For those of you that prefer the audio version, feel free to check out the actual podcast recording here:
Travis Theune is a SuperNerd SecOps engineer who makes Skyrim-style swords and worked on satellites for NASA in his early teen years.
Travis has over 2 decades of operations and security experience through his roles at SmugMug and Monster, including many years of independent consulting experience.
To start, what is your background?
I've been in the computer SysAdmin, DevOps, operations, whatever you want to call it field, for 22 years now.
I started early because I didn't have the traditional education route that a lot of people have, and I guess my first job in the computer industry would have been doing some programming as an intern at Goddard when I was 15 years old, Goddard Space Flight Center NASA.
What was the first application you built?
For that internship, I was porting an operating system for one satellite system to another satellite system. So I wouldn't really call that writing an application or anything like that. And then when I left that, I got into the ISP industry and such, so it was a lot more hardware and system configuration and that sort of thing. I didn't really write what I would consider even a loose application until I wrote my first monitoring tool.
That would have been right around 2000, 2001, somewhere in there.
Yeah, that was before Nagios was a thing. It was the predecessor of Nagios that was out, it was something called Big Brother, and it just didn't cut it for us. So I ended up teaching myself Perl so that I could write it.
How did you get into server and network security at Foxpass?
I started in the industry in the mid-90's, so I went through both dotcom booms.
Yeah, there's a lot of change in those. Your opportunities come up, and you jump from job to job. In the late 90's, early 2000's, changing jobs every eight months was normal. I was considered an old fogy when I was some place for two and a half years.
What's been one of your favorite changes that you've seen in the industry, or the most exciting, or the most surprising?
The concept of automation. Computers have always been about automating things, but humans like to get their hands dirty and do things themselves.
When the car came around, they were like, "What about horses?"
As cars evolved and different engine types came, they were like, "Well, what about all of the things with this? And I can't ..."
The end user not being able to tweak things the way that they could before ... Because there's better ways to do it, and automating and doing extensive testing in the entire process just makes things more robust and work better.
But, that adds layers and layers of distraction. So as the end user, you're not going to be able to get in there and twiddle the bits as it were to fine-tune things exactly where you can, but you also can't break things the way that you could before. Things aren't as fragile. So I really like the march towards automation.
In your own words, how would you describe how Foxpass automates server and network security?
I think that's an excellent question.
The old way was to... If you even used a directory service as a central point of user control for things, which 90% of places don't, you'd have to go into the LDAP server and enter the data for the new user.
Generally, there would be some sort of GUI for it, but sometimes you're literally just plugging away at the directory server itself, and adding each little thing.
But more common than that is actually just installing, configuring users on servers, doing it ... There's useradd, userdel for Linux, as Linux commands for creating and removing users.
Sometimes you would use a configuration control tool, like Puppet or Ansible, or Chef, or Salt ... One of those that would do configuration management, so you would configure the user in your management tool, and then that would push that user out or get pulled in, depending on which direction your configuration management's working.
But it's still another system that you had to set up for users, and your configuration management tool could definitely add users to just these systems and not these systems, or make them sudo on these versus those.
But it's a very complicated and often home-built system that's ... If you didn't build it yourself, someone coming in and trying to take advantage of any of the shortcuts that you used to do that would be difficult to do.
Where Foxpass comes in, it just takes the simple act of adding a user into your Office 365, or your Google Apps environment.
Because you have to do that for their email, so you're adding into the group that they need to be in, and that's automatically pushed through into your infrastructure.
You can ... Via Foxpass with VLAN segmenting, you can get down as granular as saying, "They have access to this SSID in your office and not to another one."
It can all be time-based, event-based, there's a whole lot of flexibility.
Yeah, the automation is what I absolutely love about it.
What's maybe one of the most common security mistakes that you see when it comes to servers and networks?
So, Sarah was on the engineering team since ... She was the third engineering hire at the company. The company is now 250 people, you've got 120 engineers in 10 teams, and she had access to all of these things all over the place.
And she's been poached away, she's now the CTO at some place else, and that's awesome, she moves on.
Turns out that they turned off her access to get help, they remembered to do that, and the primary production server, the main entry point, they remembered to turn that off.
But, her SSH key is still installed on two-thirds of the infrastructure, and the Wi-Fi® password hasn't changed.
So she comes back for lunch one day, just to visit old friends, and just for gits and shiggles, she hops on the Wi-Fi® and goes, "Oh look, I can still SSH into this old system, into the production database through this route," because you forgot to just get rid of those old ... Nobody touches those things.
We cut off the access at one point, that's good enough, and oops, forgot about all of the rest of the things.
Not even through a malicious intent of the employee.
You did a great job, you hired wonderful people, this is a fantastic thing...
...And she's at the airport in Chicago, and somebody comes and steals her laptop.
Her laptop still has access to ... She doesn't even work for you anymore, and her laptop has her SSH key on it. So now me, as a thief, I have access to everything that she had access to.
So, Foxpass pretty much puts all of that on autopilot, correct?
Absolutely. When she leaves, you remove her user from ... You get rid of her email user, you take her out of your Google Apps or your Office 365, or you just mark her inactive in that, and now that user is removed from everywhere.
That user can't log into the Wi-Fi®, that user can't log into the production servers.
Even places that she did have access, it's no longer there. It's all pulled out.
What would you say to new founders, or maybe existing startups that haven't really put too much thought into security? Where should they start? What's just some general advice that you would give them?
Identity matters is what I like to tell people.
Who you are is important.
As a founder, who you are to your employees is important, who you are to your investors is important, who you are to your customers is important, and you go to great lengths to cultivate a very specific image.
And if somebody is impersonating that, that impacts you greatly.
Do the same thing for security; being who you are, being identified for the actions that you do, and how you do them, is extremely important.
It gives you auditability, and it gives you insight into who does what, when and where.
This isn't even for being Big Brother and, "Oh, I can see that Tom came in to work 10 minutes late." You can use it for that, but that's not the purpose here.
The purpose is so that, somebody stole Tom's credentials and now is a bad actor.
You only have to revoke Tom's credentials, you don't have to revoke everybody's credentials.
So giving people individual identities makes a huge, huge difference.
It's also easier to start with a culture of security. If you build a culture in your company that's based on everybody sharing an identity, and then you try to retrofit individual identities into things, that gets very difficult to do the longer you go without doing that.
What do you like to do for fun, aside from working on satellites?
I haven't worked on satellites in 25 years, man.
I'm a ridiculously big nerd. I like to do old school pen and paper dice role-playing games, like Dungeons & Dragons and Shadowrun, GURPS, things like that. I go to conventions, I know people in the industry...
That's one of the fun things that I do.
I also like to build things. I play poker, I built a poker table. I like doing stuff with wood.
I used to be a blacksmith, that sort of thing.
So everything from super bleeding-edge security technology to burning coal and melting metal.
Tell me a little bit more about the blacksmith part, I'm kind of interested in that. Do you actually work with steel and welding?
Yeah. So I'm a horrible modern welder, using a TIG or a MIG welder. I can do it, I'm just horrible at it.
But yeah, I've done forge welding and stuff. I've taken two pieces of metal, heat them up real hot in a forge over to an anvil, smack them as hard as I can with the hammer a couple of times, and get them to stick together. Yeah, I've done that.
What's something on your bucket list?
Man, so many things. My wife and I travel a lot, that's probably where we spend most of our free time. Actually she does it for work, so I spend a lot of my free time tagging along with her as she cavorts around the world.
So I always like going to new places with her, that's super fun. I want to start my own podcast, that's a thing on my bucket list to do, talking about these very topics.
Security is really near and dear to my heart, so it's something that I want to talk about a little bit more broadly.
Wi-Fi is a trademark of Wi-Fi Alliance®