Cyber Crime Junkies

Crowdsourcing Firewalls & Network Security. Magic of Crowdsourcing Approaches To Security.

Cyber Crime Junkies. Host David Mauro. Season 5 Episode 26

Philippe Humeau joins us to discuss new crowdsourcing approaches to security. Philippe is a former hacker and the founder of CrowdSec, a crowdsourced, Waze-like security platform.

Learn more here: https://crowdsec.net

Get peace of mind. Get Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com  
 
Imagine setting yourself apart from the competition because your organization is always secure, always available, and always ahead of the curve. That’s NetGain Technologies – your total one source for cybersecurity, IT support, and technology planning.

Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466.

A word from our Sponsor-Kiteworks. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal, secure file sharing platform made for every organization, and helpful to defense contractors.

Visit kiteworks.com to get started. 

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. Text the studio number above. We'd love to hear your thoughts and suggestions for future episodes!

The Waze App of Security. The Power of Crowdsourcing. New Crowdsourcing Approaches To Security 

The company's software is built on the idea of "safer together." Not only does CrowdSec block attacks against an individual user, it also records each malicious IP address seen during an attack and uses this information to protect everyone in the CrowdSec community from future attacks.

TOPICS: new crowdsourcing approaches to security, how crowdsourcing helps cyber security, how crowdsourcing works, crowdsourcing, the power of crowdsourcing, crowdsourcing cyber security, crowdsource security, open-source security platform, dynamic firewalls, threat intelligence, CrowdSec, open-source, cybersecurity, dodge attacks, decentralized

Chapters

 

  • 00:00 Introduction to CrowdSec
  • 02:54 Philippe Humeau's Journey into Cybersecurity
  • 06:16 Moving Beyond Static Rule Sets
  • 10:18 Real-Time Knowledge Sharing and Threat Intelligence
  • 13:05 Blocking Attacks at the Network Layer
  • 16:11 Harnessing the Power of Diversity in Threat Intelligence
  • 23:13 CrowdSec's Approach to Data Processing
  • 25:42 The Power of Crowdsourcing in Cybersecurity
  • 30:05 Proactive Protection with CrowdSec
  • 33:43 The Story Behind the CrowdSec Logo
  • 38:36 The Business Model of CrowdSec
  • 44:09 Neutralizing Offensive AI Attacks

 

TRANSCRIPT

 

Cyber Crime Junkies (00:03.082)

All right. Well, welcome everybody to Cybercrime Junkies. I'm your host, David Mauro. And in the studio today, we have a really interesting guest, Philippe Humeau, founder of CrowdSec. It's an open-source, crowdsourced security platform. And he's going to walk us through it, but it's really cool. He's joined us in the studio all the way from the other side of the world, which is really exciting. CrowdSec, it's like a multiplayer firewall and analyzes visitor behavior, provides adaptive responses to all types of attacks. And we know, based on what's in the news, things like this are absolutely needed. And who doesn't love crowdsourcing, when we all kind of put things together. Philippe, sir, welcome to the studio.

 

Philippe Humeau (CrowdSec) (00:52.765)

Hey David, thank you for having me on the show.

 

Cyber Crime Junkies (00:55.06)

I'm so glad that that you've been able to join us. So real briefly, you know, just high level kind of walk us through how you got into cybersecurity and how you kind of came up with this idea. And then let's talk about what it is and what it means for organizations of every

 

Philippe Humeau (CrowdSec) (01:15.485)

Yes, I was born in a little fishermen's village. I was not really good at fishing, so I went to Paris, a big city locally, to learn my trade in engineering. And I met a guy, and the guy was actually one of the most prolific crackers of the time on Atari ST. So Atari ST, for the others, is an old computer.

 

That was very good at gaming, except you had to buy the software and we had no money because we were 10. And one group was actually cracking them for us, so we would have them for free. That was so cool. And... Yeah.

 

Cyber Crime Junkies (01:50.862)

So when you say, so hang on, I don't mean to interrupt, but when you say cracking it, you're talking about like jailbreaking the game so that you can access

 

Philippe Humeau (CrowdSec) (02:00.221)

Yes. Yes, they were removing the protection so we can duplicate them and share them amongst ourselves.

 

Cyber Crime Junkies (02:07.175)

as every great security expert started as a kid doing.

 

Philippe Humeau (CrowdSec) (02:10.217)

That's a starting point. And so, you know, I met this guy 10 years after. He was like, yeah, that was me. Yeah. He was in my school, the same school. It was like, yeah, it was me doing this. Yeah. I was like, wait, you're my age. Yeah. So when you were doing this, you were 10 too. Yes. Yeah. Yeah. Yeah. That was ridiculous.

 

Cyber Crime Junkies (02:22.365)

Really?

 

Cyber Crime Junkies (02:28.398)

So you were 10 years old and you met this guy and then like a decade later you came back and met him again and he was like, yeah, I was the guy that was able to crack into all these games and everything.

 

Philippe Humeau (CrowdSec) (02:39.581)

That was ridiculous. It was so good. It was just insane. And I was like, so what are you doing now? Like, I'm doing something in hacking and security, you know, like cracking programs and so on, getting into the systems. And they're like, show me, show me. I need to learn that. It looks so fantastically cool. So I started my, yeah, I started my career like this and

 

Cyber Crime Junkies (02:57.961)

that's so cool.

 

Philippe Humeau (CrowdSec) (03:03.373)

shoulder to shoulder with this guy, and I started to learn a bit how you penetrate systems, and I became a red team pentester. And then, fast-forwarding time, I created my company.

 

Cyber Crime Junkies (03:12.087)

Okay.

 

Okay, so you were enchanted by the power that this guy demonstrated, right? Especially at a young age. You're a little bit older, in your 20s, you meet up with him again, and then all of a sudden you're like, I want to be a red teamer. I want to be a hacker, but for organizations. That master power of being able to crack into things. What types of things would you hack into? Like, was it networks? Was it applications, web browsers, what type of stuff are you getting into?

 

Philippe Humeau (CrowdSec) (03:48.777)

The browser thing came later on. It was step by step. Back then, we were a lot in ingress. We were exposed to servers and services. We were a happy few. We knew each other, most of us. We broke into other universities just to dredge on other girls we found cute in other places. Nothing bad. We were not stealing anything. Yet, we knew how to do it. It was interesting. Then the dot-com bubble came in. I had my own company and we had to

 

those websites, and we're like, guys, do you want to even try to defend them before putting them online? Because it's just too easy. Like, there's nothing to do. Like, you would sneeze and you would get a shell. You would get full access to the machine. And you're like, and you want to build an empire on something that is made of paper? Well, you know, be my guest, but I'm not sure it's gonna work. So we had some few good years like this, but, you know, the problem is, with services it's like you have to hunt for your meal every day. You know, there's no recurring money.

 

Cyber Crime Junkies (04:45.794)

Yes. Right. Exactly. And so, so you're telling me like back in the day when organizations were throwing websites on, you were able to get in super easy.

 

Philippe Humeau (CrowdSec) (04:57.609)

That was insane. North of 99% success rate. And then we started to implement things that only were known probably a decade or a decade and a half after, like things like DNS tunneling to hide your connect-back channel. When your malware was connecting back to you, it would go through DNS queries, which would be totally invisible. Even nowadays, it would go mostly invisible. So we had advanced techniques. We didn't even know it was advanced back then. We were just using it because it was efficient. And then someone from O'Brien took over this part of the job, which was pen testing, and I did the

 

hosting part, the MSP part, like making sure that it runs. I became a blue teamer because, honestly, sticking to red teaming, you cannot have a private life. You are constantly on the lookout to learn new things, new techniques. You're traveling a lot, you're working around the clock. And I was starting to age, so I could not do that as a full-time job anymore.

 

Cyber Crime Junkies (05:57.592)

Well, it's intense, right? Like red teaming is very intense and it's very, as soon as you accomplish something, you've got to go on and move on to the next

 

Philippe Humeau (CrowdSec) (06:08.359)

Yeah, it's dope. It's dope, and at some point, you know, people come in the game and they're just better than you are. I would compare it quite easily to a high-level sport, you know, like if you are, I don't know, doing triple jump or, I don't know, handball at a super high level, you won't be there forever.

 

Cyber Crime Junkies (06:19.48)

Yep.

 

Mm-hmm.

 

Philippe Humeau (CrowdSec) (06:26.875)

you will be there until your 30s or something like this. It's the same, but for the brain. It's super intensive. You love what you do, but at some point you have to move on, carry on and do some other things. So I went for blue teaming, defensive stuff, hosting, protecting things and start to break things. And this is where I was thinking, you know what? Firewalls, as such, brilliant invention, but why would we consider a static set? Why would you say, like,

 

A is good, B is bad. Well, maybe B became bad? Yeah. Absolutely, David. It makes no sense, right? It's like this person I knew 10 years ago was really good at what he's doing. Yeah, sure. But 10 years have passed. You know what? Maybe he's not anymore. And

 

Cyber Crime Junkies (06:58.998)

Right, because it changes every day. It changes all the time. It's fluid, right?

 

Philippe Humeau (CrowdSec) (07:14.473)

You didn't know everything about him. Maybe he's a drug dealer or a drug baron or something. Maybe he's a very, very bad person. So why would we have a static rule set to defend our online assets? Like saying, this is good, this is bad. It's not an accurate depiction of what happens. So around 2002, I wanted to have, like, dynamic firewalls. It would kind of adapt to what we see instead of just blindly trusting X or Y or Z.

 

Cyber Crime Junkies (07:17.901)

Mm-hmm.

 

Cyber Crime Junkies (07:44.13)

Right.

 

Philippe Humeau (CrowdSec) (07:44.457)

It was not doable back then. It was just not doable. It was way too early. And then in 2015, 2016, we started to revive the idea with my CTO. It was like, I think now we can pull it off. We can do it. We can have some kind of crowdsourced firewall, something like we would protect the machines.

 

And every time an offense would be detected, we would block it, obviously, but we would share it with the world. We would share it with the servers, with the community, to be sure that the others are proactively protected. So if you're patient zero, then the next one is already inoculated or protected, you know, and doesn't risk anything. And we're like, yeah, now we can do it.

 

Cyber Crime Junkies (08:29.024)

Okay, so and then you created

 

Philippe Humeau (CrowdSec) (08:34.173)

My, if it would be that simple, that would be lovely. No, I could not, I could not. Because I sold my company and I had some super complicated rule sets around the transactions. So I could not recreate the company for a while. I could not hire my guys for a while, blah blah. Long story short.

 

Cyber Crime Junkies (08:36.994)

Ha ha

 

Philippe Humeau (CrowdSec) (08:51.817)

Time passes, the concept is super ripe in my mind, and we started the company in 2019, end of 2019. We were ready, we started the first version, we released the first version around, like, end of 2020, and the network started to grow. And something helped us tremendously: it's the Log4j vulnerability. So for your audience, pretty sure they know what they're

 

Cyber Crime Junkies (09:12.77)

Yes. Log4j was huge several years ago, right? Caused a lot of problems. A lot of administrators had to do a lot of fixing, repairing a lot of systems.

 

Philippe Humeau (CrowdSec) (09:28.989)

Yeah, so it was a Java library. Pretty much everybody would potentially use it. They didn't know if they were still using it. Java has this tendency to be extremely resilient. So you put it in production, fire, forget forever, until something really nasty happens. Log4j was a nasty thing. It's a nine out of nine quake magnitude. I know the scale is open, but, you know, it was like terrible. And the guys were like, we don't know.

 

Cyber Crime Junkies (09:50.733)

Yep.

 

Philippe Humeau (CrowdSec) (09:54.195)

We don't even know if we're vulnerable, but we don't want to find out, right? So fix it. And we're like, okay, well, we know what IP addresses are trying to actually poke a hole in your systems using Log4j, so we're going to share it for free, right? We are just a startup. Let's make ourselves a name. We'll give it for free, the IP addresses that are trying to use your system and brute force your Log4j, right? It's a fair deal. It costs you nothing.

 

And the network all of a sudden went from 3,000 users to maybe 6,000 users. And some big names like the Pentagon or others were using the list to protect themselves. We're like, hey, we're up to something, right? I mean, this crowdsourcing was so much more efficient than any of those large CTI outlets or whatever. We had this thing in return.

 

Cyber Crime Junkies (10:43.018)

Yeah, because you're able to share knowledge in real time, right? Your real-time knowledge sharing, and it's public-private: institutions, government and private industry, which is what everybody talks about. We need to have a public-private, you know, partnership, which government always gets in the way of or private industry gets in the way of. So this thing kind of really, really took off right away.

 

Philippe Humeau (CrowdSec) (11:05.223)

Yeah, and we

 

Philippe Humeau (CrowdSec) (11:09.615)

Yes, and I think we really, I think we are the best humans, David, when we collaborate together on something. Like when we had this crisis with COVID, it was terrible. But by organizing worldwide, we could, I mean, come on, we are free to live again in the street and walk, and this thing is from the past. When we wanted to picture a black hole, a black hole by essence cannot be pictured because it's freaking black, right? It's very dark. Well, we used a hundred telescopes

 

Cyber Crime Junkies (11:15.926)

Absolutely.

 

Philippe Humeau (CrowdSec) (11:38.822)

over a year until we got a picture of the thing. When we had a problem on the road, Waze was created, and Waze started to be so important that cities were planning the way they would reorganize based on the traffic they would see on Waze. So crowdsourcing.

 

Cyber Crime Junkies (11:55.436)

Yeah, and if there's any listener that has not tried the Waze app when you're traveling, it is the best, because it's crowdsourced, right? You can find real-time traffic. You can find out where the police are, where the speed traps are, where the construction is, where delays are, where there's an accident. It's fantastic. And this kind of operates in the same model in a sense, right? Only for

 

Philippe Humeau (CrowdSec) (12:10.579)

accident.

 

Philippe Humeau (CrowdSec) (12:19.175)

Yeah, they were role models for us. They are really important people. When we thought of our concept, we were like, it's so close to Waze. Instead of sharing the speed, the heading, where you're going, and the position on the map, which is what Waze collects to do its magic, we would collect the timestamp when you were attacked, the behavior, how you were attacked,

 

and the IP address that was attacking you. Who is attacking you? And with only those three data points, we are capable of curating the signal at scale with a quarter of a million servers working together saying, yeah, I saw it also. Yeah, me too. If all of us saw it, it's not a false positive. It has to be a real thing. So we should broadcast this IP address until it's not nefarious anymore. But for as long as it is nefarious, for as long as it is reported by the network effect, then we should block it all together.

 

Cyber Crime Junkies (13:08.494)

Yeah, that's fantastic. That's fantastic. So how does somebody, like, walk us through what the platform is? I think what you just explained was very good, because you identify, you have, what, 250,000 servers out there, right? And you timestamp when something happens, the IP address of who the, you know, threat actor or, right?

 

Philippe Humeau (CrowdSec) (13:36.563)

for tutorial.

 

Cyber Crime Junkies (13:38.58)

attacker is, you describe kind of how they're attacking, like what is the malware used, etc. And then everybody shares it. And when more and more, when there's a bunch of people doing it, just like Waze, it kind of trends up, right? Like, this is happening now, this is happening now. And then after a while, when people stop reporting it, it kind of goes away. Is that kind of how it works?

 

Philippe Humeau (CrowdSec) (14:03.847)

It's absolutely correct, because the biggest problem in our industry, David, is like the difference between intelligence and actionable intelligence. So yeah, if I tell you there's a bunch of terrorists in Afghanistan, it's information, okay, we'll consider it. So maybe we'll tell the US citizens, don't go right now into this area of the world because you may be at risk.

 

Cyber Crime Junkies (14:24.726)

Right, the general area,

 

Philippe Humeau (CrowdSec) (14:27.75)

It's general information, you cannot do much about it. You're not going to send Green Berets there because you think there is someone. But if I tell you at this GPS location, at that time, there is this kind of people, yeah.

 

Cyber Crime Junkies (14:37.302)

Right. There are five of them right there with something dangerous, right? Then you can go in and say, right, you can take

 

Philippe Humeau (CrowdSec) (14:45.321)

You can strike. So it's actionable. And it's actionable because it's crowdsourced, because we have enough reports so that it cannot possibly be a false positive, because the false positive is the death of any cybersecurity system. Why that? Because no matter who you talk to, if you say, yeah, well, we have 99.9999% accuracy and we're not broadcasting false positives, the guy will be like,

 

Oh my, there is a 0.0001% chance that you would cast me a false IP address and that in the end I lose this one transaction that will bring me this billion dollars. Wow, that's too risky. I cannot put it in production. I'm like,

 

You know what? I mean, the odds that you're going to get a goal and someone is going to score on your servers and wreck you for $4 million is like 25%. But the fact that there is 0.00001% that you may lose a transaction of a pair of socks for $20, you prefer to take that risk? Really? Well, then, okay, that's very abstract.

 

But that's the way minds of humans are working. That's all. You don't fight against that. You don't fight against your client's fear. So what you say is like, we have designed a system, and if we give you an IP address, you can block it blindly. Because this one has been carrying so many attacks that it cannot possibly be a false positive. And that's how you get out of this weird cycle.

 

Cyber Crime Junkies (16:14.606)

Right. Well, because all of these people, all these other entities, are voluntarily reporting the same thing. Right? This is crowdsourced. We are sharing this information for free. We are being attacked by this IP in this way. And you get 10, 15, hundreds of them. Not everybody's lying. It's not a big conspiracy. Right? Right. So, so there is truth in just more and more people.

 

Philippe Humeau (CrowdSec) (16:27.581)

Yes.

 

Philippe Humeau (CrowdSec) (16:31.027)

this.

 

Philippe Humeau (CrowdSec) (16:39.047)

and that's all.

 

Cyber Crime Junkies (16:44.876)

you know, witnessing

 

Philippe Humeau (CrowdSec) (16:46.921)

It's a bit like in a cryptocurrency system. This blockchain, this layer 1 blockchain like Bitcoin or Ethereum, if you would try

 

to rig the system and write something false into the ledger, it would cost you more than what you would get out of it. So I'm not saying CrowdSec cannot be compromised. I'm not saying CrowdSec will never ever, ever, ever broadcast false positives. I'm saying that for someone to put a false IP address into our block list, it would cost him so much, so much, that it's just not worth it. He'd have to spread over like 50 different servers,

 

accounting for at least 10 different autonomous systems or different areas of the internet, have passed their quarantine time of six months, because before that we just don't listen to them, and in the end, eventually stitch a false IP address into the block list, into what we call the consensus of the network, just to lose it over maybe one or two hours, because we would look into it, right?

 

Cyber Crime Junkies (17:29.432)

Mm-hmm.

 

Cyber Crime Junkies (17:51.084)

Yeah. So is there a timeline? Yeah. Is there a timeline that has to happen with this, with this certain type of threat attack, or from that, or, I mean, because it can happen pretty quick, right? Like it can, yeah. Okay. Because you said over six months, and I'm like, it's not like you wait six months for

 

Philippe Humeau (CrowdSec) (17:52.198)

and then all this network will be scratched.

 

Philippe Humeau (CrowdSec) (18:05.191)

yeah. The fastest we had.

 

No, no. Sorry. When you join the network, like if you install Waze, we would not listen to you for the first six months, because we don't trust you. We would only start to listen to you after six months. So if you would want to pull the highest trick with our system, you would have to contribute voluntarily and accurately for six months before you'd be able to eventually send something that is false. So the ratio is just not good.

 

Cyber Crime Junkies (18:32.398)

Yeah. Okay, so that's good. Well, this is because it was designed by hackers, right? Like, you know, you know how a threat actor would think, and they'd be like, well, I'm just going to join real quick, and I'm just going to mess up their system just to do it. Right. And, you know, no, no, you have to voluntarily engage in this for six months. Like, hackers are going to be like, I can do so much more damage today somewhere else. I'm just going to move on. There you

 

Philippe Humeau (CrowdSec) (18:39.559)

Yeah.

 

Philippe Humeau (CrowdSec) (18:43.677)

Yes.

 

Philippe Humeau (CrowdSec) (18:58.345)

During soft CS? Yeah, entirely.

 

Cyber Crime Junkies (19:00.918)

That's the hacker mentality. I love that mentality.

 

Philippe Humeau (CrowdSec) (19:03.854)

And think about it, like if you have a network doing, I don't know, DDoS, for example, like the famous DDoS, InfraShutdown, Anon Sudan, all of these guys, you know, they have the same system, all of them. It's a master node that is sending a JSON payload to all these followers saying you should make a GET /login request on this server.

 

Cyber Crime Junkies (19:07.533)

Yes.

 

Cyber Crime Junkies (19:25.324)

Yeah, everybody go and do this. Everybody go do this.

 

Philippe Humeau (CrowdSec) (19:28.689)

everybody does this, and then in return we are giving you some cryptocurrencies. Well, the thing is, these networks are very vulnerable. Everybody is dead scared of them, but when you crowdsource, you kill them super easily, because the first time you receive a packet, okay, you block it, you report it, you block it, you report it. After a certain amount of time, you have the three thousand, four thousand, six thousand machines that are involved in this work, all of them are

 

And the next one that is coming, when they change their focus to another target, if the target is in CrowdSec, well, it's already aware that these 6,000 IP addresses are part of the botnet, and they should never ever be even listened to. So meaning they block at layer 3, at the firewall, at the connection layer,

 

attacks that would be extremely costly to deal with at layer 7, at the applicative layer, because it would involve some database requests, some CPU processing, and so on and so forth. When you kill them at the network layer, you spare so many resources that it costs you nearly nothing to block a DDoS attack.

 

Cyber Crime Junkies (20:31.448)

So let me ask you this. That's fantastic. That's a good explanation. Let me ask you this. Why haven't other companies, like larger companies, the Palo Altos of the world, the Hewlett Packards of the world, why haven't they developed something like this? Is it because, or the Fortinets, right? Like, is it because they're concerned that it cuts into profit? They don't know how to monetize

 

Like, why do you think, I know you're not them so you can't answer, but just, just a discussion, right? Like, why isn't this, like, this is a great idea. And it's actually executed very well. So why aren't some of these other organizations doing this? Like, why wasn't this done earlier by some of these big organizations that have 1,000 people already dedicated to something like

 

Philippe Humeau (CrowdSec) (21:04.391)

No, but

 

Philippe Humeau (CrowdSec) (21:29.481)

There's a lot to unfold here, but it's a very interesting question, David. Thank you for that one. So the first thing I would put forward is that we're discussing with actors like Microsoft or Cisco or F5, and they're very impressed with what we gather. Like, VirusTotal tells us 35% of what you collect is unknown to any CTI vendor on Earth. Eventually, half of it, they start seeing it two weeks after.

 

Cyber Crime Junkies (21:49.291)

Wow.

 

Philippe Humeau (CrowdSec) (21:53.778)

So how come no one did it in this way? The first thing is, when you're a Palo Alto client, you're paying Palo Alto. So why on earth would you share things with them on top of that? It's really hard to incentivize your paying client to give you something for free in return, because then they would ask for a discount, they would ask for a lot of things. You could do it behind their backs, but they wouldn't like it, and GDPR-wise, there would be regulation that would apply. The second

 

Cyber Crime Junkies (22:13.4)

Mm-hmm.

 

Cyber Crime Junkies (22:19.5)

Yeah, I was going to say they could try and bury it in the T's and C's, right? They can try and bury it in the fine print, then be like, hey, we're going to still collect this data and share it with everybody. But there you've got GDPR. You've got all these other issues,

 

Philippe Humeau (CrowdSec) (22:24.241)

Yes.

 

Philippe Humeau (CrowdSec) (22:31.207)

Yeah, it doesn't work that much. The second thing is, say you're Google. We are very good at getting relations with Google. Say Google does it. Well, Google doesn't do it. And we have it from Google itself. The reason is the following. What they like is the diversity. Because

 

CrowdSec is used by universities in Togo or professionals in Finland or very large corporations in the US, like sweatshops in Thailand, everything. So the diversity of locations, type of businesses, the technologies they use and so on is immense. It's 185 countries. Okay, countries don't make sense on the internet, but it gives you a taste for 100,000 users spread all across the world.

 

Cyber Crime Junkies (23:11.726)

Well, because there's different threat actors that operate and target all these different sectors, right? Right? Like like a certain type of threat actor and type of attack that's attacking a sweatshop in Thailand is not necessarily going to be the same one going after Google or going after a manufacturing plant in the US. So you're getting all of that data. Yeah.

 

Philippe Humeau (CrowdSec) (23:16.303)

Yeah, and per vertical and so

 

Yes.

 

Philippe Humeau (CrowdSec) (23:28.521)

Absolutely.

 

Philippe Humeau (CrowdSec) (23:34.341)

all of those signals. And the thing is, if you're Google, you're incentivized to deploy those probes on your own network, because if you don't, you'd start paying AWS or Azure to host your honeypots to collect the data. Here, we don't do this. I mean, our clients are using their CPU, their computing power, their machines, their landline connections to process this locally.

 

And we offer a huge diversity that they would never be able to provide in terms of business size, locations, type of traffic they see, and so on. If you want to dodge entirely Google's network or Akamai's network or Cloudflare's network, it's super simple. It's like their ranges, their IP ranges, are advertised. So you know where you have to dodge. A good example is Akamai. They are very, very, very strict on everything. Akamai. Akamai is a CDN.

 

Cyber Crime Junkies (24:20.206)

Who's that? Who? okay. Of course.

 

Philippe Humeau (CrowdSec) (24:26.171)

If you start poking on their systems, you'll be instantly banned and your IP will be flagged. So what do they do when they scan? They don't scan Akamai. So if you deploy probes on Akamai's network, you're not gonna see the whole thing. You're gonna see everybody that is stupid enough to scan the range of Akamai, which arguably for cyber criminals is not so often, because they know it by heart,

 

Cyber Crime Junkies (24:50.048)

Right, and they know they'll be banned immediately and they'll be

 

Philippe Humeau (CrowdSec) (24:53.049)

Exactly. It's, think about the 5th Avenue in New York, right? You have cops there, maybe a hundred. So if you want to do something really bad, like plant a bomb, you will try to be away from the cops, away from the cameras and so on, and plant your stuff, right? The problem with CrowdSec is like every other person on the 5th Avenue is a cop in disguise or a camera, and you won't know about it. Exactly. You just won't know

 

Cyber Crime Junkies (25:15.658)

Right? Yeah, they're all reporting on it. It's almost analogous. Yeah, the analogy is like today compared to 20 years ago, everybody has an iPhone. So if something happens, right, if you get into a bar fight, right, now there's going to be 30 eyewitnesses with documented video, right? As opposed to 20 years ago, you could do it and then it's a he said, she said in court. But now you're like, it's not he said, she said, everybody has video.

 

Philippe Humeau (CrowdSec) (25:27.603)

exactly.

 

Philippe Humeau (CrowdSec) (25:35.517)

Yes.

 

Philippe Humeau (CrowdSec) (25:45.575)

Yeah, no, absolutely. This is the point of crowdsourcing. It's like, you cannot dodge us. You cannot rig the consensus. You cannot tamper with it. You cannot say something that is not true.

 

And you cannot dodge us because you don't know where we are. And the third point that is very important is if you try to run some honeypots, which is the classical strategy that was used before us, you would potentially put... So honeypots for the audience is you put a machine over the internet and say, I'm vulnerable, I'm vulnerable, please attack me, attack me, attack me, attack me. Okay, so I run outdated binaries and websites and God knows what.

 

and you fake that you're vulnerable and you collect attacks. So that's a great way of doing it if you don't have a network, but there are a lot of limitations in this. The first one is it costs you, because every machine you would deploy would cost you around like 20 or 30 bucks a month. So just in terms of OPEX, you cannot scale, right? It's complicated to scale. If you want to match, for example, CrowdSec and have a quarter of a million servers reporting to you, it would cost

 

Cyber Crime Junkies (26:35.853)

Mm-hmm.

 

Philippe Humeau (CrowdSec) (26:48.937)

250,000 times 20 bucks a month, which is quite a colossal amount of money, first and foremost. The second thing is you will only catch low-hanging fruits like the gatling guns of the internet that are just, you know, painting bullets and spraying them around and praying to get something out of it. But nobody will use an advanced method of breaking into your system or something that would cost them money and resources to compromise a mission that is not tied to any business.

 

I want to attack this business and I want to extort money out of it. I don't want to attack like a random machine that is belonging to no one and has no value, face value for me. So what you see is very different from a honeypot standpoint compared to a realistic network of real users running real services in real life for real companies.

 

Cyber Crime Junkies (27:39.35)

That's fantastic. So let me ask you about the different ways that organizations can leverage CrowdSec. So first of all, it looks like there's a community engagement, right? Like they can come in and they can have an unlimited amount of scenarios. And it's kind of based on their level of contribution that then they can get frequent updates.

 

More frequent updates based, you know, the more you contribute and share, the more you can be informed. Is that fair?

 

Philippe Humeau (CrowdSec) (28:15.065)

It's very close to what we have created and congratulations for that because it took me years to figure out the proper balance system, but extremely close to it. They read in like just minutes. So the way it works is if you protect against, I don't know, let's say credential, credential stuffing, credential brute force, credential reuse, impossible travelers, all those things. All right, let's call it the credential ecosystem.

 

Cyber Crime Junkies (28:31.084)

Mm-hmm. Right.

 

Philippe Humeau (CrowdSec) (28:41.169)

So if you run scenarios of IP addresses that would be credential brute forces, we will send you back once per day for free, IPs that are also doing credential brute force somewhere else in the world because you contribute to establishing this list. So it's just normal and fair game that we pay you back for free with those IP addresses. Now the next question would be, how do we make money

 

We make money by having the global network and overview effect and sending extremely advanced block lists and data to people that may not want to run the system. So maybe they don't want to run the security engine. They just want the data, the output of the network effect. And we will also

 

Cyber Crime Junkies (29:19.874)

Right, because they, I mean, does this data, can this data be thrown into like a SIEM or this threat feed, right? So this is a premium threat feed essentially that is curated by everybody in the world in real time. Pretty powerful.

 

Philippe Humeau (CrowdSec) (29:27.58)

Yeah.

 

Philippe Humeau (CrowdSec) (29:33.693)

Yes.

 

Philippe Humeau (CrowdSec) (29:38.713)

Yes, and even more than that, because if you put it into a TIP, a TIG, a SIEM or anything like this, it is information. But what we do is not only information, we also do block lists, which is proactive. So you can directly inject them into your firewall, fire and freaking forget. That's the next level. It's not reactive like body counting, like what happened? Let's look into the SIEM. This IP was known, oh, we should have blocked it. No, no, no, no, no, no.

 

Cyber Crime Junkies (29:55.362)

Right. Yes.

 

Philippe Humeau (CrowdSec) (30:08.147)

put it into your firewall directly. Yeah, absolutely. So say if you're a large company, say Apple or Microsoft or something like this, you wanted the data, refine them, torture them in the way you see fit for your infrastructure and diffuse them the way you want. That's another game. So they take the whole data lake and they do their stuff with it or they learn from it with Copilot. But if you are a smaller player,

 

Cyber Crime Junkies (30:09.083)

just you throw it right in, you block it right off the bat, you do it proactively.

 

Philippe Humeau (CrowdSec) (30:35.057)

an SMB, and you don't want a thinker who is like, I'm not sure if I should put that in production. So, okay, what are you? You're a hospital in Great Britain. Okay. And what do you fear? This? Okay. We have a block list specifically for that. IP addresses that are attacking specifically hospitals on the credential level. And we will add IPs that are specifically aggressive against UK infrastructure.

 

Put this directly into your firewall. This is your magic secret recipe. This is the sauce of your burger. Put it in your firewall. Forget forever about it because your firewall will then be updated every five minutes based on the network effect and what we see at scale.

 

Cyber Crime Junkies (31:15.022)

So and for listeners, like companies that have trusted this include Deloitte, Microsoft Security Copilot, Google for Startups. Is it the Paris Olympics? The Paris 2024 Olympics, Le Monde, Crédit Mutuel Arkéa, that's the one we were talking about earlier, and then some French things that, I took Spanish in school. So sorry, I can't pronounce

 

Philippe Humeau (CrowdSec) (31:22.216)

Yes.

 

Philippe Humeau (CrowdSec) (31:29.79)

Yes.

 

Philippe Humeau (CrowdSec) (31:39.921)

Yeah, no worries. No, no,

 

Cyber Crime Junkies (31:43.842)

So I don't want to insult everybody. I have lots of friends in France, so I don't want to insult them. So in, I always want to ask, I'm a branding guy. I like logos. I like mascots. What's with the purple dog with the glasses? Who's that? Is that like a dog that you came up with? Did your daughter come up with it? How'd you come up with

 

Philippe Humeau (CrowdSec) (32:04.169)

So good one. The question was like, you know, we have an open source software. So basically when you're an open source company, you have to have an animal, an emblematic animal. So for example, for PHP, it's an elephant. Yeah, it's unsaid, but yes, there is, David. Yeah, for example, if you look at Linux, it's sort of a penguin. It's not really a penguin, but whatever.

 

Cyber Crime Junkies (32:18.55)

Is there a rule that says that when you're an open source company, you got to have an animal?

 

Cyber Crime Junkies (32:30.368)

Yeah, yeah, yeah, you're right. You're right. Of course. Yeah. Yes, yes.

 

Philippe Humeau (CrowdSec) (32:32.189)

Python is a snake, obviously, right? So we decided we would have an alpaca. So they are actually not llama, they are alpacas. An alpaca in Peruvian means policeman. And it means policeman because they are keeping the herd together.

 

Cyber Crime Junkies (32:40.992)

Paca. Yeah, the alpacas. Yeah.

 

Cyber Crime Junkies (32:47.087)

Mmm. It's a policeman animal. It's a police animal. See, there's a story behind it. There's always a story behind it. I love it, man. That's so cool.

 

Philippe Humeau (CrowdSec) (32:52.441)

And they prevent them from falling from the cliff. There is a story. Always. So you cannot be alone because we are a crowdsourced system. And if it's two, it's a couple. So there needed to be at least three of them, right? And yeah, or they would die otherwise. Yep. And so we...

 

Cyber Crime Junkies (33:08.738)

Right, well, and alpacas are always in groups. Yeah, right. Just like podcast hosts. Just kidding. So that's why we always interview people, because you don't want to hear me talk. So this is really cool. I love it. I freaking love this. So we're going to have links to the site. It is crowdsec.net. So we'll have links in the show notes. Check this out, because it is phenomenal. Now,

 

Philippe Humeau (CrowdSec) (33:22.439)

That's why we have three alpacas.

 

Cyber Crime Junkies (33:37.998)

Can organizations join this at no cost? There's limits. It's kind of like Waze in a sense that you can do the free version and then you get a limited amount, right? And you can do a paid version. You get more data and more actionable

 

Philippe Humeau (CrowdSec) (33:46.365)

Yes, so yeah, the entry level.

 

Philippe Humeau (CrowdSec) (34:00.101)

Yes absolutely. The free version is extremely generous. The free tier is extremely generous. It's made to be used by the largest number because we consider that if you use the free version you're paying us with signals. So you're already paying us. It's fine for us. It's fine for us. Yes.

 

Cyber Crime Junkies (34:10.442)

Right, exactly. Everybody benefits when you do it. So you can do this for free and then your information about what you're seeing gets shared with the world and that's okay.

 

Philippe Humeau (CrowdSec) (34:24.625)

Yeah, and the point for us is to give you a reason to buy it. We don't consider that it's open source and that would be fair that you buy it. No, no, no, no, no. We have to be the one providing you.

 

Cyber Crime Junkies (34:28.097)

Mm-hmm.

 

Philippe Humeau (CrowdSec) (34:34.715)

functionalities that you would love and a good reason to buy them. So what we put in the mix, for example, here is you have a SaaS system, a SaaS company that can industrialize all of your work with your machines, with your security engine, automate and replicate decisions, tell you if you're under a targeted attack or if it's like just random background noise, things like this, and much, much more. And on the other side of the spectrum, we sell the data to large companies like Cisco, Microsoft, and so on so they can use

 

or SMBs if they want so they can protect themselves better. So worry not if you're using the free product you're helping us.

 

Cyber Crime Junkies (35:09.976)

Well, it would help with, yeah. Yeah. I can see MSSPs using this. It'll help organizations with their application security, with threat hunting. It's really good. And then you also have, you can protect systems with like the real time block lists.

 

Philippe Humeau (CrowdSec) (35:15.431)

Yes. Yes.

 

Philippe Humeau (CrowdSec) (35:34.747)

Absolutely. There are, so the limitations of the system, I should be transparent about it, is like we deal with ingress data. So exposed servers over the internet, so that are receiving connections from the internet. We are not dealing with workstations that are essentially looking for egress. No, we're not to connect. We tell you who not to POS, whereas egress is who not to connect with proactively yourself, but it's ingress.

 

Cyber Crime Junkies (36:00.653)

Of course.

 

Philippe Humeau (CrowdSec) (36:01.947)

And another pitfall that you should remember maybe here, two of them, we are not CrowdStrike. I'm sorry about what happened to them. Very sorry. We had requests. Yeah, we had requests at the support. We're like, guys, you destroyed our systems with your XDR. We're like, we don't do XDR.

 

Cyber Crime Junkies (36:09.459)

Yes, you're CrowdSec. Yes, it is different.

 

Cyber Crime Junkies (36:17.216)

Were they reaching out to you? Now hang on. And so we're recording this. This will be released, you know, a couple of weeks later, but we're recording this right after the CrowdStrike incident, which even if you don't know who CrowdStrike is, and I've seen a lot of people that aren't in the security community call it CloudStrike. They're mispronouncing it or they're calling it CrowdSec by accident. So CrowdStrike is the, you know,

 

Philippe Humeau (CrowdSec) (36:22.365)

Yes.

 

Cyber Crime Junkies (36:46.106)

largest, you know, behemoth of security platforms and their EDR, their Falcon platform rolled out an update and caused the blue screen of death to happen and crippled industries across the world. So we're not making a comment on that. But the point is, is people were reaching out to you guys saying, hey, why did you guys, how come I'm stuck in an airport? You guys wrecked us. We're like, no, no.

 

Philippe Humeau (CrowdSec) (37:09.33)

Yes.

 

Cyber Crime Junkies (37:15.724)

That's

 

Philippe Humeau (CrowdSec) (37:17.533)

That's another, yeah. Yeah, that was funny and not funny. I mean, mainly for them because we're very sorry

 

Cyber Crime Junkies (37:24.14)

You gotta laugh. It's kind of, you know, in the, the, you know, when you're faced with catastrophe at that scale, how can you not laugh? Right? Like you have to laugh at some point because you're like, holy cow, you know, it's just terrible. They're, and everybody means well, yeah, assume good intent. Like people were trying to do the right thing. They didn't, you know, could they have done things differently? Could they have tested a little?

 

Philippe Humeau (CrowdSec) (37:35.08)

Yeah.

 

Philippe Humeau (CrowdSec) (37:39.559)

No, it's terrible for them. I'm very sorry for them because on top of that, software is rather good.

 

Cyber Crime Junkies (37:53.654)

You know, that's the debate, right? That's what's up. Surely.

 

Philippe Humeau (CrowdSec) (37:53.705)

story.

 

Philippe Humeau (CrowdSec) (37:57.366)

And the second pitfall is like remember that on your keyboard the X and the C are very close to one another and if you type by mistake an X at the end of our domain name you're gonna end up in a very different place because it would be crowdsex.net instead of crowdsec.net, which obviously, now, don't do

 

Cyber Crime Junkies (38:13.442)

Yeah, please don't do that. A good thing I don't have my co-host on because he'd be all over that. So we don't want to do that. So and then what are you doing with Microsoft Copilot? So walk us through that because Copilot is something that is really exciting for a lot of organizations. So how are you guys helping with security with Copilot? I see that on the

 

Philippe Humeau (CrowdSec) (38:21.01)

You

 

Philippe Humeau (CrowdSec) (38:35.049)

So.

 

Philippe Humeau (CrowdSec) (38:39.545)

Yeah, they came to us, actually the guys at Microsoft, this is where they're extremely pragmatic. You can tell Microsoft is pragmatic to the latest bit. They came to us and said, hey guys, we asked our cyber security expert community what data feed they would like to see included into Copilot Security. And your name popped out. So we looked at your systems and the API was pretty clear. So we used the free plan and integrated it into Copilot for tests, to run tests. Should we show you? Can we show you?

 

Cyber Crime Junkies (38:56.846)

Sure. Great.

 

Philippe Humeau (CrowdSec) (39:09.383)

Like, yeah, sure. So they are, hey, Copilot, tell us more about IP ABCD. And Copilot started to say, hey, it's coming from Detroit. It's known to do this and this and that for the last couple of weeks. Before that, it was doing this. CrowdSec recommends that you would block it because it's considered a threat as we speak. And I saw it into your logs here and there and there. And they were like, this is all your data.

 

I mean, except for the log part, you know, everything comes from your API. So should we strike a deal and people can use an API key on your system and add your information feed to Copilot? We're like, heck yeah, they can. Of course they can.

 

Cyber Crime Junkies (39:49.25)

Yeah, that's phenomenal. That's absolutely phenomenal. That's great. So what's next and what is some of, is there anything you can share? Are there any stories on new threats that came up that you guys were able to see right away? Anything with, you know, there's a lot of zero days that have been happening in the last, I mean, there've always been zero days. You know, you know, I say one thing and

 

people will comment, they're like, well, technically there were zero days before. I don't mean that. But like, I always think of the MOVEit breach, right? Like MOVEit was massive. You know, that type of thing. Are you guys able to see that as it's happening? It kind of trends up, people start reporting it. What what

 

Philippe Humeau (CrowdSec) (40:19.708)

Hahaha

 

Philippe Humeau (CrowdSec) (40:36.881)

Yeah, so when we see a CVE that is known, we release a signature very quickly for the engine and the network starts rolling out the signature automatically. So we start seeing who is exploiting, say, there was one recently about like SSH and one about like PHP on Windows environments.

 

We got a lot of IPs pretty fast, but what is interesting is we rolled out a feature, I don't know, like half a year ago or something like this called alert context. So you send us the timestamp, the IP address, the behavior, but if you want optionally, and you have to opt in for that because of GDPR, it would be complicated to explain, but.

 

You have to opt in for that, you can send us the context. So if someone is brute forcing your system, David, and is using your email address, we would send the context that the login would be david.marrow at blah, blah, blah, blah, blah, then the password they want to try, right? So it's not just the behavior like he's trying to brute force the password, it's a bit more context about the alert. So now what we see with the system, which is super interesting, we see the trends. Sometimes we see people trying things and we're like,

 

It's not a documented CVE. Why are they trying? Because we don't know about that one. We've never seen this kind of signature. It stands out, right? And this is where, by the way, we are using AI because when we see something that is standing out from the normal classical expected behavior, we're like, yeah, it's an anomaly. It stands out. Exactly. And so then we tell, hey, you know what? This is probably a CVE to come that we don't know yet about.

 

Cyber Crime Junkies (41:45.262)

Mm-hmm.

 

Cyber Crime Junkies (41:57.304)

You're like an anomaly, right? You see a trending anomaly.

 

Philippe Humeau (CrowdSec) (42:12.645)

And we would share it with specific threat researchers and labs, but I'm thinking about monetizing this, saying, hey, you're this top notch vulnerability research firm. We have an early alert network around, you know, those emerging threats that are not yet known, but we think it's worth digging into it. Let's cut a deal. I don't know what would be the business model yet, but I'm thinking about it.

 

Cyber Crime Junkies (42:39.448)

That's phenomenal. So we encourage everybody. And I mean this, like check out CrowdSec.net. It's just fantastic what you guys are doing. I wish you nothing but the best. This is great. Anything before we wrap up? Any ideas that you can share about what's coming? Anything on the horizon?

 

Philippe Humeau (CrowdSec) (43:05.105)

Yes, I think what comes to mind is like people are training offensive AIs as we speak. They learn from CTF logs, so capture the flag logs, you know, these white hat competitions. So they learn from the humans, from the best on earth, by the way. They learn from the CVE database. They learn from academic papers. They learn from all of this. And you can compile an AI that is fairly freaking efficient already. And that would unleash hell on you within

 

milliseconds or seconds at best. The thing that I am concerned about right now is those AI, they don't have feet and legs, they cannot move physically toward you. So the only way they can carry their attacks is through IP addresses. So our goal is to neutralize not really the nuclear warhead, the payload, but to neutralize the rockets themselves.

 

Cyber Crime Junkies (44:01.4)

the effect of it, the effect of it, right? By spreading awareness and having all these people block it, then they have this warhead, but it can't land

 

Philippe Humeau (CrowdSec) (44:03.655)

with vectors, right? Exactly. Exactly.

 

reach the destination because what we see is like the early versions of what we see is like usually a human or a smart scanner or stuff like that would narrow down on, you know, trying to be efficient after 15-20 iterations poking around trying to find exactly how to breach you. The AIs we are talking about need three to four to five attempts, so it's much, much faster.

 

So what we want to do is be able, because they still leave trails, right? So what we want to be able to do is to say, hey, this AI is using this kind of range, IP ranges, block it because we know it's a global offensive AI behind it. And this one is extremely nefarious. And if we can prevent it from being efficient by ruining its IP ranges before they even reach you, it's already a good thing.

 

Cyber Crime Junkies (45:02.808)

Yeah, that is phenomenal. Founder of

 

Cyber Crime Junkies (45:11.086)

So that is just absolutely great. So love what you guys are doing. This will not be the last time that we speak, Philippe. And we absolutely wish you guys all the best. We will have links to CrowdSec in the show notes. It is a great community. I wish you guys, I see you guys are growing, you guys are hiring, you know, reach out to them, engage in this community because it's a great way for all of us to...

 

Stay more secure. Thank you so much,

 

Philippe Humeau (CrowdSec) (45:45.169)

My pleasure David.

 
