September 1, 2025 55 mins

Grant McCracken shares his groundbreaking PhD research on satellite security, revealing how vulnerable our orbital infrastructure is to cyberattacks and the urgent need for better security measures before quantum computing renders current encryption obsolete.

• Satellites face unique security challenges with limited patching windows of only 15 minutes during orbit
• Most satellites run on outdated technology with numerous vulnerabilities that can allow complete takeover
• A real-world attack in 2022 showed how Russia could penetrate ground stations and control entire satellite constellations
• Post-quantum encryption will be essential within 5-10 years according to global experts
• CubeSats (small satellites) can be purchased and tested by anyone, creating both research opportunities and security risks
• Bug bounty programs provide unique opportunities for security researchers to specialize and potentially earn substantial rewards
• Zero trust principles must be applied to satellite security before launch since patching in orbit is extremely difficult
• The infrastructure dependent on satellites includes GPS, cellular communications, and financial transactions

You can find Grant on LinkedIn by searching "Grant McCracken Dark Horse" or contact him directly at grant@darkhorsesh.com. His company Dark Horse Security helps organizations at all budget levels improve their security posture, including pro bono work for those who cannot afford security services.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
How's it going? Grant, it's great to get you on the podcast. You know I can't remember when we started talking about this thing, probably because of the four-month-old. Just ruining my schedule and my PhD at the end of the semester is just insane. So you said ruined. What does ruined mean?

Speaker 2 (00:25):
Like you like, it just made everything complicated. Or, like they like, spat up on it and the dissertation was ruined.

Speaker 1 (00:32):
Or yeah, I mean the issue is like the scheduling, the workload. You know, like going into the PhD, it's really hard to understand what the workload is because like there's no, there's no like syllabus, there's no outline or anything like that. You know, I mean like they give you an outline of like a sample dissertation, but like there's, you know, two primary methods

(00:53):
you can go about going to get your PhD and then there's a whole like there's like a thousand different templates out there for dissertations and so your entire academic career. You know you are told like hey, at week eight you have a test, this is what's going to be on the test. You need to know all of this stuff right. Week four you need to have this paper done.

(01:15):
The paper should be on this topic. You know you decided the topic a long time ago and everything. In the PhD, there's none of that. It's okay, go figure out what you want to research and then tell us and if we approve it, then go read about it and then come back and tell us how you're going to like test your theories, what your theories are, and then you go do it and a

(01:36):
couple of years later you come back with your findings and hopefully we give you your PhD.

Speaker 2 (01:41):
So that's and I apologize for being an idiot, you'll learn that's a recurring theme here. What so? That's? That's how PhD. So like there's no, like there's no like course load for PhDs, like I, I honest I had no idea.

Speaker 1 (01:53):
No, it is literally so. You have a, you have an end goal at the end of each course, but you set that end goal. So I and I didn't know this for the first year, I literally didn't know this. That that's how it worked, you know, and I was trying to like, figure this all out. And then I finally got a chair that was like competent and whatnot, and he was like no, you need to be setting like a goal

(02:15):
for each semester and then work towards that goal, and me and you form a plan on how you're going to achieve it. I let you know if it's realistic or not. So, like it's, it is completely out there. Like you know, at the beginning of the summer semester, my chair just asked me what do you want to complete this semester? And I was like well, I got to complete these three things, and those three things encompass like 70 pages of work, wow.

Speaker 2 (02:36):
So so you have completed your PhD or it's still in progress, or, yeah, I'm working on it. Okay, if you don't want me asking so what's the? What's the? I assume it has something to do with security and you can tell me to you're. You're like, nah, it's, it's rocks man, I'm geologist, but I mean what? So? What? What are you studying?

(02:57):
What are you trying to like?
What's your hypothesis, sirs?

Speaker 1 (03:01):
I don't, I don't know my yeah, yeah yeah, so I guess I'll start with like the problem statement. Right? The problem statement is that we have, you know, an astronomical amount of satellites in space that are legacy satellites, that are no longer running on you know modern technology, that are potentially not even functioning. And the ones that are functioning are vulnerable to a

(03:22):
whole host of thousands of attacks where an attacker could literally just take it over and take over that satellite.

Speaker 2 (03:29):
I want to learn about this. I want to learn about satellite hacking. I know nothing about this, and so you're making it sound very Wild Westy, which sounds like fun. Yeah, no, it is, it is.

Speaker 1 (03:38):
Okay, I didn't think it was. And then my chair was actually an Air Force employee, moved to a Space Force employee and he literally said all that he did every day was satellite security stuff. And he literally told me he's like there's no standards, like we're literally just trying our best to deploy like security standards on these satellites because once they're launched,

(04:01):
like there's no patching them, like if you patch it, it takes days to patch it. Right, because you have to, you have to, you know, really compile all of those updates, send it to the satellite at a very specific point in time. You have a very limited window, maybe five or 15 minutes, maybe, if you're lucky, and then hopefully, if it downloads at all at a very slow rate, then it's able to install and pray to

(04:24):
God that you don't get any, any issues, because when it goes around the globe, you know in the next 12 hours or six hours, whatever it might be, that's your time to troubleshoot. For 15 more minutes, wow.

Speaker 2 (04:35):
And you can't, you can't brick the thing. Yeah, yeah, no, no CrowdStrike updates.

Speaker 1 (04:42):
Yeah, oh, yeah, yeah. So I'm I'm researching how to apply zero trust principles to make the satellites more natively secure out of the box before we launch them in an effort to prepare for post-quantum encryption. So technically, yeah, we can throw satellites up there and

(05:02):
you'll be able to have post-quantum encryption on it. You know, have like post-quantum encryption on it, but the post-quantum encryption doesn't mean much if everything else is vulnerable to you know various attacks, right?

Speaker 2 (05:10):
When we say vulnerable, I mean cause you, you so like, if we're talking about like a normal machine, right, it's got like services running on ports and and you've got you know so like potentially running like vulnerable software, or I mean, in some cases I imagine maybe it's not even encrypted, what like? What's the like as an attacker you're potentially posed with

(05:31):
like the same, like you've got like five minutes to kind of try to throw an attack at it. It doesn't seem like it. I don't know. I so like what are? Are the vulnerabilities just things like RCE or I don't know, SQL injection or whatever? Just what? Yeah?

Speaker 1 (05:46):
I would say for the most part, like, there's standard vulnerabilities, the main issue is the patching process and there's no really good way of handling like that problem. Right, because, like, you have to get them, you know so many, you have to get it. You know so many gigs within such a short amount of time over that distance.

(06:06):
And if it gets, you know if there's a man-in-the-middle attack, for instance. Now you just uploaded a piece of malware, right. And like the problem when, like what we saw with the Viasat attack in 2022, with Russia, right when they penetrated, this company on the ground took over their ground station, started communicating directly with their satellites and took them

(06:26):
all down, right, they only had to infect one satellite and that one satellite was then used to propagate throughout the entire constellation from there, right. So Russia now says, okay, well, I have my own ground station. If I got root on their constellation, I could just use my ground station to communicate to it and just point it directly at it and we're going to follow this constellation

(06:47):
around the globe. Okay, wow, so it like turns into a more, almost like a more advanced, persistent threat. You know it's like once they're up there, it's like okay, now it's very difficult to get them out.

Speaker 2 (07:00):
Yeah, that's wild. You mentioned another thing in there that I'm curious about, and again, it seems like you've actually got the intellectual capacity to kind of understand and talk about these things. But post-quantum encryption so like. So I'm not so like I understand in principle what sort of quantum computing is and the opportunities provided there Is.

(07:22):
It are, we, are we, are we that close to a state where, like you know it's, it's going to be usable? And then what are the implications downstream? Obviously, for encryption it's pretty significant. So can you go into that just a little?

Speaker 1 (07:35):
bit. Yeah, so you know, post-quantum encryption is built off of, like, what we call classical, you know computing classical encryption, right, where you're doing a key exchange and off of that key exchange you're building that secure tunnel. Post-quantum encryption, or PQC, is essentially, you know, backing off of that same theory. They're trying to solve right now the reliability of long

(08:00):
distances through various like weather and other anomalies that happen between you know, us on the ground and the satellites in space, right, so the farthest they've gone is, I think it's, 1200 kilometers above the earth, and then it also they also tested it out. So they got a link, they got a quantum link from one ground station to the satellite and then, as the satellite moved, it

(08:21):
transferred that link to the other ground station without dropping connection or anything like that, which is a huge milestone. That was something that was thought to be just completely impossible because essentially, the equipment that is on the actual satellite that is talking to the ground station, it needs to be so precisely calculated that people just thought like

(08:46):
okay, like this is never going to happen because the satellite can move when it's in orbit, like if it goes, you know, if it's one centimeter off, like it's, it's never going to hit its target, right? So, you know, China actually figured out how to do it. At least they wrote a paper about it and there is some debates about whether it's, you know, completely, 100% authentic,

(09:12):
based on what they're telling us in the paper, or maybe they actually did it and they're way ahead of everyone else. So, you know, I've talked to experts throughout the globe at this point a whole host of different countries and companies and all of them give me the exact same answer when I ask them for, like, a timeline of when this is going to be relevant for the rest of the world, right? And they said everyone has told me for sure, 100%, within 10

(09:34):
years. A lot of them are leaning more towards five years, if it's not already there and we don't know it. And the big problem is companies not adopting it fast enough, right? So, like that's a huge, you know, risk that I'm actually pointing out in my research is like, hey, we have the time now, like theoretically, we have the time now.

(09:55):
We should be using this time to invest in the capabilities, because a whole lot of our infrastructure runs off of satellites, but companies are still slow to do it because they're saying, well, it was 10 years away, 10 years ago, right, like we should already be there technically because everyone's been telling us. But it's when you start looking at the research, it's like they're they're proposing that they spoke to their satellite or

(10:17):
communicate with their satellite over quantum already, and if they're doing that at that level, there's no reason why they can't bump it out infinitely, you know, for distance, like there's literally no reason. Okay, yeah, it's an interesting way to start the podcast.

Speaker 2 (10:32):
Yeah, I mean cause you're just talking about things that like I. I mean it's not every day that I get to talk to someone that's doing PhD research on satellites and quantum encryption or whatnot. So I say not every day, I mean there's been exactly zero days in my life that, prior to this one, we're talking about this

(10:54):
kind of stuff. So no, that's fascinating. Thank you for sharing. That's really interesting. If you have papers or articles where people kind of dumb it down for the proletariat might be happy to try to digest some of that, or I don't know, I'll let you know.

Speaker 1 (11:12):
If I find any. Because, you know, I was literally I think it was last week I was thinking to myself, you know, okay, I feel like I have a good understanding of like the small amount of quantum encryption that I understand, right, and I was trying to think of like what's the total knowledge base out there, because I'm talking to way smarter people than me, people that specialize in

(11:34):
quantum. My PhD actually doesn't specialize in quantum. It's taking the quantum requirements of what it needs to actually work and then saying, okay, we can throw zero trust on it in these ways, and this is proven via this method that I worked through, right. So, while I was, I was thinking about, like my level of knowledge with it and I I feel comfortable in my level of

(11:56):
knowledge, but my level of knowledge is like 1% of what's out there at best, probably me being generous, right, and I'm sure someone that's, you know, a quantum expert is going to listen to this podcast and be like, oh, he just explained quantum completely wrong. You know. It's like, okay, well, you tried dumbing this down, you know, to like a fifth grader, you know, or a high schooler you

(12:20):
know what I mean. Like I'm not saying that you're at that level, but like being able to just talk about it with you know normal people. It's like almost impossible.

Speaker 2 (12:27):
Yeah, I, I, I'd love to understand it more. Again, I don't want to take up all your time talking about this. Sorry, I'll I'll stop bogarting the conversation and and uh, and, let you, let you do your thing.

Speaker 1 (12:42):
No, no worries, you know. I mean my audience is pretty much used to it at this point that you know, this conversation, this podcast, will go wherever it wants to go and there's no telling where it will go. But you know, Grant, why don't we start with telling your background, right? How did you get into IT? What made you want to go down the security route? Right, like, tell me what that looks like for you.

(13:02):
Because everyone's path is so different and I always start everyone off there, primarily because not only do I want to hear it, I want to understand your story. But if there's someone else, you know, in my audience, right, that's watching the episode, that's listening to it, and they're contemplating getting into IT or security or going down that path, I found that it's always helpful that if you

(13:24):
could just find someone else that went down that same path with a similar background, you can hear okay, maybe that's possible for me, right, and it gives that little momentum that they need to get going.

Speaker 2 (13:35):
Yeah, sure, so I've been in cybersecurity for a little over 13 years at this point, mostly like application security. And as for how I got into it, I think, like a lot of us in security, kind of tripped and fell right, like so I I always, you know, like to do things with computers. Like I built my first computer when I was 10 or something like

(13:57):
that, and so I was always doing stuff with computers, overclocking and like you know cause you're playing games with friends and you know you gotta I couldn't afford a nice GPU, so you gotta like milk everything you could out of it and and so you're, you're always so like there's there's a little bit of like the hacker, you know mindset in that. You know you're like physically trying to like overclock the

(14:17):
RAM. You're like upping the voltage and seeing just where it'll break and just how hot it can get. Like what if I, you know, do this other thing, and so you're so kind of already was like playing that. And then you know, in high school you know we mess around with different stuff on the machines there just to be able to play games or be able to go to sites that the field, you

(14:39):
know they didn't want you to go to and nothing like horribly nefarious, but like there's a lot of sites that would just be like blocked for whatever reason and so so. So, yeah, just kept doing that and I actually went to college for communications or my majored in communications. I thought I was going to work in like marketing or HR. I don't know what I was going to do write stuff but yeah. So I graduated in 09, which happened to be, for those that

(15:03):
are fans of history, a bad time to graduate. There weren't a lot of jobs and so kind of kind of just was kind of lost for a few years while just trying to figure things out. And then a buddy that I used to play games with and went to high school with. He was like he got a job at WhiteHat Security through like a Craigslist ad, like I didn't know like real jobs were on

(15:24):
Craigslist and and, and he told me to apply. He was like you could do this, you could figure this out, and so I did that. I got the job and you know, WhiteHat Security at the time had something that you know I refer affectionately to as like a farm system where they'd bring in people of all natures, including, you know, people that that were, you know, like

(15:46):
myself. There were people that had gone to, like culinary school. There were people of all walks of life that they'd bring into this group that they called the TRC and they'd kind of train them how to do application security. And then they'd turn them loose on web apps and you'd go do your assessments. You'd configure the scanner, you do, you know, some people turned out, but some people, you know, had successful careers

(16:07):
out of it. Anyways, long story short, that's how I got into security. I did that for a while and then, and then I eventually landed at Bugcrowd, where I was for the last 10 years, where I worked my way up from, you know, doing triage and validation, all the way up to when I left. I was the VP of ops, so I oversaw at different points, support, customer success, hacker success, services, pen

(16:29):
testing, a number of other teams that I can't quite recall at this moment, but so did a lot of different stuff and had a lot of different opportunities. And then, after I left Bugcrowd, I was like, okay, what's next? And I was like I want to do something a little bit good. So I built a I know how effective what I was doing at Bugcrowd was in terms of like bug bounties and phone disclosure programs and sort of pen testing as a service, and so

(16:51):
I wanted to make that accessible for smaller organizations. So that's what I built Dark Horse to do is to make those services available to organizations of all sizes and budgets. So we work with really, you know, we're not limited to SMBs, but like small SMBs that can't afford, you know, a Bugcrowd or a HackerOne or something like that. They want those, they want to be more secure.

(17:14):
We're going to help them be more secure. Right, we're not a nonprofit, but we're pretty close to it, at least that's what the bank account says. But again, it's, it's good, it's, it's fun. I enjoy, I enjoy helping businesses. It's, it's a great, it's a great spot to be in and you get to feel like you give back a little. And then it's also just been a new challenge. I I've, I've always been a breaker, not a builder, and so

(17:35):
it's been really fun to be a builder. Yeah, so, anyways, that probably more information than you or anybody else wanted, but hopefully that's helpful.

Speaker 1 (17:44):
No, it's really helpful. It's a fascinating journey. And I say that because actually recently I was talking to a friend who's the director of like offensive security at a professional services firm. I was asking you know what offensive certs he has? And he listed them off probably like four of them or something

(18:06):
like that. I think I like forgot that I was getting my PhD at the time and I was like, man, I want to start like studying for you know my OSCP, right, like I want to get a little bit more active on the offense side. And he goes dude, you got enough with your PhD, wait till you graduate. Man, I'm like, oh yeah, oh yeah, I got that thing going on.

Speaker 2 (18:23):
Yeah, I can't imagine what it's like to do the PhD thing. It sounds kind of fun, honestly, but it's probably not. It's probably like the OSCP, where it sounds like fun, it's not.

Speaker 1 (18:34):
I think once you get into the rhythm of it and you are studying something that you're passionate about which is usually the case for the PhD, or at least it should be you know, it's a little bit easier to actually do the work, and especially with what I've been finding with like LLMs. So I use Grok pretty heavily to like give me very good research

(18:56):
articles and papers. Just, you know, right off the bat, because I found out early on, Google was just completely useless when you're trying to like find research articles, or I mean like it is completely useless. And I went to ChatGPT and it would, you know, hallucinate more than anything else and it would just give me, you know,

(19:19):
out of like 20 articles, you know 15 of them were completely fabricated and I'm just sitting here like I can't, like I'm not making any progress, you know so Grok huh, what about Claude?

Speaker 2 (19:31):
I'm just, I'm just intellectually curious, because I I'm spending a lot of time with LLMs.

Speaker 1 (19:35):
We're building some some LLM stuff, but yeah, go ahead yeah, I haven't used Claude that much, but I'm actually going to start here in a couple months when I start like building out my AI model and whatnot, because I'm not a developer, right so. But I can read code, I can understand it and, you know, work my way through it. At least I know how to do that. So as long as I have something that's like prompting me to go

(19:58):
down that path, even if it's incorrect path, at least I have something in front of me. You know, I think it'll be helpful. So I'm actually going to put what I get from Grok up against Claude and see, you know, see what actually works, cause I actually just upgraded my, my desktop, literally for running this model, because I I put my specs, I put my specs in a Grok.

(20:19):
You know I was having, I had a 3080 and I put my specs in a Grok and it said, oh yeah, it's going to take a month to run all of your tests, like it cannot run into errors. I'm like, okay, what if I go with a 5080? And it said, I'll take 24 hours.

Speaker 2 (20:32):
Okay, I guess I'm upgrading that's crazy. I mean the 3080 is still very capable. I didn't know it was that big of a step change between 3080 and 50?

Speaker 1 (20:43):
I think you know, I think on like the gaming side, they're very similar. But when you start using like the actual CUDA cores, CUDA cores and whatnot, that's when it like is completely separated, which you know 90%, 95% of people aren't going to be using it for that.

Speaker 2 (21:02):
Yeah, so what model are you running that through? Because I mean, ostensibly that's not going through Grok, cause Grok you can't necessarily I. You can tell me I'm wrong, I don't know if is there like a mini version of Grok that you can like run locally, or or are you running that through Like what? What? What LLM are you using locally?

Speaker 1 (21:18):
If you don't mind me asking. So I'm I'm actually not using an LLM locally. I need to start, I want to, but how essentially it's going to work, is it's going to run through PyTorch? PyTorch is going to working through it like that, trying to enumerate the network and all that sort of stuff, and then

(22:06):
there's a whole bunch of different modules in the code that have like different it prevents different attacks, and then separating out the network, adding in micro segmentation, using like open zd to go in and apply it to the satellites, separate out the network, limit the access, you know all that sort of stuff. Right? So it's. It's simulating all of that within within PyTorch. The LLM is more of. Really, the LLM is mostly just like grabbing the information and putting it in front of me as quickly as possible, rather

(22:28):
than having ChatGPT or Google give me straight up false information. At least Grok, most of the time, is giving me something real, got it?

Speaker 2 (22:37):
So when you're simulating these constellations, do you have the firmware that ostensibly some some satellites running? I mean, this sounds pretty, pretty involved. Like to be able to have all that in. I'll let you go.

Speaker 1 (22:52):
Yeah, yeah. So that's like the last phase of my actual research really. So it's kind of broken up into three phases and it's designed like this to eliminate as many questions later on down the line that I don't want to answer, right? So the first phase is actually talking to different experts in the area of, you know, post-quantum encryption, satellite

(23:14):
security, zero trust, though primarily those three domains, right, those three specialties and getting their feedback on some leading questions towards my research, not even telling them necessarily what the research is, but it's very leading, you know, in the way that I ask them and whatnot, not to like get a certain answer, but to get an answer about a very certain thing without giving them specifics, essentially.

(23:38):
And then the second phase is the model phase that I just explained to you using PyTorch. And then the third phase is actually me buying a CubeSat, for I don't know. I think it's like a thousand bucks or something. Buying a CubeSat, deploying their own firmware on it and then deploying my security stuff on it and throwing attacks at it to see if it still holds up.

Speaker 2 (23:58):
What's a CubeSat?
Sorry.

Speaker 1 (23:59):
Yeah, a CubeSat is probably the most common form of a satellite, typically like, when you say satellite, you think like okay, it's as big as my garage. Like you know, I can't have one at home, why would I ever have that? That's actually like very few of them. Like the imaging satellites yeah, they're really big, but communication satellites are typically, you know, anywhere from like 3U to 12 U's.

(24:21):
It can go bigger than 12 U's. The same, you know, like server rack, you know sizing, that that we use. It's the same same same theory with that right. So most of them are between like 3 and 12 U's I think it is in size. So it's pretty reasonable. So I'll just get like a 3U CubeSat and go from there okay, and you, so you can.

Speaker 2 (24:40):
I again. I'm just all this is new to me. So like there's like sounds like a company that just like manufactures things that are built for space and then you throw your own firmware, whatever you want, on it. So so that's, that's essentially how people are putting stuff into space. They're kind of the same way they put stuff on their network. Okay, I'm starting to see where the problems lie.

Speaker 1 (25:01):
Yeah, okay, essentially, essentially, people will buy these CubeSats to like test out their stuff and they'll be like okay, it mostly works.

Speaker 2 (25:11):
Now I'm gonna go spend the 10 million to actually like build the satellite itself and then we'll launch it, you know okay, but like it's so, like people are just putting whatever onto these things, okay, I can, I can see where the I can. I. I figured there was. I figured there was more layers of obfuscation or something in

(25:33):
there.

Speaker 1 (25:35):
No, it's just a bunch of Linux boxes floating a thousand miles up and once you get to it, you get to it. There's no like I didn't get in, it's like no, you get to it, you're pretty much in, huh, just okay. Yeah, I mean, think about the infrastructure that we have that runs off of it. Right, like you know, GPS, cell phones, you know financial

(26:00):
transactions are validated through satellites. Sometimes it's a lot, it's a lot of stuff. When you start looking at it it's like if someone were to attack us, like yeah, they, they would easily just intercept all communications in the country you know.

Speaker 2 (26:13):
I'm in Starlink or and you've got there's I don't know if you've seen them, but like there's a company called ASTS or something like that, but they're, yeah, they're doing like you know, like cellular satellite stuff. I'm not totally sure, but yeah, I mean it certainly seems like it also has like a lot of like I could see cell communications

(26:35):
going to satellite sooner than later. In terms of it just makes a ton of sense. You don't have all like sort of the terrestrial issues with like terrain and everything and you kind of always have access, and then it's, yeah, I could see okay, yeah, okay, makes makes a lot of sense. Cool, I had no idea that. I mean that sounds like a lot of fun.

Speaker 1 (26:54):
Yeah, okay, yeah, it'll be interesting if I could pull it off. It's like like once a week or once a month. You know, I'm just like man, I hope I can actually pull this off, like I don't know, I don't know if I could do it. You know, I talked to like other people that got their PhD and they're like, yeah, that's a normal, that's a normal feeling, like you don't actually know if you're going to pull it off,

(27:14):
like really, until you get the okay that you passed. You know what?

Speaker 2 (27:19):
I mean not to, not to start an existential crisis, but like what happens. If you like I mean like is if the fact that you can't or or't or like if something isn't able to happen, right, I mean, you're kind of also, you know, like I don't I forget if the term is like null hypothesis or something like that, but like you know, you kind of like prove something didn't work.

(27:40):
Is that still like a valid outcome in the eyes of, I don't know, the arbiters of PhD-ness? Or like what happens? Do you have to like

Speaker 1 (27:51):
go back to square one, like how do they manage that? Yeah, so it's like if you test everything out and you validate the tests and the people on your dissertation panel say like, yeah, like he couldn't have done anything differently to get a different result, like that's just what it is, then you can, you know, write in and say like, okay, well, like this process, this entire method doesn't work, it's invalid and you can still

(28:13):
get your PhD on that.
It's just when it's when, like your research methods and how
you're obtaining the information and all that sort of stuff
isn't like valid you know methods and sources and whatnot
that they'll basically take it away.
And you also, you're also on like a timeline right or a time
limit.
So they want everyone to be done within like, I think, five

(28:35):
years, which is pretty steep, but my university wants everyone
done in like three, when they like start penalizing you if you
go beyond three, which is interesting.
I've heard of people go in 10 years and they still didn't pass.
Wow, so I don't know, I don't know about that, but typically
it's like a five year time limit, where you have five years to
do this research topic and if you don't, then you have to like

(28:57):
re-justify why your research is still valid, because someone
else could have done it by then.

Speaker 2 (29:02):
That's fair. Wow.

Speaker 1 (29:03):
Okay.

Speaker 2 (29:03):
No pressure.

Speaker 1 (29:04):
Yeah, yeah, right, at least at least learning that I
can be wrong and still pass.
You know that that gives me a little bit of comfort because I
can be wrong.

Speaker 2 (29:13):
You know pretty good at it yeah.

Speaker 1 (29:15):
Right, right.
So you know to kind of circle back right to your, to your
background.
You know you talked about tinkering, which I actually.
I just did a whole lot of that with my own desktop.
It was very frustrating.

Speaker 2 (29:28):
The ram was Doing the CUDA situation man.

Speaker 1 (29:37):
I did that.
Oh man, yeah, the the RAM was like I put the RAM way too high
and the timings were off and my computer was crashing just
nonstop.
I'm like okay, fine, like it has to go down.
You know, but I remember in the early beginning phases of my
career like I was super curious too and I was like I wasn't just
a tinkerer, like I was definitely a professional
breaker of things, you know, at the company that was lucky
enough to have me I say.

(29:57):
I say that, you know, as a joke, obviously, but you know, it
was interesting though, because I approached it from how would a
user interact with this product?
Right, because I'm, you know, the background is I was on the
support team for enhanced 911 application, right, that gave
like exact information of where someone was when they dialed 911,

(30:19):
something that didn't really exist prior to this solution,
not to the same level, and whatnot.
And so I would just go through the solution and use it like my
users would use it, and I would run into all these bugs.
And I basically turned into like the support team QA person, because
I would always run into the most random problems and there was

(30:41):
like a policy on the support team like if you're running into
something that makes zero sense, you've never seen it before
and if the engineers never seen it before, just take it to Joe.
Joe probably has notes on it.
He'll walk you through it.
Like you know, like eight times out of 10, you know it was
actually valid.
You know, one time a coworker of mine, I was trying to do an

(31:03):
upgrade on a Linux server that had SELinux enabled on it and
it was like fully deployed, like I fully deployed it for them
because they needed it.
You know, fully deployed.
They thought so I went and configured everything.
It was configured properly and he went to try and do an upgrade,
brought everything down, couldn't bring anything back up
and it was getting blocked.
And two hours later he like reaches over you know my desk

(31:25):
and he's like, hey, have you seen where?
Like all this stuff fails, like it just won't start, and like
the engineers were stumped and everything.
I was like, yeah, I've seen that.
What customer?
And he told me and I was like, well, did you turn off SELinux?
He goes no, I was like, yeah, you need to, you need to turn it
off.
And here's the 20 commands you need to turn it off.

Speaker 2 (31:45):
Okay, just, okay, just so it's a good way to learn,
you know yeah, yeah, yeah, that I mean that that's that
kind of mirrors some of the stuff that I did early Bugcrowd
right where I just even actually at the end too, like I
just like people would still come to me and just be like you
know how does how to?

Speaker 1 (32:03):
how can I find this like piece of like esoteric
information and I'm like, oh well, it's like the combination
of like 19 different variables and it's in these six different
sources and you compile them and then you figure it out and so,
yeah, cool, okay do you think that that's like a good maybe
like a good bug bounty method, right, when you're specifically

(32:23):
going into you know an environment, right like
yesterday or maybe two days ago, I was looking at, like you know,
Meta's bug bounty and I think
it's like Bugcrowd or something like that, right, or HackerOne,
and I was just trying to think to myself like, well, how would
I even approach this going forward?
You know, because it was talking about, I think, like the

(32:44):
Oculus, you know, headset or something like that.
How, what do you find to be the most effective method?
Like, where do you get started with bug bounties?

Speaker 2 (32:52):
Yeah.
So I will caveat it by saying that I am I am not the world's
best bug bounty hunter, probably not even the world's like
50,000th best hunter, bug hunter, right.
So like I I helped run and manage a lot of those programs,
but I myself and I've done some bug hunting and again, I have my
OCP, so like I know how to like find vulnerabilities.

(33:14):
So that's mostly the perspective that I'm bringing
here.
But I'm sure people far better at bug bounties can elucidate
far more effectively on this topic.
But I absolutely think that's kind of the right thing to do.
I think that I mean, that's probably a good place to start
with.
Almost everything is make sure you understand how it's supposed

(33:35):
to work, and then you can go break it right, so like, if I
understand okay, so like the application, like if I'm pen
testing an application or whatever, right, I need to
understand, okay, what should I be able to do and what is this
supposed to do?
And then that gives you some ideas around how you could abuse
it or break it. If I'm, if I'm supposed to.
You know, just to use the classical like checkout process,

(33:57):
right, if I, if, if, if I'm supposed to, if this process is
supposed to enable me to pay them money, then what if I could
get it to pay me money?
Or what if I could get it to pay them less money, you know,
and so you start building out, like different use cases around.
Okay, what could I potentially do?
Like, okay, I'm supposed to be able to use view my account

(34:19):
information.
What if I can view somebody else's account information?
What if I can update their information?
And so I absolutely I think that that's absolutely the best
place to start.
A lot of people don't necessarily do that because it
feels like you know a lot of you.
You just, you know you're, you're so so fast out the
building that you, you know, you, you end up making three less

(34:39):
and you end up where you started, kind of thing, where, like you
know, you just want to get going.
That's fine, right, you can do that.
But you're going to have a much more productive time if you sit
there and you like read the docs and you understand.
Okay, like, these are also a bunch of, like, different API
endpoints that can potentially do something else that, like you
know, you can't do in the UI.

(34:59):
It's some potential attack surface that other people aren't
necessarily looking at, or you know things like that.
Again, with the gigantic caveat that I am, I am absolutely not
the world's greatest bug hunter.
I also say that one thing that in my experience of watching
people be effective bug hunters, one thing I've seen, or seem to
have seen it, when bug hunting, people tend to have like

(35:22):
specialties, so like developing a specialty and kind of just
focusing on that as opposed to like trying to do everything,
that makes you a lot more effective at identifying things that
everybody else isn't going to find.
If you're just, if you're just a generalist there's a ton of
generalists out there, right?
Everybody can look for the same, you know, stored and
reflected cross-site scripting.

(35:42):
If you're able to look for something that is more niche and
you don't necessarily focus on cross-site scripting like
everybody else does, you can you can still, you know, find stuff
that, again, other people aren't looking for.
That said, again, going back to that, that thing about the
documentation and going deeper and really like getting into the

(36:03):
weeds, there's a lot to be said for that depth and that level
of persistence and, again, understanding how it works and
where it hooks back to.
For instance, there was a couple of guys that there's a program
that sticks out in my mind where this program had been running
for a long time and people had not found a ton of stuff, and

(36:24):
these guys just decided to come in and they found cross-site
scripting all over the place and they made somewhere they made
hundreds of thousands of dollars off this and it was just like
how, how, how did like everybody else miss this?
Right, it's not like it was like five other people there were a
ton of other people but what they did is they just they just
went and were far more.

(36:45):
You know, everybody else kind of just put their payloads in
these random places, whereas, like they went in and they
there's like these, these aspects where you, you know you
you have to do things that are like 19 layers deep and then
it'll get bubbled up, you know, seven pages away and in some
sort of like administrative console or whatever, and like

(37:05):
that level of like effort and persistence also has like a lot
of value.
You know when you're when you're working on stuff.
So I know that I don't know how much of what I said is actually
going to make any sense, but there's a lot of different ways
to bug hunt.
Again, depth and specialization and focus, I think, are

(37:26):
probably some of the most effective tools that most people
can use.
Make sense? Sorry.

Speaker 1 (37:31):
Yeah, no, that definitely makes sense.
And you know, that's the thing that I really like about
security.
That when I discovered it kind of piqued my interest is that
you can go so deep with it.
You know, you can specialize in such a very small section of,
like web app pen testing, like cross site scripting or whatever
might be like on a certain you know OS or a certain web app.

(37:54):
It's, it's fascinating for me because that just tells me I can
learn like there's no end to my learning.
You know, which really helps the noisy brain that I have to
be able to like zone in and really, like you know, start
learning and focusing on something.
But yeah, and bug bounties have always been interesting to me.

(38:16):
You know, I remember I remember a couple of DEF CONs ago that I
went to.
I was talking to someone in Line CON and he was talking
about how, like he found four or five vulnerabilities early on
in the year, literally like January and February, and he
made enough from it where he just took the year off.
A lot of those guys that's the case.

(38:39):
That is so insane to me to think, oh yeah, I can.
Just, he probably stayed up really late a lot of nights that
he missed sleeping.
Things that I can't do right now because I have a four month
old, but, like you know, for two months of work he just made
like two years worth of income and he's just there hanging out.

(39:01):
You know, like it, industry is out there where, as a side job,
as a hobby, you know you can do something in your industry, make
two years worth of income in one go, right? Within one month
and then take the rest of the year off because you're done.

Speaker 2 (39:20):
Yeah, I will.
I will caveat not to be a wet blanket, right, but those, those
are like rare in terms of just because, like I don't want
people to be like, oh, I'll just go work on bug bounties for two
months and then I'll make two years of salary, because to get
to that point it's a lot of effort.

(39:41):
You'll see people get gigantic payouts.
I saw somebody post, you know like some quarter of a million
payout for, for it was a, it was a Google Chrome sandbox thing.
I think. Wow.

Speaker 1 (39:56):
And so oh yeah, I think I read about that.

Speaker 2 (39:58):
But like to get there right, like I'm not, I'm not,
I'm not doing Google Chrome sandbox escapes, right, and so
like.
So the guy, the guy that's pulling that stuff off, I mean
they're, they're again just like in another tier, not just
another tier, like seven tiers higher and so.
But it's absolutely possible.

(40:18):
And I agree, there's nowhere, there's no like off the top of
my head.
There's not really any other.
You know, you say you're like yeah, I don't know, I was just
trying to think of like another another, another, another job or
something, I don't know.

Speaker 1 (40:33):
I was thinking like a carpenter, if you're a lawyer,
you're going to be working for a law firm and you can't do your
own thing on the side.
If you're doing your own thing on, you know, if you're doing
your own thing as your full-time job, you're not doing extra
stuff on the side.
That's outside of that.
You know, like same thing with like traders, you with like

(40:56):
traders, you know day traders.

Speaker 2 (40:57):
They're not like.
They probably have their own portfolio, but they're not, like
you know, doing what they would do with other people's money.
Yeah, so it's.
Yeah, I completely agree.
I think I think bug bounty is is a really incredible tool for
organizations and for individuals too.
It's also been like it's been like, you know, we'd see a lot
of you know people's lives changed by it, right?
I mean, obviously, the individual you just mentioned,
but you know you got people in developing countries too, where

(41:17):
you can make just way more money than you could make locally and
so, like a lot of people there will do it full time.
Again, it's.
It's got ups and downs, right.

Speaker 1 (41:53):
Just so we're super clear on like it's it's got,
it's certainly got a lure, but you can also go through, like
some deserts and, and you know, not find anything for months or
years and and that's a that's a lot tougher to to kind of handle
and it's you know so, but and started your own company.
Tell me, tell me about that, right, because I guess it
obviously it would have been.
I mean, we weren't, we weren't recording at the time, but you
know you didn't have any kids at the time, so it was probably.
Did it like even register to you, like as a risk?
Or you know, like just walk me through that process of starting
a company, because I think right now, right, I'm thinking

(42:14):
through it myself.
Should I like do my own thing full time, or what does that
look like?
And I'm sitting here and it's like, no, you idiot, you have
two little kids.
Like you need a stable income.
You don't need to be an idiot right now and go start a company
and, you know, not succeed.

Speaker 2 (42:29):
Yeah, I mean a couple of pieces.
One, I kind of saw it so, like there's been a couple of points
in my life where, like, it's been kind of now or never type
situations, and so this is kind of another one of those. Just to
give you some examples of past ones where I was like 26, 24, 26,

(42:51):
some number at when I was at White Hat and I decided to leave,
I just bought a one way ticket to Southeast Asia and I was
just going to go backpack around Southeast Asia because I'd
never I'd never traveled internationally.
But intellectually I knew that if I didn't do it then I may
never do it again.
Right, so, like and and and I feel like my, my, now obviously

(43:13):
I self-fulfilling prophecy kind of situation, but like, like, I
don't think that I could pull that off now, and like and then
I had that decade of Bugcrowd right, where, like, I couldn't
have pulled it off anytime in between there, and so those
three months ended up being like a whole year of backpacking all
around the world and doing a bunch of stuff, and so and I'm
super glad I did it, right, and it was fantastic and so, but again,

(43:34):
just kind of it's either now or never.
And so same thing with COVID.
During COVID I've I've always wanted to kind of live out of a
travel trailer.
I don't know I'm, I'm like a a little bit of a vagabond at
heart, and so I just bought a travel trailer and went around
to like national parks, working remotely, and it I loved it and
it was, it was great.

(43:54):
So but I I got, I did that when I could because I wasn't sure
when.
Anyways, I'm belaboring the point.
Same situation here where, where I didn't have any kids at
the time and or any sort of expectation of a child coming
into the picture and and so I knew that like this is one of

(44:20):
the least risky points in time for me to.
If I was ever going to try to build my own thing, it would be
this or it would be now.
And if I was ever going to try to build something and I was
going to be successful at it, I have 13 years to back me up here.
So like I don't think there's going to be another point in my
career where I have like 13 years of experience in in, like
a field that, like, I'm pretty dang good at.
And then, on top of that, I had a high degree of confidence that

(44:41):
I know what people are paying for this in market.
I know what people, you know, I, I know people are paying for
it in market and so I know that there's no reason why I couldn't
sell this.
So I it was a confluence of those things where I said, okay,
like, so, like it was very intellectual, as it were, right,
like it's not, it's it's, it's less of a you know.

(45:03):
So it wasn't like an emotional decision, right, where, like you
know, I, I, it was just like kind of spur of the moment.
It was like, okay, like this is pretty data driven and I feel
fairly safe in in doing this, and if it doesn't work, I know I
can eject right and I'll go run customer success somewhere or
I'll.
You know I, I can, I can find another role, reasonably

(45:27):
confident in that I don't want to misspeak, who knows, maybe I
couldn't actually try, but so, yeah, so that that, that that
was that was kind of the, the intellectual process behind it.
Would I go do it right now? If, if, like it was right now, I
probably wouldn't, that's so true.

Speaker 1 (45:45):
Everyone, everyone always thinks oh, I got, I got
time, I'll, I'll do it later.
I got the time to do it.
You know, I'm only 20, right, 23, 24.
I got the time to go and do something like that, right.
And I always tell people you have so much less time than what
you think.

(46:05):
One, you don't know when you're going to die.
I mean that's just a point blank fact.
You don't know when you're going to die.
At least you know 9.9 of us out of 10 don't.
Right and like when you're young, that's when you need to
be taking the risk.
If you don't have a family, if you don't have anyone depending
on you, to, you know pay the mortgage or you know provide in
any way, right, like, I think, back when I was in my 20s and I

(46:27):
studied abroad, in Germany, and I mean that was, that was like
the best time ever possible, I mean I got, I got all the
partying that I could have wanted out of the way I traveled
across the globe alone to a country that I'm not familiar
with.
I I spoke a little bit of the language at the time, but you
know it like it was a challenge for me, you know, not as extreme

(46:50):
as Asia.
I mean, I couldn't imagine doing that right, but it's still
like you have to execute when you have that time.
You know that makes a lot of sense and I feel like people
forget that.
You know they always think like, oh yeah, kids, kids will be
down the road.
That's five years away.
It's like, okay, well, yeah, that's five years away and
you're talking about doing something for an entire year.

(47:11):
What are you going to do?
Like, in between, you think that you're just going to take a
little baby on the road?
Like, trust me, seven days in, you're not going to want to
leave the house.

Speaker 2 (47:22):
Yeah, but that's not to discourage anybody from doing.
I mean, the best day to start was yesterday, the second best
day is today, kind of thing.
It's like you know, obviously you know, just because, like
timing is almost never ideal.
I mean, even at the time, right, like I, when I left White Hat,
like I turned down a promotion to go, everybody told me I was

(47:46):
crazy, like, except for like a few friends that were like, yeah,
go get it.
Uh, you know, like my, like my, my family and and whatnot were
like I don't know about this, like you've got like a good job,
you know, like you know, and so, and, and it's tough to make
those kinds of decisions.
So I mean it's never, it's never gonna feel ideal, right,

(48:08):
just I, I'm sorry, I'm just I'm just pontificating to anyone
that's kind of on the fence. Like do, like I'm not telling people
to like go take stupid risk, but like also, don't, don't not
take those risks.
Right, because there's also like there's a component to it
where, where, on your deathbed.
Right, and this is kind of my, this is kind of the thing that

(48:30):
that made me decide that I do want kids.
Right, because there's a period in life where you're like, do I
want kids or not want kids?
Right, you have to like, actually ask that question and
like on your deathbed, right, am I going to?
Or, when I look back at life, am I going to be disappointed
that I, you know like this is going to cost me.
Like I know it's going to.

(48:53):
It's going to cost me physically, mentally,
financially, right, but like, if I look back and I didn't do
this thing, like would I?
Would I be happy about that?
And and some people's answer maybe that they're like, happy
that they didn't have a, have a kid or whatever, but like, for
me, it was like no, I think that that's part of like, the human
experience and so, yeah, so I guess I want kids.

(49:22):
All right, let's go.
And same goes for the business, right, like I, I, I'd have a
hard time looking back and being like, did I, did I, did I?
Leave it all out on the field and and knowing that I didn't go,
do these things, I, you know, like I, I don't want to, I don't
want to, I want to regret not having done something, even if
it ends up being a failure, and so that's been a powerful
reframe.
For me it's just kind of always taking that perspective for the
end of life and saying, okay, like, even if this sucks and

(49:43):
even if it goes sideways, if I like, I will know that I tried
right and I can live with knowing I tried.
Not having tried is a lot.
It's a lot more tough to live with.

Speaker 1 (49:59):
Yeah, yeah, that's a really good point and that's
definitely how how I, you know, think about, or quantify, you
know, different choices in my life.
For sure.
You know, like when I I try to fast forward and when I'm at the
end of my life, what do I want that to look like, you know, and
if it if right now what I'm doing doesn't fit with what I

(50:20):
want that to look like, I know I need to correct something, I
need to fix it, right, and I would I would 100% regret not having
kids if I didn't have kids, like 100%, and I felt like I would
regret it without having any kids.
Right.
And now that I have kids, it's like by far the best thing I've
ever done.
Like I have so much fun.

(50:40):
I don't get any sleep, but like I have so much fun, you know
it's great, you know just seeing the kids grow and everything.

Speaker 2 (50:48):
It's exciting.
I'm curious to know what that's like.
Again, people people always say that and and I anticipate it
being fun I I look forward to like teaching them how to think,
like when I'm with like other kids or like I don't know, like
nephews or nieces or stuff like that.
I'll, like I don't know it's it's fun to like challenge their

(51:10):
thought process.
I'm like you know, like they'll say words to me and I'll be
like, but what does that word mean?
Like you know, just watch them like try to have to like explain
like well, why do we do that?
Why does the, why does the world work that way?
And I don't know.
I I think that's a ton of fun.

Speaker 1 (51:26):
They probably think I'm a terrorist, so Grant, I
feel like I have to have you back on for another episode
Maybe.
Maybe when you're in the thick of it with with your new kid or
just coming out of it.
You know like we can touch base and be like, well, how is it,
you know, cause I call it, I call it going into the suck.
You know like, oh, he's going into the suck or I'm going into
the suck, I'm just coming out of it where it's just like a haze.

(51:50):
You know, for two months, like with my first kid you know she
was born in March and I don't start remembering, like I don't
have another memory until May. Like I negotiated a whole deal,
you know, with a sponsor and everything in person.
I had a really nice dinner with a friend of mine and I don't
remember any of it.
And a couple of weeks go by and my buddy reaches out and says,
hey, did you ever send them the contract?

(52:12):
It was like no way.
I don't know what you're talking about.
Sleep fatigue.

Speaker 2 (52:17):
Yeah, yeah, cause, you're just not sleeping.

Speaker 1 (52:19):
It's just, there's just no sleep.
That's the thing.

Speaker 2 (52:22):
That's why I'm curious about the the working
from home aspect, cause again, I'm I never leave the house, so
like um, when I had an hour in between meetings, I was napping.
Okay, had to yeah.
Yeah, they're.
They're not due till March, so we're still pretty early in the
early in the story.

(52:43):
So I got some time, but a little bit less time than you
think?

Speaker 1 (52:48):
Yeah, less time than you think.

Speaker 2 (52:50):
I believe that yeah Well, that.

Speaker 1 (52:51):
Yeah well, Grant, you know I I apologize for going
over.
We got a little, we got started a little bit late here, but you
know I really did enjoy our conversation and I definitely
want to bring you back on talk about, like what you've learned
new about quantum and and satellites yeah if anything at
all, we'll see.

Speaker 2 (53:09):
We can talk about your new book on on quantum and
satellites for dummies.
Yeah right, explain it like I'm five.

Speaker 1 (53:17):
Before I let you go, how about you tell my audience,
you know, where they can find you if they want to connect with
you and where they can find your company if they wanted to.
You know, reach out and learn more.

Speaker 2 (53:26):
Yeah, so my home address.
Just kidding, so I don't know if you want to dox yourself, so
you can.
You can find me on LinkedIn.
My name's Grant McCracken.
There's another Grant McCracken on there, there's a couple
others, but maybe Grant McCracken Dark Horse. You'll
probably find me there. Grant McCracken security, something

(53:47):
like that.
So feel free to reach out or connect on LinkedIn.
Grant at darkhorsesh is my work email and darkhorsesh is Dark
Horse, obviously, the organization that I've kind of
built.
Again, we're happy to help organizations at whatever stage
they are in their security journey.
Our whole goal is to kind of make those solutions accessible

(54:10):
and affordable, and so, even if you're not able to afford
security, I've got pen testers that'll work for free because we
kind of use the crowd.
So, like there's people that'll gladly do pro bono work and
then I'd be happy to give away the platform for free as well.
So, like we're just here to try to make people more secure.
So if you want to be more secure, whatever your budget
it's a wooden nickel and a rubber band, right we're happy

(54:38):
to kind of do whatever we can to help you become more secure, if
that's what you want to be, we want to help you get there.

Speaker 1 (54:40):
So that's my pitch. Awesome, cool.
Well, thanks everyone.
I hope you enjoyed this episode.