Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Joshua Schmidt (00:04):
All right, welcome to The Audit, presented by IT Audit Labs. I'm your co-host and producer, Joshua Schmidt. Today we're joined by Cameron Birkland, Nick Mellem and Eric Brown, as usual. Thanks for listening. How are you guys doing today?
Nick Mellem (00:16):
We're doing great. Awesome. Happy to be here.
Joshua Schmidt (00:19):
Yeah, great, as always. Well, you know, I always start with an icebreaker question. This is one. Maybe you have to put a little thought into this. But the icebreaker question is: when was the last time you tried something for the first time? And I'll go first, give you guys a chance to think about it, don't think too hard. So I did a conference a couple of weeks ago and it was the
(00:39):
first time I tried a sweat lodge. So I was in it. I was in a tent with 30 guys in the dark and it was. It was cool. Um, it was cool. Uh, it was like a spiritual sauna, you know. So, um, we had a, uh, a healer, shaman guy singing songs, and it
(01:02):
was completely pitch black, it was a little claustrophobic and there was a lot of, like, smoke from the fire, but, um, yeah, it was a very interesting experience, definitely the first time I've tried it. Uh, I'm 39. I'm gonna be 40 here in a couple days, so, you know, um, there's not a whole lot of new things. You know, when you start hitting middle age, you're
(01:23):
running out of runway. Yeah, you're running out of runway and you don't get as many first-time things. So I enjoyed that. It was, it was different, it was new, it was, uh, it was a nice experience. So, okay, anyone else want to share? How are we supposed to?
Cameron Birkland (01:37):
Go after that? I know, there's something a lot more boring. Go ahead, Cam, hit us with it, because I've heard about sweat lodges before and I can't say I was ever tempted to try one. But so mine is a lot more boring. I this week tried all-dressed flavored chips. All-dressed
(02:09):
flavored chips. This is a, like, Canadian flavor of chips that you usually don't find here in the US, but I saw them at Walmart and gave them a try. Well, yeah, what was it called? All dress, all dressed. Yep, all dressed.
Nick Mellem (02:20):
What?
What's the flavor, can you?
It's like a mix of flavors.
Cameron Birkland (02:23):
Yeah, basically the ones I had were onion, tomato and vinegar. It's all that combined together and it's just like a tangy, kind of like ketchup. It kind of tastes like a chip. Would you buy it again for two bucks?
Joshua Schmidt (02:39):
Yeah, I would buy it again. Do you remember Clearly Canadian? Did you guys ever drink that back in the day from the gas station? It was like a sparkling flavored beverage. I don't think I've ever heard of it.
Eric Brown (02:53):
Speaking of weird flavors, isn't there an Oreo cookie Coke out now?
Nick Mellem (03:00):
I have seen that. I've not tried it. I have heard of it. I saw it's sugar-free. We should probably get those Coke-flavored Oreos and try them live on the next podcast.
Cameron Birkland (03:10):
Yeah, I was wondering how much it could possibly taste like Oreos, given that it doesn't have sugar in it, and that's kind of Oreo's primary component.
Nick Mellem (03:19):
This is exactly what the listeners are coming here for. These are the hard-hitting questions.
Eric Brown (03:23):
Yep, what was your?
Nick Mellem (03:26):
First, Nick. Oh my gosh, I've been trying to think. Well, I mean, if I want to play it safe. You know, Wild West Hackenfest was my first big security conference.
Eric Brown (03:37):
Oh nice.
Nick Mellem (03:38):
That was fantastic. Notably, I drove my first electric car last week. Two weeks ago, my folks ordered a Model Y and they test drove the performance version and, holy crap. You're like a hippie now. Seriously, I was whipping that thing around the streets like a
(04:02):
goddamn golf cart. That thing is so fast, I couldn't believe it. It was really fun.
Joshua Schmidt (04:10):
You'll have to try a sweat lodge.
Nick Mellem (04:11):
Now I could cap all this off of the sweat lodge. Eric's got to have something good.
Eric Brown (04:18):
What did I do? This is a couple weeks old. I went for the first time in a glider, so that was fun. Oh yeah, you know, where they tow you up behind the airplane, and that was a lot of fun.
Nick Mellem (04:33):
How long did you stay in the air doing that?
Eric Brown (04:35):
About 15, 20 minutes. The glider I was in had a, I believe it was a 38 to 1 glide ratio, meaning for every 1,000 feet that it would descend, you could theoretically go 38,000 feet horizontally.
(04:56):
So just a mile is just over 5,200 feet, just for comparison. But they tow you up to, I think we went up to 3,000 feet, and then you circle around the area looking for thermals. But we did get into a thermal, and you're sitting one behind the other, so you're in the front, the instructor is behind
(05:18):
you, and we got up and then there was a Walmart parking lot just kind of off the end of the runway that we were circling over, because that parking lot generates a lot of heat. And then there's an uplift, right, there's an updraft coming from that, and that's those thermals. Birds of prey circling,
(05:41):
like an eagle or hawks, and they're looking. You know, they're just kind of circling around and going up and moving between thermals, and you can also tell a thermal in some cases where you'll see clouds that are maybe three or four thousand feet off the ground, like these little circular cumulus clouds, and that's from the warm air rising, and then as
(06:05):
it, as it rises, it cools and then it condenses and that forms the cloud. But the thermals are under those clouds, so you'll see birds sometimes in there. We were in a thermal with a bird and, you know, we're in the glider, you're trying to stay in the thermal, so you, you're in a pretty tight bank, like a 45-degree bank, and you're just, you
(06:26):
know, circling around. When we started out, the bird was below us, and then, like two laps in the thermal later, I wasn't doing a very good job staying in the thermal, I could look and he's way above us. But the glider instructor was saying that the bird, he's seen them. Sometimes he thinks their eyes are closed and they're just
(06:48):
feeling the thermal just by the, you know, in their wings, which I thought was pretty cool.
Joshua Schmidt (06:55):
So how do you land something like that, Eric? Do you just stay close to the runway and kind of judge how much time you have left before you need to start making an approach?
Eric Brown (07:05):
Yeah, they have competitions, or just, you know, people who have gliders that want to go long distance. You can go thousands of miles in them. You know, bring your pee bottle, but you can go long distance in the gliders. Uh, and for us, as we were practicing, we stayed within 10 miles of the airport, and then when you get close to the
(07:27):
airport, you want to enter the airport pattern around 1,000 feet, and then as you get close, you're kind of flying a square pattern in that airport. And then the glider, a little different from the smaller airplanes, they have speed brakes on the wings, which is
(07:48):
essentially about a four-foot section that's about the size of a railroad track, like that wide, maybe, you know, three inches, that rises up out of the center of the wing when you pull a lever back, and that really causes you to descend quickly. So you get your, your landing where you want to land set, and
(08:09):
then you, you deploy about half of the speed brake and you come down at a pretty decent angle. You're looking to land in this particular glider at about 60 knots, a little over 60 miles an hour, and then you, you just come in over the runway and then you're just practicing holding it off of the runway.
(08:30):
You're maybe about a foot off of the runway. It's got a wheel in the front, a wheel in the back, and you're just holding it off, holding it off, and then it just sinks down and lands on the runway, and then you pull the lever, the speed brake lever, all the way back, and that, the wheel brakes. And then you come to a stop and get out, hook it up to the, the golf cart and tow it back to the beginning of the runway.
Joshua Schmidt (08:53):
That sounds like a lot of fun, something more fun than the sweat lodge. I'd be sweating like a sweat lodge if I was up in a glider, where I think, uh, there's zero chance. No, no, don't say that, Nick, don't say that. Zero.
Eric Brown (09:09):
I will have my license next spring. When you come up, we'll go out. I'll watch from the ground.
Joshua Schmidt (09:16):
Speaking of watching from the ground, first time, uh, I thought you guys would get a kick out of this, since we've talked about UFOs. Uh, I, I saw Starlink the other night on my, my dog walk and I thought I was witnessing a UFO, because I, I had no idea that's what it looked like. I was. Yeah, I was full to wrap that mode. I was very excited for about 15 minutes until I realized what I
(09:38):
was looking at. Um, but yeah, I, I've never, I've never of that. I mean, I guess that's starting to be common knowledge. People have been seeing it a lot. Have you guys seen it?
Eric Brown (09:49):
Yes, a few times. You have.
Joshua Schmidt (09:51):
Okay, well, yeah, I mean, no one gave me the memo, uh, but yeah, it was about 30 lights in a straight row, um, flying silently across the sky. It was pretty impressive.
Cameron Birkland (10:05):
So, um, impressive, so, um, I guess at some point there's, are they supposed to break up, or, or go into different orbits, or, yeah, they spread out over time. They start really close together and then spread out as they orbit. So I've seen them when they, like, you know, soon after they launch them, they're like a really close trail, and then, as it goes on, you start seeing them one at a time. Do you guys have a Starlink?
Joshua Schmidt (10:23):
No, er, Eric's been using it.
Eric Brown (10:28):
Yeah, whose did I use? Oh, at that vacation there was a VRBO that we had on.
Nick Mellem (10:33):
It was great. I do have one, but I've only used it a few times.
Joshua Schmidt (10:37):
So how does it look? Like a little device. Is it like a little modem?
Nick Mellem (10:48):
Yeah, you get the dish, dish, this flat satellite per se, and you put it on the ground and it's got, I think, like a 40 or 50 foot cable that runs to a, you know, a modem router combo, and plug it into power and away you go. Well, I love.
Joshua Schmidt (10:59):
I love that you said your first conference was Wild West Hack and Fest. That's what we're going to chat about today, and I'll tie that in by saying I know Eric flew out there, yeah.
Nick Mellem (11:07):
We did. I watched him land and picked him up from the airport.
Eric Brown (11:10):
I was trying to get Nick in there. He didn't want to go. I was like, let's do a hot lap, Nick. He was pulling some funny business on that first landing and I watched it and I was like, we know. Jayden and I came, came in, we, you know, we're just chilling, we're listening to jazz music on the way over, it's all chill, um.
(11:30):
And then we came in a little hot on the landing, so we just had to go around to get lined up a little bit better. It wasn't that simple.
Nick Mellem (11:38):
I was watching him on the runway and he's like three feet from the ground and the plane's like, and like, goes back up like this, and I'm like, yeah, right, that's why I'm not getting in that thing. I don't know if it's an Eric, I just don't need to be off the ground.
Eric Brown (11:54):
Here we go, here we, okay. So we're coming in, we, we want to land at about, uh, just about 80 miles or 80 knots on this particular plane. So we're coming in. It's a tricycle landing gear, so it has, you know, a front, front gear and then two, two, you know, wheels underneath the, the wings. So we're coming in the runway at, at, um, where do we land?
(12:16):
Where, the Deadwood Spearfish. So the runway is actually, um, it's kind of where we're coming in. I think, I forget the runway alignment, but where we were landing, I think we were coming out of the east, the southeast. The runway is upsloped. So when we're coming in, and the runway is not flat either,
(12:39):
there's like a hump in it and, you know, we're coming in to land, we're coming a little hot, I did say that, about 85. So we're bleeding off speed and then, just as we're about to land, it's got this lump in it. The front wheel touches the lump, right, comes back up, and I
(13:01):
was like, all right, I'm not going to fight this thing, let's just go around. Full power, go around, get lined up, smooth landing, done. That was not good enough for Nick, though, apparently.
Nick Mellem (13:14):
Me and another colleague were standing there and I'm like, what the heck just happened, and they were like, back off. You could hear us on the radio too, couldn't you? I was inside the, uh, I don't know what do you want to call it, waiting room? And, uh, yeah, I could hear air calling in for quite a ways out, like 20 minutes out, you were calling. Uh, it's airport, though,
(13:34):
a nice airport?
Eric Brown (13:36):
Oh yeah, it's awesome. It was great.
Joshua Schmidt (13:39):
Have you seen this airport, in the one of the scariest airports in the world, in Nepal?
Eric Brown (13:44):
Uh, Lukla, we heard of that one. Is that the one where they've got to come in between, like, the mountain pass? Yeah, it's like literally on the edge of a cliff.
Nick Mellem (13:53):
I thought the one in Vail or Aspen. Is that real right there?
Joshua Schmidt (13:57):
Oh yeah. So, uh, I guess it's in the Himalayas or near there, and, um, yeah, that's. Uh, that's when I always think, I think I saw it in one of those, you know, History Channel's 25 most scary airports in the world. That looks like it's AI, like an AI picture. I'm, I'm glad you're being safe, though, Eric. You know, erring on the side of safety, always, always a good
(14:18):
thing. So you guys got there, what do you do? You check in, you get badges, um, it was, it connected to a casino, or, or what's kind of?
Nick Mellem (14:26):
It was.
Joshua Schmidt (14:27):
You know, what's the first impression when you get this?
Nick Mellem (14:31):
Uh, Deadwood, South Dakota, for a Hack and Fest. So, yeah, after the, uh, grand time at the airport, uh, you know, we, we made it back to the hotel, which is awesome. Uh, what's the hotel called again? The, uh, Deadwood Mountain Grand. Yeah, Deadwood Mountain Grand. You check in. The hotel's fantastic. I think the atmosphere is really cool because everybody's
(14:52):
like-minded, everybody's there looking to have a great time, learn a bunch of things, collaborate with all these great people that are coming from all over the country. You get your badges, which I think Cam has his as well. It's not like a normal badge, you know, you get, you know, pins.
Joshua Schmidt (15:08):
Love the UFO.
Nick Mellem (15:10):
Yeah, it's got the UFO and it turns on, and there's a bunch of challenges, you know, you do with it. So they have a, you know, besides the conference, there's, you know, extracurricular items that you can do besides going to all these classes. But anyways, yeah, you know, you go check in and you get your
(15:32):
badge, and you get your Root Tootin' Roundup book for all your stamps, so you can get the sheriff badge. So we did all that, and we may have paid a visit to the casino.
Eric Brown (15:42):
One visit. Yeah, Uncle Eric had us going on craps and roulette. Uh, it was a good. Roulette was a mistake, the roulette was a mistake, and I, yeah, I'm disappointed in the roulette. Um, yeah, but it was a fun time. I think we, two nights, we, we, one
(16:04):
night we were at the Roundup, where we went. They have a vendor stampede where there are different vendors at different bars, let's say six different bars in town, and then you take that book and you go to that particular area. You meet up with other people at the conference and get your book stamped, and there
(16:25):
may or may not have been whiskey tastings and moonshine tastings along the way.
Nick Mellem (16:31):
Yeah, at each vendor, when you're getting your stamp, there's like a trivia question or something about their tools or some sort of fun, you know, I don't know, kind of icebreaker question that you do, and then when you answer the question correctly, you get a stamp and then you get a drink ticket for the bar. So, you know, it's a good way to, you know, start conversation
(16:52):
with people you've never met before, with your team, and I think it's a really good way to start out, start out the conference, because the next day you're rolling into all kinds of, they have four different tracks where you go to different classes and, you know, you can review the classes, bounce between other ones, and actually kind of, notably, maybe before we get more into the conference, Cam
(17:14):
actually did the pre-conference training, which is two days before the actual conference. Cam, can you elaborate a little bit on what training you did and what it was like?
Cameron Birkland (17:25):
Yeah, yeah. So the pre-conference training is one of the big things that Wild West Hack and Fest offers. So for people who want to do it, you can show up there on Monday. They have a training dinner for everybody who's attending the training, and then you do your training on Tuesday and
(17:48):
Wednesday. The one I did was Intro to IoT Hacking. So this was mainly hardware focused. We were working on, like, actually looking at the firmware in, like, microchips. For example, we had a little router that we worked with where we put a, it's called a chip clip, on it. It's got the pins to read the chip. You just kind of put it on top and it kind of snaps onto the
(18:12):
pins of the chip and it reads the firmware off of it. And we also got to solder. I've used a soldering iron before, but I found out that it's very hard to use one after I've had a cup of coffee. It's very, very precise work, and the first two pins I soldered went pretty well, but the other one was kind of a mess.
Joshua Schmidt (18:37):
I've tried my hand at a soldering iron before, using it for my guitar cables and stuff.
Cameron Birkland (18:41):
That's tricky business, yeah, yeah, and what I found is, uh, it, if you get it right, like right away, it goes great. But if you have to mess with it a little bit, it just all goes downhill, it gets. It's one of those things that gets worse the more you mess with it.
Eric Brown (18:57):
Did you get it on there?
Cameron Birkland (18:59):
I did. Everything worked. Everything worked. We soldered a pin header on so we could communicate with the router over serial. Okay, yeah, so most IoT devices have serial headers like that, but they don't put them on there, right? Because they don't want people to interact with the device
(19:21):
through a console. So what they did for us was they already got the device all prepped and stuff. They removed the solder out of the holes on the board, and we got the header, got the soldering iron, and we had to solder that little tiny header on there. And then we got a sort of adapter, plug the pins in, plug
(19:41):
it into the device, plug it into our laptops, and then we get to communicate with the device over serial and see what that's like.
Joshua Schmidt (19:51):
So was this so you could do some actual hacking activities? It seemed like, through the pictures that I saw of you guys there at the conference, that you were maybe breaking into some RFID doors or doing some kind of live hacking. Tell me a little bit about that. That looks fun.
Cameron Birkland (20:10):
Yeah, that was part of it as well. As far as the Intro to IoT Hacking goes, the big thing was how do you utilize these devices, like the firmware that's built into them, to get into them, right? Because a lot of these are pretty much all Linux-based, with just kind of a basic shell that you can interact with.
Nick Mellem (20:32):
So we learned how to upgrade the shell to a full, like, Linux shell so we can do more with it, and things like that. I think, you know, Josh, getting to, there's so many things going on at the conference, like you couldn't possibly do it all, so you kind of pick and choose different classes that really curate,
(20:52):
you know, what you want to get out of it. So like, for example, I think the first day I was in a lot of, some social engineering classes, some deepfake classes, some AI classes, and a lot of these stem from, you know, governance to AI, to how people are using AI. You know, to where we're seeing deepfakes and how we're combating it. But, you know, and we're talking about the Roundup, like the
(21:16):
vendor stampede, there's all kinds of different extracurricular items you can be doing. You know, one is the badge that we showed. You know, they have a little scanner at all the vendors. So if you go to all the vendors, where there was 25, you can get all their swag. You can talk to them about their tools, you know, in the space, what they're doing, and, you know,
(21:37):
they'll scan your badge and you get a point, right. And then the, all the tracks. There's four tracks that have different classes going on. Well, after the class, you'll go scan your badge and you get a track, you know. So you do that for all four of them. So you have those two, you have the tracks and the vendors, and then you have, like, a CTF, capture the flag, event for the
(21:58):
badge, where you're looking at the code and trying to find the flags, and then, Cam, what's the? What's the last one that I'm forgetting?
Cameron Birkland (22:05):
The events at the, at the conference. Yep.
Nick Mellem (22:08):
So they have four events that you're supposed to scan at to get those, and then you kind of complete that challenge. And then more items that you're talking about were that we did film us breaking in, doing some physical social engineering or physical breaching at the conference. Was those doors, Eric? Do they have six or eight doors?
(22:30):
I think it was. Do you remember, something like that?
Eric Brown (22:33):
Yeah, it was something like that. Like Josh just saw in the video, there were some that were physical, use a bypass lever, and then there were some that were RFID. What was kind of cool is Cam had brought his Flipper Zero, so after the exercise at Wild West there in the conference, the
(22:57):
door hacking was taken back to the hotel. The hotel badge was compromised.
Cameron Birkland (23:06):
It was an older system that they used for the door hacking. All we had to do was just tap the card on the Flipper Zero. The Flipper Zero captures it, and then it's just like having your own card, and, without going into too much detail, hotel keys are often not that different.
(23:28):
Brute forcing is obviously not something you, somebody can't just take a Flipper Zero and hold it to the keypad until they get into the room. But if they get access to your key, that's where somebody can get the data off of it.
Joshua Schmidt (23:42):
Would that even be as simple as sitting at the bar and just holding it close to someone's pocket that may contain their wallet with their hotel key in it, or how close do you have?
Cameron Birkland (23:50):
Yeah, I mean, a lot of wallets are RFID blocking now, so it's probably not going to work for people with newer wallets. But yeah, essentially it just has to be within, you know, a close range and it'll pick it up, just within probably six inches, wouldn't you say?
Eric Brown (24:06):
Cam? Yeah, or less. Yeah, so then we should also talk about social engineering.
Nick Mellem (24:13):
Eric was heavily invested in this.
Eric Brown (24:17):
Which one was this?
Nick Mellem (24:18):
One. Are you talking about where you're calling the, yeah?
Eric Brown (24:22):
That was a good one, but I wasn't going to talk. We should talk about that one. Yeah, go ahead with what you're going to say. Yeah, so the other one, really, Josh, revolves around the meal menu.
Nick Mellem (24:37):
The vegetarians.
Eric Brown (24:39):
They pride themselves on this steak dinner that they have, I think, the second night there. Chuck Wagon, right, or something?
right or something?
Cameron Birkland (24:49):
Chuck Wagon steak dinner.
Eric Brown (24:50):
So some folks like Nick, maybe that's not the first choice, right? Maybe they want a vegetarian meal, and since they don't really like meat, is a theme where I think they're, you know, they had the steak and then they had the mashed potatoes, which had bacon in it, but you really could not escape the, much you wanted to eat the napkin, but you were, you're
(25:13):
gonna have me. Um, so for those with, you know, different preferences, I mean, it's 2024, people like different things, um, you can get a coupon to eat at the restaurant downstairs. Um, so, you know, I was like, what the heck? Right, let's get the coupons, we'll go down the, the, for those
(25:35):
who had it, right, you stand in a really long line, kind of like a, it's like a DEF CON line, so I think it's the only, like, line at Wild West where, you know, DEF CON, you're gonna wait in line two and a half hours to get merchandise because there's 30,000 people there. At Wild West there's maybe a thousand people total. I think a little less this year. So there's not really any lines. Everything's really approachable, really cool
(25:56):
conference, but long lines for the food because everybody's eating at the same time. But I think the lines went fairly quick anyway. So I go up to the desk, I get my coupon. One of the other guys that we were with, he gets his coupon. Now it comes Nick's turn to get his coupon. Now, Nick, you know, social engineer that he is, apparently
(26:17):
had trouble getting the, uh, getting the, the vegetarian, um, coupon to eat at the restaurant downstairs. Nick, I think you were told that you were not vegetarian, is that? Is that what happened? I?
Nick Mellem (26:30):
I told her that I, she said wait. The other gentleman that we were there with was like, yeah, I need another coupon for my buddy there, and I was like, I'm not vegetarian. She's like, you're not vegetarian. I was like, no, no, and she was, got mad at the other, our other buddy, for saying that I was vegetarian to try to get a free
(26:52):
meal. And so could I have carried it out? No, but I'm not passing as a vegetarian. I'm a happily red-blooded American that eats meat.
Eric Brown (27:03):
Drive an electric car and now he's vegetarian.
Nick Mellem (27:06):
We were just talking about how I drove an electric car for the first time, raising hell on the streets, and now I can't pass the social engineering test to get, uh, to get a vegetarian meal. So, but the bright side is that I just expensed it on the Labs for my meal that I had.
Joshua Schmidt (27:23):
I think I've heard about this, uh, the, uh, vegetarian shenanigans a couple times now. It must have deeply affected your emotional well-being. Yeah, it did. I, I think she.
Nick Mellem (27:34):
She said, are you a vegetarian? And I was like, I was like, yeah. I was like, I can smell where you guys are hanging out, the, uh.
Joshua Schmidt (27:45):
You know, the, the, uh, the wood, the wood smoke, the whiskey, the bacon, a huge vat of beans just baking outside. The atmosphere at the conference is really cool, though, like that, like the Wild West name fits it perfectly.
Nick Mellem (28:01):
That's cool.
Joshua Schmidt (28:02):
So I'd love to hear more about the social engineering. One thing I wanted to ask you, Eric, is this is probably not your first conference. You've probably been to many conferences at this point. Yeah, is that safe to assume? Yes, yeah, okay. So why, why keep going? And what did you learn? Or what can you take away from a conference like Wild West Hackenfest to bring back to IT Audit Labs, and how does it
(28:24):
maybe influence your work, you know, moving forward?
Eric Brown (28:27):
Wild West in particular. It's, for me, it's kind of like the culmination of summer. It's a time where we can get together, you know, as friends and colleagues. I think there's like a group of, I don't know, 10 or 12 of us. We jump in a Signal chat out there, and then some folks like
(28:49):
Cam go out early, do a little training, and then most of us are all there by Tuesday or Wednesday, and then we're able to just kind of hang out outside of work, socialize, have some fun and just kind of, you know, be together, hang out and talk to other people that, you know, maybe we only see at that
(29:10):
conference once a year. Meet some new folks who are doing, you know, in the same business that we are, have some fun around the craps table. And this conference in particular is different from others because it's in a really small town like Deadwood. Maybe there's 2,000 people there. Normally. It's not like going to Las Vegas for DEF CON or Black Hat,
(29:33):
where you're just kind of sucked up in this large ecosystem, which is a different kind of fun. But this one is. It just feels more kind of homegrown. Nobody's pretentious, you don't have a bunch of goons yelling
(29:54):
stuff constantly like you would at DEF CON. So I've stopped going to DEF CON and going to Wild West, you know, kind of like for the summer conference. There's some things at DEF CON that you can't get anywhere else, like the Sky Talks. But in all honesty, for the DEF CON stuff, stuff, I think you can get it all online. You can just go to the virtual conference, which I will say the
(30:19):
Black Hills side, or the Wild West Hackenfest. Sometimes it's kind of hard to hear some of the conferences. They do make them all available online, so I attended a few sessions remotely even though I was there, just because it's
(30:40):
easier to hear.
Nick Mellem (30:41):
Kind of branching off what Eric's saying, especially being, like, my first bigger. I've been to other conferences, but this was the biggest cybersecurity one I had been to, and I think it was really cool, kind of like what Eric was saying, that you get all these people that really love this line of work and they're really just genuinely invested, that want to collaborate with like-minded people, and it's like Christmas. Everybody's in a
(31:04):
good mood and they're happy to be talking about things they just actually enjoy: social engineering, black hat stuff, whatever it is, deepfakes, all kinds of stuff, anything you can think of. It's probably there. But then you get people that are literally just there to do the badge competitions and hack the badge and do all these different things. But it's just such a cool environment.
(31:26):
I think that's maybe one of the most underrated aspects to going to a conference like this is the atmosphere of all the like-minded people. You know, Eric, Cam and our other friends, colleagues, or there are people we've never met before from other organizations that work, you know, in government entities, whatever other clients that we collaborate with, and you get to see them all in this place and it's kind of not like work
(31:49):
because you generally want to be there, and Eric also brought up meeting people that, from, let's say, the West Coast, that go to this every year for their organization and you see them again, and for me the first time. So I got to meet some people that Eric and others collaborated with last year, and it's, everybody's just in a good mood, happy to share, you know, what they're learning or how they're handling this
(32:11):
situation, and I think overall it just, it made us all better. Besides learning new aspects, you know, from classes or whatnot, seeing all these different people come from all over the country is really cool, or was one of my highlights of the time.
Joshua Schmidt (32:25):
Yeah, I know burnout can be a big thing in cyber. So I'm sure it's nice to get out of the office, you know, off the computer for a few hours and interface with people and, and kind of have that camaraderie around your work and maybe gripe about some common complaints that you guys deal with on a daily basis. But was there anything that you learned specifically that you
(32:45):
might have taken back into the office after being there? Maybe, Cameron, was there something that, that stuck out to you, that, that may influence your work?
Cameron Birkland (32:55):
Boy, well, I ended up going to a lot of talks there.
You know, I tried to consistently go to one each session.
I can't say I did 100% of the time, but I tried to, and it's honestly tough to pick out one exact thing because there was so much information there.
(33:17):
You know, they get a lot of talent in that do these talks, and I mean I think I really just enjoyed listening to it, you know, and getting to hear what they have to say, and I tried to take some notes as well.
You know, where I could, sometimes take pictures of slides and things.
Joshua Schmidt (33:37):
Yeah, I'm sure it's hard to kind of keep track of everything.
I know what it's like being at some of those conferences.
How about you, Eric?
Was there anything that you learned there that was like kind of a key moment, or maybe a speech or something that you would be bringing back to IT Audit Labs?
Eric Brown (33:53):
You know, I don't know if I learned anything that was net new per se; it reinforced concepts that I had heard in the past.
I think for me one of the more memorable talks was the one on deepfakes, and we do a lot of talks around personal
(34:16):
information security, so that was a cool one, just to see how far that discipline has come in.
You know, the last couple of years where you could take a photo now and, just by looking at that photo, someone who is
(34:36):
relatively, you know, well studied in the area of technology around not only deep fakes but really understanding how to discern where maybe a photo was taken from, and kind of use technology that will essentially overlay a shadow map.
(35:01):
So, you know, at 2 pm the sun is at this angle. You could see the person giving the talk showed a picture that was taken from a window at the Stratosphere in Vegas when he was out there for Black Hat and DEF CON, and technology that's
(35:29):
available could pinpoint exactly the day and time that the picture was taken by overlaying the shadow.
Joshua Schmidt (35:32):
You know, within five minutes, right, but um, something like that is really cool and something that we wouldn't have been able to do, you know, even 10 years ago.
So what's an example of something that's really cool, but also what's an example of something that might have been solidified, that you kind of already knew about security?
That was like, oh yeah, of course, this is kind of a big topic.
I know we've been talking a lot about AI and generative AI and
(35:55):
things like that.
Eric Brown (35:56):
The AI wave and the billions of dollars going into AI, it really feels like we're experiencing that dot-com bubble again.
But on the AI side of things, the AI technology is getting
(36:16):
decent.
There was a CTF that Nick was alluding to earlier that was put on by, I think it was Red Siege, and they spun up a vishing CTF, so voice phishing, and the concept was you had to get three flags, so three different passwords, and you were calling
(36:39):
into this organization, this fake organization, but the fake organization was staffed purely by AI robots.
So you would call into the help desk, you were greeted by the help desk receptionist and then you could be transferred to a different department, and the idea was to be able to, just
(37:01):
using your voice and communication, socially engineer a password reset.
It wasn't perfect, but it was really cool to be able to see how far just the voice recognition software had come.
You know, it's probably operating at like the third
(37:21):
grade level, so to speak, but within five years it's going to be really good.
And just to be able to have a CTF that was vishing based, having no human interaction, just spinning up computers in AWS, I thought was really cool.
Joshua Schmidt (37:40):
That's awesome to hear.
I just got an email from a colleague, or one of the producers that I work with for my agency.
What's happening now in music is that they're using that voice recognition software so that you can replace your voice with a different style of voice, much like we're hearing with voiceover talent happening on YouTube.
I'm starting to see a song and then have it overlay or change
(38:10):
my voice into a female voice or an old soul singing kind of sound or a husky, like, country voice.
You know, something that I'm not able to do with my inflection, so it's interesting to see where all that's going to end up in a few years in all industries, right, not just cyber, but kind of across the board.
It's like auto-tune on steroids, yeah, and there'll be a pushback, but then eventually it will kind of become
(38:31):
ubiquitous.
You mentioned social engineering.
You mentioned socialengineering.
Nick Mellem (38:34):
I think you had a little bit more to say about that, but maybe, Nick, was there anything that you took away that you're going to be bringing back to the office?
For me, obviously, social engineering is huge. One of the gals out there, she did a great, great talk on that, and I think for me the takeaways were some of her tactics and failures that led her to be as good as she is now. Hoping she's going to come
(38:56):
on the show here, hopefully in another couple of weeks or a month, but that was huge for me, just to learn some different tactics and how she's going about it, even down to like her go bag, like what she's bringing and how she's setting up to be successful.
But I was going to bring up AI as we were just talking, but in the conference one of the talks was, you know, governance of AI,
(39:17):
and I think that was more of a takeaway for me, being in, living in more of the compliance auditing space myself, is how do we work to govern, with policy, procedures and training of staff, of AI?
Right, the governance piece is huge as we're trying to keep a lid on what AI is doing.
So there's a couple of talks that I did attend on policy
(39:40):
creation and rules and governance for AI.
So I think that was probably one of my biggest takeaways that I would bring to a client from the conference.
That was tangible information that I learned, um, was just about the governance piece of where we're going and the best way to do that with AI.
Joshua Schmidt (39:58):
And what specifically has changed or evolved from, you know, what maybe it was a year or so ago?
Nick Mellem (40:03):
Well, I think it's huge.
I think it's changing so much, even on a weekly basis.
This is really a broad answer, but I don't think that we ever had a good way, and this is my point of view, that we were actually governing AI.
Right, we're just learning how we want to, how we want to implement policies, what do we want it to do and touch within
(40:24):
our environments?
No-transcript.
(40:54):
More traction now, as we, you know, get deeper in AI.
Joshua Schmidt (40:59):
You know, I just read an article today as I was looking through the news about, you know, it's just kind of a burnout in cyber and there's been a slowdown in the hiring, and we've talked about this a lot.
It's just that constant uphill battle of trying to explain to entities why it's so important to implement these practices.
And people are kind of stuck in this mentality of being
(41:20):
apathetic, or, you know, better them than me kind of mentality.
Do you think that some of the regulatory industries will kind of help push some of these changes that you guys really need to see and help drive the safety that we're all craving, that no one really wants to pay attention to until something breaks? And maybe you can speak to that, Eric, because I know
(41:42):
that's a constant source of your attention, is like explaining to people what the threats are, because no one really sees them.
You know, no one gets to see what you guys prevent, right, and it's always like, you know, you hear about a CrowdStrike or something like that and that's kind of how we get that news.
So it's kind of a thankless job.
Eric Brown (42:01):
You know, that's an interesting one too.
We do get involved in a lot of governance, and I'd be interested to get Cam and Nick's take on this.
It's a problem I'm currently wrestling with in one of our larger accounts, where they're an entity that has some
(42:22):
governmental oversight and they've been stuck on a problem where they're trying to connect two different environments that have sensitive information in those environments, and technically they can connect the environments.
But there's a hang up on some of the
(43:08):
policies, the governmental policies, that are essentially, depending on how you interpret the policy, you may or may not be able to essentially do everything that you want to do in order to have the two environments connected and to be able to have user workstations or user mobile devices in one environment sending data into this protected environment, the management of the user endpoint device kind of controlled in an environment that has less security controls.
(43:29):
You know, the oversight as well, because this environment has, you know, let's call it corporate standard controls.
We'd have to replicate that environment, move thousands of users over into this other environment, or create all of these complexities around how you're doing user management
(43:51):
between really this more closed environment and then more of the traditional corporate environment.
So when you've been involved in the project for about nine months and there's been two or three different teams working on it, and every time a new team gets involved they're relying on this third party government agency to, you know, kind of
(44:14):
provide some overall guidance, and they're kind of, you know, going hat in hand to this agency, saying, yeah, you know, can we do this?
And then, you know, they'll get a little bit of guidance. You know, the government agency is not going to be involved in the architecture, but they'll just kind of say yes or no or whatever.
And then, you know, four weeks later they'll come back with something else.
Can we do this?
And it just keeps going round and round and round.
(44:37):
So I recently said, look, we're never going to get to the bottom of this, we're never going to be able to implement this.
There's clearly a need for it, but if we just keep going round and round, we're not going to get to the bottom of it.
If we want to actually get something done, we've got to say, okay, we've read the guidance, we understand the guidance, but
(45:00):
we're going to put something into place that works.
They can audit us, that's fine.
And if the audit, if we're not able to adhere to whatever the guidance is of the audit, that's fine.
We'll take an audit finding and then we'll go back and, you know, we'll do our best to shore up that finding.
So to me that's an approach.
(45:22):
Otherwise you could just get stuck in this cyclical loop where I could easily see this not being solved for five or 10 years more, given that it's already two and a half years or so in the making, and I've just been involved in nine months and just seen it spin. And I'm currently reading the Elon Musk
(45:49):
I guess it's not really an autobiography, but it's written by Walter Isaacson, who has kind of studied Elon, and regardless of whether or not you're an Elon fan, you have to admit that the guy has done some crazy things, some things that people just said weren't possible, and the book goes into that.
(46:09):
And, you know, maybe Elon hasn't always had the right approach of how to get something done, but he's gotten something done, and he's done it in industries where there was traditionally a lot of resistance and a lot of government red tape to get something done.
So in the book, like, Elon's like, the only laws out there are
(46:33):
the laws of physics, and, you know, as they were going through and they're building rocket engines, there was, you know, some policy or some regulation somewhere that said, you know, you have to do this or you've got to have so many hours of testing, or whatever it was.
And, you know, Elon was really hard on his team and would say,
(46:54):
you know, these regulations are there, you know, they're suggestions, and if it doesn't work, then, you know, challenge it, figure out who wrote it, go, you know, go and talk to that person and find out why it's, you know, that's the case.
And then, you know, if you don't think it's right, then, you know, don't do it, right, you know, we'll figure it out in court or whatever.
(47:14):
And that, I mean, that approach has worked, right.
Like, he's launching rockets, stuff that, you know, Boeing couldn't do.
He's got an electric car company and, you know, the most successful car company of all time.
He's got Neuralink.
He's digging holes underneath Los Angeles, um, and in Las
(47:35):
Vegas, it's tuned out to robots.
It's got robots.
He had PayPal, uh, and I'm probably missing, uh, and Starlink?
I mean, Starlink, that's going to be the most successful company of all time, right?
So just changing the dynamic, but we're only beholden to ourselves.
I mean, you know, humans writing policy and requirements
(47:56):
for other humans, just because it's written down doesn't mean it's right.
And just kind of tying back, Josh, to what your original question was, around how are we doing governance in this ecosystem where we have a rapidly changing environment?
(48:16):
And I think we have to go back to what is it that we're trying to do?
Well, in information security, we're trying to protect the information of that organization.
I mean, that's the very root of it, right?
Or is there privileged information in that environment?
Are there social security numbers?
(48:36):
Is there healthcare information, driver's license records, police data?
Are there systems, then, that protect our safety, right, our SCADA systems or operational technology environment? Like, you know, what is the root of what we're trying to do?
And then, how do we best accomplish securing that environment?
You know, are we using encryption?
(48:57):
Or, you know, how are we doing that?
When you get beyond that, I think some of the regulations really do have to be looked at, because otherwise we're just going to be in this constant loop and we're not going to be successful.
We're just going to be wasting thousands of hours of time.
So, you know, I'm an advocate of going back.
(49:17):
Look at what it is you're really trying to solve for that organization and then putting something in place, and then take the audit finding and, you know, what's the worst that's going to happen?
They say you've got to fix it.
Okay, we'll fix it, you know.
Joshua Schmidt (49:30):
So that's kind of where I land on the whole thing.
I love that: cut through the red tape and then go back to the drawing board and then see what can be fixed to kind of augment things to meet compliance standards or whatever.
At least you got something done.
I see that a lot in general.
I mean, I think we probably all, we see a lot of people go and insert. A lot of money is being made in boardrooms.
You know, I often joke, you know, talking about whether we
(49:52):
should use an exclamation point or not.
You know, on this email or this memo, you know.
So I can definitely relate to that.
That's an awesome take.
Nick Mellem (50:02):
Hey, yeah, we're almost at an hour, so maybe if you guys had any final thoughts on Wild West or what your next conference is, and then we can wrap it up for the day.
I mean, I think we're all excited that Wild West announced Mile High in Denver, so that's coming up in February.
I think a lot of us will at least be there virtually, trying to be there in person, still working out some logistics
(50:25):
there.
But, uh, I think it's a great step for Wild West and the community, allow a little bit more space, see what they do, uh, with, with, in Denver, with more space.
So I'm really looking forward to, uh, you know, going to the Mile High event in February. That sounds like fun.
Joshua Schmidt (50:43):
I also want to take this opportunity to point out that Eric has been speaking at some of these conferences, doing some keynotes and things like that.
You just did one this week, right, Eric?
Eric Brown (50:51):
I did.
Yeah, there was a symposium in Minneapolis.
That was a really cool conference.
It was a three-day conference.
I spoke on the first day.
What was really cool is the account that both Nick and
(51:14):
Cameron were on was at the conference, representing in a capture the flag, and they came in second amongst the professionals.
But I will say they came in second probably because they didn't have Nick and Cam there, because they only wanted full-time employees from the organization.
For whatever reason. Wouldn't have been my first choice.
But I'd say send whoever you can that's representing that
(51:35):
organization, and you get Cam and Nick on it, you probably would have come in first place.
Joshua Schmidt (51:41):
Take the number one spot. You heard it here: ITAL's got the best.
Was it GridSecCon, Eric?
Eric Brown (51:48):
It was Cybersecurity Summit.
Joshua Schmidt (51:51):
Gotcha, all right. Just to let our listeners know, reach out to IT Audit Labs if you'd like to have Eric speaking at your conference.
We're available and we'd love to meet up with you if we're at one of these upcoming events.
Cameron, any final thoughts before we wrap up today?
Are you going to any conferences in 2024 or 2025?
Cameron Birkland (52:12):
Yeah, I'm looking forward to Wild West Hackenfest, Mile High.
If everything works out like planned, I'm definitely going to be there.
Joshua Schmidt (52:22):
Well, it sounds like IT Audit Labs will be well represented, so please get in touch if you're going to be there.
Maybe we can connect up for a whiskey tasting or at least a coffee.
You've been listening to the Audit presented by IT Audit Labs.
I'm Joshua Schmidt, your co-host and producer.
We have Cameron Birkland, Nick Mellom and Eric Brown, and we had a great time chatting today.
Guys, thanks so much for your time and thanks for listening.
(52:44):
Just one more shout out: we have coming up on the end of the year here, so we'll probably take a few weeks off during the holidays.
We're not quite sure of the schedule yet, but we'll be sure to let our listeners know.
In the meantime, we've got plenty of content, plenty of past episodes, so please like, share and subscribe and tell all your friends and give us a five star rating on Spotify.
(53:04):
We now have video on Spotify as well, so you can see us on YouTube and/or Spotify.
Eric Brown (53:10):
Hope to see you soon.
You have been listening to the Audit presented by IT Audit Labs.
We are experts at assessing risk and compliance, while providing administrative and technical controls to improve our clients' data security.
Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security
(53:32):
control assessments rank the level of maturity relative to the size of your organization.
Thanks to our devoted listeners and followers, as well as our producer, Joshua J Schmidt, and our audio-video editor, Cameron Hill. You can stay up to date on the latest cybersecurity topics by giving us a like and a follow on our socials and
(53:53):
subscribing to this podcast on Apple, Spotify or wherever you source your security content.