FLOSS Weekly

Episode 865 transcript

March 4, 2026
Episode Description from the Publisher

Jonathan: Hey folks. This week I talked with Philippe Humeau about CrowdSec. That is an open source security company, and their flagship product is a web application firewall that puts the open source into it in a couple of different ways. It's really fascinating and you don't wanna miss it. So stay tuned. This is FLOSS Weekly episode 865, recorded Tuesday, March the third: Multiplayer Firewall.

It is time for FLOSS Weekly. That's the show about Free Libre and Open Source Software. I'm your host, Jonathan Bennett, and today we're talking, well, open source, of course. We're also talking security and probably AI. I know our audience, some of our audience, is sick of talking about AI, and I am too. But at the same time, it's the world that we live in right now. It is the bubble. So we've gotta do some coverage of it. Today I'm talking with Philippe Humeau, the guy behind CrowdSec and a bunch of other things. He just told me in the pre-brief that he has literally written the book, or a book, on AI doing offensive security stuff. And these are all things that I am super interested in, care very deeply about, and I know a lot of our listeners are too. Without any further ado, I'm gonna bring Philippe on, and we are going to dive into it. Philippe, welcome to the show.

Philippe: Hi, Jonathan. Thank you for having me.

Jonathan: Yeah, it is great. It is great to have you here. And it's really interesting to look at some of the things that you've had your fingers in. You've been doing cybersecurity since 1999, which is a long time now. Yeah. Don't think too hard about how many years that's been, but it's been a long time. And you've got a note here that you also like to crack business models on top of security. I'm fascinated to hear about that. But let's start with a background. How did you get into all of this? What was your introduction to open source and cybersecurity? How did those things come together for you?
Philippe: Yeah, so the inception moment for cybersecurity was when I was in my engineering school. So I met a guy and he told me his name on screen was Jedi, Sector One. And I was like, wow, okay. Wait. The name rings a bell. What I've... why does it? He says, I've been cracking games on Atari ST when I was a kid. Wait, I was playing those games. But you are my age. So when I was playing and I was 11, you were... I know. It is, I'm one year younger than you are. I was 10. So you were cracking games being 10? Yeah. Okay. I wanna do what you're doing now. Now I'm interested. Show me the rabbit hole.

Jonathan: Yeah.

Philippe: And then this guy introduced me to security, or what it was back in the day. So we used it for stupid stuff, dredging on girls and trying to find the name of this beautiful lady we saw in a party, whatever. Nothing bad really, but also there was no law framework around it. So with a bit of crap, nothing reprehensible, nothing that could get you in a court nowadays, or probably everything could get you in a court nowadays. But what I mean by that is it was just a free space and we enjoyed the time and we honed our skills, and then I became a pentester, quite obviously.

Jonathan: Yeah. And then when did you make the connection with that and open source? Because I know that this is part of your background, and the two have some natural overlap, but it's not something that everyone thinks about. I'm curious where this connection came.

Philippe: Yeah, so it dates back from the days where we wanted to have the proper WAF. And we found none, and with my CTO Thibault we were like, okay, let's develop one ourselves. So we used NGINX as a base and we developed what was called back in the days NAXSI, which stands for NGINX Anti XSS and SQL Injection. And we used it a lot, and it was very robust, very efficient. And we were like, okay, you know what? It's just a tool for us. It's not about making money about the tool, it's about giving the tool to the community so they can contribute rules. Because the problem with the WAF is not really writing the engine. The problem with the WAF is having the rules and updating them consistently. So in many ways, open source is helping you by having a community. Now, what I tell other fellow members of either business or cybersecurity or FOSS is you have probably 10 reasons which would be bad reasons to go the FOSS way, and one or two that would be the right reasons to go the FOSS way. So think twice before building a business of a FOSS for your personal intere
