’s all well and good to be creative, but if you cannot put a thorough set of construction documents out to the general contractor and the trades, it’s not good information for them, and it could be very expensive.

Paul: I was just going to say, based on the number of things you’ve had to fix, the low number six or seven times or five times, contractors must love to work with you because they know the plans are going to be executable. I mean, the last thing a contractor wants is to have to redo stuff.

Ben: Right. Yes. And that’s the last thing we want them to do either. And you’re right. And we have great working relationships with a core set of general contractors. And we have had, on occasion, comments back from a framing contractor or other people that, “This is the best set of drawings we’ve ever worked with.” And those are obviously… it doesn’t happen all the time, only because you don’t necessarily always get that feedback. But when you do, it’s very helpful, because then we understand that we’re providing them with information that’s appropriate and is allowing them to do their job well.

Paul: It’s important to… Because if you weren’t, you’d like to know that. And you probably would.

Ben: Right. Yes, we would.

Paul: But it’s really nice to know that the processes and systems and work methodologies you’re doing are resulting in things that are useful. And as we’ve said before, those contractors, those people that do the building, they’re incredibly talented. So to get them to say something that this is good is high praise. That’s really neat to hear. And I’m sure it made you feel good, but, you know, it’s really nice to know that — whether they say it or not — you’re producing things that are ultimately useful, you know, hugely beneficial to their work.

Ben: Yes. That’s right. Yeah. It’s a very satisfying end result all around. And the more times we can repeat that, the happier we are.

Technology in the Architectural Field

Paul: So now, you started well before computers were contemporary at all. I mean, they just… So you worked with a pencil.

Ben: Yes. Yeah, in fact, it’s almost frightening to think so. But when I first entered college, they were still doing math on a slide rule. And by the time, you know, my second year, we actually had a calculator that probably cost an arm and a leg but at least would add, subtract, multiply, and divide.

Paul: So… Wow, that’s just… So you were doing math to calculate rise and run and all those different things on a slide rule. And then you moved to a calculator. I mean, even a calculator seems primitive.

Ben: It does.

Paul: So when you drew plans in the old world, you’d have to erase them and change them.

Ben: Yes.

Paul: I mean, there wasn’t any other way.

Ben: No, there wasn’t. Yes.

Paul: So, it must have been much more laborious.

Ben: It was so different. Yes. And actually, when I worked at Royal Barry Wills office, there was a gentleman there at the time who had been in the profession for decades as a draftsman. And he used to comment that he would get paid as much to erase as he did to draw. And it was so accurate because in that day and age, you couldn’t just… that’s one of the really great things about computer-aided design now, what we refer to as CAD, because you can do revisions so quickly, and it’s great in both the design process and as you’re doing a set of construction drawings.

Paul: So, now you brought up the point of the draftsman, were you drawing the plans or was the draftsman drawing the plans at Royal?

Ben: Way back… Right. So at Royal Barry Wills office, generally there would be a principal, so that would be one of the lead people in the office. So for example, Dick Wills, he would have a lot of interaction with the client and would do conceptual drawings, which were generally on trace paper, and that would be…that’s a flimsy kind of paper that you draw on, for both floor plans and doing exterior elevation drawings.

Paul: So let me stop you there. I don’t want to derail that. But why is it transparent, semitransparent?

Ben: Oh, it’s so that you could… Great question. It’s so that you could put one piece of paper over another. So you’re making… as you’re doing sketches for a floorplan, for example, you might put a first pass of thoughts down, for organizing a first floor, for example, but then generally you would explore that and find out, well, what if I… Maybe the house should be flipped. Maybe the garage should be on the other end. So you have the flexibility to take that transparent paper and flip it over or upside down or backwards or roll another piece on top of it and try a different arrangement between the garage and where the kitchen is. So it allowed you to do a progressive set of explorations of your design solution. And I have to say that for some of us in the office, even in 2017, it’s still a very productive way to do some of the design. It’s kind of a very fluid way to explore design. So that’s kind of the reason for that.

Paul: Well, I’ve always wondered that, you know. Why wouldn’t you just write it on white paper. But anyway. Okay. So we’re back to Dick Wills, and he would be the principal, and he’d make up the sketches and work with the client. And then what would happen?

Ben: And at the end of that process… So he’d do a concept design, meet with the client, probably do some revisions to that as a sort of more sophisticated solution that would be considered more of a final set of design drawings. And then those of us in the drafting room, if you will — at the time there were five or six of us—

Paul: So you were doing drafting at that time.

Ben: Yes. Right. So then we would take that design, floorplans, and building elevations and begin to convert that into a set of construction drawings — foundation plan, floor plans, exterior elevations. Building sections are when you basically take the giant chainsaw and cut the house in half so you can draw how it’s built — floor joists and rafters and so on. And all the details associated with that — roof trim and window trim, chimney details, whatever is required — that would be part of the responsibility of the draftsman. And then you would also begin to work quite a bit with the client at that point as well.

That process is different for us now, or at least in my office. Each one of the project architects becomes involved with the client right at the beginning of our project as well, whether it’s a renovation or new construction.

And there are a couple of reasons for that. One is that I feel like then everybody has ownership on that project from day one, which, to me, provides an opportunity for that individual who is the project architect to be more excited about that process. And it also is two sets of eyes, ears, experiences, and imagination applied to that client project. So it’s a little… The overall process is not dramatically different in its sort of intention, but what’s very different is in the application of going from design, through the design process, and to a set of construction drawings.

The Drafting Process

Paul: So you had a specific pool of draftspeople, draftsmen, at the time. But that sort of has collapsed, I would imagine, because you all use CAD now?

Ben: Yes.

Paul: And you can make the changes and… In other words, I don’t have to hand it off to somebody else. I might, but just for scheduling purposes, but we’re all able to do that. And I mean, it would have been pretty weird to take a set of plans, to take somebody else’s set of plans and go in and erase and change it. Is that right?

Ben: Right. That would be very rare.

Paul: 30 years ago?

Ben: That’s right. That would be very rare, and it would only be a circumstance where maybe somebody was out on vacation, or they were sick for a few weeks, and you had to do something like that. Generally, you took responsibility for those, and we still do that now unless it’s a time crunch or something of that nature. But, yes. And it is. The way that we can provide various design and detailed solutions by way of computer in the 21st century is just remarkable to me compared to when I started doing this.

The Next Big Thing in Technology – 3D Printing

A 3D-Printed Architectural Model

Paul: Well, what do you think is the next big thing in that? Because, you know, you were doing drawings on flat pieces of paper. And then we moved into CAD where we basically mimic that. Then we moved into 3D where we could extrude and do elevations and shading and coloring and all. What’s going to happen next, do you think?

Ben: Well, some of it, in a way, has already started to happen, in that there is also more technology available to create 3-dimensional actual models.

Paul: Oh, that’s interesting.

Ben: We do not have that capability in my firm. But there are firms where they probably have the equipment to take their drawings and virtually create a 3-dimensional model.

Paul: So like with a 3D printer they would print it?

Ben: Yes. A 3D printer. Right.

Paul: Wow. I wouldn’t have thought of that.

Ben: Right. That is going to… And it’s quite well used in industrial design for example and has been for a while. But that, I’m sure, will trickle down as the technology and the cost of the 3D printers becomes more affordable. More of us will have access to that. That’s a great tool.

The other thing that has changed and certainly is — again, we’re doing relatively small work as far as size of each project. But if you’re doing a 30-story high rise somewhere, the basic premise is the same, but the way you go about it is quite different. And in those firms, many of them are now using a product called Revit. And with Revit, you can have an end result that is both three-dimensional modeling, computer modeling, as well as the two-dimensional construction drawings. So one software program provides you with the opportunity to accomplish both of those. Whereas, in our case, we use an AutoCAD product to do 2D, and we use a 3-dimensional computer modeling software for our 3D.

Paul: So I find myself, with technology a lot of times, being surprised that that didn’t exist.

Ben: Mmm… I suppose.

Paul: So wait a minute. You’re telling me… Now, thinking about it, I know you use two different packages. But I’ve never really gotten into that detail. But there really aren’t a lot of packages that you do both of them in?

Ben: No. And I suppose that’s probably just the evolution of the capability of software.

Paul: I guess that’s the danger of assuming something. So you draw things in an AutoCAD product, the 2D stuff.

Ben: That’s correct.

Paul: And then you don’t have to redraw it in the 3D. Do you?

Ben: We do.

Paul: Really. Now see that just doesn’t seem right. It’s 2017.

Ben: I know.

Paul: I mean, come on.

Ben: I’m sure that that will evolve to make that even… That will become an affordable package for small firms. And the only reason we are not using a product like Revit is that it’s another investment, and it’s also some time for our people to sort of come up to speed with using that as opposed to what we currently do. So that’s where I would imagine the biggest difference will be over a decade or whatever timeframe it is.

Paul: Probably shorter than we know.

Ben: Probably. Yeah. I bet it will be the opportunity for us to work in a CAD or in a software package that would be similar to a very large firm, and then the opportunity to have an affordable 3D printer.

Paul: Yeah. Interesting. So, now you could probably 3D print some of your stuff, if you just sent it out. Right?

Ben: Yes.

Paul: So you have that capability now, it’s just a matter whether you have a printer.

Ben: Yeah. And we’ve done that, but we don’t do it very often.

Paul: Right. So what was the reaction of the people who saw the 3D print?

Ben: Well, one of them happened to be… Ironically, it was for my own house, because I had a friend who was working in a firm that was on kind of the leading edge of creating the 3D printers. And they wanted to kind of find out, how can we work with architects of all shapes and sizes? And so we created the 3D model, computer model, I should say, just to be clear. So we created the 3D computer model and gave it to them. They had somebody then convert it to the software that ran their 3D printer and made the model of my house, which is fascinating for me to look at, or people who come in the office.

Paul: Was this before you built your house or after?

Ben: No. It was after. It was after. Right.

Paul: It would have been interesting just the emotional… I mean, what in the world. Is that, is that right? I want to change that.

Ben: Well, you bet. You bet. And there’s no doubt that the ability to do 3D computer modeling has also allowed us to become even better at what we do because we can see things more easily 3-dimensionally and, again, it’s back to both the subjective and the objective. The subjective, do we think it looks better that way, but objective, is there any little sort of hidden, “Oh, that’s not a good roof shape in that location.” So it’s really fun to work in this profession in this time.

Paul: Do you still have that model?

Ben: I do.

Paul: We’d like to get a picture of that to show our audience. I think they would like to see that. That would be cool.

Ben: You bet.

Paul: Because, I mean, I’m very keen on 3D printers, and I’m just so glad I haven’t bought one, you know. It’s this funny thing. You know, the longer you wait, the better they’re going to get, and it’s amazing. One of my brothers is doing some really cool stuff. He lives in Ohio. And there, the public libraries have 3D printers that you can use for free, just pay for the material. That’s a really cool idea.

Ben: That’s a progressive thought. I like that.

Paul: Yeah. I said, “Wow!” So we gotta make that happen. But, so if you don’t know what a 3D printer is, we’ll put some links in the show notes about that and a link to what Ben has done. We will have all Ben’s contact information and links to his website in the show notes. And you can reach out to him for questions, etc. And, get a look at some of the incredible buildings that just fit so well. I think that’s one of the biggest comments I’d have about the architecture I’ve seen you do is it fits so well into its environment.

Ben: Thank you.

Paul: And that’s, I think that’s high praise. I mean, that is not just… I haven’t seen the inside as much, but they just fit so well. And, we live in New England and it’s a rural area, and it is one of the most beautiful places in the world. And we take it for granted a lot, I think. But I had a good friend who went overseas to school and came back, and he’s like, “Wow. New England is just spectacular.” And it really is. And if you haven’t had a chance to visit here, you know, get a chance to look around and see what it is. But, there’s some great examples on your website and other things. And I’d like people to take a look at that.
So we’ve been talking with Ben Nutter, Benjamin Nutter Architects in Topsfield. I hope you’ve enjoyed the time. Hope everybody has enjoyed listening.

Ben: Thank you very much, Paul. I’ve enjoyed doing this.

Paul: Thank you, Ben.

© 2024 Paul Parisi
