Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Yeah. So I don't know how many of you know
people listening here had immigrant parents, but it was very
difficult to get any money out of them for anything, no
matter how good of a cause. So it's like, if
you want to go, you have to go and support
yourself in doing it, right. But yeah, at the time,
I didn't have the ability to get financial aid and
fill out those forms and the whole FAFSA thing. So I actually,
(00:20):
you know, spent one semester, dropped out and started working.
My first job to kind of date myself a little bit,
was as a Firedog technician for Circuit City. So
if you think of like Best Buy's Geek Squad today,
it's basically the same thing, right.
Speaker 2 (00:35):
But I worked at Electric Avenue on Montgomery Wards.
Speaker 1 (00:39):
What a different level of Yeah.
Speaker 3 (00:49):
Well, Circuit City was in the same shopping center as
Montgomery Wards when I.
Speaker 2 (00:52):
Was growing up, right right, either one on the yeah.
Speaker 1 (00:59):
There you go, there you go. But yeah, this particular
Circuit City, though, they had a they had kind of
this deal if you you know, were brought on as
a PC technician, you could get vouchers for Microsoft certifications. Right,
Oh wow, great system. You know, the pay was pretty
good at the time. You know, for a high schooler
or someone fresh out of high school, and
you had the opportunity to get two vouchers to sit
(01:22):
for Microsoft certification exams, which you know, give you a
little bit of a boost, a little bit more strength in
your resume if you have nothing else on that resume.
You know, I'm a fresh out of school with one job,
so uh, you know, I was like, all right, cool,
let me let me smash this button get my two vouchers.
But I kind of realized and using that system they
(01:42):
used providing the vouchers, you can get more than two
vouchers out of the system. If you knew what you
were doing, right, you basically stopped the second one from
loading and take you back to the beginning. I was
able to get to six. So what I did in
about a month and a half was, yeah, man, you
have to you know, use the talents you're given and
use the opportunities that present themselves to you.
Speaker 2 (02:01):
Right.
Speaker 1 (02:02):
So I was able to take three different sets of
certification exams, right because each voucher is like basically
half of one the way things were set up at
the time, and I use that that additional kind of
credibility to actually start applying for my first consulting gigs.
Speaker 4 (02:18):
I can't take no loss owning, no what hit the
ground in and go off? Champ hit the ground in
and go off.
Speaker 1 (02:24):
Cham.
Speaker 4 (02:25):
I can't take no loss, ye owning know what it
hit the ground in and go off.
Speaker 5 (02:29):
If you don't mind, go ahead introduce yourself a kind
of definitely what you do and how you got started.
Speaker 1 (02:35):
I'm Louis Barrett. I'm currently a security researcher. It's basically
a combination of different cybersecurity disciplines, but mainly focused around
kind of finding out what new risks or new
threats exist to kind of influence the direction of either
security company or in my case, the security of a
product of building. Originally got my start. It's kind of an
(02:58):
ironic way, I think. Where I came to the US
from Jamaica, this was like in the early nineties where
you know, the Internet was just really coming into fruition.
People are getting broadband in their homes and people were
filing some to have desktop computing accessible to them. But
the thing was, we didn't necessarily have the money for
this in my family, for us to have our own
(03:19):
personal computer. So there was this summer program in my
city where they would, you know, for twenty five bucks,
you'd have I think like six weeks of computer training
and they would actually have me go and build a
computer throughout this program. Right, So I participated in this program
as a kid, and at the end of it, you know,
I had my own kind of computer work out. But
(03:40):
I guess the crazy surprise before this program actually came up,
before I was old enough to attend, my older cousin went.
He finishes it's like, yeah, you should go do this
is really interesting. But because he went a year ahead
of me, he had already built this machine. It was
already in the home. So while I was supposed to
go through the program normally like everyone else, I kind
of had this thing to the side to kind of tinker on.
(04:01):
By the time I went through this program, I didn't
really have to actually do the coursework. I could kind
of really get to the point and kind of start
working directly on the tail end of it, which is
building your own machine more so than having to
learn the basics.
Speaker 5 (04:14):
Wow, So do you feel like do you feel like
that set you back a little bit, not having to
go through that experience.
Speaker 1 (04:22):
I mean, I got to go through a secondhand right
to see what the year is before me, and it's
just hey, I learned this, they learned that today, and
then having that resource of the end of it to
actually get hands on with. I think it was a differentiator.
I wouldn't say really lost out in anything. I thought
I gained because it's like taking a course twice already
know all the course material, you kind of know what
direction things are going in, so it kind of helped
(04:45):
be able to navigate that a bit more directly. You know.
Speaker 5 (04:48):
Yeah, it sounds like it was like more content to
be gained or more experience to be gained from actually
running the system than it was for putting it together. Yeah,
it was that like a state running system or someone
just kind of like put it together.
Speaker 1 (05:05):
Yeah. It was a local nonprofit, so you know, they
didn't take any external funding from the state. This is
all kind of a grassroots effort. And you know, thinking
back after I'd gone through, it's obviously you know, employed
many years in the industry. Now I want to go
back and actually, you know, donate to these guys, but
they didn't exist anymore. That's actually one of the issues
(05:26):
I ran into, like in Connecticut where I grew up,
was these kinds of programs didn't exist. That program itself
was rare, right, And by the time I could actually
give back, it wasn't there to give back to. So
part of what I try to do now is, you know,
get people access to those resources so they're able to
get hands on and you know, to take
their own path through things if it's not you know,
(05:47):
concretely available to them through school or otherwise.
Speaker 6 (05:50):
Right, Yeah, I would I would have loved something like that.
But I mean, yeah, so.
Speaker 7 (05:55):
I was talking to somebody earlier this week. Today's only two.
So yeah, I was talking to earlier this week about
different programs and how everyone wants to like create a
grassroots effort and just kind of linking smaller programs together
to create, to create a more impactful program overall.
(06:17):
So it's like, oh no, this is what my thought
that this should be. This is what my thought that
this should be, is like four people doing it on
each other, and then like if we just combined our efforts,
like it could be so much better if we all
have the same intent, right, And what I was finding
was that a lot of programs, a lot a lot
of programs because I was telling Rico and Redge earlier,
when I was like thirteen, I went through like a
(06:37):
little cybernetics program. A lot of programs they fall off
after like two or three years, like they very rarely
last that long.
Speaker 5 (06:46):
Yeah, we also found out that during that time, is
she's also like part two wish or something too.
Speaker 6 (06:51):
But we that we've all.
Speaker 1 (06:55):
Go that just earlier in the year.
Speaker 7 (06:59):
Yeah, yeah, it is not a part your situation. And
I don't want to keep explaining this. I don't want
to keep explaining this.
Speaker 6 (07:10):
I'm not going to We'll lock that one back away.
Speaker 5 (07:15):
But yeah, that's dope, man, Like I definitely wish I
had something like that growing up. I mean, I won't
go into like what we're doing right now, but I'm
a really big advocate for people like pouring into the
community in those ways because I mean, as y'all can see,
is it actually works. You know, people actually benefit tremendously
(07:35):
from community led programs that people put together. It's like
it doesn't matter how small it is, you know.
Speaker 1 (07:43):
But yeah, it definitely sparked my interest, right, and just
being able to get hands on, and I don't think
I would have otherwise for probably four or five more
years after that.
Speaker 6 (07:57):
I was gonna ask how old were you when you
when you started a pro program? Again?
Speaker 1 (08:01):
I think that was either eight or nine.
Speaker 2 (08:03):
Dang.
Speaker 6 (08:04):
Wow.
Speaker 1 (08:04):
Yeah, it's like, you know, six week thing over the summer,
So it's not like it's a four or five year program.
Speaker 2 (08:12):
Yeah, But but that that one program did probably change
the dejectory of your life.
Speaker 1 (08:17):
Though, right, absolutely, man, absolutely, And that's the part that counts.
Speaker 6 (08:23):
Yeah, So what what followed that program?
Speaker 5 (08:25):
Where you were you just kind of like going out
of your way to find computer clubs in school or
you tinkering at the house with different things and whatever,
breaking toasters, yes, breaking the screw drivers, pain toasters.
Speaker 1 (08:40):
I had my limits, but no computer clubs in my
neighborhood at least. But what I was able to do
because I had that resource and it was mine, it
wasn't anyone else's. I could take that thing apart every day,
put back together every day. Like, get familiar with with
the hardware, get with the operating systems, get familiar with
you know what certain errors mean. And so if
(09:00):
you do come across this later on, you know how to
navigate it and it takes you half the time the next time, right,
So that's what I had. It was just a lot
of time with a resource I can kind of break
down and build back up. And that's how I at
least got to the point where I felt proficient. Right.
But there was nothing like this really available in my
neighborhood from a like official you know, schooling standpoint, within
(09:21):
my middle school, high school or otherwise. And just along
the way, I was like, hey, I'll fix a computer
for a fee if it's broken. So I was that
that guy basically within the family and within kind of
the neighborhood.
Speaker 2 (09:33):
You sound like one of you. Sound like one of
those guys, and when you see an error, you get excited.
Speaker 1 (09:38):
I mean, now I'm in security. So I see an error.
I'm like, wow, that could be a vector for vulnerability. Right,
so I look at those things.
Speaker 6 (09:47):
Right, dope, dope. What what?
Speaker 5 (09:53):
So you were a little entrepreneur running through the community,
run around the block.
Speaker 6 (09:58):
Fix people's computers and stuff like that.
Speaker 5 (10:01):
Did you go into you know, college after high
school and pursue you know, form of education in that
or what were your next movements?
Speaker 1 (10:12):
Yeah? So I don't know how many of you know
people listening here had immigrant parents, but it was very
difficult to get any money out of them for anything,
no matter how good a cause. So like, if you
want to go, you have to go and support yourself
in doing it, right. But yeah, at the time, I
didn't have the ability to get financial aid and fill
out those forms and the whole FAFSA thing. So I actually,
(10:32):
you know, spent one semester dropped out and started working.
My first job to kind of date myself a little bit,
was as a Firedog technician for Circuit City. So
if you think of like Best Buy's Geek Squad today,
it's basically the same thing.
Speaker 2 (10:46):
Right, But I worked at Electric Avenue in Montgomery Wards.
Speaker 6 (10:51):
What.
Speaker 3 (10:56):
Yeah, Well, Circuit City was in the same shopping center
as Montgomery Wards.
Speaker 2 (11:04):
When I was growing up.
Speaker 1 (11:07):
Yeah, they both no longer exist, right right, Yeah, there
you go, there you go. But yeah, this particular Circuit City, though,
they had a they kind of this deal if you
you know, were brought on as a PC technician, you
could get vouchers for Microsoft certifications. Right, Oh wow, okay,
great system. You know, the pay was pretty good at
(11:28):
the time, you know, for a high schooler or someone
fresh out of high school and you had
the opportunity to get two vouchers to sit for Microsoft
certification exams, which you know, give you a little bit
a boost, a little bit more strength in your resume
if you have nothing else on that resume. You know,
I'm a fresh out of school with one job. So uh,
you know, I was like, all right, cool, let me
(11:48):
let me smash this button, get my two two vouchers.
But I kind of realized and using that system they
used providing the vouchers, you can get more than two
vouchers out of the system if you knew what you
were doing, right, you basically stop the second one
from loading and take you back to the beginning. I
was able to get to six. So what I did
in about a month and a half was, yeah, man,
(12:10):
you have to, you know, use the talents you're given
and use the opportunities that present themselves to you. Right.
So I was able to take three different sets of
certification exams, right because each voucher is like basically half
of one the way things were set up at the time,
And I used that additional kind of credibility to actually
start applying for my first consulting gigs. This is just
(12:31):
like that Robert Half you saw earlier. You know, worked
with those guys for a number of years. I actually
think it's a really good way for people getting into
the industry to get experience, get familiarity, and I also
get someone to vouch for you because they, as
your employer, have in their best interest to put you
up for these clients, right and they're going to talk
you up to do so make sure you have what
you need to present them an embarrass to their company.
(12:53):
So I think that's actually a good way to you know,
kind of get your foot in the door. But yeah,
so I went through them, ended up working number of
initial consulting gigs, mainly around like desktop support. Like I
was doing break-fix technician stuff for a private school
at one point, and that was pretty interesting because I
was like nineteen at the time, and you know, I'm
over here working in the high school. That's a whole
(13:14):
other crazy experience because they think, you know, you could
treat like one of the students. Yea, in all kinds
of ways. But the time, man, you know.
Speaker 6 (13:23):
No, no, not give me, give me way.
Speaker 3 (13:28):
This man, it is beyond the staff and the limitations already.
Speaker 1 (13:34):
Come on, come on, man, come on, but all serious, right,
things like they would have these outings for staff. I'm underage,
I can't drink, so they brought out a high chair
for me one time. Right, little little things like this.
It's like, all right, you guys, are you know that
would fly today on a certain level.
Speaker 2 (13:51):
Yeah, yeah, you were.
Speaker 1 (13:53):
Of course that was his man like hazing was a
normal thing in you know, boring corporate type environments back then. Right,
all right, but yeah, you know that was that was
That was a pretty good job for me at the time, thinking,
all right, I've made them, I'm making what I expected
to make when I looked like the salary ranges for
this kind of thing, I was feeling pretty good. But
(14:14):
you know, long story short, I had a situation where
the car I was driving was no longer drivable and
I ended up having to take a bus, a train,
another bus to that job. If I made one mistake
anywhere on that journey as a whole day late by
an hour holiday And I share this to basically say
(14:35):
that situation with like you know, not being able to
get to work on time, I actually lost that job.
I lost that consulting opportunity and At the time, I
was pretty upset about it. Right, I've been making I
was at the time making more than I had my
entire life. I was like, this is this is terrible
enough to go buy a new car and I just
lost this job. Right. But I realized now looking back
that it was that actual situation that put me where
(14:56):
I am today, because I would have been I would
have been comfortable. I was still in the mindset that
if you have a good job, keep that good job.
You don't have to claw on you further. You're good, right,
That kind of survivalist mindset I think a lot of
us have right or had depending how your life is gone.
But I end up losing that job and I got
another job. The one I got afterward was the one
(15:17):
I stayed for eight years where I was able to
work ACTUA Support works as an administration work data center
engineering roles and kind of step my way up to
founding the security team at that company, defining what that
program looks like before like leaving it in good enough
hands that build a team up, bring some folks in
that I knew were trustworthy and could you would do
(15:37):
the work in the way that I defined. Over these
years and I was able to actually like leave a
pretty strong legacy there. But I never yeah, sorry, go ahead, Reggie,
I was going to.
Speaker 2 (15:46):
Say, you foster other people's success, which is great.
Speaker 1 (15:48):
I think have man, this world is too small. Yeah,
that's awesome.
Speaker 7 (15:55):
Absolutely, And it's funny that you say that because I
was just I've been talking to these people a lot
of people. They are always reaching out and they're always like, oh, well,
how long do you think is an appropriate timeframe to
be in a role, And I'm like, honestly, like you
should be in a role probably no more than about
(16:17):
two or three years, because if you don't understand your
role inside and out by like two to three years,
like you're not interested in doing it, first and foremost,
and secondarily, you probably need to find somewhere else to go.
And so the fact that you were able to move
around this company and to handle all of these different
roles within the course of eight years and to be
(16:38):
able to create a scalable program is amazing.
Speaker 1 (16:43):
I think a lot of it honestly came out to
switching roles because you know, to your point, this two
to two and a half year point within the company,
and maybe I only did the IT admin role
for a year and a half two years, and then
something else came up was okay, I have the opportunity
is something completely different than that role. So you sible
to grow, right and you know the company, that particular company,
they were you know, very M&A friendly, let's say,
(17:05):
so they would acquire new companies and all of a sudden,
you have a whole new range of network addresses, you
can you can look at a job. It's a bit
more interesting. So through a lot of that, you know,
I think it did give me kind of a diversity
of experience and honestly, the support I had because I
knew people from every level of that company coming all
the way up, it was I would say, easier to
(17:25):
build a program there than in other places because you have
that kind of community support. You have the organizational support
from like the lowest levels all the way to your executives
at that point, right the guy fixing this this the
CEO's computer every now and then. But now you're you know,
in a position of security leadership, you kind of have
a bit more of his trust or of their trust
(17:45):
in that case. So there's something to be said about
that journey, you know, like spending some time, but you.
Speaker 7 (17:50):
Were kind of fast tracked anyway because you were system
admin-ing it at like nine years old, so like you,
you could be in that job for like three years,
so you know.
Speaker 1 (18:01):
It works out.
Speaker 7 (18:02):
You fix the computers around the neighborhood at eleven, so
like that, it's time to get to your job, like
this is this is.
Speaker 1 (18:09):
Life work, you know. But they don't know that, right,
They're gonna they're always gonna challenge you and say, all right,
you look young, you can't possibly know these things. They'll
assume you've you've only been touching this stuff for a
year or two. Yeah, every time, right, And that's something
I get to some level even today, right where you
don't necessarily look like the people that they think know
(18:29):
these things. You got to show them, right.
Speaker 5 (18:36):
So is that something as as prevalent as it was,
you know, in your earlier years.
Speaker 1 (18:43):
I would say it isn't. And and I think a
big part of that is being more vocal about what
you can share with the community. Like as we go
through our journey as professionals, at each stage of that
journey's something that we can give back to people who
are adjacent to us or you know a little bit
behind us in that problem set, right, and I had
a really really great team at Segment. Our leadership there
(19:06):
was amazing, right, really made a safe space for us
to you know, sheer ideas openly and also encourage us
to speak about whatever it was that we were working,
whoever it was that we knew. So at the end
of the day, by you know, putting your ideas out
there and you can the public can kind of see
that these ideas are out there, it's a lot harder
(19:27):
for people to question those ideas. May see the public
reception of certain things, or the fact that other experts
also agree with you, even though they might not see
you as an expert.
Speaker 2 (19:36):
Right, Right, So I got a quick question. I'm go ahead, Rico.
Speaker 6 (19:42):
I wasn't saying that.
Speaker 2 (19:44):
I was just going to ask was it when you
joined the company? Was it your intention to build this legacy?
Did you did you talk about.
Speaker 1 (19:52):
I mean, I'll be honest, I probably did have something
to prove because again, you know, you come in, you're young,
you are going to get hazed to an extent, and
you know, what is the impact you leave behind? Right?
What are people going to remember about you both as
a person as a professional, and I think that, yeah,
I did have something something to prove, there was that intention,
a little bit of intentional leaving a legacy, but just
(20:13):
generally leaving things better than you found is like all
you can really do with most of these places. So
that was my intention more so than anything else. Can
I make certain areas of this company incrementally better from
a security standpoint or an efficiency standpoint, you know, automate
myself out of a job. So I get to the
next job and kind of keep repeating that process and
think until things are in a good state.
Speaker 5 (20:35):
At what point did you realize that you wanted to
go out of you know, transition out of them side
of the house and move into security.
Speaker 1 (20:46):
So I guess the part that I didn't really mention
here along the way is while I've been doing all
the IT work, the pure operations work adjacents had the
entire time, I was always interested in let's call them
security topics, right, so the latest hacking news, I'd be
following that side of the world as well, And that
(21:08):
I think it is like the you know, the part
of my skills that probably most people aren't aware of.
More generally within the security community, but it was always
adjacent to whatever work I was doing. So if I
was doing system administration work and say that I, you know,
I'm an AD administrator, I would learn all the weaknesses
of Active Directory so I could actually attack Active Directory
if I chose to right, and then using that same visibility
(21:29):
from the things I'm doing in my own time to
enhance how we're actually doing security on the defensive side,
and like keeping that process going even till today in
my career. So I would say that I always knew
that was always my intention to you know, be doing
security actively. And I and like many people like the
most attractive part was like, may go be a pen
tester because allegedly, you know, you're doing the fun thing
(21:52):
every day, but you know, yeah, yeah, but that doesn't
really tend to be the reality.
Speaker 6 (21:56):
But yeah, that was a good question.
Speaker 1 (21:58):
He does doing it the whole time.
Speaker 5 (22:00):
You know, big time pro tip right there, bro big time pro tip.
And I tell people like when when people that aren't
in any tech at all they say, I want to
get into cyber, that's how I kind of like, you know,
I always try to push people to try to understand, like, hey,
you can you can understand the security aspects of a
(22:21):
system by learning how to build and manage the system.
You know, it's the even they do it, you know
what I mean? Like, go ahead, but I got one
more I want to hear.
Speaker 1 (22:34):
Yeah, one hundred percent of that, dude. Like I found
vulnerabilities in a number of software platforms that security people
have never touched. Because I took that sysadmin's view,
I administer this daily. You know, I deploy this
thing daily. Why is it malfunctioning this way? X, Y
or z. You know, you can file that bug to
the actual uh, you know, vendor of this software. They
(22:56):
often won't fix this bug when it comes from the
customer side. You take that same bug you found and
you come out from a security research side or bug
hunting side, they immediately get spooked and decide they want
to fix that. And I experienced this right And I
won't name the vendor because they've already been breached. And
that's that gave me, you know, a pretty good laugh
when that happened. Not gonna lie, but yeah, like, you're
(23:16):
not going to know software any better than people who
are actually deploying it. And if you want to know
what the next vulnerable thing is in terms of whatever
platform's being attacked. Next, look what people are focusing on
in terms of software engineers right right now, it's all AI,
It's all you know, these types of platforms. So that's
where I've started to focus my attention in terms of research,
(23:38):
because that's what they're working on, and it's not well understood,
it's not well secured. The most vulnerabilities right to kind
of follow the attention of those that are doing the
building on the other.
Speaker 6 (23:47):
Side, gotcha?
Speaker 5 (23:49):
Yeah, so, uh rid Yald, I don't know if you
know it or not, but Louie is actually on the
West coast, so you're not Eastern Standard time zone, right
Louis Nah? All right, so but guess what time it
is over there right now and over here at the
same time.
Speaker 6 (24:07):
Guess what time it is?
Speaker 7 (24:16):
Well, look, I couldn't tell you, good guess, but it's
time for a lightning lesson, and that is the time.
It's our show where we ask our guests to teach
us something in sixty seconds or less, and you can
teach us whatever you want. It doesn't have to be
(24:36):
technology related. It can be something that you do in
your spare time, which apparently is still security research. But
Our expectation is that you tell us what you're gonna
teach us, and then Reggie's gonna start this timer and
then you're gonna teach us.
Speaker 1 (24:51):
All right, cool, So I'll teach you how to figure
out what URL is behind a shortened URL like a
Bitly or something like that. Before I get started with that,
I'll want to explain two types of HTTP requests. One
is called HEAD, just giving the information about the page.
Go for it, you get hit that button whenever you want. Yes,
we have two types of HTTP requests. We have
(25:14):
GET, it brings back some data, some content. We have
HEAD that just brings back the metadata, the information about
that page. When you have one of these bitly shortened URLs,
what actually happens behind the scenes is your browser will
go out and do a HEAD request against that URL,
get back a bit of metadata, and that metadata will
contain the location of the real URL. So simple thing
(25:38):
to do. If you have a nice Linux terminal, pop
that open, do curl dash dash head, dropping in that Bitly
URL and you'll get as the location in the
response the real URL. So if you don't want
to go to the thing, but you want to see
what it is. That's a way to do that. We
can typically use that in forensics just to not have an
attacker know we actually went to their URL to look
(26:01):
at such is love say look at you crushing the game?
Speaker 6 (26:09):
Beat to that thing.
Speaker 1 (26:10):
Man, I'm on the spot, so I gotta come with
sign right. People ask me things all day. Man, it
comes with the territory right and you justually got less
than sixty seconds.
Speaker 7 (26:25):
Less than sixty seconds, crush it.
Speaker 2 (26:27):
I love it.
Speaker 7 (26:29):
So we talked a lot about your past and how
you started from the bottom and now you're here but
like what is here and what you're doing right now?
Speaker 2 (26:39):
Yeah?
Speaker 1 (26:40):
So here is security research. I started a new job
about a month ago leading security research for a company
called exit Force, they're Series A. So I can't talk
too much about what we do just yet. But my
role is mainly around looking at the wider security industry,
looking at the threat landscape within cybersecurity, mainly in the
area of cloud that our product is going to cover
(27:02):
and you know, figure out how to make better detection
this product, stay ahead of threat actors, like what are
they doing next? That we can build a product that's
not going to catch them today, we'll catch them they're
doing it a year or two from now, like the
end the bleeding edge of that. So that's what research is.
Basically a lot of reading, a lot of homework, a
lot of homework, and then you know a lot of
report writing to you know, get those ideas, those insights
(27:25):
either put into the internal security of a company or
in my case into a product, right yeah. Prior to that,
leading product security at Scale AI and before that, leading detection
response engineering at both Twilio and Segment, so a bit of
a mix.
Speaker 6 (27:41):
What was that last one?
Speaker 1 (27:44):
Detection and response engineering, So your traditional CERT/SOC type
of role that kind of evolves into you know, detections
as a service and automating all detections so that the
SOC folk can get a bit more more rest and flexibility.
Speaker 7 (27:58):
And what was the one before the last? Because because
I don't think that you realize how quickly you are,
you know, I'm just going going sad right here we are.
Speaker 1 (28:17):
Before this one was leading product security at Scale AI.
So it's a you know, a company that trains
models for a number of the tech companies that we
all know and love. But I was responsible for the
security of their actual SaaS platform of their back end
of their cloud and make sure whatever's shipping into
the customer environments actually meets both our security standards and
(28:39):
theirs the kind of the end to end software
development life cycle. But for artificial intelligence products.
Speaker 7 (28:46):
Oh that sounds cool. What does it take to train
an AI? Is it easier than training a dragon?
Speaker 1 (29:00):
Honestly, a lot of stuff that people are doing today
is not that hard, right they want us to
think it. There's this huge barrier to entry. AI is
basically just software now all that all the scary math
has pretty much been removed or abstracted away from us.
So I would say that, like, it's really approachable. There's
a few places you can go to find good content,
like you know, you know, big up to Hugging Face.
(29:20):
They're they're basically killing the game right now in terms
of making it accessible with people. And yeah, it's not
that hard, Like and half the time, you know, dirty
secret is you only you need to trade a model.
They're they're good enough off the shelf or do probably
the thing you want them to do with a little
bit of nudging, right, a little bit of you know,
instruction on top of the task you wanted to.
Speaker 2 (29:40):
Form did you say Hugging Face?
Speaker 1 (29:44):
Yeah I did, yeah, huggingface.co. It's all open source.
They have, you know, tutorials, lessons, an easy way to
get your head kind of wrapped around what the stuff
can do today and not have to worry about like
the last twenty thirty years of machine learning and all that.
You know, that extra it really is an extra today
(30:06):
in my opinion.
Speaker 2 (30:07):
You know, that is an interesting name for a company.
Speaker 1 (30:11):
They're French, man. You can't really you can't really judge
them on.
Speaker 2 (30:13):
That, right, gonna hug your face?
Speaker 1 (30:18):
Yo?
Speaker 2 (30:19):
Was that? Was that?
Speaker 5 (30:20):
Was that like a curiosity thing that kind of got
you in the ar? Or were you just doing this
security work and the company happened to be AI so
you just.
Speaker 1 (30:28):
You know, yeah, So, I mean I'm kind of a
voracious reader when it comes to security things, and I
think these are all just tools at the end of
the day. So you know, I want to have all
the tools that way can make my life easier. I can,
you know, be better at what I do, spend less
time doing it ideally, and you know, when I when
I left the detection engineering role at Twilio, I was like,
(30:51):
what's what's next? For me, like where are do I
want to focus my efforts. I could keep doing forensics
and detection engineering they've been doing for in the past
six or seven years at that point, you know, collectively,
or I could see how I could apply what I
learned on that side to something new. So it was
more about trying a new discipline within security more so
than the company being an AI company, since the explosion
(31:14):
we see in interest hadn't happened yet. Right, It's just
like pre-ChatGPT, pre, you know, OpenAI
having the buzz that it does right now. So for me,
just just try a different role and I honestly not
have deeople security incidents at two in the morning, where
like you're getting woken up out of bed and all that.
As a new dad, trying to balance things out and
have less emergencies or at least manageable emergencies in my life,
(31:36):
you know. So that's a big part why that shift happened. Yeah.
Speaker 5 (31:40):
Yeah, Manageable emergencies is definitely the key, because you can't
get rid of the emergency exactly exactly. What what what
do you feel? What are your feelings for security when
it with respect like AI? I mean, do you feel
because a lot of people say, oh, well, you know,
the script kiddies are going to be you know, through
(32:02):
the roof, right, But it's also a pretty good platform
to ramp up the you know, the white side of
the hacking community and people that are hopeful to secure
the infrastructure.
Speaker 1 (32:14):
Right. So well, I mean the white side isn't wait
now to be honest, yeah, yeah, I feel you.
Speaker 7 (32:26):
Know, the white side is the white side.
Speaker 1 (32:30):
And that's nice.
Speaker 5 (32:32):
Now the blue team, red team, like.
Speaker 3 (32:38):
No, no matter.
Speaker 1 (32:47):
Honestly, I think these are just tools. If you think
about the fact that AI is just a tool, right,
and any tool, no matter what it is, it is
going to take some of the skill to use. A
script kiddie is always going to be a script kiddie
until they actually level up and start producing their own
ideas to produce either tools or techniques, right, Because the
term really focused on those that aren't able to do that.
(33:08):
If it takes MONE off the shelf, they might not
fully understand what's going on and they don't understand the
end result. Right. So those kinds of people, even with AI,
aren't going to go very far, right because they won't
necessarily be able to do anything outside of what tools
that were built without AI can't already do right. But
on the other side, the same thing is true. If
(33:29):
you're not the kind of person who's curious and hungry
to ask the right questions of these models or be
able to vet this information is either true or false,
you're going to have the same problem. So you always
have to have that investment in, you know, getting good
along the way to actually make use of that thing
as a tool. But but that being said, you know,
I use AI pretty much every day in my work
(33:51):
for like the past two and a half three years, right,
every single day, in some shape or form, basically seeing
how I could use it, because at the end of
the day, I've seen it. You have folks that are
two camps either I think this thing can do everything,
where this thing can't do anything. AI is not real
and the truth is somewhere in the middle, and you're
only going to find it out for yourself. You get
hands on right. And that's kind of my advice to
(34:11):
folks at least is, yeah, I don't think it's gonna
make a script kiddie amazing overnight without them having some
sort of either talent or creativity or curiosity. And the
same time, someone trying to learn it is not going
to learn the right thing, as lessen know to asking.
A lot of that comes from you know, navigating it.
Speaker 7 (34:28):
I thank you, thank you. So I just wanted to
like follow up a little bit on this because the
concern that a lot of organizations end up having about
script kiddies leveraging AI like that is not where you
need to be. You need to be focusing on building
your people and your defenses. You need to be focusing
(34:49):
on where your controls need to be. You're worried about
something that doesn't even matter, and it wouldn't matter if
you spent the time that you needed to develop your people.
But I'm off my soapbox now, thank.
Speaker 1 (34:59):
You time not wrong, not wrong? Right? How do you
build a security program? So the real hard questions?
Speaker 2 (35:10):
So I had a question for you. This kind of
relates to AI and security. Right. So a lot of
companies have AI security and they're thinking that's probably going
to get rid of that, you know, layer one you
know uh type of workers, right, people that just detect.
So how do you feel about AI working actually doing
(35:30):
the security and doing the detection?
Speaker 1 (35:33):
Yeah, I mean everything comes down to preparation at the end.
Of the day, and it's not thinking just bolt on
the side like yep, it's gonna work.
Speaker 6 (35:40):
Right.
Speaker 1 (35:41):
Everyone is ingesting the logs differently. There are a few
different SIEMs you have in between. They have a few
different ways they want to they want to be notified
of something that is a security event, whether it's you know,
an incident or something somethings to vet and then the
process they used to run through that. So I don't
think you're going to eliminate the level one folks who
are looking at that raw log data, doing the
(36:03):
SOC work, doing the threat hunting purely through AI, unless
this is something that you know is going to respect
your organization's stance on certain security issues, right? Because in
my organization, maybe it's okay that someone's logging as ADMIN
every Friday at two pm because that's a process that
we've put in place and that session has MFA
on it, right? And AI might see, oh, someone's logging
(36:25):
in with AD into a critical resource. This is an
alert now because it has these indicators on it and
the risk score has gone up for that session. So
you need that human either in the loop or directly
doing some of this work. And I think we're still
ways off in making this generally available to people because
we do have the differences in what your organization's security
posture is and what their rules about what they think
(36:47):
is okay from a security standpoint is, as well as
the technologies that are using along the way. So it's
not a silver bullet. I think it comes on the
practitioners in those roles learning how to use it so
they can see how they can apply it to their
specific job task more so than that replacing them and
being something that takes them out of the loop completely, right, so
to enhance more so than to replace.
Speaker 2 (37:09):
So, just outside of just like eliminating positions, how do
you feel about AI detection just in general?
Speaker 1 (37:17):
I mean, it's it works. It's been something that's has
existed now for years, like a twenty twelve era before
LLMs even came out, right? But a lot of this
stuff wasn't really focused on or taken seriously because of
two things. One, the products that had these features
built in were prohibitively expensive to use. To what you
(37:38):
I wasn't going to come across this, you know, as
a practitioner at some company who's not willing to spend
you know, hibred millions of billions of dollars a year
to use this thing, right, so that the technology existed,
but you'll only get your hands on. And that's even
more so the case now because they've kind of abandoned
that previous generation of AI that's really good at looking
at like logs and anomalies and all that, and gone
(37:58):
to LLMs, which is, you know, more for contextual understanding
on bodies of text. Right, so it can do the thing.
It works, it always could, just that not enough people
know how to use this and apply this because they've
been paywalled out of the process basically, right. So, yeah,
it works, it's just can you get your hands on
(38:19):
to get good with it to make it actionable for yourself?
Do you know the open source alternatives are.
Speaker 2 (38:24):
And all that?
Speaker 5 (38:28):
Since you put it out there, like, how how would
you got me with the whole how would you build
a security program? I was kind of curious with that
of being your second choice for a sixty second light
and time, Ah.
Speaker 1 (38:44):
Man, it definitely wouldn't. That's that's more of a five
or ten minute you know, it's like how much time
you got? What kind of problems do you have? How
much money you do you or don't you have?
Speaker 5 (38:52):
Right, Well, we're sit in that twenty minutes and I
don't want that to be the last question. But what
what would what would you say, We'll chop it right?
What would you say is the most challenging aspect of
building the security program, whether that be a certain you
know area in that program or.
Speaker 1 (39:14):
Potentially a hot take. Executive buy-in, you know, executive buy-in,
true real executive buy-in, which means both uh funding in
terms of headcount as well as technology, and also you know,
championing cultural changes that are necessary to get put organizations
would need to be on that security journey right. So
that to me is the hardest part executive buying, having
(39:34):
a champion at a leadership level to say that this
thing actually matters and we're not just checking the box.
Because if you're just checking the box, they can kick
a can down the road. And definitely and by the
time your you know, your chickens come home to roost,
you have nothing to protect you, right, you're in a
bad state. And thenah, because.
Speaker 7 (39:52):
Then we got in the hands of script kiddies.
Speaker 6 (40:00):
The baby got a gun.
Speaker 2 (40:06):
And a knife, and a knife.
Speaker 8 (40:09):
Sounds like you just sound like the baby's strapped, Like
I feel like because somebody take the girl away from
that baby place, you know.
Speaker 1 (40:20):
I mean, babies can make their own guns.
Speaker 2 (40:22):
Now.
Speaker 1 (40:22):
Unfortunately, that's kind that's kind of rhetoric that's getting pushed
around this whole Yeah, AI for uh you know, hacking tools.
They that's kind of going on.
Speaker 5 (40:35):
It's it's it's so uh weird hearing that, right that
that executive buy-in is still an issue where I mean,
like today where you've gotten like there's execs that have
gone to jail.
Speaker 6 (40:47):
Yeah, what I'm saying, please.
Speaker 2 (40:49):
Picture face.
Speaker 7 (40:53):
Is not broken. First of all, let me just stop
with that. Secondly, yeah, it's it's gonna be a problem because,
like Louis said, it's a matter of most of those
companies looking at people going to jail and suggesting that
they need to be in compliance, they need to check
a box, they need someone to be there to take
(41:14):
the fall, but they're not actually putting in the time
and effort to develop robust and scalable programs that are
enterprise wide, like that's been consistently. That's that's not every
day right now, all right, I'm going off myself.
Speaker 6 (41:33):
Created card.
Speaker 7 (41:39):
They're calling in negotiating down the minimum payment.
Speaker 1 (41:44):
Jesus, that's that would have to be it for sure.
Everything starts there.
Speaker 2 (41:50):
Right, so when you're building your program, I mean only
I know just took a pro so pro side change management.
So you guys do have people that ride. I didn't
do that piece for you too. That's got to be
an important piece right for.
Speaker 1 (42:04):
Your Yeah, I mean it's asset management in general, right
for the companies I've worked at, and mainly being cloud
first company, so that is where we kind of manage
all of the assets. And it's the visibility item right.
Like typically speaking, if you are starting a security team,
chances are you didn't start with the company. It's not
the first day of the company. They have all kinds
(42:26):
of skeletons out there, things that you know, their first, second, third,
developer who's no longer there, deployed, left running, and there's
that initial discovery. So if you're talking about like what
we do for a technical aspect more so than you
know the the organizational let me get some support from
the C-level. It's definitely getting a lay of the
land and whatever form that comes in, whether it's asset discovery,
(42:50):
interviewing people That's always been a thing that I've found
work really well. Also like helps you know your organization
a bit better. But yeah, just having that full asset
inventory and then kind of categorizing the risks around
certain assets based on what they mean to your business.
And frankly that's what like most security no security tools
going to do that part on top of it, right,
and no AI is going to do that part on topic,
(43:11):
which is why you still need people for that side
to get things.
Speaker 6 (43:15):
Started the facts.
Speaker 5 (43:19):
Did you guys have any anything else for that for
that topic?
Speaker 7 (43:24):
I really no, I didn't have anything asked for that topic.
Fame louly. No, that's my regular life.
Speaker 5 (43:31):
Like that takes a bound here, Yes, he breathed and
drink probably drinking that right now?
Speaker 6 (43:41):
Is that in that glass, that fancy glass.
Speaker 7 (43:45):
You got a little security program here?
Speaker 1 (43:49):
How do you balance that?
Speaker 2 (43:50):
That looks.
Speaker 7 (43:53):
Actually around, don't worry about it rocking it rocking.
Speaker 5 (44:03):
So my question right just to pivot out of out
of you know what you do every day all day? Right,
how do you how do you get away from from work?
How do you get away from the tech? Do you
ever like take a break to breathe? You know air
you go fishing, I do.
Speaker 1 (44:21):
I live in the wonderful state of California. We have
all kinds of freedoms afforded to us, and I take
advantage of all those fine California freedoms, the hikes, yeah okay,
and everything else that comes with it, right, yeah, yeah, yeah, it.
Speaker 5 (44:40):
Might being around the trees exactly. I got yeah, I
know that.
Speaker 6 (44:48):
And you said you got a kid.
Speaker 1 (44:51):
Yeah, I got a little two year old first, so
you know, learning what it means to be a father,
and you know what kind of example I want to set,
because this dude was soaked with everything. Man, Like, you know,
before my son versus after my son, I talked like
Ned Flanders, not my guy, Like that's got to be
extra careful, you know.
Speaker 6 (45:10):
Yeah, yeah, yeah, yeah, yeah.
Speaker 5 (45:13):
The is he you you don't give him access to
ChatGPT like hacking people.
Speaker 1 (45:18):
I mean, he's my ChatGPT like the man. He
hears anything, he's over there repeating it. So you know.
Speaker 2 (45:24):
That's a bad word again, exactly exactly.
Speaker 1 (45:28):
But I don't believe in keeping him away from this
stuff at the end of the day, because you know,
I think about who I am as a person and
watching him grow up and seeing a love of me
and him and knowing that if I stay in like
real Jamaica for example, like who would I be? However,
how wouldever I apply that mindset because I see that
mindset my son. But he has all the opportunity in
(45:49):
the world. Right he's in Berkeley. He could do whatever
he wants. He'll get access from day one to a
lot of this stuff. So you know, with that in
mind and knowing that we have those similarities, I try
to put at least put the right things in front
of him to have to make choices for himself, even though,
like you know to two and.
Speaker 5 (46:05):
A half here, right, is that something that like do
you do you ever find yourself wanting to pull yourself
away just to kind of like just have like one
on one time with him or do you just like
like find time when he's like napping and stuff like that,
Like how does that look?
Speaker 1 (46:24):
Now? I make full time. You have to make full
time because at the end of the day, like the
eight hours to work for someone that's gonna be forgotten about, Right,
you think about legacy, what you're leaving behind and the
memories that you make with your children. With my son
in this case, right, that's something that is irreplaceable, Like
I'm not gonna I'm not gonna trade a work day
(46:45):
for that under any circumstances, for any reason. So they
got to work around that in my case.
Speaker 5 (46:49):
You know, yeah, I appreciate that, man, because it's a
lot of people. They trade a lot of the important time,
you know, for time that they can charge to the clock,
you know, and some of it they don't even charge
to the clock. You know, it's they probably studying, which
I mean, hats off to you, grinding, but you know,
(47:10):
you really have to assess that risk appropriately and really,
you know, understand what you're trading because just looking at
it from a surface level, you know, that's not it.
Speaker 6 (47:21):
It's deep in that it's always deeper.
Speaker 1 (47:22):
In then, Yeah, I mean, I mean that being said,
I feel like the majority of my studying before he
was born, like a lot of that kind of perfect lass,
all that kind of stopped. But that's not to say that,
you know, I miss kind of going heads down the
books and whatever kind you thing came out, right, it's
that you realize what matters. It kind of shifts your
(47:44):
priorities a bunch, you know, because hey, like just the
time with him, and I'm getting to the point where
you know, we can reason like ten to fifteen years
from now, I might have not had the opportunity if
I now, I'm gonna go read this book instead of
like making that with my son. You know, yeah, that
long game.
Speaker 5 (48:04):
So in moving moving at you know, guidance of youth
a little bit older? Right, are you currently mentoring anyone?
I know you you you said that you you know
you've been hiring capacity, so that means that you've probably
been in the managerial capacity as well.
Speaker 6 (48:19):
So are you a mentor as well?
Speaker 1 (48:24):
I would say I used to be, or at least
now it's more of an unofficial capacity, right. I used
to take on two folks per year, like making more
official kind of and give them time as as they
need it on account of reoccurring basis. But ever is
becoming a father like you getting priority shifted out of
so many hours in the day, and you know I'm
mentoring my son, all right, That's the way I look
at like this effort is being portant to this person
(48:47):
and you know anyone else. I'll do what I can,
but it's it's within it, within my means. I'm not
going to stretch myself as much as I used in
the past, right, And that's at least until I'm at
the point where I'm like, all right, either you know,
my son is sick of me at that point because
I'm you know, around too much or whatever it is,
or or that time Kyle opens up all get back
(49:07):
into it. But right now it's all for him, you know.
Speaker 2 (49:10):
Dang Dad, don't you gotta go to work?
Speaker 1 (49:17):
Gets a little crazy though, right looking at you, like
why right here here? You know, I'm preppreciate how you
that man?
Speaker 5 (49:31):
You know, you know I did notice that you said,
you know, not at an official capacity, you know, so
you still the door is still open. People still have
access to you, but you're not going to have submit
time to them, right yeah.
Speaker 1 (49:44):
Because I want to, you know, leave him a straight
and say, hey, I'll have all this time for you.
And that's simply not going to be the case. Right, Like,
my schedule is not as predictable as it was, you know,
four or five years ago. Work and be like all right,
I'll devote six hours to day on X, Y and Z. Yeah,
it's gonna pop up.
Speaker 5 (50:01):
Now, what's the what's the what's the funniest thing you've
seen in an organization that you've done in the system.
Speaker 2 (50:10):
H Man, You did you feel comfortable.
Speaker 1 (50:15):
Because you said statute of limitations earlier?
Speaker 2 (50:17):
Right?
Speaker 1 (50:18):
So, one of the jobs I worked at, I was
working in the detection response team and we had an
overseas office right in France, and every day at about
noon their time, this one dude's machine would just light
up with alerts or like, what's going on? This makes
(50:39):
no sense? Is there like a back door is or
a trojan something?
Speaker 2 (50:42):
Right?
Speaker 1 (50:43):
Nah? Man, turns out this dude was, you know, enjoying
himself in his office over there, going on the websites
every day when everyone left the office for lunch. And
we're getting on the other end because these are like
you know, the background ads and these things reached some
pretty you know, infected sites where getting those things. It's
like an everyday thing. And that you go to this
man's like now you're talking about I'm good, like there's
(51:05):
no virus on here and everything.
Speaker 2 (51:06):
Yeah, he's good, he's good.
Speaker 1 (51:08):
It's good. But yeah, this only got a bit crazier
we started putting in, uh, those intercepting firewalls. He said,
back in the day was like, hey, content filter all
that stuff, right, And it was the content filter we
saw this guy was actually living his best life on
the clock. And yeah, that was quite the funniest one
(51:28):
because I'm like, where do you think you are? My dude? Like,
where do you think you are? You know, like how
is this okay?
Speaker 7 (51:34):
Like how just make yourself at home? Just make your sense?
You really focus later, right, Like that's it's important, final
your focus.
Speaker 3 (51:50):
That media pressed me out.
Speaker 7 (51:55):
I just need a minute. I don't need a minute,
just myself a little meditation.
Speaker 2 (52:02):
Oh man, please don't tell me you have a webcam
on his computer.
Speaker 1 (52:06):
This was also the pre-webcam era. You know, we
weren't really handling those out, didn't go that far.
Speaker 7 (52:16):
You sound like an amazing, upstanding citizen.
Speaker 1 (52:20):
You're mentoring, you're.
Speaker 7 (52:23):
Being honest with people, You're fathering, you're prioritizing your fathering.
I mean, like a voracious reader out out in the outside.
It sounds amazing, But I know that you're working on
some other things too right now, And can we discuss
(52:43):
your world tour? We discuss your world tour.
Speaker 1 (52:51):
Alright, So I mean we.
Speaker 7 (52:52):
Gotta let opinions know, so like.
Speaker 1 (52:59):
Having over here, you know, the pressure with the peer
pressure is cool.
Speaker 2 (53:01):
That was cool, though I thought something else was coming bad, but.
Speaker 1 (53:05):
I just started speaking more. Right. This is kind of
a nod to my my previously, so like I still
hear a voice in my head every day like how
are you giving back? Like how are you having your
messages and your experiences you know, kind of reach a
wider audience, ideally for their benefits. So last year I
attended about eight security conferences I spoke at. For this year,
(53:25):
I intended on speaking at none. To take a break.
I'm speaking at two. They're kind of back to back
so that both will be on generative AI topics.
One is more on the offensive side. It was on
the defensive side, opposite side of the country. So that
should be a lot of fun. You know, within
two days of each other, speaking at HOPE conference in
New York, that's Hackers on Planet Earth, and then LOCALMOK Security
(53:46):
conference in Hawaii as well, get like one on Believe.
Speaker 2 (53:50):
That's like that's like literally.
Speaker 6 (53:52):
On the Holy Cow.
Speaker 2 (53:56):
You couldn't go go to the furthest parts of the
all the way back to the Wow.
Speaker 7 (54:01):
They didn't have one in Japan at that time, so
he had to settle, but you.
Speaker 1 (54:07):
Know, that's what it is. But yeah, I mean the
intention wasn't to really be out there that much this year.
You have to be honest. It does take a lot
to prepare the content and make sure this can reach
people of different levels as you're presenting it and like
you without leaving anything anyone, you know, kind of starving
through that experience, right, And yeah, it's a lot of work.
(54:28):
But I also do love doing it because even one
person says, yeah, I was able to grow from this,
he might see that person four years down the line.
They might help out someone that you mentored. And you know,
these things pay pay for themselves, you.
Speaker 6 (54:39):
Know, a lot of time.
Speaker 1 (54:40):
So that's my motivation for doing it more so than
there's a lot of I don't want to call it
clout chasing in security these days, but but I see it.
I'm like people out here copying, pasting people's talks and
re giving them, Like, hey, yo, be authentic out here.
People you know doing that?
Speaker 6 (54:56):
Bro Me tell you I did that.
Speaker 7 (55:01):
You know, he's a researcher. He found it. He found it,
he found just stopping because he was he was here.
Speaker 5 (55:08):
He found it when he died in when he died
and I was copy and paste and stuff off his LinkedIn.
Speaker 1 (55:20):
Control And that's one way sure if your resume right.
Speaker 2 (55:25):
So you used to work for a start are y'all?
Oh no, that's I didn't mean to copy that part
My bad.
Speaker 1 (55:32):
The name and.
Speaker 5 (55:33):
Anything I got, that's your name and you told.
Speaker 2 (55:37):
Me that, Yeah, that's my middle name.
Speaker 6 (55:50):
That's my middle name. You know my middle initial is elder.
Speaker 1 (55:54):
Right, you can take it there you go.
Speaker 5 (55:59):
Oh but well man, it's a lot, you got a lot.
Speaker 8 (56:03):
Man.
Speaker 6 (56:04):
I love your background very you gotta you do.
Speaker 5 (56:10):
Hold yourself like like a person that can really articulate
themselves in a way that is engaging for people. And
people are drawn to you, know, your your knowledge and
the way you hold yourself.
Speaker 6 (56:20):
So I can definitely appreciate that. As been a blast
talking to you.
Speaker 5 (56:24):
And we're running up on time, and I don't want
to keep you away from that two year old.
Speaker 6 (56:27):
So as we close it out, right.
Speaker 5 (56:32):
What advice would you give someone that's walking in your footsteps?
Speaker 6 (56:38):
I hope hopeful the walking I would.
Speaker 1 (56:40):
Say, don't would says as possible. That's a long way.
That's a very very long way in right, Yeah, for real,
because when I was getting into this stuff, you had
to know a little bit of networking, a little bit
of development, a little bit of systems, and that's how
you got into security. But because of the talent shortage,
there are a lot of roads and you know, honestly
(57:01):
shortcuts to gaining yourselves in those positions. So I would
say be open to things that aren't directly security roles,
but are security adjacent because those are things you can
use to springboard yourself into security roles. Because I'm more
apt to hire someone who you know, has has done
you know, some help desk work before I put in
my SOC versus someone who, uh, you know, did cybersecurity
(57:24):
in college because they've had that kind of hands on
experience at least in solving some of the problems or
the security for the problems in that particular area, right,
And find what kind of role that things adjacent to.
But yeah, that'd be my advice is, don't don't discount
some of these other IT and technology roles when you're
taking that journey.
Speaker 6 (57:45):
You know, foundation experience is definitely important.
Speaker 1 (57:47):
Absolutely.
Speaker 5 (57:49):
People always ask about you know, it's always about like
the CompTIA, you know, surgday long. I gotta get A plus,
Net plus and Security plus because I want to work
in serving and I'll tell you were like, you look,
you don't have to get all those certs, you know,
but but the A plus and the Net plus content, Yeah,
get the book and learn the content, right, you know,
(58:12):
but you know, people decorate themselves with CERTs and and
feel like, you know, everything else.
Speaker 1 (58:17):
Is potentially two hot takes on this one. You know,
we're a little bit over right now.
Speaker 3 (58:22):
Give me because I'm looking to have these faces.
Speaker 2 (58:28):
I want to see how this goes.
Speaker 7 (58:33):
Louie heard my heard my interview, so he already knows
how I feel about it. I have to say anything.
Speaker 1 (58:40):
That exactly, but like, I mean, this is why might
be a hot take, right, because I would say for
one half of my career, I was very much yeah,
get all the CERTs, right, get all the CERTs. I
got to another point where I'm like, Okay, I don't
see the value in that as much because I've interviewed
dozens of people who are just you know, five star
generals when it comes to certs, every cert under the
(59:00):
sun decorated, right, but couldn't tell me a thing right,
It couldn't get through five minutes of their interview, and
I'm like, all right, this is you know, this is
kind of rough to see. But after the fact, like
after that experience. Also then leading security teams, weren't you know,
hiring for folks Again, honestly, you know, they do get
your foot in the door. It's better than nothing. And
(59:22):
if you're the kind of person who shows like volunteer
experience speaking or confidence volunteering alongside these other things, it
shows you an interest and a passion for the for
this type of work and you actually want.
Speaker 2 (59:35):
To do it.
Speaker 1 (59:35):
So I think my mind has kind of come around
to the fact that this is something that's valuable. We
all have different journeys into getting these roles, and you know,
a white male might not need the certs. You can
tell them, hey man, you don't got to do those,
but a black woman might, you know, because you're standing
on different kind of you know, being evaluated differently. They
claim they're evaluating you in the same way.
Speaker 2 (59:57):
Right, they don't. They don't want to hear the truth, man, and.
Speaker 1 (01:00:02):
Do them as long as you're serious about it. Don't
make it a checkbox. Don't make anything a checkbox.
Speaker 7 (01:00:09):
And don't make it a pillow either, because just because
you have that cert. It's not to suggest that there's
no additional work you're doing. You're chilling, chilling, no, no,
don't talk to you, don't talk.
Speaker 1 (01:00:22):
Don't talk to me, like yeah, no.
Speaker 6 (01:00:30):
And when I'm making a mountain retired, Yeah.
Speaker 1 (01:00:39):
A lot of people get tricked with that one. You know,
there's a lot of mountain left to climb, uh half
the time there, but it's.
Speaker 7 (01:00:47):
A mountain range, it's not a single mountain.
Speaker 2 (01:00:52):
You tell them, thank you.
Speaker 7 (01:00:54):
Reggie, thank you, thank you.
Speaker 1 (01:00:58):
Not the enemy. Yeah, what for real?
Speaker 6 (01:01:06):
You know, what's your what's your favorite AI tool? Right now?
Speaker 5 (01:01:09):
I mean aside from like creating no report creation stuff.
Speaker 1 (01:01:14):
Though, Yeah, and I mean honestly, I'm the plug over here.
Speaker 5 (01:01:20):
I like, if you plug, if you plug by mistake,
we can wrap that.
Speaker 2 (01:01:25):
Yeah.
Speaker 1 (01:01:27):
So anything right now that is an online AI where
it's connected to the internet. Right, So all these models
have been trained. Whatever information is the model is in
the model. They have online models that will go out
to the internet and affect information live as of today
and kind of combine it with what it already knows
that you be the best answer. So, like, those are
my favorite tools. There's one or two of them. Perplexity's one.
(01:01:49):
But honestly, I suggest something that's something everyone should try
at least once, so like get an idea of where
this stuff is going, what it can be used for. Like,
don't get distracted by all the Midjourney and the
image creation stuff. That's a distraction, man, it's the the text.
The text stuff that's that's really heavy.
Speaker 6 (01:02:05):
Yeah.
Speaker 7 (01:02:06):
Yeah, I use Perplexity every day now, like the every day. Now,
I'm like, I'm like, that's probably not long enough. I
need more details.
Speaker 1 (01:02:18):
I need just open it up. Look at his face up.
Speaker 5 (01:02:26):
Yeah, because I've seen, you know, different people have talks
on you know, in different tools and techniques to being
brought about to prevent on a lot of these ais
from scraping, you know.
Speaker 6 (01:02:39):
Scraping things right.
Speaker 5 (01:02:42):
Yeah, but yeah, what do you think is the biggest
uh threat where they are? I mean, you feel like
there is an issue with you know, correlating a lot
of you know, dissimilar data or disparate data and in
coming out with the fact like you know, months or
years later, you know what I mean, because of all
(01:03:05):
the reconnaissance that can possibly do it in an instance,
what do you feel.
Speaker 1 (01:03:09):
There's a couple of things right. One, you need someone
that still has a skill level to even put that
stuff together. Right, Companies that are doing AI right now
barely have the talent to do it. You thought the
cybersecurity talents are just bad. I find an ML engineer
in twenty twenty four that knows what they're doing. It's
a much smaller pool of individuals, right, especially since all
(01:03:30):
the training you had in machine learning AI programs in
schools became obsolete at least in the minds of the
way we minds the people today with a shift from
like these previous neural networks to LLMs. Right, so everything
we've done before is basically scraps. I want to say
they wasted their time, obviously if the map is still good,
(01:03:50):
but it's software now and things have kind of shifted, right,
So all that to say, you know, there's a limitum
people can do this right as is. The other thing
is the cost to actually do what you're saying, which
is basically they get all this data from disparate places
and make sense of it. That is cost prohibitive to
(01:04:12):
anyone who's not a corporation right now, to be perfectly
honest with you, So I think the biggest risk with
AI today to me is actually centralization, the fact that
a very small minority of companies have the compute, have
the data, and have the reach to basically shape our
understanding of things through AI. Right, Like if we sell
(01:04:34):
the whole situation with Google's model before and not being
able to generate white people. While hilarious, that's actually a problem. Right.
You're filtering out some knowledge of some truth from a
data set before you're giving it back to someone. That's
centralization to me is the scariest thing.
Speaker 2 (01:04:50):
Right.
Speaker 1 (01:04:51):
And then if they buy up all the hardware you
need to do this, you as a third party, you
as an independent citizen, aren't even able to go ahead
and actually build a system like this for yourself. So yeah,
that's that's my take on. It's not it's not hackers,
it's not criminals, not terrorists, actually the people who are
building all this stuff. And you know, maybe that's a
super hot take, but that's where I'm at with it
(01:05:12):
right now.
Speaker 5 (01:05:13):
Yeah, And I don't know if this there's maybe a pushback,
But when I when I think about like your response,
it's like, yeah, it would definitely have to be a
pretty you know, substantial size organization that's leading that effort, right,
But equally so, that level of sophistication will require a
(01:05:33):
pretty you know, large target, you know what I mean.
So it's like for me, I'm thinking like, okay, well
that sounds like a nation state and that's you.
Speaker 6 (01:05:41):
Know what I mean, a nation state that's real, you know.
Speaker 5 (01:05:45):
But yeah, it's not like something that every day your SMB.
I don't got to worry about that, right, So yeah,
I definitely appreciate that.
Speaker 6 (01:05:57):
It's a really good point perspective.
Speaker 1 (01:06:00):
UH nation state of the nations state at that point. Yeah,
absolutely slipped off of the mix as UH citizens.
Speaker 6 (01:06:06):
You know, the gun bro.
Speaker 1 (01:06:10):
Every time, every time. You know, I do believe in
people getting skilled up before they throw the name of
the hat man.
Speaker 6 (01:06:17):
You gotta let them know, bro, you gotta let know people.
Speaker 5 (01:06:20):
Some people that get like they get juiced up by
people that only want to give them encouragement when you know,
you got to give a little.
Speaker 6 (01:06:28):
Bit of the uh growth.
Speaker 1 (01:06:32):
You gotta give them growth opportunities.
Speaker 6 (01:06:34):
You know what I'm saying.
Speaker 1 (01:06:35):
I won't I won't call it negative feedback.
Speaker 6 (01:06:36):
I don't believe in it.
Speaker 5 (01:06:38):
You know, you can give people some positive feedback to
keep encouraging them to do the things that they're doing well,
but you also see that give them some negative, negative feedback.
Speaker 1 (01:06:47):
Keep slipping.
Speaker 6 (01:06:50):
That on that one too, that one too.
Speaker 2 (01:06:52):
Yeah,