
October 14, 2024 • 71 mins


Ready to unlock the secrets of cryptography and cybersecurity from a seasoned expert? Join us as we welcome back Jeff Man for the riveting second part of his story, where he navigates a hectic schedule filled with speaking engagements at premier conferences like BSides Edmonton and GrrCON. Jeff opens up about his efforts to achieve work-life balance and self-care, sharing plans for a rejuvenating two-week road trip and the enriching experience of spending quality time with his spouse. The episode is a treasure trove of insights into personal growth and the delicate dance of integrating professional and personal lives, especially in the wake of retirement and the COVID-19 lockdown.

Travel back to 1987 and explore the pivotal role Jeff played at the NSA in enhancing military communications security. We delve into his assignment on the manual crypto systems branch, where he utilized classic cryptographic techniques, including the cipher wheel, to improve the US Special Forces' communication methods. With detailed anecdotes, Jeff recounts how he tackled the challenge of creating a practical and secure solution that could be easily memorized by field operatives, shedding light on the evolution of cryptographic practices and their profound impact on military operations.

Our journey through the world of espionage and cybersecurity continues as Jeff shares captivating stories of government espionage, data collection, and the technological advancements that often remain hidden from the public eye. From Cold War tactics to modern data interception techniques, Jeff provides a comprehensive overview of the cyclical nature of intelligence work. Rounding out the episode, Jeff reflects on his transition from the NSA to the private sector, candidly discussing the ethical challenges and evolving landscape of cybersecurity. Don't miss this fascinating exploration of history, personal growth, and the ever-changing world of cybersecurity.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:01):
How's it going, Jeff? It's great to have you back on the podcast. You know we're doing a part two today because your story was so expansive right before that. Like I couldn't just leave everyone on a cliffhanger, and mostly for selfish reasons, I couldn't leave myself on a cliffhanger, right. So how's it been going?

Speaker 2 (00:21):
Yeah, it's been busy. This is the busy season. I forgot when we recorded our first session. I feel like it was like a month or two ago, yeah, and it might have been June, it was before Vegas. I know that, so you know, hacker summer camp has come and gone. Summer has come and gone. I was talking previously about, in the fall I'd be speaking at BSides Edmonton, which is in Canada.

(00:44):
Edmonton, Alberta, as well as GrrCON. Got the GrrCON shirt on. That hasn't happened yet. That's the end of September, so I feel like you're getting me back on. We talked a little bit last time about how it had taken a long time to pull the trigger on this, but this seemed to come much more quickly. The second round, that's what happens when you leave people

(01:06):
with a cliffhanger.

Speaker 1 (01:07):
Yeah, yeah, I guess. So I've also taken a very, very aggressive approach to lightening my schedule the back half of the year, because it's just, it's too much, you know, trying to juggle four or five different things all at once, you know, and trying and try to, right, try to have a family as well, right. Like I don't want to be working until 9 pm every night, but yeah, that could be a

(01:31):
third episode where we talk about work, work-life, family life, balance, self-care.

Speaker 2 (01:36):
I've been learning about self-care this year. My wife and I have been on a journey of learning how to relate to each other more closely after 34 years and empty nesters. And what do we do now? We're staring down retirement and ultimately death. But this is supposed to be the prime of our life and I've

(01:58):
talked to many people that are in the same situation and they're like, yeah, I don't know what I would do with my wife if I had to hang out with her all day long. But we're trying to be a little bit more proactive and plan some things. Like you know, we're taking a two-week road trip the back half of October, just for fun, just because I've never taken a two-week vacation before because of, you know, the workload. That it's

(02:22):
like, dang, I'm going to, I'm going to do it this time. So we're going to take a road trip. Our ultimate destination is to hang out with a dear friend of mine, a pioneer in the industry, especially in terms of security BSides, Mr Jack Daniel. Some people might have heard of him, although he's retired now and, very quickly, people forget about relics from the past. But, yeah, self-care.

(02:43):
But that's not the purpose of this call today. We can save that for yet another episode.

Speaker 1 (02:49):
Yeah, that might even be good for maybe an episode, like, kick off the new year. You know where we're talking about.

Speaker 2 (02:57):
You could even do it as a round table. I know there's several nonprofits in the industry that are focused on various aspects of that, Mental Health Hackers being one of the primary ones that I run into a lot, and they do lots of cool things just to try to help people. As it turns out, what I'm learning is self-care, take care

(03:17):
of yourself. All work and no play make Jack a dull boy. It also drives you to drinking and, you know, bad habits and all sorts of other things and failed marriages and stuff like that.

Speaker 1 (03:29):
So anyway, we digress. Yeah, you know it's interesting. You brought up how, you know, people always say like, I don't know what I would do, you know, with my wife after retirement if I had to spend all day with her or whatnot, and like it kind of takes me back to like the very beginning of COVID, right, because me and my wife got married two weeks before the

(03:49):
lockdown started here in Chicago. Right, so we got married, moved in together for the very first time and now we're locked inside with each other, right, and we're told we can't go outside, we can't go to the gym, we can't go to work, all these things, and that was, that was like, like trial by fire for starting a marriage. I mean, that was insane.

Speaker 2 (04:10):
We heard stories. A lot of people didn't make the cut. You know, they were used to getting along when they were each working and had their own careers and had their own, you know, support groups and social groups and whatnot, and all of a sudden being stuck with one another. Yeah, a lot of people didn't make it.

Speaker 1 (04:28):
Yeah, I know quite a few that didn't, and it's, I don't know, like, I feel like it was definitely difficult, but I'm glad that we, you know, stuck in there or whatnot. Right, like it's, that was a feat in and of itself.

Speaker 2 (04:40):
I feel, in and of itself, I feel, right, well, yeah, I mean, my wife is my best friend. It's been an exciting year for me because one of the things we're learning is she needs to have her own things to do. I obviously have my own things to do and a lot of that is being out in the security community, hacker community, like, you know,

(05:06):
mentioning, I go to a bunch of conferences every year, but I had a chance to... her stuff, my stuff and stuff that we can do together. One of the things that we're trying to do is for her to enter my world and for me to enter her world. So I've been able to take her to a couple of the hacker and security conferences this year and that's been a lot of fun because, you know, she likes talking to people, she likes

(05:26):
meeting people and I tend to hang out with people. People approach me and it's just been fun watching her engage with other people because, you know, she's got a lot of experience and a lot of wisdom too, about all this stuff that we all talk about and care about, and she's been hearing me talk and bitch about security things for 34 years.

(05:49):
So she was always my sounding board over the years when I was trying to figure out how to explain some difficult security concept to a client. I'd run it by her and she's great at making analogies and that's something that I've learned to do, not as well as she does, but over the years, to try to help people understand

(06:10):
concepts by putting it into a language and into a context that they can understand. I got that from my wife and she's great at it, so anyway, yeah, she's, yeah, she's pretty awesome.

Speaker 1 (06:22):
I hope to bring her to many more conferences in the future. Yeah, it's fascinating how, you know, two people can kind of like complement each other that way. Right, like it's, it's really, it's, it's great to have that. I don't quite have that just yet with my wife. She's a special education, like early childhood, teacher, and so like me talking about anything with cybersecurity

(06:44):
just goes straight over her head. She's like, I don't know, you need to break it down more for me, and I was sitting here like, I don't know.

Speaker 2 (06:50):
I kind of told you the basics there. Yeah, but most of us in the hacker community, especially the white guys, you know, we are just adolescents at best, if not toddlers, on the inside. So she's probably perfect for you. Yeah, yeah, exactly. Not making.

Speaker 1 (07:05):
Not making any judgments or accusations, it's just trends, guys. Yeah, the only difference is she doesn't have any patience for me. She has way more patience for her students, but none for me. You know, right, right. Interesting. Well, Jeff, you know where we kind of left off in part one, for the audience.

(07:25):
If you haven't already listened to or watched part one, please go do so. I'll leave the link in the show description or the show notes, whatever it is. But where we kind of left off was we didn't quite get to your invention while you were at the agency. So why don't we talk about, maybe, the problem that you were faced with, that you were trying to solve for, and then

(07:46):
what the invention is and how it's used?

Speaker 2 (07:50):
Sure, yeah. I started at NSA in late 1986 and spent a couple months taking courses, introductory courses, learning about the basics of cryptography and kind of the things that NSA did, waiting to get my clearance, my top secret clearance. When I was finally assigned to an office it was probably early

(08:14):
1987. It was in what at the time was called InfoSec, the defensive side of the house, and I was reporting to the manual crypto systems branch. So this was back in the days where there wasn't a lot of digital encryption going on. I think public key cryptography had been invented.

(08:35):
You know, Diffie-Hellman algorithm, I think that was done early on, but not a whole lot of practical application for it yet. So most of what NSA did from a defensive perspective, InfoSec being defensive, was produce manual, you know, manual crypto systems, what we were doing, but a lot of machine crypto systems. You know, things that you see in movies, army guys talking on

(08:58):
radios. The radio itself is on a backpack. Well, there's other things besides just a radio that are encrypting the voice signal, converting it to digital, doing encryption, various different methods. You know, that technology kind of dates back to World War II. A lot of people are familiar with the Enigma machine. But in the 70s and 80s at NSA, with the advent of more digital

(09:24):
machines and just more machines in general, things like electronic typewriters and copy machines, you know, what we used to call Xerox machines, because Xerox was the company that, you know, made the... you know, they were the first ones or the main ones that made them, everybody assumed that paper systems would go away. NSA was continuing to move towards more machine-based

(09:47):
cryptography, building little black boxes where data went in in plain text form and out came cipher, and all the magic and secret stuff happened inside, literally, little black boxes. So one of the things that I was doing, or I guess my primary assignment working for this organization, was to do sort of

(10:08):
a security evaluation of the existing systems that were out there, the manual systems, and one of the first assignments I had was working with US Special Forces, the Green Berets. They had as their primary form of communication something called a one-time pad, and a one-time pad was literally a pad

(10:29):
of paper. There was two copies, five, maybe 50 groups of five letters, I don't know how many exactly there were, printed on a paper

(10:49):
and you would write your message one letter at a time, above or below the letter that was printed there, and then you would use something called a Vigenère table or a Vigenère square. This is a copy that was the first page of every one-time pad for the US Special Forces. So that's the dimensions of the pad, maybe three inches by six

(11:12):
inches thereabouts. This table represents what was called trigraphs, three-letter combinations. Again, trying to get it up there so you can see it. The communications sergeants that were part of the Special Forces teams, they were responsible for sending and receiving the messages, doing the encryption and the decryption. Back in those

(11:33):
days, very often they were sending the messages, still in the late 80s, by Morse code, and they were receiving the signals by radio signal and they'd have a receiver. They'd set it up, turn to the right frequency, listen for the message, write it down letter for letter. And the way it works is you write down the letter, whether

(11:54):
it's plain text or the cipher. You've got the key. There's a unique third letter. So you write down plain text. There's the key. The third letter becomes the cipher. The cipher gets sent. The other end has the same key. So he writes down two of the three letters and gets back to

(12:14):
that first letter because it's a unique three-letter combination. So that's what they used as their primary form of communication. They also had a backup system in case they were deployed somewhere and had to drop their backpack that had all the one-time pads in it and still wanted to send an encrypted message. They had a memory crypto system and my assignment was to come

(12:38):
up with a new memory crypto system because the one that they'd been using, we'd done a security evaluation prior to when I was there and determined that it was vulnerable and it could be broken. So I set out to try to come up with a new memory system for them, and I had just gone through history of cryptography

(12:58):
courses and learning about all sorts of classic substitution systems, transposition systems, cipher systems, the Caesar cipher from back in Roman days, cipher wheels and Little Orphan Annie decoder rings and all that kind of stuff, and I was trying to use a lot of those different techniques to see if there was one that could be used, because a memory system, by

(13:22):
definition, needs to be something that you can memorize and be fairly easy to use. One of my sort of going-in goals was to take advantage of the guys that were the radio operators. They had these things more or less memorized. They would have this paper every time they cracked open their new one-time pad as a backup, but they would memorize

(13:43):
these things so that they could do it in their head much more quickly. As I was visiting them, you know, we had sort of the work groups for the various communication sergeants from various teams come together and I would present ideas of, you know, what if you did something like this? What if you did something like this? Here's a couple options, what works, what doesn't work.

(14:06):
I think I mentioned on the first episode I was a business major, so I was like applying basic business practices, trying to get, you know, group buy-in and all that kind of stuff. But as I was, like, in a little classroom or meeting room talking to, you know, eight or 10 guys, turning around, writing on the whiteboard and trying to do this and also demonstrate, you know, a couple of different variations of what I was trying

(14:29):
to hope, hope, hope them, hope to get them to buy into. At some point I was struggling because I'm like, I'm not going to memorize these things, I'm using this awkward table and it's just time consuming. And at some point I was back in the office and I was thinking, you know, I just learned about cipher wheels. There ought to be a way to make a cipher wheel out of these,

(14:51):
these alphabets. And so I talked to the guy that was my mentor, I think I mentioned him on the previous episode, the guy that used to write logic problems for Dell Crossword Puzzle Magazine. I talked to him about it and we figured out, yeah, there is a way to do it. So I drew it out on paper and, you know, cut it out, glued it to cardboard, put it together and made just maybe a five or

(15:13):
six inch large wheel, cipher wheel, that had a... This is what the prototype looks like, so we know what we're talking about. The one I did was on cardboard and paper. It was a larger edition, but basically two wheels and there's a little window inside the second wheel, or inside the second row, that has a third alphabet that's hidden. So you line up your two letters, whatever they are, trying to

(15:37):
get it focused here, and in the window is the third letter. So it was magical. I took this cardboard, paper-based wheel with me the next time I visited Special Forces and they loved it so much they stole it from me. I mean, they literally didn't give it back to me. I was like, fine, you can keep it. So the next time I went and visited them, I made like maybe

(15:58):
a half dozen more and they just snatched them up, and at some point I was like, you know, we're NSA, we're in the business of supplying you with all your crypto systems and your crypto materials. Would you like us to make these things for you? And they're like, oh, we would love that. So I went and found a machine shop at NSA that would build prototypes of little black boxes and I gave them some

(16:19):
specs and so they came up with this, being the prototype of this cipher wheel. And I had two of them made and I took them with me and showed it to them and, like, oh, they loved it. So we found a way to get them produced as cheap as possible. Got the unit cost down to $10. And they wanted 15,000 of them.

(16:40):
The sad part about this story is I could not find at NSA a way to only spend $150,000. Everybody I talked to was doing multi-year, multi-million dollar engineering projects, three-year R&D projects, five-year R&D projects, development projects and, for the life of me, and I talked to dozens of people, where do I go

(17:04):
to find the petty cash box? All I need is $150,000. Ended up had to call back to the Army and say, I can't find a way to get this paid for. Will you pay for it? Oh, not a problem. So I got the money from the Army. We made 15,000 of these wheels. So I've been carrying around the two prototypes of these wheels for years, going to conferences and, you know, every once in a

(17:27):
while, you know, somebody would say they're in the Army. Or I'd meet somebody from Special Forces and I'd say, oh, do you ever remember using a little cipher wheel with your one-time pads? And at some point somebody said, yeah, I remember that, we call it the whiz wheel or the whizzy wheel. So when I would meet guys that were Green Berets, you know,

(17:47):
after that I'd ask about the whiz wheel and, you know, a lot of people remembered it. I met a guy at DEF CON, I think back in 2017 or 2018, you know, prior to COVID. Actually, a friend of mine met this guy that was an ex-Green Beret or former Green Beret and said, hey, do you remember the whiz wheel? The guy said yes, and they said, would you like to meet the guy

(18:08):
that invented it? And the guy was like, heck, yeah. So, you know, I met this guy and he was very excited because he had been in Special Forces back in, like, the late 90s, early 2000s and he very much remembered using the whiz wheel. He was the communication sergeant. They called him the POMO. That was sort of their nickname for that position on the team.

(18:34):
The long story short is I, you know, got to know this guy. We corresponded and somewhere along the line he said, you know, I think you'd qualify for membership in our alumni association. So, well, I was never in the military, you know, or in Special Forces. So he goes, oh, I know, but we have special status for civilians that made significant contributions.

(18:54):
So he was able to get me a lifetime membership in the Special Forces Association. So I've got my membership made of metal. It doesn't get me first on the airplane or anything like that, because that has to be retired military or active duty, but it's still kind of cool to whip out every once in a while and

(19:16):
gets me a free drink every once in a while. Last year, 2023, I got to speak at their convention. They have an annual convention. It happened to be in the town where this guy that I had met lived, so he was hosting it, and I gave a talk to the convention about the origin of the whiz wheel and I asked, I sort of put out an appeal, I said, you know, I've never actually seen a

(19:38):
production model because by the time they were made and distributed I had moved on from that office. And if anybody's got them and is willing to part with them, my goal was to have it put on display at the National Cryptologic Museum. That's part of the National Security Agency at Fort Meade, Maryland, and also there's a Special Forces, Special

(19:58):
Operations Museum down in North Carolina, in Fayetteville, at what used to be known as Fort Bragg but is now Fort Liberty, I believe, and that's one of the main Special Forces bases that I used to visit all the time. So a couple days later, by the end of the conference, the guy, my friend, walked up to me and handed me two actual cipher

(20:20):
wheels. So this is one of two actual production model whiz wheels. I mean, it's made out of aluminum, it's nothing fancy. But in talking to these Special Forces guys they were very appreciative of the wheel. One guy told me that, while they had the letters memorized,

(20:41):
very often when they're deployed they might be up for 24, 48, 72 hours and you don't have recall when you're up that long. So he said, yeah, it was a lifesaver to have that wheel available to use in certain situations. The guy, my friend that had got me into the association in the first place, he's on a Facebook group and he said shortly after

(21:02):
he met me, he posted to that group, hey, I'm with the inventor of the whiz wheel. So there's this, all sorts of chatter about remembering the trigraphs, since people were citing the ones that they still remember. One person said whoever made that thing ought to have a national holiday named after him. So apparently it made a difference for him. Long story short.

(21:23):
I mean, it's already been a long story, I guess, but that's what you wanted me to do. I was able to get one of the prototypes and the production model I donated to the National Cryptologic Museum. I did that shortly after I received it back in 2023. Put it on display this past April. So the cipher wheel that I invented is currently on display

(21:46):
at the National Cryptologic Museum. If you happen to be in Maryland or traveling near Baltimore or DC, it's a pretty short haul up to Fort Meade and the museum's open 10 am to 4 pm, I think, Monday through Saturday. Come and see the cipher wheel on display. They were excited because they don't often put stuff on display and the inventor is still alive.

(22:07):
They've got a lot of relics there. I mean, they've got, I don't know how many Enigma machines they've got on display. One of Hitler's personal Enigma machines. He had his own special set that, you know, one traveled with him and one was in his Eagle's Nest or whatever they called it where he used to hang out. They got lots of cool stuff. I mean, you know, the Cryptologic Museum is,

(22:30):
if you're into this kind of stuff, I guess you have to be a certain kind of geek, it's a real fun place to visit. There's a lot of history there and a lot of stories and a lot of mystery involving, you know, cipher and cryptography, and it's really, I guess, for us aging cryppies and people that, you know, worked at NSA, and, you know, I was there for 10 years.

(22:51):
I didn't spend my whole career there, but very much unsung heroes, especially World War II. You know, the role of cryptography and being able to break codes and ciphers that were transmitted by the enemy, you know, were very pivotal in changing the outcomes of most of the wars that we've fought in, in fact all the way back to the

(23:13):
American Revolution. I mean, there was cryptography and secret writings and codes and ciphers employed. I mean, it's been around for thousands of years but definitely has been a role in US history. I was at NSA during the first skirmish in the desert, Desert Shield and Desert Storm, back in the early 90s, and I hope I don't get in trouble for saying this, but it was impressive for me to

(23:36):
be young and at that time I was over in operations, the real side of NSA that people, you know, know and like to think that they know about. But basically it's the code breaking side, the intercepting the messages and trying to... were doing it and getting them back to NSA headquarters. However we were doing that, that's probably all the

(24:10):
classified stuff that might still be classified, but we were getting stuff back, breaking the encryption, getting back to the messages, getting those messages relayed to troops in the field, commanders in the field, very often before the intended recipient of the message is getting the decrypt from his radio officer, and his cryptic

(24:32):
was impressive to me as a young kid and that was sort of to me what the, that was NSA's, that's NSA's mission, that's what NSA was designed to do and that's what NSA is and was in the business of doing. So kind of seeing it in operation, seeing all the planning and all the things involved with getting that kind

(24:53):
of stuff out there, that was kind of cool. So, and you know, the cipher wheel, the whiz wheel, played some role in that encounter. Yeah, later on in 2001, after 9/11, when we started fighting battles in Afghanistan, Special Forces, there's a group, a

(25:14):
Special Forces team, that fought the first battle in the Afghanistan war, horse soldiers. Because they were deployed so early, they didn't have any, they weren't really ready for the desert and they were attached to a local tribe and went in and attacked a city and

(25:34):
so they were on horseback, so they came to be known as horse soldiers. There's a movie about them called 12 Strong. I had to meet their commo, a communication sergeant, a couple years ago because he and a couple of the members of that unit started a distillery.

Speaker 1 (25:49):
So there's a... yeah, I love their whiskey. You've heard of it. Yeah, I've got a bottle of it.

Speaker 2 (25:53):
I've got a bottle of it over there that's autographed by this guy that was the commo. But I was talking to him when I met him and he remembered using the whiz wheel. He said, you know, we didn't take it with us on that battle because at that point they had the beginnings of encrypted radios and stuff like that. But he said it was definitely with us because, again, it was originally... I mean, what remained in use was the memory system, which they

(26:18):
still needed to have the trigraphs, because that's what was used with that. So that's the story of the whiz wheel and, as I said, I had two prototypes. I had two productions. One set is at the National Cryptologic Museum. These two will end up at the Special Operations Museum in Fayetteville at some point.

(26:38):
They're sort of, COVID really screwed up the museums in general. So they're getting reorganized and relocated and refunded and stuff like that. But it'll get there eventually. My goal was simply, you know, I'd been carrying them around for years. My family knew the story, close friends knew the story, but at some point I was like, yeah, this is a piece of history,

(27:00):
somebody should take an interest in it, and they did. So that's kind of, that's kind of.

Speaker 1 (27:07):
Yeah, and that museum is open to the public. Yep, absolutely.

Speaker 2 (27:21):
I do tell people, you know, Fort Meade is right at the intersection of the Baltimore-Washington Parkway, BW Parkway, and Route 32. And there's a very clearly marked exit sign for NSA and there's a sign for National Cryptologic Museum. So you take the exit, loop around, go under 32. You'll come up to an intersection. Turn left, you get to the museum; turn right, you get shot at. Fair warning.

Speaker 1 (27:41):
But it is very clearly... Okay, that's really fascinating. You kind of bring up some of the lengths that the country will go to to intercept communications that are encrypted, that kind of determine and sway the power on

(28:03):
the battlefield. Like I remember reading somewhere that before we even went into Iraq, like something like two months beforehand, we had intercepted all communications, we owned all communications in the country. We owned their entire water system, electrical grid, everything, you know, like that's like a superpower almost.

(28:26):
I mean, like that's almost like the finger of God coming down and touching, you know, a country, right, like because you're owning the entire infrastructure of that country, right, and I always... I just find it fascinating because then I went and I read an article about how the agencies went and set up a, you know, like their own...

(28:47):
They either set up their own encryption company in Germany, I think it was, or they like took over a company in Germany and like basically put a backdoor into this encryption algorithm that, like, Russia was buying and North Korea and all of our enemies, very conveniently, were buying it, but like that, that's

(29:09):
such an extreme length to get to it, so it kind of like it weighs the importance of it, you know, properly in your head, I think. Well yeah, I'm somewhat familiar with what you're referring to because I was in the last, I think, year or two or three, but it could have been before COVID.

Speaker 2 (29:28):
I feel like it was in the last couple of years where
it came out that the CIA I thinkyou know it set up a storefront
and you know it was like alegitimate business that was
selling stuff that had embeddedlittle extras in it, type of
thing that none of us canconfirm nor deny.
But it really speaks to I meanit speaks to more of the
classical history of espionageand intelligence and

(29:53):
counterintelligence.
You know I started at theagency during the Cold War.
So our enemy undeclared,declared enemy was the Soviet
Union.
Soviet Union and the US backand forth, you know, from the
late 40s on up still today,arguably, although it's Russia,

(30:17):
not the Soviet Union have beenengaged in sort of this
clandestine, you know, cat andmouse type of game where lots of
deception, lots of things gointo trying to steal data.
You know the Soviets were verygood back in the day at
recruiting people to spy forthem.
When I was at the agency in thelate 80s, early 90s, there was a

(30:38):
couple very famous espionagecases exposed Walker Whitworth,
two guys that were Navy or oneof them was the Navy Gosh, I'm
going to forget all the names ofthem.
There was a guy that wasbasically selling.
You know, we had all thesesuper secret keys for all of our
crypto systems and this guy wasselling them and he'd been

(31:00):
doing it for like 15 years.
Nobody, nobody caught it. Walker.
I think his name was Walker. Walker, Whitworth.
Anyway, they're in the history books or you can find it on
Wikipedia.
But the one guy, the reason that he got discovered was because
he was going through a divorce and his wife ratted him out.
But you know, he had been basically selling keys and

(31:23):
getting money from the Soviets and he didn't have political
aspirations, he didn't have a bone to pick with the US
government, he just basically entered for the money.
And you know, there's been a long history of trying to find
people's weaknesses and why would you get them to turn?
And there's still some application to that these days

(31:44):
in terms of social engineering and things like that. You know,
there's variations on a theme, but it still goes down to how do
you get the information and what are creative ways to get
the information.
I was having a conversation with some people a couple weeks
ago, it was probably in Vegas, where they were talking about

(32:05):
yeah, did you know that you can record sounds just by gauging
the, you know, vibrations of various things?
And of course I'm like, yeah, I'm not going to say anything
about that because some place might have known about that for
a hundred years and have been doing it.
But you know, NSA primarily, when I was there, they were

(32:25):
picking things out of the air.
It was all, it was radio waves, various frequencies, high frequencies,
low frequencies, frequency hopping, but it was intercepting
communications and signals traffic.
They had whole organizations that were doing statistical
analysis of the signals that they were collecting to try to
determine if it was an actual signal or if it was noise, and

(32:49):
lots of math went into that.
It's funny because these days, with all the data that's out
there on the internet, proliferation and all the
traffic, we're sort of back to data analysis in some ways.
Not big data, but trying to make sense of more data than you
can consume manually.

(33:09):
A lot of the techniques are still the same: looking for
patterns, you know, trying to compress it down into something
that's even visual.
I saw a talk, I think it was actually at GrrCON a couple years
ago, where the speaker was talking about mapping network
traffic and, rather than just trying to do a schematic of
where things were going, he was, he was plotting it based on

(33:30):
something and like, look at the patterns. Wow, yeah, we used to
do that a long time ago.
Nothing... what goes around comes around.
There's, there is, there's definitely a cyclical nature to
all this.
It seems.
If you've been around long enough, there is a good, yeah,
it's.

Speaker 1 (33:46):
Uh, it's fascinating how, you know, the agencies at
times, or in some ways, right, will be so far ahead of like
what's publicly available, right, and someone will come out with
it, you know, and people in the government that have that, know,
right.
They'll be like, we were using that 10, 15 years ago, right, like

(34:09):
I, I always go back to, uh, you know, the Zero Dark Thirty movie,
right, the very first time when people saw like the, the four,
the four, uh, night vision goggles, right, everyone, I mean
at least everyone, like, you know, kind of like tangentially in
that hobby, right, in America was like, oh, those are the coolest

(34:30):
things, right.
And then you talk, you talk to a Navy SEAL or you, you, you
know, hear an interview of them.
Several years later they're saying, yeah, we use them
because those were like the most trusted things that we had.
We had better stuff, like we had a lot better stuff, but that
was just the most trusted.
We knew that wasn't going to break, right, like that, that's

(34:52):
just like it.
Kind of like it blew my mind when I heard that, because it's
like, man, we thought that that was like the coolest thing.
You know, we never, never seen it before, never thought about
something like that before.
And here they have it. It's
just a casual, you know, Tuesday night, Wednesday night,
you know, whatever it is. Right, right. I always, I always took

(35:13):
that, you know, that always like piqued my intrigue, right,
because I'm a very, uh, I'm a very curious person.
It's always, it's always drawn me to the federal side of it,
right.

Speaker 2 (35:26):
Yeah, there's, uh, I mean, you know, I do another
podcast, Paul's... a pretty publicly known thing
now. How long NSA might have known about it and who they

(35:53):
might have attempted that against, that's probably still
classified.
But there's other things that people talk about that I'll just,
I'll just play it safe and keep my mouth shut because I don't
want to tip the scales.
I mean, I mentioned the Enigma machine. When I started working
at the agency in 1986, the fact that the Enigma machine had

(36:14):
been broken by the Allies during World War II,
that was still a secret and it wasn't declassified until like
1987 or 88.
And the reason it wasn't declassified is because there
was some entity somewhere in the world that was still using the
Enigma machine and we were still intercepting traffic from it
and reading it.
So you don't want to say, oh yeah, we already broke that,

(36:36):
because you're going to lose your source of information.
And that's one of the key elements for the classification
of data, at least in that classical sense, is
it's not the content of the data itself necessarily, back in
those days, it's how you're getting it.
That's what's top secret and compartmented: your collection
methods, what we call methods and sources.

(36:57):
That's very often what is the secret that needs to be kept.
Another example from World War II is the architect of the Pearl
Harbor raid, Admiral Yamamoto, Japanese admiral.
We had intercepted and broken the Japanese communications
prior to the beginning of World War II.

(37:18):
I mean, we had decrypts of the messages that said, you know,
close the embassy, close the Japanese embassy, come on back
to Tokyo, because we're getting ready to go to war.
And there's controversy over whether that message was held
and not sent to Pearl Harbor and all that kind of stuff.
But the point is, shortly after that there was an intercept

(37:39):
where they figured out that Yamamoto was going to be on a
plane going from point A to point B, and so they had an
opportunity to take him out.
They didn't want to immediately send a bunch of fighter planes
out and take him down because that, they felt, would have tipped
off that. How did they know that he was on that plane?
So they ended up sending out a scout plane that just

(38:01):
accidentally bumped into this plane and sent somebody to shoot
it down, just because, and that helped keep the secret that we
knew how to read the communications of the Japanese.
Yeah, that is, that's really fascinating, I...

Speaker 1 (38:16):
I feel like we could probably go for another hour or
two, right, just talking about that sort of stuff, because we
could.
Yeah, well, once, once the interest in me is piqued, it
just doesn't stop.
Right, I'm gonna go back and I'm gonna start reading things
on that, right, but you know, Jeff, why don't we, I guess,
fast forward a little bit?
Right, because before, in part one, you know, we kind of sped

(38:39):
past that, we sped past your, your invention, and then we kind
of sped past, you know, the incident, or however much you
can tell me about the incident, right, that, that resulted, or I
guess, ended up, you know, with you leaving the agency, right?
Can we talk about that a little bit?

Speaker 2 (38:59):
Yeah, and you know, for the full,
for a more complete version of the story, if you happen to
catch my talk, like if anybody's going to GrrCON, I'll be giving
this talk at GrrCON.
BSides Edmonton. I actually signed up for a conference in
Philadelphia called JawnCon and I'll be giving the talk there.
I don't tell the whole story, it's just a piece of it.
But towards the latter part of my career at NSA, the internet

(39:24):
was becoming a thing.
I was with a group of guys that was learning how to do ethical
hacking, penetration testing, breaking into systems and
networks to see how well they were resistant to it, but then
to discover the vulnerabilities and the ways that things were
being broken into.
We were doing that for a couple of years and there were

(39:46):
complexities to it.
There were political issues, there were bureaucracy issues.
This might sound foreign to people because we live in a
post-9/11 world, but there was this thing called the NSA
charter that basically said NSA doesn't do what NSA does to US
citizens, and while the idea of let the good guys break into
your network and tell you what's wrong before the bad guy does

(40:08):
seems like a great idea, it was technically violating the NSA
charter, so we had to, and I was the one doing it, work with the
lawyers to get the special permissions and to figure out a
methodology that could accelerate the process of
getting authorization to perform these pen tests.
That was the most painful part. At the very beginning of us

(40:30):
doing this and trying to get authorizations,
it would take weeks and sometimes months to get
permission to just break into an internal network or an internal
server at NSA, and one of the problems was everything that we
did had to be classified top secret.
And then it had to, because that was the classification of
the network and the computers and the servers and the

(40:52):
mainframes.
And because it was top secret, we had to go through a very
lengthy process and we were making that work.
We were making headway, I was making headway with the general
counsel, that's what we called the lawyers, the lawyers, and we
were getting to the point where we were sort of coming up with a

(41:13):
good way of doing it, a methodology that was repeatable,
not only in performing the pen test but also the process of getting
the authorizations and permissions and all of our docs
in a row.
But somewhere along the line, and I don't know the exact details,
but word got out that NSA had this capability, and the Internet was
new.
Everybody was plugging in, the World Wide Web was new.

(41:35):
But we eventually got an approach through one of our
sister agencies, I believe it was DISA, Defense Information
Systems... Security Agency, look, somebody look it up.
DISA approached us.
They had a contact at the Department of Justice, which was
an unclassified civil agency, and they wanted to hire us to do

(41:57):
a pen test, or engage us to do a pen test.
There was no money exchanged.
So we had to go through this very lengthy process and I was
working with the lawyers every step of the way, because
unclassified networks at those times were the purview of NIST,
National Institute of Standards and Technology, and NSA was
responsible for classified networks.
It was also fairly common knowledge within that circle

(42:21):
that NIST didn't have a lot of capability in those days, so
they would very often sort of have a handshake agreement, under
the table, gentleman's agreement, to pass the work on to
NSA anyway.
So we embarked on figuring out, and I was following the lawyers'
direction, how do we make this work?
So there's a whole litany of stuff that had to be done, which

(42:44):
was a several months long process.
We got to the point where we had a letter that was written
and signed by the director of the National Security Agency and
addressed to the Attorney General,
you know, who was, you know, the oversight above the Department

(43:05):
of Justice.
It happened to be Janet Reno, if you remember that name.
It had been signed and it had been dated for a Thursday of a
certain week in August, and the weekend before, somebody popped,
defaced, the Department of Justice webpage, website, and that
was the first time a government website had been publicly

(43:29):
defaced and hacked.
So it was in the news.
It was a big deal.
I come into the office on Monday and get a phone call from
my point of contact at the Department of Justice and he
said, help, we were hacked over the weekend.
So I said, well, let me see what I can do.
I hung up the phone with him, got on the phone with the
lawyers, explained what had happened and I said, you know,

(43:50):
I'd really like to get people on the ground by tomorrow to try
to help them out with forensics.
By the way, there was no forensics capability, there were
no forensics guidelines, there was nothing written down in
those days.
All we had was The Cuckoo's Egg by Cliff Stoll, because he had

(44:11):
sort of invented the idea of doing forensics and trying to
track back where an attack might have come from and how things
might have been done.
But we figured we were more capable than most because we had
been learning the inner workings of Unix networks and
networking of Unix systems.
So the lawyers gave me some guidelines or requirements of,
gave me three things I needed to do.
He said, one, get the request from the DOJ in writing.

(44:33):
So that's not a big deal.
I called them back and they sent a memo, inter-office memo
or whatever.
So that was done.
And the second one, second criteria, was don't go alone.
I said, okay, that's kind of cool.
You know, there was a bunch of us from our team, our team that
we called the Pit.
A bunch of us got... I think there was four of us that went down initially.

(44:55):
And the third thing was don't go on your own authority.
Have somebody send you, have somebody in your management
chain send you.
So I did all those things.
So we got a team on the ground on Tuesday.
Now, back in those days everything was hardware-based.
You know, a web server was running on somebody's own server
that was in their own machine room, data center, and it was

(45:15):
hopefully outside of a firewall, if they had a firewall.
But you know, it was owned and operated by the entity.
There was no concept of outsourcing or hosting at that
point and, of course, when they discovered the breach, the first
thing they did was pull the plug on the server and rebuild
it.
So whatever forensic evidence might've been there was pretty
much wiped out.
But there were other systems, there were other servers, and so

(45:37):
we spent a couple days looking around for things.
So Tuesday goes by, Wednesday goes by, Thursday comes and we
go down there and we're there an hour or two and I get a phone
call.
It was somebody from the home office, from the Pit, somebody
that stayed behind, and he said, Jeff, the shit's hit the fan.
You guys got to drop what you're doing right now and come

(45:59):
back to the office.
So we did. So we took an hour or so, hour and a half, to get back.
So we got back to our office and we were immediately escorted
into the conference room for the deputy director of InfoSec.
He was not in the meeting, but he was next door.
He knew what was going on.

(46:19):
Same lawyer that I'd been working with for months and
months trying to make this all work.
I was teaching him about hacking and pen testing and what
it all meant, how it all worked.
He was Irish and, I don't know, Irish,
soulless ginger redheads.
You know, if they get mad sometimes they get really red.

(46:40):
And he was just enraged.
He was like Heat Miser in The Year Without a Santa Claus, if you know
that story, and he was just yelling at us, and mostly me,
since I was the ringleader, about how we had done something
to break the law.
Weren't we aware of the NSA charter?
What we did could get the director fired, if not

(47:00):
prosecuted.
And you know, apparently it was a very bad thing that we did
and we were all kind of like, yeah, we were just there to help.
The customer asked, and at least that was my attitude.
It was like, you know, I went to you and asked you what had to
be done to get me there.
The manager that I had, that had sent me, that person did kind of

(47:21):
throw me under the bus.
They disavowed giving me permission.
They said that I had been deceptive and had not explained
to them exactly what the nature of the request was, which was BS.
But you know, whatever, I, you know, I'm not even saying who the
person is, because let bygones be bygones.
But what was interesting was the talk that I put together this

(47:43):
year,
that I'll be giving, is sort of the, the story of my couple years
after I left the NSA, leading up to where I got into PCI, and I
started doing PCI in 2004.
And when I was putting the talk together I said, oh, I got to
tell a little bit about this story, and I've got a lot of the
evidence.
I've got copies of the letters that went back and forth.

(48:04):
I've got a copy of the letter from the director that never
got sent, and I saw the date on it and I'm like, you know, it was
like August 21st or something like that.
And I'm like, that's weird, because I left before the end of
September because, you know, in government the end of the
fiscal year is end of September and I left before the end of the
fiscal year.

(48:24):
So I'm like, wow, that was like five weeks.
And I think about all that transpired in terms of I was put
on double secret probation.
I had my clearance pulled.
They still let me sit at my desk, but they disabled my
access to the network, which was silly because we all had like a
half dozen ways to get on the system.

(48:44):
But I had to go talk to all sorts of people at internal
security and external security and lawyers and this and that
and the other.
But they also, at the time, because it was coming up to the
end of the fiscal year and it was post Cold War, we hadn't had,
we didn't basically have an enemy in 1996 that we knew about.
So they were doing a buyout, they were letting people, they

(49:07):
were paying people to leave, basically, and I had finally become
eligible for that.
So I took advantage of them paying me basically a thousand
dollars for every year of government service, and I'd been
at NSA for 10 years and two years with the Navy prior to
that.
So they paid me $12,000, which was basically three months of

(49:27):
pay, to go out, and I had gotten the first job offer that came
along, and I was leaving on a Friday and starting...
I think I maybe took a week off, but starting a week later with
like a 30% or 40% pay raise.
So you know, it was like a no-brainer.

(49:49):
A bunch of us had been considering going out into the
private sector anyway because of the allure of making more money
solving the world's problems.
But for me, in part at least, it was getting rid of the
bureaucracy and the red tape.
Because you know, when I first started doing pen testing in the
private sector, we'd get a customer saying that they wanted
it done and we'd negotiate a start time and a start date and

(50:11):
we'd go do it and write up a report and present it, and that
usually took place in about a month, if not quicker, and they
were very appreciative of all the findings that we had and we
would work with them to fix things, and so this follow-on
business was just a lot neater and cleaner and we didn't have
to wait weeks for dozens of signatures and initials from all

(50:36):
sorts of different levels of management.
So that's kind of how I left.
Two anecdotes I'll share with you, because I know we're coming
up on close to an hour.
It wasn't until DEF CON.
Again, it was probably 2017.
It might have been a little bit before that, 16 or 15.
I didn't go to DEF CON until 2014 when I went to work for a

(50:59):
vendor in 13.
And the next year I got to go to DEF CON for the first time,
because I'd been a consultant, a billable resource, for most of
those years.
That wasn't allowed to go out and play and go to conferences
unless I did it on my own.
But I, I was at DEF CON and it was...
I think I was in that, if you've ever been to DEF CON, I was

(51:20):
somewhere between Bally's and Paris, in sort of a thoroughfare,
when DEF CON was over in that area.
And who do I bump into?
But it's this lawyer that I had worked with very closely for
months and months back in 1996.
And I hadn't seen him.
It was probably 2015.
So it had been almost 20 years since I'd seen the guy and I'd

(51:44):
been kind of pissed off at him for most of those 20 years
because I felt like he threw me under the bus, and he turned,
because he was so into it and we were very, you know, had a very
close working relationship.
He was learning a lot and he, you know, to my way of thinking,
he turned on me.
The first thing he said to me when he saw me was, I forgive you,
and I'm like, what are you talking about?

(52:05):
You forgive me? I'm the one that's mad at you.
And then he proceeded to tell me about how, since he was the
one that had sent me, he had gotten in so much more trouble
than I did.
And he was able to withstand it, of course, because he ended up
still working at NSA for probably another 10 or 15 years
after that and became known as a cybersecurity expert and so on

(52:28):
and so forth.
But he also told me that they weren't just trying to fire me,
they were trying to find reasons to charge me with treason and
they wanted to prosecute me.
So I'm like, oh, that's good to know.
Many years later, my God.
So that's one anecdote.
The other anecdote I'll tell you is I went out to Vegas to DEF
CON this past, we're in September now, so it was just a month ago.

(52:51):
One of the guys that I used to work with at NSA, he actually was
a manager that was across the hall from the Pit.
Really great guy, sharp guy.
He's been involved in cyber for many years.
He worked at NSA probably another 20 years after I did.
Then he went to work for the Center for Internet Security, CIS, got

(53:12):
involved in the CIS Top 20.
I won't say his name, to protect the guilty.
This is not a story about him as much.
But he said he was going to be speaking at DEF CON this year
and I had seen him post on LinkedIn a couple of weeks
before DEF CON where he was saying, you know, I'm kind of
excited to go out to DEF CON and have a chance to speak.
And he was reminiscing and thinking, I remember the first

(53:34):
time that NSA officially went to DEF CON, and he said it was in like
2007 or 2008.
And I thought, you know, good Lord, we had people from the Pit
going to like the first or second DEF CON back in 93 or 94.
One of my frustrations, one of all of our frustrations, was how
long it took for NSA to do things and to change things.

(53:57):
And I left in 96, and he's saying that NSA officially went
to DEF CON 11 years later, when we were screaming, those of us in
the Pit were screaming at management, guys, you got to get
with the times.
Things are moving much more quickly.
Internet speed is not three to five year design development

(54:19):
projects anymore.
You got to speed it the hell up and change your way.
And I just thought, holy crap, 11.
It took them 11 years after I left for them to get around to
getting into DEF CON officially.
That's one of the reasons, you know, other than, you know, other
than this little incident, that was one of the main reasons why
I left NSA, was just because they were too freaking slow and they were

(54:43):
too full of themselves.
They had kind of a monopoly, at least on the InfoSec side,
because they had no competition, but they also fell behind very
quickly.
I mean, they used to be the sole provider of
cryptography systems, data protections for, obviously, the

(55:03):
military and the government, and they just were in a lot of ways
not equipped to compete when competition became available.
We are a free market system.
So I left.
It was bittersweet.
If things hadn't have blown up I might have stayed there a
while longer, although a lot of us were looking to go out into
the private sector.

(55:24):
But I did the private sector thing for a few years, did pen
testing for a few years, got frustrated that nobody was
changing anything.
We would break in one way, come back six months later and break
in the exact same way.
Passwords hadn't been changed, permissions, trust
relationships hadn't been changed, things hadn't been
patched or updated.

(55:45):
And at some point I was like, why, you know, why isn't saying
we've got root on all your systems,
the equivalent today would be domain admin,
why isn't that getting the point across?
You've got problems that you need to fix, something.
So I was very frustrated at, not, you know, that wasn't working.

(56:06):
There had to be a better way of doing things, and a lot of the
clients,
they didn't really understand security.
They didn't understand any of the technology.
They didn't understand any of the concepts of data security or
cybersecurity or information security.
And along came PCI and I fell into PCI.
It's a love-hate relationship, mind you, but one of the reasons

(56:29):
why I love it was, all of a sudden, it gave me an audience
with clients where they may not have understood things any
better, but they had to do stuff.
So all of a sudden, okay, how do we make this work?
They were listening in a way that they never listened before,
so I kind of had a captive audience.
But it was where, over, I've been doing it for 20 years,

(56:51):
developed a few techniques and honed a few skills.
I like to think I got pretty good at trying to explain the
concepts of data security in a way that most people will say,
yeah, that makes sense, we should be doing that, and then
help them to start doing it.
But it was a big stick, because just pleading with people and

(57:12):
telling people that it's in their best interest to do things
differently or to make huge investments in security when
they're not understanding why they need it or how they need it
or where they need it or what do they even have to protect...
Home Depot, the CEO when they were breached, which was gosh,
over 10 years ago, he's rather famously quoted as saying, why do

(57:34):
I care about cybersecurity?
We sell hammers.
Well, they also deal with lots of, you know, tens of millions
and hundreds of millions of credit cards that got stolen
because that was lucrative.
Back, the bad guys started monetizing.
So the lessons learned, the things that I learned from the
past, I, I think they still largely apply today, although

(57:56):
the world's changing and I'm, and I'm happy to acknowledge if
some, some of the concepts have become outdated and obsolete,
giving way to other things.
But I haven't run into a whole lot of, and we're still
struggling with getting people to change factory settings and
defaults and changing the default passwords and/or coming

(58:16):
up with strong passwords or eliminating passwords all
together.
And let's move on to some of the other forms of
authentication, like biometrics.
There's all sorts of clever things, but the bad guys in the
hacker community can always think of a hundred ways to
bypass and get around it, and human nature wants us to get

(58:37):
things done.
We want all the data and all the things fast, so the
convenience of the internet, but at the same time, we have this
concept that we need to secure all this stuff.
And you know, frankly, I don't think we're doing a very good
job.
At the end of the day, I don't know if we can do a good job.
Part of me thinks, and this is the curmudgeon in me, thinks that
the ship has sailed, Pandora's out of the box.

(59:01):
That if I can help one company, one organization, be a little
bit better and be able to stay in business, I feel like I'm
making a difference, and I've had the opportunity to do that
with working within the construct of PCI, where I talk
to many other people that keep beating their heads against the

(59:21):
wall and are frustrated because their organizations and their
clients aren't doing the things that they need to be doing, but
they don't have this regulatory stick behind them, at least not
one that's as powerful as PCI, because PCI is quite simple.
You don't have to follow it.
You just don't get to engage in commerce and do business and be

(59:42):
able to take credit cards, and there's some companies that opt
out of that, but most companies want to opt into that, and so
money talks.
It's been a huge motivator, and companies by and large that are
involved in it have gotten more secure, whether they liked it or
not or whether they wanted to or not, but they know they
needed to.
So they could avoid the fines and avoid the breaches, avoid

(01:00:05):
the public scrutiny if their company is involved in a breach.
That's the state of things, and I don't know how, but I've been
doing it for 20 years.
That's what my career has been: PCI. Wow.

Speaker 1 (01:00:20):
So, Jeff, you know, I have one last question before I
let you go.
So when you were transitioning from the agency to, you know, a
company, right?
What was that process like?
Did you know someone at that company that got you the job,
that kind of knew your skill set and whatnot, or, you know, was
it literally that easy back then where you got let go on Friday

(01:00:42):
or you left on Friday and you started a new place on Monday?
I ask because a lot of the people that I talk to with, you
know, TS clearances and whatnot, right, they all say that like
they're basically completely lying to employers to employ
them for the first five years, five to seven years after their
employment with the government, because they can't tell anyone

(01:01:05):
that they even worked for the government.
And especially when it's like the only thing that they've done.
They have nothing to lean on, you know.
So they're making things up just so that they can get
employed.
What was that like for you?

Speaker 2 (01:01:19):
Well, I think in part it was a unique time in history
because this whole, what we now call cybersecurity, was kind of a
new thing and there weren't a lot of people that knew anything
about it, knew how to do it.
There weren't the gazillion vendors out there selling all
sorts of solutions and having all sorts of use cases like we see

(01:01:39):
at the RSAs and the Black Hats these days.
There were like four or five companies that sold firewalls
and most of them, you know, started with building a firewall
for the government.
There were a couple of freeware vulnerability scanners, one
flipped and became closed source and commercial, and one
stayed open, and that was about it, technology, technology wise.

(01:02:01):
So what was in demand were people that kind of knew what it
was all about.
I had been talking to a couple different companies, and most of
us had gone on different interviews because we were
always kind of looking for that, the grass is always greener on the
other side of the fence.
None of us had pulled the trigger.
Well, one of us had left, one of the original members that had

(01:02:25):
left before all this had happened.
Um, but you know, none of us were in a huge rush to leave.
But you know, when I sort of went through what I went through,
I started calling people that I might have been speaking to
before and I got in touch with a guy, two guys, that were running

(01:02:45):
a practice that was doing government work.
It was a government contractor, but they were just beginning to
want to spin up a practice that would start looking at the
private sector, and that was kind of new.
Back then there wasn't a whole lot of focus on the private
sector.
So I was hired by these guys, an office chief and his deputy, for

(01:03:07):
a government contractor, with the idea that I would come in as
sort of a co-director, third in command type of thing, and
focus more on building a practice that was focused on the
private sector and one that was doing vulnerability assessments
and pen testing.
As it turned out, the two guys that I had interviewed a couple

(01:03:30):
of times and went to work for, they both resigned within like a
month after I started at this company, because they went off
for their own better offer to start a practice and do it more
their way, out from under the auspices of a government
contractor, which was almost as bad as working with the
government.
So my immediate job out of the agency only lasted for six

(01:03:53):
months, and in two or three months I'm like, okay, I got to look
for a more permanent position, and I kind of was in a rush and
I took the first offer because I really wanted to get out the
door before the end of September and be eligible for the, for the
buyout.
So I, I went on a bunch of interviews and I think I ended
up getting offers from like four or five different companies and

(01:04:16):
I didn't take the one that offered the most money out of the gate.
I went with the company that seemed to be smaller and leaner and was more serious and interested in spinning up a commercial practice that would focus on the private sector, and let me build a team of people doing pen testing.
We called it pen testing, but it was mostly vulnerability

(01:04:38):
assessment.
Back in those days people wanted to know what all the holes were.
They didn't want to know if you could break in.
They knew you could break in.
They wanted to know all the ways you could break in.
That experience was a little bit more deliberate, and I took more time and tried to talk to different types of companies.
Half of them were, I guess they were all pretty much still

(01:04:59):
government contractors, because that was pretty much all there was back then, at least in terms of professional services companies, but I went that route.
I know a lot of people these days think the way to get into this business is the entrepreneurial route, and I talk to many, many people that are excited about their startup company and they have this vision, and a lot of them I feel

(01:05:20):
like that's the path to success, is the entrepreneurial route. Like, well, there are other ways to do it.
You're not going to get rich and retire and buy your own island, necessarily, being a consultant.
But if you want to make a difference and feel like you're impacting people's lives and have a sense of accomplishment, which I'm not saying you don't get that by building some sort

(01:05:43):
of product company and becoming a vendor.
But I've always had this thing against vendors, because they were competing for the same dollars.
Many of my clients in the early days, they only had so much to spend and they felt like they needed to buy something rather than buy somebody telling them what they needed to buy, which makes sense at one level.

(01:06:04):
But you know, at the end of the day they still didn't know what they were doing and they were buying the thing from the most convincing sales guy.
So I've had, for most of my commercial private sector figures, sort of a disdain for vendors and for salespeople from

(01:06:24):
the vendors.
Not personally, I know. I have many friends that are salespeople, but they understand where I'm coming from.
It's a competition thing, but beyond a competition thing it's, you know, your job is to sell something.
My job is to help the client be more secure.
You might say that that's what your job is, but you have this conflict of interest because you've got a quota to meet, and even if

(01:06:48):
you're a reseller, we've got a hundred widgets on the shelf.
We've got to move those this quarter.
So all of a sudden that widget is, that is the absolute solution that you need, Mr. Client.
In fact you need 10 of them.
How many can I put you down for?
I'm not saying everybody's like that.

(01:07:09):
I used to go around saying that vendors are liars, and then I went to work for a vendor and I found out, no, they're not lying, they just don't know.
They don't understand it any better than anybody else does.
All they know is to read from the script that sales and marketing people put together for them, and I'm grossly, you know, painting a very wide picture here.

(01:07:30):
There's exceptions to all of this, but generally speaking, people don't know what they're talking about.
And I say that having 40 years under my belt.
I don't think anybody knows what they're talking about.
But I don't know what I'm talking about, frankly.
But I have 40 years of having the conversation and I've seen a few things and I think I've learned a few things about how

(01:07:52):
to motivate organizations to do the right thing or help them to rethink how they're doing it.
I've given talks over the years.
One was called Rethinking Security.
What we're doing isn't working, so maybe let's try something different.
Let's try something old rather than new, like applying the actual principles of data security, the way that we used to do it in what was arguably the organization that invented

(01:08:15):
the discipline, which was InfoSec at NSA.
So I don't know if that's the answer.
Yeah, like I said, it's not a... My experience is very much a uniform experience because it was a point in time and a point in history.
So I don't know how helpful it is other than to be diligent.
Take your time, I tell people. Look for something that you like to do.
Look for something that you feel like you have the aptitude for

(01:08:37):
or you think you could do well at it.
Hopefully they're the same thing.
Do that, you'll get paid well, you'll get paid enough to make a living.
You may not be able to retire rich and buy an island, but there's a lot of people that make a pretty decent living and, at the end of the day, most of us need to make a living.
We've got mortgages to pay and mouths to put food in and

(01:09:01):
college tuition for our children to think about in years to come.
You're probably not there yet, but most of us are in that boat.

Speaker 1 (01:09:11):
Yeah, I have about 18 years before I have to make that first payment for someone other than myself, right?
Well, there's no time like the present to start saving. He has, or teach them to be a hacker, and they don't need to go to college, right? They could just, uh, give themselves the degree that they need, right? That's right.

(01:09:32):
Well, well, Jeff, you know it's been a fantastic conversation, like it was the last time. I'll absolutely have to have you back on to talk about some mental health stuff and whatnot, what that looks like for you.
But yeah, I mean it was a fantastic conversation.
I really enjoyed it.
I appreciate the opportunity.
Yeah, absolutely.

(01:09:52):
Well, you know, before I let you go, how about you tell my audience, or remind them again, you know, where they could find you if they wanted to reach out and maybe connect, or, you know, uh, you know, learn more about you.

Speaker 2 (01:10:03):
Sure, my Twitter X handle is Mr Jeff Man.
I'm Jeff Man on LinkedIn.
I'm mostly on LinkedIn these days.
If you Google me, if you go to YouTube, you can find presentations that I've done at various conferences, and if you go to the end, usually there's a slide that actually has my email and even my cell phone number.
I've actually had people call me only like once or twice, but

(01:10:26):
I do try to connect with people as much as possible, giving life advice, mentoring as much as I can, and try to help out and give back as much as I can.
So spell my name right.
It's only one N, A-N, and type in "Jeff Man" in security.
I'll pop up in most of the browsers out there.

(01:10:46):
Search engines.

Speaker 1 (01:10:49):
Awesome.
Well, thanks everyone.
I hope you enjoyed this episode.
Go check out part one in the description of this episode if you're interested in hearing more.
Thanks a lot, Jeff.