Fork Around And Find Out

Data and security breaches are a dime a dozen nowadays, and despite their frequency, they’re still just as dangerous. That’s where Yasmin Abdi, the CEO of noHack, comes in. Despite her relatively short career, she’s already worked for some of the giants of the tech industry like Google and Snapchat. Along with Justin and Autumn, Yasmin breaks down real-world security challenges and solutions, offering a firsthand view into managing role-based access, phishing simulations for employee training, and the delicate balance between security and usability.


Show Highlights
(0:00) Intro
(0:32) Tremolo sponsor read
(2:04) How Yasmin built noHack
(3:15) Breaking down Yasmin's impressive resume
(4:17) What sparked Yasmin's interest in security?
(7:54) Yasmin's biggest challenge since starting noHack
(11:05) How Zero Trust has evolved over the past decade
(12:34) Balancing usability and security
(15:43) The problems with role-based access and how Yasmin's work addresses it
(19:31) Phishing schemes and AI's role in the future of security
(23:14) Tremolo sponsor read
(24:13) Yasmin's efforts to educate organizations on the dangers of phishing and poor security
(29:31) "Security theater" and the lack of serious education
(34:20) How to get people to take security seriously
(39:37) Yasmin's opinions on third-party scanning vendors
(43:17) How Yasmin would have handled the CrowdStrike attack
(46:52) Where you can find more from Yasmin


About Yasmin Abdi
Yasmin Abdi is the CEO and Founder of noHack, a cybersecurity company focused on delivering high-impact solutions for public and private (startup and SMB) clients. Yasmin’s expertise spans enterprise security, secure software development, vulnerability and risk management, threat detection and intelligence, security assurance and education, and privacy best practices. Yasmin has also shared her knowledge on major industry platforms (featured by Forbes, Cisco, and Voice of America) and has established herself as a leading voice in the cybersecurity space.


Before launching noHack, Yasmin led global security and privacy initiatives at tech giants like Google, Meta, and Snap. With over seven years of experience, she played a pivotal role as a founding member of Meemo, an AI-powered social finance app later acquired by Coinbase for $95M.


Links Referenced


Sponsor
Tremolo: http://fafo.fm/tremolo


Sponsor the FAFO Podcast!
http://fafo.fm/sponsor

Creators & Guests

Host
Autumn Nash
Host
Justin Garrison

What is Fork Around And Find Out?

Fork Around and Find Out is your downtime from uptime. Your break from the pager, and a chance to learn from experts’ successes and failures. We cover state-of-the-art and legacy practices for building, running, and maintaining software and systems.

Yasmin: Think something here that would be really important is like the principle of least privilege, really ensuring that users only have the needed permissions while they’re doing their work that wouldn’t disrupt their workflow.

Justin: Welcome to Fork Around and Find Out the podcast about building, running and maintaining software and systems.

Sponsor: Managing role-based access control for Kubernetes isn't the easiest thing in the world, especially as you have more clusters and more users and more services that want to use Kubernetes. OpenUnison helps solve those problems by bringing single sign on to your Kubernetes clusters. This extends Active Directory, Okta, Azure AD, and other sources as your centralized user management for your Kubernetes access control. You can forget managing all those YAML files to give someone access to the cluster and centrally manage all of their access in one place. This extends to services inside the cluster like Grafana, Argo CD, and Argo Workflows.

OpenUnison is a great open source project, but relying on open source without any support for something as critical as access management may not be the best option. Tremolo Security offers support for OpenUnison and other features around identity and security. Tremolo provides open source and commercial support for OpenUnison in all of your Kubernetes clusters, whether in the cloud or on prem. So check out Tremolo Security for your single sign on needs in Kubernetes.

You can find them at fafo.fm/tremolo. That's T-R-E-M-O-L-O.

Justin: Thank you for opening up your firewall ports in your head to listen to this episode with Yasmin Abdi. Welcome to the show, Yasmin.

Yasmin: Thank you for having me.

Justin: I wanted to talk a little bit about security. This is really cool, seeing that you were saying that you built noHack—you’re the founder and creator of noHack, LLC—and you were doing security at Snap before that. But you built this on the side, kind of, as a project. And what drove you to do this? Why were you, like, oh, do a side project and start doing security for other people?

Yasmin: It initially started off with me just helping a few friends with their security and their digital presence, as well as small business owners and startups. I just saw a lot of vulnerabilities in how they were securing their data. And most of them were not. Or how—

Justin: [laugh]. Not security.

Yasmin: And just, like, a lot of bad hygiene and bad practices. So, it kind of just started off as a hobby, which helped people a few hours out of the week a few years ago, around when Covid started and everything became digital, and then it kind of just snowballed and grew from there. So, while I was at Snap, building, building, building, but never really took it to be like a formal, like, side company or a side hustle, just kind of something to help friends and family. And then over the past year, it just snowballed and kind of grew into a full-functioning security services and solutions company. So, decided to leave Snap back two months ago and focus full time on it.

Autumn: Can you tell us about your resume? Because it is very impressive. It’s baller.

Yasmin: Yeah, sure. Um, I’ve had the opportunity to work at some of the big name companies. I started my career off at Snapchat, where I interned twice back in 2017 and 2018, and then I went over to Google. I was there for a few months, was a software engineer on the Android team. Learned a lot.

I think that’s every computer science and software engineer’s dream is to work at Google, so had the opportunity to be there, learned from some of the smartest people. And then also had the opportunity to work at Facebook—which it was called back then—on an Instagram-specific team. And that was back in 2019. So yeah, I worked at Google, Meta, Snap. I also was a founding member of Meemo, which was an AI FinTech startup that me and my friends started, and that was acquired by Coinbase back in 2021. So I—

Autumn: Dang, girl.

Yasmin: Had the opportunity to do all of the fun things at these places.

Autumn: What did you do at Snap before you left? Like, can you run us through, like, your security career towards the [crosstalk 00:04:22]—

Justin: Yeah, I was like, how did you get into security? Like, what started all this?

Yasmin: I’ve always had a passion. I tell myself that earlier on in my career, I always thought like a hacker. So there’s, like, a way to do things the normal way, you know, like, log into the WiFi, here’s your password, and, you know, you’re logged in, and everything is good to go, and then there’s always a back door. There’s always another way to get into something. There’s another way to break into a system. So, I always thought, hey, like, how can I manipulate the system? Like, how can I—I don’t know if that’s the best response or if that’s even legal, but [laugh]—

Justin: Totally valid. Everyone has some use case where they’re like, “I want to hack a game,” or—

Autumn: Hey, the best security people—

Yasmin: Yeah.

Autumn: —do, like, some other stuff, and that’s how they learned how to do security. That’s just white-hacking. That’s, you know—

Justin: Well, I mean, you have a personal bend, almost. Like I did war driving back in the day because I wanted, like, free WiFi, right? I was like, “Oh, my neighbors have WiFi. How do I get on that?”

Yasmin: Yeah, I think for me, also, my parents would, like, shut down, like, internet access after a certain time, like, put passwords on the, like, desktops in her houses and, like, just do things like that. And I was like, no, like, there’s no way you’re going to turn off my internet after a certain—like, there’s no way you can block these certain TV shows and TV channels after a certain time. So, I was kind of for my own personal preference, but at that time, I didn’t know what I was like d—I didn’t know it was called hacking. And throughout my college career, or even high school, as early as high school, I said, “Hey, like, you know, I enjoy doing those things.” And then I found out job security, I found out this was something that was going to be long-lasting in the world that we live in.

So, studied at the University of Maryland, took my first formal cybersecurity software engineering course there. Graduated back in 2019 with a bachelor’s in computer science and a focus in cybersecurity, and then started my full-time career in cybersecurity at Snapchat. Then at Snap, I was a software security engineer, working on developing internal tooling for the security team, and then moved my way up, and then became manager, and kind of led the insider risk program before I left.

Autumn: Y’all, she’s like, gorgeous, and smart, and got, like, a crazy career. How did you do all that since 2019? Like, did you sleep? Like, what—like—

Yasmin: To be honest, no, I didn’t sleep. There was lots of late nights. But I think for me, I’ve always just had a passion to learn more, so even in times, in days where I didn’t think I was working, working—like, the startup that me, my friends started, I didn’t really think of that as a job. I thought of that as more of a side hustle, like, you and your friends are working on building something cool. And then, I mean, acquisition was the goal, but I didn’t think it would happen that fast. I think that turnaround was like 18 months.

I had a lot of very senior people on my team, I’ll tell you that. Like, ex-Google directors of search, et cetera, so like, it was a heavy group of people working on that product. But still, the turnaround time was super fast. But yeah, I think, like, working on that project with my friends, like, you lose track of time. You lose track of the days.

And then also, when I was at Snap, like, working on a product that, like, you feel so much passion and you care about. And then with noHack, like, I think I work seven days a week. Like, I can’t even tell the difference between, like, work and not work because sometimes I work on stuff that’s, like, super fun and engaging. Like, I do a lot of public speaking, do a lot of panels, I do a lot of conferences. I travel the world now, and it’s like for work, but it’s like, fun work. So, sometimes I get lost some track of time with all the different moving pieces that I do.

Autumn: It seems like you really enjoy what you do, and that you just are born with the hustle and curiosity.

Yasmin: I would say, I agree with that. Thank you [laugh].

Autumn: What’s the biggest challenge you’ve faced so far, starting noHack? Or maybe, what’s the biggest thing that you didn’t expect?

Yasmin: So, as a CEO, I’m learning a lot of not technical, like, skill sets. So, when I was at Snap, or when I was at Mimo, or even Google and Meta, I was very much software engineer, like, or security engineer. So, I was very much within the engineering realm of things. And now I’m learning about cap tables, and investing, and like, how to pitch, and how to sell yourself, and how to sell your company, and like, how to form, like, partnership deals. Which for me, I’ve always had, like, the—I feel like I’ve always been born with the opportunity to communicate, but I think it’s like the selling aspect of noHack is something that I’ve been learning.

And it’s definitely fun. I feel like I’m back in school where I’m learning something all over again, from the ground up. I feel like within engineering, there’s everything’s changing, but there’s a certain way that things are changing that you can grasp on. But, like with sales, or with business, or with marketing, like, I tend to spend a lot of my time figuring out, like, all these social media strategies and things that I’ve just never been privy to. So, I would say those are some of the things that have been challenging, but they’re fun challenges because I’m always learning, and I feel like I’m a lifelong learner, so it’s fun to learn new areas.

Justin: What sort of software did you start building? Like, because you mentioned you—initially this was, like, friends and family, and a lot of that’s just, like, here’s a web page with a blog post or something, right? Like, use a password manager, put on TFA if you can, something like that. And then at some point you have to, like, transition that into, like, oh, if I’m going to have a company do this, I need tools, or I need some automation, or I need some way to do this reporting. What sort of things did you focus on first to do? Like, here’s your public port scans, or here’s a CVE report, or what are you kind of doing first?

Yasmin: So, at noHack, we really started off with penetration testing and vulnerability scanning. So regular, just assessing systems for weaknesses and vulnerabilities, typically, that’s how we would start. So hey, like, you know, if you’re a startup, primarily with, like, a digital footprint, we would scan your infrastructure, your systems, your architecture, your endpoints, like, your APIs, all of the things that you have digitally connected to the world, and scan them for vulnerabilities. And then we would also do some red-teaming, so we would pen test, and really see how we could maybe break into your system or find weaknesses in your system. So, that’s kind of how we started.

And then we built a bunch of other, like, services and solutions from that. They can range anywhere between, like, AI threat detection and response. So, really utilizing a lot of, like, machine learning and a lot of, like, the insider risks, the experience that I had to kind of understand, okay, like, where is the threat happening? Where are the pain points here? And then, what responses can we build?

So, whether that’s alerting, whether that’s setting up continuous monitoring, and things of that sort. So, I would say we started with vulnerability assessment and scanning, moved over to threat detection and response, and then, now we really focus a lot on, like, zero-trust architecture, so making sure that we are never trusting, and always verifying every request that comes in. No matter if the user or device has access to any systems, we always would verify and have very strict authorization and authentication. So, I think those are probably the three biggest things that we focus on at noHack.

Justin: How has zero trust evolved over time? Like, when I remember back in the twenty-teens or whatever, like, zero trust was just, like, oh, at some level of your network, you need to be able to figure out if this device is trusted on the network, and you just do it with mutual certificates. You’re like, oh, you got to cert. I got a cert. We trust the signing authority. We’re fine. Let’s keep talking.

But when you talk about AuthZ versus AuthN or whatever, like, you’re, like, moving into the application layer, you’re saying, oh, you can do that at the network layer. You can do it at the request load-balancing layer, you can do it at the application layer. How has that changed over time for something that is a zero trust mindset?

Yasmin: I think it started off with adding, like, an additional layer of protection. So, when you think about adding 2FA or MFA, I think that’s kind of like the early days, and then now it’s kind of evolved into, like, a continuous monitoring approach, where every single request that comes in, you’re going to verify the identity before allowing any type of level of access. And then I also think that identity and access management has also been increasingly important, so always managing the users’ identities and permissions to minimize any unauthorized risk. So, there’s frameworks like our RBAC—so Role-Based Access Controls—access management systems to really ensure that employees, regardless of, like, their role, can only access data that’s necessary and needed for their workforce. So, I think it really started off with the MFAs and 2FAs moved over to a continuous monitoring approach with that identity and access management, managing users permissions, and very granular to the RBAC framework that I mentioned.

Autumn: How do you balance usability and security, and kind of like, educating people? Because I feel like that is the hardest part, kind of getting people to realize how important security is and why. Because people will just be like, well, I don’t want to get alerted all the time and I don’t want to sign in twice, and this is so much harder, but trying to really educate them, but also make it easy to use. But secure is always a battle.

Justin: I just moved one of my Google accounts to a passkey, and I don’t like it. I’m like, “Oh, this is more secure. It’s better blah, blah, blah,” and like the sign-in flow is just worse now, compared to one password auto filling my username and password. And now I’m, like, oh I got, like, three—

Autumn: See, I’m the opposite. I hate remembering all the ridiculous passwords I make. But Google definitely there is some sort of a bug in the passkey, that sometimes it doesn’t always work the way it’s supposed to. But I really appreciate that Apple products use the same passkey. Like, you know, you can use it from one of your phones because it’s all connected. I do appreciate that my face is my passkey, and it doesn’t require me to remember, like, passwords and constantly change them. So.

Yasmin: Yeah, I mean, I think that that’s a core challenge that’s always being spoken about in security, I think the over-complex and restrictive systems can lead to, like, frustration. I remember when I was at Snap, we had, like, four different layers of authentication that we needed to get through to get into our Google accounts. So, it was definitely a lot of feedback that we heard from employees. Hey, like, we understand, like, why this is needed, but can we kind of, like, lessen the friction that’s happening? So, yeah, I mean, I think it’s something that it’s always going to be a challenge to balance it out in the best way.

I think something that is always needed is password complexity. So, if a system requires, like, a long, complex password, maybe not asking them—I think sometimes even these days, that you’re required to get it changed every 90 or 180 days, I saw some organizations, and I was like, hey, like, that’s a bit too much. That would be too annoying for me personally, if I had to create a new password every 180 days.

Autumn: And especially they’re so long. Yes—

Yasmin: Yeah.

Autumn: And I think there’s like, that battle where, like, you want it to be usable because, if not, they’re going to go around it. Just like you said how you went around your parents stuff, like, I talk about all the time, my kids are going to end up working for the NSA to get around all of the, like—you know, like, so people will go around it and be super lazy and not use all the safeguards or try to get out of them. But you want it to also be safe, so it’s, like, the struggle.

Yasmin: Yeah. No, I agree. I think something here that would be really important is, like, the principle of least privilege. So again, with going back to, like, role-based access control, really ensuring that users only have the needed permissions while they’re doing their work that wouldn’t disrupt their workflow. So, the principle is least privilege, I think, is extremely important when trying to find that balance.

And then I also think, kind of creating, like, a human-centric design, really designing these security measures that are intuitive, minimally disrupt the workflow. So, something like a single sign-on could be helpful, but I think, yeah, it’d always be interesting to kind of find what that balance is going to be.

Justin: One of my pain points of any role-based access control system is it’s so hard to define a person as a single role, right? Like, most people once they’re—when they start their job, like, your role is clearly defined. And in larger corporations, it might be easier to fit you in, like, this is your role. This is the only access you ever have access to, but once they move positions internally, they’re now doing like, a role-and-a-half because they’re like, “Oh, I still do some of that stuff for that old job, I have this new one.” And they switch again, or the team moves, or org charts move, or the products move, whatever it is, all of those roles get really, really messy once we try to maintain them after six months or a year of real life experience.

Autumn: Not even just that, but, like, packages. Like, you know, when you’re, like, are responsible for certain code packages, and having ownership of the testing, and the pipelines and all that stuff. Like, there’s always some point you have to give somebody access to binaries or something, but then how long do you give them access to binaries? And, like—

Justin: Yeah. You have a temporary role in this case, right? Like, here, you need this for a week or two. I don’t know. And that just gets messy, and a lot of times it’s just like, oh, I have root access because I got it three years ago, and I still have root access, and no one knew to take it away.

Autumn: And trying to do it fast, you know? Like, where, “Hey, I need this,” and you’re like, uh, “I know you need it, but”—

Justin: You’re a blocker for someone.

Autumn: —[laugh] exactly. So, when you’re in production and you’re trying to fix something, it makes it so complicated.

Justin: Have you seen easier ways to manage that, or to change that, or just to make RBAC fit the real world?

Yasmin: Yeah, so that’s actually one of the services that I built when I was a software engineer, one of the internal services I built at Snap. It was so hard to get right. It was so difficult to get right. So, I’ll start with that. But we built a tool that allows us to know who has access to what. So given, like, an employee’s email address, it would show us everything they had access to, when they got access, what role they had, what permission, et cetera. Like, if it was GitHub, like, what repository?

So, it looked at internal services, it looked at external as well. And I think for us, like, first, visibility and awareness was the most important. So, we can’t revoke your access if we don’t know what we had. So, I think, like, kind of what you were saying around, like, the temporary access, or if someone changes teams, I know I changed teams, like, two or three times at Snap, and when I was building this tool, I was like, oh, wow, I still have access to the old teams that I had, or I requested access for a temporary for this one project, and I still have access from, like, an external partner that I don’t even need access to. So, I think, like, awareness was first part.

And then we built this mechanism that had, like, if you didn’t use this access within, I think it was 90 days or 180 days, then you most likely won’t need it moving forward. And then if you did, well, you’ll just have to request it again. So, I think that’s a way that it was more applicable to, like, real world. Like, I wasn’t on that team for two years. I didn’t need that temporary access, so it was revoked. Like, that worked pretty well, just because people wouldn’t—and if they needed it, they would just re-request it.

It’s always really challenging because of all the lateral movements within organizations, temporary access, time-bound access, or if someone leaves the company. But what we did was, we hooked it onto Workday APIs. So, depending on, like, your role, or depending on the org or the organization that you were in, you would get whatever access was applicable for that. But if you changed orgs, it would ideally drop or remove that access. So, early days of it, but it was working. It was working well when I left, so I hope it still is.

Justin: Keeping those roles in org chart in sync is extremely difficult.

Autumn: Not just that, but when you move from different job families, like, going from an SA where you touch code but you don’t touch production code, and then all of a sudden you’re in production code, like, I had so many permission issues, just because it still thought I was an SA when I was a dev, and it was always confused. What role do you feel like automation and machine learning are going to play in the future of AI? Because you said that, you do. You did work on a machine learning tool, right?

Yasmin: The biggest one is around, like, being able to detect threats faster and smarter. So, once you have, like, a vast amount of data, and you can kind of, like, see similarities, and identify anomalies, and like, within real time, I think AI will definitely help. With faster, better, smarter, real-time threat detection, responding to potential threats, like blocking access, if it’s unauthorized, if it looks malicious, or if you see incoming traffic in the network that it looks suspicious, it could stop it before escalating. So, I think that will be a high-ticket area where AI and automation will help a lot.

Autumn: Do you feel like there’s any areas that AI are going to make us more vulnerable in the future, with us giving it access to so many things.

Yasmin: It will get better around social engineering, and like, phishing and that area and realm of things. Even yesterday, I was with a friend, and they got, like, a credit card fraud email alert when we were in Colombia, and I was like, “You don’t even have”—it was a Chase Card. I was like, “I’ve never even seen you use Chase over the past four days.” Like, it’s probably not real. And they were like, “Yeah, Yasmin. Like, I think it’s real.”

And I was like, oh, okay, whatever. And then they kept doing their thing 20, 30 minutes later, and they were like, “Yeah, they even have the same, like, four digits of, like, my card.” And I was like, “I’m telling you, like, I don’t even, I haven’t even seen you pull out the Chase card. Like, you shouldn’t”—this is phishing. The email looked so real.

And then I think, after—I think it was very fine-tuned, I don’t remember what the exact detail was, and he was like, “Oh, my God, this is actually phishing.” And I was like, “I told you, from the jump. Like, I don’t understand why you didn’t listen to me.” But I think it’ll just get really smart and really good at all social engineering, and like, phishing campaigns and spear-phishing and all of those things. And I don’t know how and where they got, like, our trip location, the card, the last four, all those details, like, to the T was exactly right. And then, you know, he almost fell victim to it, but thankfully, I was there to save the day. But I think it’ll [laugh]—

Autumn: Being your friend has to be a total flex. But, like, isn’t it crazy though, with all the information that we give out? Like, there’s been so many times I’ve had to stop my friends and they’re like, “I’m going to go, like, do one of those, like, surveys on Facebook.” And I’m like, “You just gave eight people your passwords, but okay.” Like, [laugh] you’re just, like, there’s so many different ways. Like, people are always giving their location on social media, then they’re always talking about how they’re not home. And I’m just like, “Can y’all just”—[laugh].

Yasmin: Yeah.

Justin: I think you bring up a really good point, too, because, like, for as long as I’ve been adjacent to security and interested in security, we’ve basically always told people, like, your instincts suck, right? Like, your passwords suck, all of these things that you think are unique or random and computers can’t hack into, like, nah, just don’t trust any of that stuff. Hand off all that stuff to a password manager, certificates, all these other things that are external to you. But when it comes to, like, this, phishing attacks and AI generation, none of them pass the vibe check if you, like, have any experience, right? And like, immediately you’re like, this vibe is off. Don’t trust it.

But they were like, “No, no. The bank has told me I have to trust them, and so I’m externally mou—like, all of these systems I have to go through to make sure I don’t lose my money,” right? And that’s, like, a big risk, but you know that picture of that person has 18 fingers, right? Like, don’t trust it. Like, there’s some level here that you just have to be able to, like, trust yourself. But in security specifically, we’ve just always told people they’re terrible at it, and now we’re, like, reversing some of that.

Sponsor: Running Kubernetes at scale is challenging. Running Kubernetes at scale securely is even more challenging. Are you struggling with access management and user management? Access management and user management are some of the most important tools that we have today to be able to secure your Kubernetes cluster and protect your infrastructure.

Using Tremolo Security with OpenUnison is the easiest way, whether it be on prem or in the cloud, to simplify access management to your clusters. It provides single sign on and helps you with its robust security features to secure your clusters and automate your workflows. So check out Tremolo Security for your single sign on needs in Kubernetes.

You can find them at fafo.fm/tremolo. That's T-R-E-M-O-L-O.

Yasmin: Yeah, and I think that’s it. Phishing is still the number one way that organizations get hacked. It’s always through people, it’s always through their lack of education, so I always try to help organizations educate their employees through, like, mock phishing emails. I actually set a campaign up at Snap where we would send mock phishing emails to employees just to see what the click-through rate was, how many of them clicked the link, but then also entered their credentials in the link, and then downloaded files. And then we had some very nice follow-up calls from that. So—

Justin: You’re like, “Look at this pie chart. You all opened a PDF.” [laugh].

Autumn: Wouldn’t it be funny if, like, you sent an email to see, like, what people would click on, or whatever, and then, like, a big pop up came and it was like, “You failed.” [laugh].

Justin: Oh yeah, that is absolutely… yeah.

Yasmin: That’s actually, that’s exactly what we did. So like, if they did click on the link, or if they downloaded it, it would be, like, boom, like, “You have failed. Like, now you have mandatory education and training that you have to go to.” So, it wasn’t just, like, a simulation for us to kind of see, like, how, like, the posture and the health of the organization, but also, like, we very much sent them to, like, a mandatory training and awareness.

Justin: It’s because, like, we keep leaning back on that, like, we need to educate people to get beyond this, but at the other end, we’re like, we want machine learning to do the vibe check. And at some point, like, I don’t know that machines are going to get the vibes, but people aren’t getting the education either, and so I don’t know where that meets in the middle of like, both these sides suck.

Autumn: But not just that, but we also constantly talk about, like, least privilege, right, the principle of least privilege. But now we want to give machines access to everything. We’ve given, like, AI, so much data. There’s so many companies that are piping their own data back into their AI, and then they’re giving it privileges to infrastructure, giving it privileges to data, giving it privileges to, like, their codebases, and to writing their codebases. And I’m just, like, I mean, I wish I knew more about it, but I’m like, how many safeguards are in the different, like, areas that these things aren’t talking to each other? You know what I mean?

Justin: People [unintelligible 00:26:38] jobs. And like, you know, AI systems are the new Jenkins, right? Because, like, CI/CD systems were the place that every hacker went to attack because it had all the credentials, it has all the access, all the automation.

Autumn: That’s what I’m saying. Like, and like, just working in production, like, I think getting a degree that was about, like, secure software development—I actually went to the same school you went to, but the online, like, military version of it—and it’s wild, like, what people do in real life production because things don’t always work the simplest ways. Like, you know what I mean? Sometimes there is, like, a weird way that you have to give something permission to do that, or make it so it’s automated, so you can release a bunch of versions at once, or just something. And you’d be surprised at the amount—like, I was on a business intelligence team, and they were testing on Redshift, like, clusters [laugh].

I was, like, what are we doing? Like, you know, like, I was the most junior person, and I’m like, can we—this is a bad idea. There’s so many different layers to what you can do in production, and sometimes you have to do something quickly. And I’m just like, if it’s this bad, when we know the principles of least privilege, and they’re humans, and then we’re going to give machines access to all these different levels of data at the same time, it’s going to make it so much easier. You hack one thing, and you get the keys to the candy store for everything.

Yasmin: And I think that’s why we set up, like, systems in place at Snap, where we would be able to see if you were putting anything into these AI systems. Like, we would send alerts, like, we would—like, data exfiltration, so like, copying any source code or copying any documentation, see the source, and then we would be able to flag it in ChatGPT or any of these models. But I think you’re right. If you hand them over your source code or anything like that, and God forbid, I mean, I hope that no one’s storing keys or any credentials in code these days because [laugh]—

Autumn: But how many times do—like, there’s literally a bot that goes around Google—not Google, but GitHub—telling people, “You put your keys on the internet.” Like, because how often do we do it on a—I remember I was sitting at Google Next, and they were like, “It’s going to write your infrastructure, it’s going to write your app, and then it’s going to make a database.” And I’m just sitting there, like, “Oh, no.” And then they exposed an EC2 instance name, and I was like, “Oh.” [laugh] like, on the stage, [laugh] at their keynote. I was just, like, [gasp]. My little security heart about died [laugh]. It’s like, “Y’all, this is like a 101 of what we should not do in public.” [laugh].

Yasmin: And I think for me, it’s like the biggest things, like, the most easy to catch, or, like, the easiest, the most obvious vulnerabilities are right in front of you, but sometimes people just overlook them. And a lot of these, a lot of these vulnerabilities that happen are sometimes the most obvious.

Autumn: The biggest hacks are the ones that walk through the door. Like, Target got taken down by literal least privileges because they gave access to a contractor. Like, it’s never something crazy. Like, I think the only thing that we’ve really thought was really crazy was that guy who did the social engineering to make the maintainer really depressed to get the binaries in and then create—

Justin: Yeah, [cutils 00:29:36]?

Autumn: Yes. That was the old, like, think about it. Out of all the news—

Justin: That was legit. Like, mmm—

Autumn: Okay, that dude, like, he deserves to get, like, something named after him. Like, I was like, I like, I can’t be mad at you. That was the trojan horse of 2024, okay? Like, but most of the time, they walk right in the door.

Justin: What’s something, Yasmin, that you think is commonly said, “You should do this thing, but is mostly just security theater and doesn’t matter?” Right? Is there something in there, like, “Oh, this is the advice that the news will tell you.” And you’re, like, actually, just don’t. Like, it doesn’t matter, or something that a company’s, like, investing millions of dollars in a thing, and then you’re, like, you know, you’re probably not going to get the security outcomes that you want by doing that process.

Yasmin: You know, I think it just goes back to there’s a lot of compliance rules and regulations around mandating data, and maybe just, like, actually security education for companies. There’s, like, laws and regulations that now the government has regulated that says, oh, like, you need to educate your employees, but sometimes the employees are just clicking through these docs and submitting okay, or, like, fast-forwarding this video, not actually watching it. So, I think there’s a disconnect around, like, we actually need to educate employees, but how we are doing it is not actually materializing into anything that’s beneficial. Because I’ve surveyed so many people, like, “Hey, like, did you actually, like, watch this or read through this?” Like, no, just clicked, “Accept, acknowledge, and move on.”

And I think it just highlights a lot of policies around, like, privacy or data, data usage, data deletion, data retention, all of those things, that people just don’t really—like, they think that, oh, my data is secure, or like, they’re not using my data, or they’re not retaining it, or anything like that, when in actuality they are. And there’s a lot of fine lines that people are missing and misreading or not even reading. So, I think, oh, like, a company doesn’t have access to my Snaps. Like, do they really not? Are you sure they don’t?

Autumn: I was an SA, and we have all this training, but the training for SDs were different. And I remember getting on an SD team, and they were like, “Oh, this customer is having this issue.” And then the other, like, SD was like, “I’ll just log into their account.” And I was like, “You’re going to do what?” Like, [laugh] “No, you’re not.”

Like, it’s crazy that, like, I mean, we all know, like, I love security and I think it’s interesting, but I definitely have got a program, like, one of those, like, requirement learnings, and I’m just, like, this is so boring. But how do we make better education, though? You know?

Justin: It’s not only the fact that, like, usually it’s just dry content, that no one’s really interested in—

Autumn: That’s what I’m saying. And it doesn’t really give you the real use case. Like, you know what I mean it doesn’t really—

Justin: I mean, like, all the cartoons and the silly, like, situations they try to, but like, most of the time, that any security training I’ve been at usually is, like, oh, fit this into your normal schedule, right? Here’s the 37 meetings you have this week. Here’s the things you have to get done for work. Oh, and this all this training thing, right? So, like, well, I’m going to have to do this, you know, like, as I’m doing something else, and those are all the times that, like, I would hack into, like, or I’d look at the JavaScript and change the timestamp, then like, oh, yeah, I watched this for 30 minutes. Yeah, I changed my system clock, and we can fast forward those things.

Autumn: Think about that, Justin. Dammit. [laugh].

Justin: Oh, they’re all time-based, and you just, like, oh a computer doesn’t know what time is. I do. Let me skip past these parts. And those were the things that were interesting.

Autumn: I just take the test at the end.

Justin: But that’s, like, the things I learned about it was like, “Oh, you did client-side validation. You’re an idiot.” Right? Like, we can bypass some of that stuff. Because, again, it wasn’t, it was a priority enough to get the checkboxes for people who are trained, but not give them time to learn something, or give them a person to ask questions to, right?

Like, sit down with someone. Like, pair programming is a thing because it’s like, wow, we learn so much by just watching someone else, an expert in their field, do something. Or even, not even expert, just someone else with a different approach [laugh].

Autumn: They don’t even want to invest time into pair programming, though. And like, look at all the studies that show how fast that helps people to ramp up, and they’re like, “Oh, no, sorry.”

Justin: I mean, pair debugging is, like, the best experience I’ve had in my, like, engineering career. It was like watching someone else use 18 different tools to debug something. Like, what was that command you ran? I’m writing that down, and going and reading the man page later. This is amazing.

Autumn: Which is wild because, like, everybody can steal code from somewhere, but debugging is—like, you will always have to debug something.

Yasmin: Yeah, I was like, I was going to agree. I think that’s why we—well, to the first point, that’s why we did the real live phishing mock simulations where it wasn’t, like, a manual or, like, a video, or, like, a document that said, “Hey, I read this,” but it was a real live simulation where, okay, like, you actually read the email, you clicked on it, and then boom. Like, now you’re, like, “Oh, ----.” And then, especially when you CC their managers, or, like, leadership, and it’s like, “Your org is in charge of 30% of this simulation that we—and this could lead to how many millions of dollars or how much user data could be exposed?” So, then now, from leadership, is like, okay, like, we actually really have to invest and it’s like, okay, if you already got caught, and your team and your org is, like, performing very poorly at this, it just becomes so much more impactful. So, then people start to take it seriously. So.

Autumn: After you get caught in that kind of a pop-up, you’re probably going to pay attention to that class that you got sent to, and you’re never clicking on another email link that you don’t know about again [laugh].

Justin: Is there an offset for that? Like, because you can’t care about everything, and you can’t pay attention to everything, but there are a set of maybe this is more relevant now. And I’ve been subscribed to have I been pwned? For I don’t know how long. And I’ve gotten so many emails.

After so many times, I don’t read them anymore because I’m like, yeah, there’s nothing I can do about this. My data got leaked somewhere. Someone else didn’t secure it a right way, or someone got a phishing attack and they got in the—like, I can’t do anything about this anymore. Now, it’s just noise. And at that point I stopped caring.

Originally, it was like, I really care about these things. Let me make sure every time I rotate my passwords, all that stuff. And now I’m just, like, I just don’t have the time to care, and I don’t have the [laugh] memory bandwidth to care anymore. How do we, like, eliminate—or not eliminate, but just, like, reduce the fatigue and help people focus? Like, you can’t focus on everything.

Yasmin: I would say, um, if you have, like, multi-factor authentication set up on your accounts, and you are, like, not connecting to, like, public WiFis, and you have, like, secure best practices, then you’ll most likely be at less risk for these attacks, or all the noise that you’re saying that you get from these different applications and stuff. I would say that, yeah, I mean always just to enable 2FA, MFA, secure best practices in your day-to-day workflow, and I think you could take a lesser look on some of these notifications. And also regularly update your password, not 180 days, but definitely something frequent. And then I think also, like, I mean, I’m not telling you guys, but maybe other listeners that are not aware, but don’t just update it with, like, one extra character. I think that’s the most obvious way for you to get hacked. And a lot of times, like, your emails have already been in databases where it’s been compromised, so you adding one additional character is not really going to make it more secure.

Justin: One of my first and favorite projects when I started at Disney animation was they wanted to see, like, “Hey, can you use John the Ripper to look at, well, whose passwords are easy to hack?” And I’m like, “Sure. Could you give me the LDAP dump?” And they’re like, “Oh, yeah, here’s”—they literally were, like, “Here’s admin access. Go get the dump and get all the hashes from it, and then see what John the Ripper could do.”

And we had a render farm. And it was a Christmas break, and we didn’t have a lot of stuff to do, so I’m like, how much of the render farm can I use to start this John the Ripper process? They’re like, you can have a rack. And I’m like, cool. I get a bunch of machines, let me just—and, like, the amount of things that were just, like, very basic, and very things, like, oh, I would expect this to be a password at Disney. And [laugh] it was like, and just incremented numbers.

I’m like, oh, these aren’t secure at all. And that was 2014, and basically, ever since then, I stopped knowing any of my passwords. I’m like, no, a password manager is generating everything that’s not, you know, like, if I know the password, I have 2FA on it, right? Like, we have to have some level security. If I had to create this thing out of my head, it’s not that random [laugh] in there.

And so, yeah, having that is, like, one of those things. The security best practices, like, that quote, to me, is always really hard because that always depends, right? Like, it always depends on the context. That always depends on what the information is, what the actual system you’re using, if this is an internal AI system at Snap, like, I have different best practices compared to, you know, a forum login that is a throwaway they don’t care about.

Yasmin: Yeah, I agree. I was just going to add to that. I mean, it definitely depends on what context you’re speaking about, but password managers, like, you mentioned, I think something that’s always really important is endpoint protection, so always making sure updates are in sync, you have security patches, firewalls, antiviruses and anything like that is super important. I know a lot of people probably are familiar with password managers, but not as much with hey, like, we’re not just sending you these pop-ups because your device is not updated. It’s probably some security patches that need to be updated in that as well. So.

Justin: In my opinion, one of the best and worst things that Microsoft did for the security ecosystem is reliably release updates on the second Tuesday of the month. And I was a Windows system admin. When that was happening, it was always, oh, second Tuesday is here. We got to go through tests. We would block out time because they were predictable. And then we could say, oh, I can build predictability into my schedule for how I’m going to roll these out, where I’m going to roll them out, how I’m going to test them.

But on the downside of that is, like, they weren’t equally prioritized. As far as, like, sometimes there was a zero-day that was actively exploited across the world, and it just came out normally on a Tuesday that’s just, like, oh yeah. Also Excel crashes once or twice, right? It’s, like, oh, this thing is critically important in this other thing. And I can’t tell you how many times I’ve been in situations where the infrastructure wasn’t kept up to date, and that helped us not have a CVE because the CVE was in the recent four releases, and we’re, like, oh, we’re six versions old. We’re good, right? This wasn’t introduced yet. That bug, that CVE, that security hack that was being critically exploited somewhere, like, no, we don’t have to update because we were never vulnerable. And I can’t tell you how many times that has happened to me.

Autumn: Giving it time to bake and let somebody else find all the bugs is always—a lot of big things do that, though. Like, they don’t let you update right away. Like, they will look definitely let it bake and see if other people exploit it first. What do you think about making, like, third-party scanning vendors better, and not getting so many false positives? Because it seems like the more we get automated, the more we get alarm fatigue.

Yasmin: That’s a good question. I just also wanted to add-on to the previous, quickly. I think at Snap, we actually would shut down access for you to, like, log in if you did an update within, like, the certain time. I know IT was very, very, very big on hey, like, there’s this zero day happening. Like, your computer—because, you know, it’s all managed software from the company, so you will not be able to log into your computer unless you update it. Or you won’t be able to do anything on your computer until you update or unless you update. So, that’s interesting that you said that.

Autumn: We used to get logged out because we, like, closed our computers on a Friday, and Monday, you’re like, “You are not”—

Justin: Oh, the amount of time I spent fighting Amazon’s Acme system internally for updates because they were so aggressive on doing every piece of software update all of the time. And if you didn’t do it after, like, three or four days, it’s like, yeah, you can’t get email now. Stop what you’re doing and update. And I’m like, wow, this is on the extreme end of—

Autumn: I spent more time doing that than writing code.

Justin: [laugh]. Yeah, exactly. I can’t tell you how much time waiting for my system to update. And on chats because it wouldn’t work, and things were, you know—oh, look, this new five updates you rolled out don’t work together, and I need that fourth one or whatever. And those were all things that is such a hard balance to keep this… we need to keep it secure, we need to keep it compatible, and just giving people time back to, like, when do they don’t think about it?

I do think beyond what Microsoft did with keeping it predictable, what Google did with Chrome and Chrome OS, of making it more immutable updates, of saying, like, hey, we’re doing whole patches of systems that roll from one image to another, and if it fails, we can roll back. And you could never roll back with Windows, you can’t roll back with a Mac, and those things make it really difficult. The downside is you have to reboot. And like, no one wants to reboot. But the bonus of, oh, I know this is safe to try because if it doesn’t work, I always have a fallback.

Autumn: Java did something similar, but not so much for rollbacks, but they made the release cadence shorter so people would no longer get stuck there—

Justin: Giant updates.

Autumn: Yeah. So like, after eight, we learned our lesson, and they were like, okay, we’re going to make the—

Justin: After 8? Really? Really, 8? [laugh].

Autumn: Mmm…

Justin: Sorry. [crosstalk 00:42:20]

Autumn: Like, 8 will die when the universe nukes itself, okay? Like, that’s when it’ll die. But, like, the release cadence made it easier to release software more, like, more regularly, but it also made it where you’re getting new LTSes, but they’re long-living enough for them—people don’t want to switch to them. But at the same time, kind of giving people—where that versions weren’t so different that they were hard for you to manage.

Yasmin: I think going back to the question around the third-party scanning, it’s super critical. It’s a critical component for modern cybersecurity practices, but I think that there’s also a lot of supply chain risk that’s introduced. I’m not sure if you guys are familiar, if you heard of the SolarWinds attack that was back maybe a few years ago, but that originated from vulnerabilities in third-party systems. So, I think that having these third-party scanning capabilities is super important, but we also have to remember that it increases the attack surface. So, as you’re integrating more third-party solutions, those potential entry points for attackers increases significantly. So, there’s a shared responsibility. There’s a lot of benefits, but there’s a lot of increased vulnerabilities that happen when you just think about all the new entry points that attackers have.

Justin: How would you have fixed or changed CrowdStrike [laugh]? [laugh].

Autumn: Oh, that’s a good—

Justin: It’s a third-party vendor—

Autumn: This is spicy. But like—

Justin: [crosstalk 00:43:46] spicy one, I’m [unintelligible 00:43:46] go in there.

Autumn: Just, like, a little spicy, but, like… like, this is, like, mild compared to his normal shade that he throws at cloud companies. Like—

Justin: I’m just—I would love to hear some insights on, like, what you think is something that could have been done different, or should have been done different.

Yasmin: Fundamentally, like, the testing could have been a lot better. But I also think that they should have had, like, a layered approach for monitoring, maybe like, combining some type of, like, endpoint detection, or some type of, like, network traffic analysis, or like, behavior analysis for ways to detect these anomalies in their system could have been a way. But I think that, like, just going back to, like, how could they miss something as fundamental as testing? Like, for a company that big, for them to be faulted at that level—

Autumn: Because it changed the behavior, you know what I mean? Like, it changed such a behavior that, like, you know your product, you know it’s running in airports, you know it’s running to things that can’t be rebooted, don’t have keyboards, you know what I mean? So like, I’m just, like—I don’t know. I feel like we all have use cases and bugs that you can’t account for, every now and then. It’s so out of the realm on how a user is going to use it that, like, we all have our issues. But that wasn’t even, like, a user using it in a weird way.

Yasmin: Yeah, I agree. I think that they could also have had, like, a better incident response approach. Maybe if they had some type of speed or clarity of response during that incident, that would have helped a lot. So yeah, I think there’s a lot of ways in which they could have made this better.

Justin: Just to play a little devil’s advocate here, the thing that they had a bug crashed roughly 1% of Windows clients. I would never—I don’t ever test my software enough that 1% of my customers could not be affected, right? There’s always this edge case of, like, how thoroughly can I test something like security? And, yeah, it’s in all these places, and all this stuff is obviously bad, and I think that the global deployment of a thing was a YOLO moment for them, of just, like, [laugh] here it goes. It’s tested on my machine, works on my machine, and then 1%, eight-and-a-half million, Windows devices crashed from it. Which, again, like, it just seems like a really small edge case in a lot of ways.

Autumn: The way they dug into it, though, it just seemed like there were so many opportunities.

Justin: Anytime I’m looking from the outside on anything, I’m like, oh, this should have been easy, right? Like, oh, I could have figured that out, right? Like, when I really look at those, like, 1% edge cases, I don’t know that it would matter.

Yasmin: Yeah. I agree. I feel like there are so many ways and so many lessons that they could have—well now that they learned. But yeah, that was—

Justin: I think one of the really interesting outcomes from this is the fact that Microsoft is giving the kernel hooks so that they don’t have to run in kernel space, right? Like that was the thing. The API limits that Microsoft walled off in Windows Vista is now becoming open again, so that these security vendors have the proper access to not run this highly privileged code that is sometimes untested and causes those things. So, I think the eventual outcome that’s interesting is the Microsoft changes, not the CrowdStrike changes necessarily. Because everyone’s going to have 1% errors, and everyone, at some point is going to say, this has a fix that has to go out now. And how much access, or where, how critically does that software run is the real, kind of, interesting learning thing to me.

Yasmin: Yeah, vendor accountability, super important.

Justin: And partnerships, right? Like they build the thing for Microsoft Windows, and that’s where it runs in the primary use case, and that was what was affected. And Microsoft never allowed the vendors to get in there. Yasmin, this has been great. Thank you so much for coming on the show. Thank you for teaching us all about your career path and different security aspects at different companies. Where should people find you if they want to reach out online or get in contact?

Yasmin: Yeah, absolutely. This was so much fun. Thank you for having me. My socials are Yasmin Abdi, so you can find me on LinkedIn at @yasminabdi, Instagram at @yazabdi, Y-A-Z-A-B-D-I. Also on nohackllc.com. Feel free to message us. Feel free to reach out if you want to learn more about cybersecurity, or you want to partner or work together. Yeah, this was super fun, and I’m super glad that we did this.

Autumn: I’m so excited to have met you. I’m going to be rooting for you and, like, fan-girling the whole time. It’s going to be great.

Yasmin: Right back at you.

Justin: Thank you so much, and thank you everyone for listening. We will see you again soon.

Justin: Thank you for listening to this episode of Fork Around and Find Out. If you like this show, please consider sharing it with a friend, a coworker, a family member, or even an enemy. However we get the word out about this show helps it to become sustainable for the long-term. If you want to sponsor this show, please go to fafo.fm/sponsor, and reach out to us there about what you’re interested in sponsoring, and how we can help. We hope your systems stay available and your pagers stay quiet. We’ll see you again next time.