September 1, 2023 79 mins

An enthralling odyssey through the cybersecurity landscape awaits you in this episode, as we're joined by our esteemed guest, Crypto Knight. With a rich tapestry of experience, from his tenure at ISC² to implementing the first real-world SAML deployment, our exchange with Crypto Knight offers a journey that is both insightful and enlightening. He walks us through the intriguing labyrinth of his professional life, while shedding light on the foundational aspect of finding that sweet spot: the intersection of passion, skill, and mission.

As we traverse the depths of the cybersecurity universe, we encounter subjects that are central to this field. Brace yourselves as we navigate the ethical matrix that guides security professionals, the potential hazards that come with the territory, and the unique role CISOs play as truth tellers. We also shed light on the dynamics when companies fail to act on disclosed vulnerabilities, a situation that brings with it a host of risks and responsibilities.

Moreover, we plunge into the heart of ethical disclosure, responsibility, and the pivotal role the professional community can play in disseminating knowledge and experience. Crypto Knight also imparts his wisdom on the path to breaking into cybersecurity, the weight of certifications, and the necessity of continuous learning in this perpetually evolving area. So, whether you're a seasoned professional or just stepping into the field, this episode promises to be a captivating odyssey.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:02):
And it is me, the Cyber Warrior. This is Cyber Warrior Studios and I know you were all here for another amazing episode of Security Happy Hour and, yes, this guest was last minute, but you knew the show was gonna go on, so if you weren't here that's your fault, because I do this live every Friday at 7 pm Eastern time. But either way, look, I'm here, we're gonna have an amazing show,

(00:24):
a lot of great topics, so I'll be back in just a second. And we're back, and that's right. It is me, the Cyber Warrior, and hold on real quick. There it is, the official kickoff of Security Happy Hour, and with me this evening I have Crypto Knight, who goes by some other names. I will let him give those names if he so chooses.

(00:45):
Otherwise, thank you for joining us this evening and I'll see you next time. Bye, bye, and with that, I will leave those names, if he so chooses.

Speaker 2 (00:54):
Otherwise, thank you for joining us this evening. No worries, happy to be here, you know, chilling in the backyard in the glorious sunshine in central Ohio, and happy to contribute to community, as always, because it's all about giving back and that's the biggest thing and that's why I do this show.

Speaker 1 (01:13):
It's all about giving back to the community and making sure, you know, new people get to understand and kind of get their voice heard, especially for newer people that are trying to break in. So it is very vital that a lot of the information that we give out on this show benefits that. So, first and foremost, why don't you give a little bit of introduction about yourself? Because you have been in the

(01:35):
field for a while, so you'll be able to give them kind of life experience and people can actually understand why, you know, you know your shit. Yeah, yeah, well, the gray in my beard is not a mask that I'm wearing, it is legitimately earned.

Speaker 2 (01:49):
I've been doing security full time since 2000. Mostly Fortune 500 stuff, a whole lot of architecture, security and identity, journey to cloud kind of stuff. And before that I was a developer and doing a whole lot of client server stuff and I said, hey, we got client slash server. Nobody does the slash, which is networking, so I'm going to

(02:10):
focus on data center operations, et cetera. So I did a lot of networking, server installs, a whole lot of screwdriver work, fantastic stuff, and I just played the field a lot across security. And now it's awesome because I get to do full time security and identity strategy. It's mostly what I do, although I do play like in tangential

(02:30):
spaces like BYOD and making that happen, like I said, journey to cloud, helping some companies get there. So it's a lot of fun. And along the way I started acquiring some certifications and got, actually was on a project with a guy who was a board of directors of ISC squared and I had seen the

(02:52):
letter that came out when they first launched. I was like, oh, that's so cool. But at that point there were like two exams a year and I can't afford to fly to California and blah, blah, blah. And he said, well, why don't you come help us develop our certification? So I did, long story short. A couple years later, through a whole lot of volunteering and whatnot, I found myself on the board of directors of ISC

(03:15):
squared, started there to add some governance, to add some to the ethics program they already had and take it further, et cetera, and to establish term limits. And then I termed out because I added term limits and I came back later and now I'm on the board of directors.

(03:39):
The ISC squared just voted to do what I originally planned. Yes, good for the organization, good for the industry, bad for me, which is hard stop term limit. Six years, done for life. And so a year and a half from now I'm out, having successfully pulled the ripcord to say, yeah, term limits are a healthy

(04:01):
thing. Let's do that. And it's been a really cool trip and I've seen a lot of cool stuff, probably my biggest, coolest thing that I ever got to do. I was the security architect and technologist that did SAML for the first time in the real world. That was in late 2001.

(04:27):
We went live I think January 6th of 2002-ish, like right around there. So yeah, 21 years ago, first SAML in the real world ever, and that was really freaking cool. Got to do a lot of fun stuff with federation and helping organizations solve this whole security challenge around

(04:49):
identity, and led to a pretty cool trip from that on. So yeah, I've had a lot of fun and I found a profession that I would totally do for free. But don't tell my employer because I want to get paid. Don't tell them how much fun I'm having because, oh my gosh, I would do this for free. But I got two kids in college.

(05:12):
I didn't make tuition payments.

Speaker 1 (05:15):
And that's the big thing, right? You never work a day in your life if you love what you do.

Speaker 2 (05:19):
That's it. That is it. I actually talked with one of my profs when I was in school. We were like locked out of a room having a chit chat and he said the kind of same thing. He said, don't tell the university how much fun I'm having because they'll stop paying me, because if they stop paying me, I'd still show up and do what I'm doing today. And when you can find the intersection of what you love,

(05:41):
what they will pay you to do, what you're good at. And I didn't figure out the fourth one until I was 32: what is aligned with your mission. And that is, oh my gosh, it's so good. So good. Because I woke up and I was working at BMW Financial Services, great company. But they, I'm not slandering them because they don't sue me,

(06:06):
but they kind of exist to be able to help people afford BMWs they normally couldn't afford so their neighbors can look and see the BMW in their driveway, and that is so far from feeding starving children. And I was like, oh, I need to switch industries because this is not missional.

(06:26):
Yeah, that's huge, it is. It is alignment with whatever your mission. I can't tell you what your mission is, but whatever your mission is, that's enormous. And the position that cybersecurity occupies is a position of trust, to be able to protect economies and people, the innocent, the disadvantaged, and be able to enable missions

(06:53):
to be successful.

Speaker 1 (06:54):
It's a pretty rewarding work. It is, especially if you get into the right area, and so this leads us into the future state, though. This is one of the things I want to discuss, because we see a lot now of consulting firms, MSPs, MSSPs, all

(07:15):
these different things that provide security for a lot of different organizations. Their whole premise is to secure as many companies as possible, which is great on the outside, but from the inside, if you don't agree with, say, one of the corporations that you're dealing with, because you have to secure them, that's your job,

(07:35):
that is your mission, that is what you're supposed to do while you're there. How can you come to terms with the two in the future state? Because I see a lot of organizations dropping their security people, and so the only jobs left are going to be these consulting and MSSP firms.

Speaker 2 (07:55):
It was really interesting. I don't know if I have permission to mention my current employer. Anyway, I won't go there because Google works, so you can figure it out. So when I interviewed to work for them, and my two-year anniversary was like two weeks ago, so yeah, a lot of the

(08:18):
questions I asked them were on values and ethics and they were a little surprised at that, but I really loved the conversations I had and found out about, you know, what their values were, and I said like, hey, what companies won't you work for? Nobody really asked us that question before. Not that they don't have ethics, but it is like they had

(08:40):
instruction in that way, and if somebody came along like, hey, we're Hezbollah, help us secure our stuff, they'd probably say no, but they hadn't really like thought about it at that level. Other folks had. They reached out up to them. Oh yeah, we actually have a list, like one. I mean I'm not saying this is the right list, but you could list out gambling, liquor, pornography.

(09:05):
I mean, at what level are you going to say, not for us? A buddy of mine was with Cryptography Research with Paul Kocher and, like you know, side channel analysis, really cool shit, and they decided as a company, CRI, and what an influencer in the business, holy crap.

(09:26):
In the early days they said, hey, what are we not going to do? And there was a lot of money to be had in the late 90s, early 2000s with protecting pornography. Right, yeah. But they said, no, not for us. We'll have a discussion if something else comes up, but

(09:49):
we're just going to stand, and I applaud them for that. They just said like that's just not who we want to be, and the notion of being able to express your ethics in a way of being able to state yin and yang, super important. So a discussion of values, and I found this, I started doing this a couple years back and I encourage those of you listening

(10:10):
in to have that discussion. And when you're interviewing, let's talk about your values and your culture and what you hold dear, and what's that bright white line you're not going to cross. And what do you say yes, all in, done, done, done? Let me know that, because if you are in a corporation that's not aligned to your values, every day is going to suck. Um,

(10:33):
that's an interesting concept, because a lot of people, especially for those just breaking in, are just trying to get hired.

Speaker 1 (10:40):
They're not thinking of the values of the organization. They are thinking of what's going to pay my bills, what's going to get me into the field, what's going to do what I need to do, and so, from a standpoint of ethics, I think that is something we lack, is holding true to our ethics. Yes,

(11:03):
do you have a compass? So with that, why don't you let people know kind of what are your ethics when you're looking at things, or kind of how do you view ethics here within cybersecurity?

Speaker 2 (11:13):
Yeah, yeah, so kind of the backstory here is I have been serving on the ISC squared board of ethics, or the ethics committee as it's formally called, it's actually, this has a different name, professional practices, but essentially it's the ethics committee, for I

(11:34):
think 11 of the last 16 years in one way or another. And how this works out is one of two ways. Either a member will formally raise an ethical allegation against another for an ethics violation, which, thankfully it may always be so, is rare, or, which has a lot

(11:59):
more, is there's a questionnaire when you sign up to the ISC squared to go off and take one of the many certifications, of course the flagship being the CISSP, and when you sign up for that, it asks you if you've ever been convicted of a crime, amongst the many other questions it asks, or if you have, and forgive me, I

(12:23):
should have this memorized, but I don't, it's something like, basically, if you have had a dishonorable discharge, if you've lost your license to practice as an attorney, been disbarred, that kind of thing, and disclose that, and because of the

(12:44):
popularity of ISC squared, which has just skyrocketed in the last two years, you know, there are quite a few of those cases where somebody comes forward and they made an unfortunate decision years past and it's everything from got caught with the joint 27 years

(13:04):
ago to almost anything you can think of that somebody would serve time for, like drive-bys, child rape, arson, I mean the whole nine yards. Because you're talking about, you know, hundreds and

(13:25):
hundreds of thousands of people that would like to have this certification signing up for it, and anytime you take a population of hundreds and hundreds of thousands around the world, you're going to have a population of felonies that get brought into it and go like, not for you, no, get me out. And a lot of what they do is, that aside, is this something

(13:46):
that would bar you from holding the certification, of being the community, or would not? Forgive me for the backstory, kind of like I had to go there and get through this, but that is one of the big things that frames my moral compass. Right, is a duty as a society, a duty to my principal,

(14:10):
who pays me, right. A duty to the profession, right, and those, that code of canons, every word being very carefully chosen. I encourage you to go out, look for yourself at the ISC squared code of ethics. Anybody can look it up and see it. It is pretty well considered and it's a pretty good compass. What it doesn't specifically call out, it's

(14:34):
alluded to. I go a little more formally there. It is, at least when I last looked, in the ISSA code of ethics and it's in a couple others, the public certifications I hold. It specifically calls out not raising false alarm or false comfort, and it's buried within the ISSA's code of ethics but not

(14:57):
called out explicitly. And those are two really important concepts, that you're not saying the sky is falling, this will take us down, or everything's just fine here, this is not the droids you're looking for, go away. Either of which are completely deplorable because we as cybersecurity professionals hold a particular

(15:20):
trust. Just as you trust an attorney to interpret law, you trust an accountant to interpret tax code and help you keep out of trouble with your finances, organizations trust us, and I literally have quit three jobs over ethics,

(15:40):
which is probably, I'm way out there, six sigma, and that, you know, like that's pretty far out in the bell curve. But I have a few times been asked to either provide false comfort or false alarm, and I've raised the issue and

(16:00):
unfortunately keep being dissatisfied with the answers I get from office of ethics, et cetera. And Bill Murray was one of the founders of ISC squared, not the actor, he has the same name as the famous Bill Murray, but he's the guy who basically drove the program to deliver RACF in the mainframe and came up with a practice,

(16:25):
ISACA calls him the father of IT audit, which is like, I mean, think of that. The father of IT audit. How big were practices? That's several millions and millions of people. And he has a number of sayings I quote from time to time, because Bill Murray is very, very wise, but, you

(16:47):
know, he talks about the fact that we as a profession, we're quick to rush to judgment. We smell smoke, we think fire, not barbecue. Right, but he also talks about how integrity is the only coin in our realm, and I have adopted that. Without integrity, we are

(17:11):
nothing. Now so.

Speaker 1 (17:14):
So, with that, though, right. So we talk about ethics and you talk about all the things that potentially, and I think about this from a military standpoint, being a veteran myself, you know I despise security clearances, not because of what they are, but because of what they're not. When I look at people that can and will be the best for cyber

(17:38):
security, I look at hackers, or not hackers, correction. I look at malicious attackers, right, those people that don't have a certification, don't have a degree, don't have anything to their name. They just made one mistake and got caught. I look at the people that will never make a name for themselves because they live in the shadows and eventually get

(17:58):
caught by the FBI, the CIA, NSA, any of those three letter agencies, right. So, with that being the case, though, they eventually get caught. They now have felony charges, they now have things that are going to hold them back for the rest of their lives, sometimes can't even touch a computer, but these are the people that have been the best at breaking into things. I'm talking people that have broken into every three letter

(18:22):
agency out there and eventually stayed, overstayed their welcome and got caught, but it, because they got greedy or whatever the case may be. Eventually they got caught so they can no longer get a security clearance, right, they got a felony. Those clearances are no longer going to be allowed or allotted to them, right? So when I look at ethics, I look at what these people have

(18:43):
done and I think of it in terms of they're the best for what you're trying to do, though. You pay them well, you sort of what they're deserved, sort of, because they are the best at what they do.

Speaker 2 (19:00):
Yeah, and, you know, this is a question, you know, there's a saying, how many angels can dance on the head of a pin? The kind of discussions and, you know, Mr. Mitnick was unrepentant, apparently, to his dying day. I'm saddened that we have lost [inaudible] Corporation for security training, which was awesome. So I don't want to cast aspersions at the recently

(19:20):
departed, but, as far as I know, Mr. Mitnick was unrepentant to his dying day, and, but he was a very good person, he was a very good person, but

(19:43):
he was the poster child for should he be a CISSP, right? Or you know, and all of that, that kind of over and over and over and over and over again, right? To my knowledge, he never applied, but I don't have complete knowledge. Why? Why would he? Why would he? Well, you know, and actually, who, I point out, I've had the opportunity to meet a few times, so fortunate, Ron

(20:04):
Rivest, yes, the R that put the R in RSA, that dude, so awesome for so many reasons. Why would he apply? He doesn't need it, right, dude? The guy wrote RC2, RC4. I mean, he is rock star famous. Why do you see this? CISSP doesn't, right?

(20:26):
But Mr. Mitnick and occasionally Dr. Rivest were poster children for conversations about that, and I can tell you it's not that the ethics committee says, oh, you did this, you're dead, you're done, you're like, you're dead to me, I don't care, whatever. No, no, no, I mean, we, you know, for us to not believe in

(20:53):
rehabilitation, for us to not believe in redemption and changed lives, that is a bleak existence, and so I think it goes beyond that, though?

Speaker 1 (21:05):
Oh, of course it does, because you can only be redeemed, you can only find this repentance in cybersecurity if you're paid. Let's keep in mind, in this industry, unless you're well known, unless you reach executive levels, illegal shit will always pay more than legal shit. Always, of course, of course it does. So,

(21:27):
so if you want to risk reward people, exactly, if you want to keep these people that have been able to make ends meet and go above and beyond everybody else, you need to pay them, whether, if you don't have to worry about redemption, if you're paying them at, we, three a half to three quarters what they would make

(21:49):
for doing it right.

Speaker 2 (21:50):
So, I would hope that you have a good financial plan for your future, as should we all. Yes, I would trust that from time to time, you may have somebody you ask for financial advice. Could that person make more through criminality? Probably, but some of those things come with silver bracelets and that.

Speaker 1 (22:10):
I've never done anything illegal. I caught and I got a wife. Right, is, I can't, exactly.

Speaker 2 (22:17):
Rule for living number two for me is I never want to use the phrase, you know, my cellmate said. I've had that rule since 1990 and it has served me very well. That's rule number two. That is a very, very important rule. Yeah, so, you know, I live my life so I never have to use

(22:40):
the phrase, you know, my cellmate said. Now I ride a Harley. I do enjoy like the twisties. Do I occasionally, sometimes accidentally, go over the speed limit, sometimes? Yes. I would point out, those are misdemeanors. And I do definitely try to avoid criminality and

(23:00):
from time to time it comes up. Right, I've been asked to lie to auditors. It's like.

Speaker 1 (23:05):
Hills.

Speaker 2 (23:06):
No, I'm not lying to an auditor. I could, let me, let me tell you what you just asked me to do, because I don't think I heard you correctly. Like, let's have a conversation.

Speaker 1 (23:18):
I'll let you, boy, let's figure this out real quick. Did you really just say that? I

Speaker 2 (23:22):
couldn't have heard what I thought I just heard. There must have been like some air currents moving, like, uh, repeat. Yes, and I've been asked a lot of regular, like, and you say it, they go like, oh, no, no, wait, you do this, like no.

Speaker 1 (23:37):
No, if you don't get your PCI certification, that's on you, homie, that's on you. You didn't front the cash for what we needed.

Speaker 2 (23:46):
That's your fault. Yeah, look, you signed the contract. You could have not signed the contract. You could have negotiated the contract. You didn't, so it's on you. Yeah, but, you know, joking aside, we are being a little facetious. This is a real important area where our profession gets to

(24:09):
shine and we're gonna be like, okay, you ignored the rest of the advice. You went skating near the edge of the cliff. Now you find yourself like Bugs Bunny or, you know, the Road Runner, yeah, actually it would be Wile E. Coyote, over the air, right, no longer on the ground. Now, what, you know? Hey, I'm in deep, deep trouble.

(24:32):
What are we gonna do? And I've been there a few times with incident response. You know, large chicken-shaped nations are hacking in and, you know, things are getting punked left and right. What do we do? Where do we go? What's up? You know, where is our moral compass? What should we do? What's now? You know?

(24:52):
And leadership in crisis is one of the areas in which our profession gets to shine. It's not necessarily a fun place to be, but, okay, secretly chasing bad guys is actually fun if you're chasing them and if the company allows you to chase them. Well, yeah, and that's actually really,

(25:13):
it was a discussion I've had to have a few times. It's like, you know, you actually have an incident. Okay, now we're talking about preservation of evidence because we need evidence to reach chain, blah, blah, blah, blah. So go to court. They're going like, how are we going to sue large chicken-shaped nation near Taiwan? And

(25:34):
it's like, no, no, no, no, no, I'm trying to keep you out of court. You could get sued. There are two parties we're talking about. One of them we're not going to be able to sue. You? Oh, yes, you can be sued. And how are you going to demonstrate you did the right thing at the right hour, making, with the information you had, the best decision you could?

(25:56):
How are you going to demonstrate that if you don't have a chain of evidence doing the right thing? Blah, blah, blah. And, you know, when things are on fire, those are tough decisions. Man, like, hey, I can't do that, I need to save first. Or I can't do that on environment, because our

(26:16):
environment is compromised, send an email to blah blah blah, can't. They've compromised the email server. I need to go outside. Yeah, that's a real interesting time to build a resume. But yeah, and I'm not glorifying, I'm just sharing,

(26:37):
right, like being briefed by a three letter agency and being told, like, that's fun.

Speaker 1 (26:42):
What are you talking about? That's, yeah.

Speaker 2 (26:46):
You know, like you should trust any of them. Right, you should come armed to work, and we are in Ohio, a free-loving state, so we're going to put that aside, but I was going to ask you before this show.

Speaker 1 (26:57):
I thought so, I got one over there, but that's the point.

Speaker 2 (27:01):
Yeah, but yeah, I've been told, like, I'm ca, I pack a .45 to work every day. My room got rolled three times by presumably the PLA, but chicken-shaped country, won't say who it was. Right. And a parable, a parable, we're going to get a parable,

(27:23):
crypto. All right, cause this is, this is a free, because we're going to get into that, but okay, Elena.

Speaker 1 (27:27):
Elena, actually Alana. I've had her on this show, she has done a super chat. I want to bring her question up as soon as possible, please. Thank you, Alana, for the $10. Speaking of criminality, is it worth the potential criminal prosecution for being a CISO? No, seems like that's a trend we might be seeing. That's too much accountability, in my opinion.

Speaker 2 (27:49):
Well, if done wrong, there could be prosecution; if done right, there is not. You know? One of our jobs is to be the prognosticator of truth, even if it's not a comfortable truth, even if it's not a popular truth. We have to be speakers of truth, see earlier discussion.

(28:11):
Integrity is our only coin in our realm. We have to be like, and I'm sorry if this catches you at a bad time, I've had cancer four times, survivor. Thank you very much to my doctors. Yeah, I found out there's a stage zero. If you want to pick a stage, that's the one to pick. But do you want your doctor to say it's probably a cold,

(28:37):
you're probably fine, it's nothing, cloudy x-ray? Or do you want them to take you by the hand and say, look, you have cancer. We're going to get through this together. I'm here for you. And that's the role of a CISO doing leadership, to be able to look them in the eye and say what is

(29:01):
unpopular in a tactful way, difficult communication challenges, and be able to have earned the respect of your peers to not be Chicken Little, bringing everything to them, to be rational and presenting things not in cybersecurity, like, geeky terms, but in financial terms and business resiliency

(29:23):
terms, and you've earned the capital to be invited to the C-suite in a moment of crisis and say we have a problem.

Speaker 1 (29:32):
Yeah.

Speaker 2 (29:32):
I'm here for you. Let's do the right thing. That is really hard, but, oh my gosh, rewarding.

Speaker 1 (29:41):
As we're talking about everything going on, and I got a few more questions saved. Do you find that the CISO, as a majority, is more the fall person versus someone that can actually secure an organization? Sadly, even though we should be switching that to where they

(30:01):
have more of a voice, is it still they're the fall person versus the one of reason that's going to secure an organization?

Speaker 2 (30:12):
Let me see if I can get through this without shedding a tear. Howard Schmidt was the first cyber security czar, friend of mine. We rode together on motorcycles, loved the guy. I got to serve with him for the ISC squared, but before all of that he was CISO for Microsoft. Now, for those of you that aren't aware, before 2002,

(30:39):
Microsoft's reputation for security was crap. Right, okay, the company I work for is 20% by Microsoft, but I speak the truth. So just so you know, I finish up a conflict of interest. But they'll tell you, before 2002, their reputation of security was horrible.

Speaker 1 (31:00):
Yeah.

Speaker 2 (31:00):
And I got to be in the room when they made the announcement that created the entire program. They announced it at RSA 2021 in San Jose and they announced the program, that Writing Secure Code was the manual that they

(31:22):
released. They told everybody that put anything on the Windows disk, for the next 90 days you're not doing anything but security training. Think of what that costs. We're not like people that do fonts and pictures, right, let alone code. Huge cost, and that's crazy because, crazy, secure coding.

Speaker 1 (31:44):
When you're looking at something like Microsoft Word, Excel, Access, you name it, any program they're designing. You were talking about people that I've met. So I had some instructors in high school that had legitimately met the programmers for these applications. Yeah, and these programmers cannot speak to you.

(32:05):
They have, because of how intelligent they are, because of what they know and how they do things, they legitimately, their minds don't work that way. They have zero, close to zero, social skills in talking.

Speaker 2 (32:19):
I wouldn't go that far, but wicked sharp geniuses, and they completely changed their culture around security in 90 days.

Speaker 1 (32:29):
How did they go from make this shit work, yeah, to make this shit secure and work?

Speaker 2 (32:39):
Tone at the top. Bill Gates, at the helm of Microsoft, wrote three memos that changed the course of Microsoft, and I wish I could remember number three. I can't, but the first was he said this Internet thing is a flash in the pan, it means nothing to us. And he wrote a memo saying I was wrong.

(33:00):
We're all in on Internet. And the second memo was I was wrong about security. From this moment on, we are about security. There was a third memo. That was, you can look it up. Tone at the top, dude. I mean, if you don't have the C-suite on your side, it is a

(33:21):
tough pull.

Speaker 1 (33:23):
That is the biggest thing with anything in security.

Speaker 2 (33:25):
It's not to have the CEO went down.
It is.
I will tell you.
I was at.
I was at JF Morgan Chase whenthey got breached and I had just
been brought in as the globaloff architect.
I owned the architecture forauthentication, authorization
for it all like ATMs, logins,blah, blah, blah, all that stuff

(33:49):
.
And it's a fast estate.
I mean they.
I had come from a Fortune 20firm with $120 billion and JF
Morgan Chase had more employeesdoing security coding that my
old company had databases oremployees, yeah, and they got

(34:13):
crushed.
They got crushed.
They were.
They were spending more than a billion dollars a year on
security.
Think about that.
How many of you listening have a billion dollar security budget
but they?

Speaker 1 (34:23):
made a few mistakes.

Speaker 2 (34:24):
They made a few mistakes and they got a hell of
a lot better.
But, but, but I was there when it happened, right, and, and you
know it was, it was a few days, but what was really cool.
Please don't sue me, JP Morgan Chase, as you can sue me
into the Stone Age and I'd like to retire.

(34:44):
I'm telling a story that is really cool.
Right, vast estate.
Right, they have 38,000 developers, 38,000 developers, and
they're a bank.
Right, they transfer $3 trillion a day in funds.

Speaker 1 (35:04):
They got the highest.
They probably got one of the highest PCI, PCI DSS fricking
audits ever and, and still.
This is why I hate PCI DSS. Right.

Speaker 2 (35:16):
Let me, let me think if there's a story. Hang on,
because what was really cool was I was getting like, like calls
from the CISO, our team.
It wasn't just me, I was like, you know, one of the guys in the
team. What should we do?
And I'm pulling out the list of everything I said was broke.
We got to fix, blah, blah, blah.
I'm not saying I was like super smart, I was like, hey, here's
something we got to fix, but you know, there's a lot of

(35:38):
priorities in the bank.
And suddenly this became like, oh, this is why we get hacked.
And it was published while they got hacked.
So it's a known thing.
It was a password out on the website that HR had set up,
wasn't federated.
I shared earlier SAML, it's a thing, and, and somebody had

(35:58):
manually synchronized their password and then allowed
somebody to that side, got punked by the Russians.
They took it through, sold the information off.
Somebody came in and said, hey, let's try all these passwords
against all the SSH interfaces and they got in, elevation of
privilege later, boom, done.
You're into the stuff that talks to everything.
That's so.

(36:18):
The cool thing was it came down from senior management.
I might get the number wrong.
We'll pretend this is right, but I'm going to say it's like
within 90 days, if you can't do federated identity as a vendor,
you're no longer a vendor, and they did it.

(36:40):
Do you have any idea how many skyscrapers of lawyers that
takes?
I mean, good Lord, have mercy.
How many vendors does a bank across six continents have?
A lot?

Speaker 1 (36:59):
Holy crap.
I deal with banks now a lot.

Speaker 2 (37:03):
A lot.
Yes, and they did it.
They did it.
Dude, tone at the top is everything.
But senior exec says it's dirty, has to be top down.
Well, at that moment they were shedding.
I mean stock price tumbling.

(37:25):
I'm dealing from memory, I have been drinking, but I think it
was like a $2.2 billion hit.
I mean that was big and they couldn't afford to play around.
Man, this is job one, because they got to save their ass.

Speaker 1 (37:41):
That's it.
They have to save their, look at, all right.

Speaker 2 (37:44):
And they have.
They have a pivotal place in the economy of dozens of
countries, like dozens of countries said like oh, we can't
do this. Chase.
Can you do our treasury for us?

Speaker 1 (37:55):
Sure we can and crush it.
They do.

Speaker 2 (37:59):
They do a great job, but they can, I mean dude, if
Chase goes down, and it really ain't top five bank, if Chase,
if Chase, or a lot of these.

Speaker 1 (38:10):
I'd say three to five banks go down, the global.
It isn't just the U.S. economy, global.

Speaker 2 (38:20):
It's a reset.
It's not quite, you know, zombie movie level of reset.

Speaker 1 (38:25):
They're near, but near bad day.
Yeah.

Speaker 2 (38:31):
Yeah, so it's crazy.
They did the right thing,though.
Tone at the top, what, and I can tell you, being there when, when
the fit hit the shan, if you're picking them up and throwing
down twice, I literally had like the lights come down.
I almost drove down, like the lights came down to a little
pinpoint, like I'm almost ready to die, and they came back.

(38:54):
Keep working, cause, oh my gosh, the stress was insane.
In four hours we need the plan, 45 minutes.
They call back, what's the plan?
Do the thing.
Okay, what are we going to do? The thing.
Let's do it right now.
And if you haven't, I didn't name it.
If you haven't found it, Google this stuff.
How shit happens?

(39:15):
Right, and it's a hilarious thing from like the 70s or 80s
from the internet and I got to read it to like the global CISO
of JP Morgan Chase and you, and it's like the workers see it
and this is shit and it stinks.
And the next level up says, you know, this is, this is made of
excrement, it's very strong.

(39:36):
Level above that says this is made of things that help plants
grow and it promotes growth, and by the whole thing's at the top
is this is good for our company.
And that's how shit happens. Right.
And I, I got to read it because he's like how could this
possibly happen?
Like dude, you are like eight, nine, 10 levels removed from
truth and by the time it gets to you, all the filters have taken

(39:58):
all the truth out.
And he's like, okay, I don't know if any of you have ever got
the opportunity to literally read something with curses to a
CISO of a, you know, Fortune 100.
That was an interesting day.
But, yeah, you have to be able to speak truth.

(40:19):
How could this have possibly happened and be reliant to you
with, with, they're well, they're well meaning, I've, I've.
There's something really important to consider as you
drive change.
Senior execs get it.
We have to do security.
We have to do the right thing.
Boom, make us secure. The worker

(40:39):
bees in the trenches will do whatever they're told.
Middle management has a real big problem because two, three,
four years ago they said this is where we should go, this is
what we should do.
This will solve our problem.
And you're telling them what they said before was wrong.
That creates a huge problem with driving security change.

(41:05):
And it's not that they were wrong, it's that what was good
enough before is no longer good enough.
When I was there in 99, running the local, you know, it was like
a, a, a small liberal arts Catholic university's networks,
having a firewall, ding, ding, you're secure, and that was

(41:28):
enough.
Two years later, you have to have a DMZ.
So years later, let's talk about a DMZ is right, right, and
it's not.
It's not that it was wrong, it's that what before was a
ceiling is now the floor and it's now table stakes for
execution.

Speaker 1 (41:47):
So, so I want to touch on that.
And then we got two questions and then I want to get into ISC
squared because there's some big things happening there.
There are a bunch on.
So yeah, first, first and foremost, what you were talking
about is, you know, the reason why things are the way they are
is because computers and networks were initially built
for blink the lights, to blink, right.

(42:08):
So it was made without security in mind.
People never thought of the fact that people can break into
this shit.
They thought, oh, let's just get computers to talk, let's
make networks talk.
Security was an afterthought, because they never thought of
the fact that, when you look at DARPANET and ARPANET and all
the things that brought the internet to us, go back and read

(42:29):
never on.

Speaker 2 (42:31):
Read the initial spec for telnet and an FTP and they,
setting the initial spec.
This will not work on a network because of security.

Speaker 1 (42:41):
They said it. If you, if, the original RFC, that's.
That's crazy, because in my master's class, it's not going to
work on a network.
I never finished my master's, but in the courses that I went
through and a lot of the other things that I've researched,
when I look at ARPANET and DARPANET and all these other
things that I've looked into, and when you look at the
internet and network connectivity, it was, security

(43:03):
was an afterthought.
We just wanted to blink, the lights to blink.
So the fact that, you know, the RFC, and you have now informed me of
that, makes it amazing, because it means, yeah, go read it, you
can listen.
Yeah, which blows my mind.

Speaker 2 (43:18):
But anyway, they did.
So I digress, yeah, we have things far longer than we ever
thought we'd have them. Right.

Speaker 1 (43:24):
So we have networks that are now designed with
security as an afterthought.
So you're basically putting band-aids on fricking wounds
that require staples and stitches and everything else.

Speaker 2 (43:35):
Do you know what the SLA is on SMTP for email
delivery?

Speaker 1 (43:39):
The SLA, SLA for delivery of an email until
you're out of compliance with the spec.

Speaker 2 (43:45):
30 seconds.
Seven days, Are you serious?
Serious Seven days?
Because back long ago, like my, my, I ran a BBS.
My modem would dial Chicago every night to transfer the
packets and those would get transferred from there to there,
to there, to the. Think of dial-up modems.
Dial-up modems.

(44:06):
And, and long distance rates and all the rest of that shit.
Right, we built this entire infrastructure on, on seven days
and like, how often did you say, like antiquated technology.

Speaker 1 (44:19):
Yeah, no longer exists and they have an update.

Speaker 2 (44:22):
And we have these very, very old protocols.
We've had it far longer than everybody, anybody ever thought
they'd be around.

Speaker 1 (44:28):
Yeah, yeah, absolutely correct.
And again, this, this gets back, though, to when you're looking
at what we do.
We are constantly evolving, for new people getting into the
field, and this is what I always tell people, you have to be
willing to constantly learn, because if you're not, and again
there are certain aspects of IT and security that I've fallen

(44:51):
out of, I have not done the research on because of what I do
now and trying to do. Can't know it all.
Do what I do.
It is very hard to keep up on everything.
So you find your niche and what you're good at and you go from
there. Hone your craft.
I love blue team.
Yeah, I will.
I will look into logs, I will look into firewalls, I will look

(45:13):
into SIEMs and things of that nature, but if you like
something, research it, become a specialist and go for it.
Now, saying that, I do have two questions here for you, Crypto
Knight.
First one, I mean we have different info.
I did the flex.

(45:33):
I love the flex, so Knight has his name on a bottle of Maker's
Mark whiskey.
How many bottles got put out with that name on it?
Seven, that is awesome.
I need one of those.
I need one, just to keep and just to say.

Speaker 2 (45:53):
I have my brother, got all whiskey.
Your sour drive, come on, hook it up.

Speaker 1 (45:58):
All right, we got like, speaking of ethics, what is
your take on Mr Mitnick's adventures, and should he be an
example of not allowed due to their past?
You know?

Speaker 2 (46:10):
Mr Mitnick.
I'll just fuck shit on the dad because, no, no, and he is the
second most notorious person I've ever shaken, shaken hands
with, shaking hands with him twice and, you know, once like a
minimum elevator.
Mr Mitnick, hello, yes, and you know he did some really good

(46:31):
work over his last few years with, with, with security
training, really, really good.
He was never really repentant of what he did.
And for us to have a criminal justice system which believes
that it's appropriate to lock people up, to have sanctions
against them so they can learn from their mistakes and get

(46:53):
better, we have to believe in redemption and I encourage you
to do a little research.
You know, your Google-fu can, can perhaps find it.
His unpublished first chapter in his, in his autobiography, which
his editor says, dude, we can't publish this, because it was so
self-serving, it was, it was a little crazy.
Read it and you'll see that he never really repented.

(47:16):
He was sorry he got caught, not sorry.
He did it and I'm not mean to throw rocks at the man who found
his niche later in life to deliver good to the community
and delivered some really fabulous, fabulous technology
that I love.
However, Mr Mitnick, he never repented of his acts.
So, yeah, the whole gray hat question.

(47:41):
Should I hire gray hats?
Oh, we're going to go to thatone.
Well, that's the question that was asked of, of Griffin InfoSec.

Speaker 1 (47:48):
It essentially is. Right, so we're going to hide
that one.
We're going to go to James.
What is your opinion of gray hacking, where you don't
disclose to the company but sell hacks to vuln brokers such as
Zerodium instead of bounty programs?
Ethical or not?

Speaker 2 (48:04):
Well, you know, cockroaches serve a, a, a, a
society, right.
You know, without it we'd not have that catchy Mexican tune.
But so hit eight. Dude.
If you find a vulnerability and don't take it to the

(48:25):
organization and say I found a problem, make it better.
You're on the wrong side.
You are not on the side of justice and freedom and light,
you're on the other side and you're on the Sith Lord side and
you need to change your, change your tune.
You know there are all sorts of things I can sell.
I choose not to because I love my family, God, I love my

(48:50):
country and I love my freedom and, and freedom is good.

Speaker 1 (48:55):
Freedom is good.

Speaker 2 (48:57):
I should have worked on sort order there.
I won't talk about that, but, but uh, you know the Sith Lord
has really cool toys.

Speaker 1 (49:06):
You know, he really does you.

Speaker 2 (49:10):
I'm telling you, you know, Mark Twain had some really
good quotes.
You know, too much whiskey is nearly enough.
One of them, uh, but, but also, um, always do the right thing.
You'll, you'll, um, you'll satisfy a number of people and
bewilder the rest, and um, always tell the truth, because it's
too hard to remember as a liar, or something like that, right, um

(49:34):
, especially when you start stacking them.
Just tell the truth, man.

Speaker 1 (49:38):
Never happen again.

Speaker 2 (49:39):
Yeah, and I've had to be there where I'm, I'm, I'm
like the doctor, you got cancer.
I'm here to deliver the truth, and it's a hard truth.
I need your attention, I need your focus when I talk through
this, and you might want to have an attorney present, but here's
the hard truth.
Right, was that fun?

Speaker 1 (49:57):
No, no, it was not.

Speaker 2 (50:00):
But afterwards I could look myself in the mirror
right.

Speaker 1 (50:05):
I look at gray hat differently than what, um, they,
they put in the comments, though.
To me, I look at gray hat as someone who, who finds the
vulnerabilities without a bug bounty, without a contract,
without anything else.
I look at someone, um, the Robin Hood hacker, uh, Kevin Mitnick,
um, interviewed him.
I can't remember exactly, uh, his name, but basically he would

(50:31):
find vulnerabilities on the internet and then reach out and
say, hey, I'll come in and tell you how to fix it or I'll bounce.
Those are up to you, but this is what I found.
He'd go through a third party, but basically illegally.
Right, he would find these connections, he would make sure
it was legit, he would do all these things.
So it was technically illegal.
He wasn't doing anything malicious, he was just finding

(50:55):
ways into a network.

Speaker 2 (50:56):
Yeah.

Speaker 1 (50:57):
It wasn't until the New York boat that somebody
pressed charges against them.
But his initial, his initial breach, where he got his first
story, was there was an unmanned, unpatched, unmaintained proxy
server.
He found it just by surfing the internet and being curious and

(51:18):
being like, hey, what the fuck's out there.
And he reached out through a third party.
Third party got in touch.
They said, yeah, show them, bring them in, tell us how to
fix it.
He literally sat there, took a knife, cut the cable to the
proxy server because they no longer needed it.
It wasn't used but it was a way into the network.
Right, the New York coast had come out and said we cannot be

(51:40):
breached.
Well, their words were we cannot be hacked.
And he went in and said, all right, bet, here's the real
thing.

Speaker 2 (51:54):
So the answer does not justify the means.

Speaker 1 (51:57):
No.

Speaker 2 (51:58):
Right and if the company doesn't want to take
responsibility.
And I've had that.
I have found two zero days.
I have found two zero days in my life, and, and there, there are
two CPEs I've earned by watching videos where I wept because it

(52:19):
touched me so deeply.
One, oddly enough, by Violet Blue.
When she says not safe for work, believe her, okay.

Speaker 1 (52:30):
Oh my gosh.

Speaker 2 (52:34):
But she talked about harm prevention.
Right, and I do support her, very, via Patreon because she's
doing a really good thing for your security, bridging the gap.
She's, I like what, what she, and I'm like, oh, what's that?
Support all she does.
But we talked about harm prevention is very important and
Richard Thieme talked about, Richard Thieme, T H I E M E, who

(52:56):
got beaten up for 15 years for talking about UFOs.
Turns out he was right.

Speaker 1 (53:03):
I mean, the government just admitted there's
aliens, yeah, and he got beaten up for 15, 20 years.

Speaker 2 (53:09):
But he talks about the harm of keeping secrets and
our profession has a high suicide rate and it's something
worth talking about.
You have to have your center, you have to have ethics, you
have to have a community of trust, and I'm going to talk
about that.

(53:30):
And I'm going to talk about the harm prevention, of the harm
prevention, yes, and what he talked about was the harm of
keeping secrets.
I experienced that personal harm from finding that a major
vendor had published documentation was complete BS on
how to protect secrets in their, in their, in their
infrastructure.

Speaker 1 (53:53):
And I got here.
James actually came up with a comment about that same topic,
but I want to touch on this, because somebody asked what is
gray hat?
Gray hat is not waking up, deciding whether you're going to
be black or white, what a gray hat hacker is.
Or, yeah, gray hat hacker, because there's black, white and
gray.
There's also other colors.
Some people put other colors on it, but basically you work as a

(54:19):
white hat, but you'll do illegal shit in your off time.
That doesn't necessarily align, because you're doing things
outside of contract, so yeah.
You may not be doing bug bounties, but you're finding
things and I do feel like the Robin Hood hacker was more gray

(54:40):
hat in that he was presenting this to the client.

Speaker 2 (54:44):
But to me that's like I sell drugs.
But don't worry, I give half of it to feed starving children,
Right, I'm?

Speaker 1 (54:50):
just saying look at Children you're feeding,
starving children, yeah.
But you are selling drugs at the playground, right.

Speaker 2 (54:58):
So I think gray hat, not that I believe there's a
black and white in, in, in perspectives, and, and maybe this
is the way to end this, was full circle.

Speaker 1 (55:11):
This community has one here.
Can you please put Crypto Knight on a revolving appointment once
every one to three months or so, because storytime is
impeccable. Done, done and done, yeah.
Before you get into that, we do have one more question.
I know you want to touch on gray hat, but James has
another one.
What about how they treat good guys delivering vulns to the

(55:33):
companies not taking vulns serious or punishing the hacker
for ethical disclosure?
This is where I get into gray hat.
Well, two questions.
He disclosed it ethically, even though it was not under contract.

Speaker 2 (55:47):
Yeah, so, so I think, two questions.
First of all, I have disclosed, and if they do nothing, this is
the same thing as a consultant, right, and this is a consultant.
Employee. Consultant says I have this thing you should do.
I think I was like, yeah, whatever, and I can sort of like
let me make sure you heard me, let me be a little more

(56:09):
articulate, let me provide some documentation.
Here's, they go yeah, whatever, yeah, and employee gets to come
back.
A third and regular like, oh, hell's no, we're going to talk,
right.
Consultant goes like okay, right, and that's where you are.
If, if, if you have provided copious documentation on exactly

(56:30):
what, make sure you're talking to the right entity, make sure
they're authorized to act, make sure you provided clear and
copious documentation, not just like I found the thing, but I
did this.
Here's what I think, here's what I know, here's what I believe
are the implications, and here are my recommendations.
And if they walk away, you've done the right thing.

(56:55):
Walk away. Next, do you have the right at that point to go like,
well, they're not doing the thing, can I?
Can I tell you?
Oh, but you know, and this is, this is a quandary, because not
doing the right thing, people might be harmed by your silence.

Speaker 1 (57:14):
But that is, that is not on you.

Speaker 2 (57:17):
Right.
If you see somebody being beaten up in a parking lot,
being, there's the crap beaten out of them, are you obligated to
intervene?
No, does it hurt you to not intervene?
Possibly, yes, been there, done that.
But do you have an obligation to go home to your family and to

(57:38):
value the things that you value, with your, with your compass,
your ethical, moral compass, and you have an obligation to
report?
I can't answer that question for you.
The, the, the right thing to do.
You will have to decide for yourself, and, and, and that's
why the, the ISC squared code of ethics, which I think is

(58:00):
probably one of the better ones out there.
I am a little biased.
You look, you're.

Speaker 1 (58:04):
You're not a checklist, you're as biased
about ISC squared as I am about this being the best damn
cybersecurity show.
Let's just be honest.

Speaker 2 (58:14):
Yeah, yeah.
But you know, does that haveits flaws?
Well, yeah, it says every system, everything does, but.
But it leaves the judgment up to you.
You have to do the right thing at the end of the day so you can
evaluate and look yourself in the mirror and say did I do the
right thing?
You know, people for the PLA breaking into the merit, into

(58:37):
America because they've been told to do it as, as an officer
in the army.
They're doing the right thing for their country.
Am I happy about it?
No, oh stop.
But are they doing the right thing?
You know, the only difference between, you know, attacker and
patriot is, is, you know, who's right in the history you're

(58:58):
doing it from yeah.

Speaker 1 (59:00):
Yeah, so.
So I got this thing on it, though, and then I want to get
into ISC squared.
It's only gonna be a minute because we're at the top of the
hour, but you know, for me on this is companies not taking
into consideration the fact that somebody has been willingly
able to release this information to them without releasing it to

(59:20):
the public?
We have seen people, whether it's Uber and other
organizations that, when vulnerabilities have been
disclosed, have pressed charges versus saying, hey, thank you,
I'm not gonna head you, I'm not gonna do all this, but thank you
for the information.

Speaker 2 (59:40):
I large right sharing the company about that, like,
oh, that was her.
Yeah, yeah, yeah that was me.

Speaker 1 (59:49):
That is why we are seeing a lot of ethical hackers,
ethical pentesters, ethical cybersecurity people
now go to the dark side, because if you're going to press
charges against me for releasing information to you,
for finding a vulnerability, I'm not asking for money, I'm not
asking for kudos.
I am literally pointing out, hey, I found this flaw, here you go

(01:00:12):
, this is how you fix it, and you're gonna now press charges
against me.
Now I'm gonna go to the dark side and I'm gonna sit there and
I'm gonna burn every single bridge you have and I am going
to release it all.

Speaker 2 (01:00:25):
Yeah, but you know, yeah, that, that is a problem and
the answer don't justify the means.
An organization not doing the right thing, I, doesn't, doesn't
obviate your responsibilities to do the right thing on your own

(01:00:46):
and, and you know, I can't tell you the right decision there.
That's all on you.
I believe, on, I believe on ethical disclosure. If the
company doesn't do ethical closure there.
Close it to, there are some other means, not done anything.

Speaker 1 (01:01:00):
Right, then guess what?
I'm gonna sell that shit for every penny it's worth.

Speaker 2 (01:01:05):
Yeah, I think there are probably other avenues.
I can't say I can describe the one right avenue, because,
because I've now sat there.

Speaker 1 (01:01:14):
I put out a PoC on Twitter.
I've told the company.
I've done all this shit.
I told the company two, three months ago.

Speaker 2 (01:01:21):
You could have a conversation.

Speaker 1 (01:01:24):
I put something on Twitter.
It's still there.

Speaker 2 (01:01:26):
You could have a conversation.
One of their top 10 customers, there, there's.

Speaker 1 (01:01:33):
I mean there, there are other venues saying, but the
problem comes down to, and I do, I love this conversation, I
love ethics.
I think it's, the ball is gonna do it, it is, man.
I love it.
But when I look at this, when I look at this, great, you put
this out and ethical disclosure is what?
60 days, I think, for most companies, 60 or 90 around there

(01:01:54):
.
So I've done this.
Now usually, usually, you have done shit.

Speaker 2 (01:02:02):
Usually you're in.
I mean, I've seen some.
Yeah, I've seen some catastrophic stuff.
How long can we go?
We're at 803.

Speaker 1 (01:02:09):
I'm telling you I could Do what the fuck I want.

Speaker 2 (01:02:12):
So it doesn't, boom, dynamite, so one of the coolest
shows I ever saw at RSA.
Full disclosure, I am on the program committee so I am biased.
Um, is Cryptography Research, which I already mentioned.
They came forward and they had discovered that, um, a number of
devices, when in airplane mode with no network connection, were

(01:02:35):
leaking keys, such as you could pick it up with a sled or a
DirecTV satellite and, uh, dish that had been sent to the
junkyard, you get for like five bucks.
You could take that into a digital signal processor and you
could pull keys off of it. When you could get symmetric keys

(01:02:58):
within a few packets, you could get asymmetric.
We're talking RSA stuff, man.
Hold up, hold up, hold up, hold up, within a few packets,
airplane mode.
Okay.

Speaker 1 (01:03:09):
So you could not send anything, technically?
Okay, technically could not send any data, all right, off the
air at all.

Speaker 2 (01:03:19):
What are the three most important things to do as a
mobile producer of electronics?
Cheap, power, light, those three forces work you out of
secure. Can I, can I?

Speaker 1 (01:03:36):
Can I tell you why?
And this is why, and I'm gonna stop you for a sole purpose, yes,
this is why non-removable batteries have been a problem.
Yes, because the best way to secure your device was really
power off, remove the battery and let the BIOS and the

(01:03:56):
motherboard battery.
Wait for story two, my friend, wait, we're gonna, hold up, we
got, no, no, you are saving your stories because we got people
that want you back on for stories.

Speaker 2 (01:04:09):
Oh, dude, I have.
I have a dude who worked for a very, very large software firm
who had his phone rolled two different ways while off, so oh,
off, no battery removed.

Speaker 1 (01:04:30):
No battery removed, just off, off, iPhone or Android.

Speaker 2 (01:04:36):
Will not disclose saving that for another day.

Speaker 1 (01:04:41):
All right, I gotta see a sequel, my brother, yes,
I'm up for it. So yeah, real story back on.
We're gonna do a sequel.
We're at 805, so this is what I want to do.
I'm sorry, Space Taco. ISC squared, as a board, on the board of
directors?
Yeah, have, they are doing huge things and I am going to put

(01:05:02):
they are, this link in chat.
But I want to discuss, and in one story, one paragraph,
however you want to do it, how is ISC squared helping
newcomers come

Speaker 2 (01:05:16):
in this field.
This is a great story.
We started many, many, many years ago, in fact, when I was
first on the board, I want to say 2011, but I am old, I drink, I
forget, um, and, and we worked on, on DEI at that point,
recognizing that, that we needed the space for minorities and
women in our profession, that we were out of, out of rounds,

(01:05:38):
needed correct, blah blah, started that journey more than a decade
ago now and we started the workforce study that we've done
to help us understand the movements of the organization,
and I can share with you that the under 30 crowd, we've
achieved gender parity in cybersecurity.
Boom, love it, love it.

(01:05:59):
Now we're saying like, but man, we got this big gap.
What are you about the gap?
We got the cyber security skills gap.
Everybody's saying gap, gap, gap.
So what I really love is we have started the 1 Million in
CC program.
Are you sharing the link, my brother?
Can you share that?

Speaker 1 (01:06:14):
I will put it. All right, you just put it there.
So let's Control-V, hold up one thing, okay.

Speaker 2 (01:06:20):
There is a commitment that ISC squared, it is done
when we are giving away 1 million certifications, a
million specifically targeting disadvantaged communities, and
giving away the education, the training and the certification
to, to disadvantaged communities, to close the gap and, oh my

(01:06:44):
gosh, is it growing explosively.
Uh, I, I can't tell you, like I, I literally can't tell you.
You know, NDA, but the numbers are huge, like um, beyond our
wildest expectations.
We are starting to close that skills gap with people getting
their, their CC.
I myself sat for the CC, didn't study for it.

(01:07:06):
It's not going to go cold.
Again, that is the, uh, the, the Certified in Cybersecurity.

Speaker 1 (01:07:12):
Oh, okay, so is, right, is ISC squared's equivalent
basically of Google's course? I wouldn't say that. It's an entry
level.
That's not necessarily equivalent, but it's, it's.
It's a basic cybersecurity certification.

Speaker 2 (01:07:24):
It is truly at entry level, but it is not easy.
I mean they were like, oh man, they're asking about that, like
okay.

Speaker 1 (01:07:31):
Bring it on.
What's the cost of that, of that certification, um?

Speaker 2 (01:07:37):
Free, first million, first million in for free,
because we, we're putting skin in the game.
Skin in the game, my brother.
We're saying like, okay, this is going to hurt a little bit,
but we have to pump this up for the future generation.
We have to get the next generation in cybersecurity.

(01:07:58):
There was a barrier that's been created and, and we have to
break down that barrier for the next generation.
So the 1 Million in CC, um, we created the CC.
It has all the rigor that you would expect of a professional
level certification, with all the rigor of the ISC squared.
Um, we're, we're top of the game as far as that goes.

(01:08:19):
We, I could talk for hours about that, can't.

Speaker 1 (01:08:21):
Andrea, did you get the CC?
I see it.
It's not easy, for the CC.
I had to study for it.
It is, how many, you, it is.
I believe I've seen a lot of her posts, Andrea on here.
Andrea Mylar, one of the, the most prominent warriors I have
right now, um, has been doing amazing things, as well as Space
Tacos, um.

(01:08:42):
Please tell me you, you got the CC and can tell people about it,
because, absolutely amazing, there you go.

Speaker 2 (01:08:50):
Cheers to you.
Uh, I, I also went and sat for the CC, pointed out I didn't use
the free one, you know, because I, and I would encourage you, if
you have the means.
Um, I don't call myself rich, but compared to many nations of the
world, I am, oh, me and you both, yeah.
So I said, dude, I'll pay the money, right, because I don't

(01:09:11):
want to take a seat, that, that needs to be kept by somebody.

Speaker 1 (01:09:15):
All right, all right.
Time out dude.
Does the CC require CEUs?

Speaker 2 (01:09:22):
You know, I should know that as a, as, as a board
member, but, uh, I don't know that question, the.

Speaker 1 (01:09:27):
The reason I asked that question is because that is
the hardest problem with me, and so that is awesome.
Okay, the reason that's a hard problem, I have a CISSP.
As a CISSP, I have to find, just like SANS.
I have to find where does this match, where does this go?
You?

Speaker 2 (01:09:46):
You have come to the spring well of joy, my friend. Because I heard this when I was on the board before, of like, oh, I have to travel, it takes money, blah blah.
So I started out on Twitter, now X, hashtag CPE for free.

(01:10:06):
Now I stopped after posting about 25 to 30.

Speaker 1 (01:10:10):
But that requires me to watch videos.

Speaker 2 (01:10:13):
And you want it for free? Come on, dude, free, free, free, free, free, free.
I posted like 30,000 CPEs and stopped. Almost all the links are still good, dude, irongeek.com. Irongeek.com still has, like, hey, can we get my show to be on the CPE thing?

(01:10:33):
Dude, I just earned a CPE. Done.
The biggest thing with CPEs is track it every month. If you have a weekly center support, monthly center support, whatever it is you do, that you track your CPEs. Boom, done.
Join your local, I'm just saying, ISC2 chapter.

Speaker 1 (01:10:52):
It's just here every week, so if people are watching or whatever, they should get CPEs from it.

Speaker 2 (01:10:58):
That's 52 CPEs, my brother. ISC2 chapter, ISSA chapter, ISACA chapter, ASIS. Oh, OWASP too, you could act...
Okay, the funnest way you can earn CPEs, not free: firearms training. No, you know how I got... you know what I'm saying.

(01:11:21):
The best way I see CPEs for the longest time was at the box.

Speaker 1 (01:11:25):
I literally.

Speaker 2 (01:11:27):
Okay, that's a great conference.

Speaker 1 (01:11:29):
I literally did all the boxes and got all my CPEs. I never made it there.

Speaker 2 (01:11:33):
That summer camp, never been, but the particular joy of being an NRA pistol instructor.

Speaker 1 (01:11:40):
Wait, using the CPEs from going to a range?

Speaker 2 (01:11:44):
Oh hell. Well, not going to a range, taking a course. So I took a course, I'll do it.
I took a course in knife fighting. That's why I carry, you know, the Delica.

Speaker 1 (01:11:54):
Oh yeah.

Speaker 2 (01:11:57):
And that was eight hours CPEs.

Speaker 1 (01:12:00):
But, all right, physical security.

Speaker 2 (01:12:03):
Go to weapons ranges of all types and you get CPEs. Not of all types, of reputable types. Train us, weapons training.

Speaker 1 (01:12:13):
Yes, my friend Greg Ella is awesome.

Speaker 2 (01:12:16):
Yes, and you know, it's the fun. I'm not saying it's the best winner in CPEs, but it's the most fun.

Speaker 1 (01:12:22):
Who cares about the best?
We just care about fun.

Speaker 2 (01:12:25):
Well, you should try to align it to your career and what you need and close your gaps, etc.

Speaker 1 (01:12:30):
Right.

Speaker 2 (01:12:32):
Oh, your gap. I know, but I'm telling you, my local ISC2 chapter is 20 bucks a year and includes two beers a month.
Dude, you're trying to find any of these? What for a million digits.

Speaker 1 (01:12:44):
Who does that count?

Speaker 2 (01:12:46):
Oh, you do. I'm telling you, I get 24 CPEs a year for going to drinking beers and talking security and sharing stuff, and sharing this works. This does it.

Speaker 1 (01:12:58):
And it's awesome.
All right, we are well over the top of the hour. Crypto Knight, I did share the link for ISC2. I want any and all information that you can give to newcomers in cybersecurity. Please drop that knowledge right now.

Speaker 2 (01:13:17):
All right. So there is always the challenge of I can't get hired until I get experience, I can't get experience unless I get hired. Right, how to break in?
All right, there are lots of paths in. If you are exceedingly young, not that you started doing, hate, having mortgage and those obligations, there is no better training than military training. Okay, dude, straight up.

(01:13:39):
I wish I could. I am medically unqualified, being flat-footed, colorblind and nearsighted. Triple... trifecta, can't do it.
But if you can qualify, no better training, and you will emerge from the military not only with discipline, self-discipline, sense of worth and actual skills to apply, but

(01:14:00):
you're going to have at least a secret, if not top secret, clearance, which is super, super valuable.
Now, not all of us can do that. So how to break in otherwise?
First of all, the CC program. You can go to www.isc2.org/1MCC, free training, free certification, go, go, go,

(01:14:24):
free, free, free.
Other than that, tons of nonprofit organizations need help. Local library, local Boy Scout, Girl Scout troop needs to be able to talk to them about how to keep safe on the internet.
See also Center for Cybersecurity and Education that ISC2 runs, for protecting children online, seniors online, training offered there. Valuable training.

(01:14:46):
You can become an instructor and get that training and experience.
Go to your local university, go to your local nonprofit: I want to help you with cybersecurity. But before, it's actually pretty cool, they got breached. I helped them out, talked to the FBI, got the thing going back up again, boom, done.
That is super valuable training. It doesn't have to be for pay. Should it be for pay?

(01:15:08):
Well, sorry, yeah, it should. That's a great way.
Hey, go work for an organization. Look very carefully. It will pay for your education. If you don't have the education, if that's the barrier, work for, usually 400, 400, 1,000. Usually pay for your college education.
Go to work for them flipping tacos, whatever you have to do,

(01:15:30):
but get your Bachelor's, get your Master's. So I got my MBA. Didn't cost me hardly anything because my company paid for it.
So take those, take those paths, and beyond anything, we heard it from the Cyber Warrior: you have to be committed and study up. Dude, just an hour a day, an hour a day. Plug away, what's happening, what's next?

(01:15:53):
Sharpen the saw.
Amazon, Google and Microsoft Azure all have free training. Tons of really good training. Certificates usually cost something. Training is for free.
First 30 days, usually get a free environment to make your own pop servers,

(01:16:15):
everything else. Do everything else you want, going with the plan. Do that. 90, 90, 90, right, boom, done.
You now have training on Google platform, Azure platform, AWS platform, and you have the essentials of cybersecurity, free training. Do that.
That will help you find a mentor, find your compass, and I

(01:16:38):
wish you the best.

Speaker 1 (01:16:41):
Definitely. Crypto Knight, thank you for all of that wisdom and knowledge. Everybody loves you and they want you back on, so we are definitely gonna get you back on the show here in the coming months.
But, as you know and everybody here in chat knows, look, you need to invite more people on. It's all for the newcomers that need their voice heard. So we're gonna get them heard.

(01:17:02):
But Crypto Knight, thank you for being here. Before I go...
My pleasure.
They finally came in, so I got it. I gotta show it. Hold up, hold up. Where's that? Right here. So, so I did order so y'all could see. Wait, wait, merch.

Speaker 2 (01:17:17):
You got the... Hold on. Oh, I got, you got.

Speaker 1 (01:17:22):
Thursday, I got Thursday, I got this one.

Speaker 2 (01:17:27):
"I drink and hack things." Nice, nice.

Speaker 1 (01:17:30):
Yes, we got Security Happy Hour. Hold up. We gotta get the back.
"Came for the conversation, stayed for the beer."

Speaker 2 (01:17:39):
You know alcohol.

Speaker 1 (01:17:40):
I forget what he said. Come back, you got, you got 60 seconds for me.

Speaker 2 (01:17:45):
I got 60 seconds, go.
We're in year 21 of the local organization, which is now the ISC2 chapter. Started with two of us in a bar that had an MBA program: Masters of Beer Appreciation. Came in every month, got their pint, got a certificate, got a mug, blah, blah, blah.
We said, we should do this more often, invite a friend. Before we knew it, a year out we had like 12 people.

(01:18:06):
Next year we had a hundred people. We had a charity event, boom, done. Professional association, all about community and sharing.
You can do it. I did it, anybody can do it. Reach out, find a friend, create a community and find more friends and share.
Yep, that's the secret, man.

Speaker 1 (01:18:25):
Chatham House... roaring is the secret. Networking and sharing, it is. It is cybersecurity, it is.
But saying that, I love everybody that's been here in chat. Look, if you want to come back, tip after. If you want to do Super Chat, you can do it right now while I'm running the end screen.
Otherwise, thank you, Crypto Knight. Thank you, everybody who's been here.

(01:18:46):
I love you all and you are all my warriors, you're all my family, and I'll see you all next week for another amazing episode of Security Happy Hour.
Thank you, Derek.