Data, Security, And Advanced Persistent Threats with Patrick Hynds and Duane Laflotte
Episode 132 • 27th October 2023 • Data Driven • Duration 00:53:03


Shownotes

In this episode, we dive into the pyramid of cybersecurity threats, ranging from amateur hackers to nation-state level cyber threats. We also delve into the intriguing world of OSINT (open source intelligence), uncovering its uses, implications, and potential dangers.

Join us for an intriguing discussion with fellow podcasters Patrick Hynds and Duane Laflotte.


Show Notes

[00:00:00] High-level hacking, OSINT, interconnectedness explored humorously.

[00:04:54] OSINT and security are growing career choices.

[00:09:22] Unauthorized hacking plan involving personal information.

[00:12:22] Two factor authentication is highly effective.

[00:16:22] Breaking into Wi-Fi: remote administration and brute force

[00:19:45] Renting botnets, ransomware, and varying threat levels.

[00:20:48] Advanced persistent threat with unlimited resources.

[00:24:50] Asymmetric key shares are essential but uncertain.

[00:29:00] Connections without LinkedIn, intermingling ideas in history.

[00:32:26] Inject data, stack query, gauge page speed. Awesome.

[00:34:11] Show reveals database vulnerability; Microsoft staff alarmed.

[00:36:26] Acquaintance does physical security with lock picking.

[00:41:11] National Guard, security, Virginia, Maryland, clever, electronics beaten.

[00:44:03] Funny Microsoft speaking gig with office building hazing.

[00:48:40] Reach out to companies for cybersecurity opportunities.

[00:52:01] The end of a thrilling episode of Data Driven explores cybersecurity.

Transcripts

Speaker:

In this riveting episode, we'll be joined by special guests who do

Speaker:

information security work taking us into the deep, dark

Speaker:

realms of high level hacking. We'll explore the pyramid of

Speaker:

threats from those bumbling high school hackers who couldn't hack their way out of a

Speaker:

paper bag to the notorious figures backed by nation states.

Speaker:

But hold on to your keyboards, folks, because this conversation takes

Speaker:

a turn towards Linux and the intricate world of Ozint.

Speaker:

Yes, that's open source intelligence for those scratching their

Speaker:

heads. We'll unravel the mysteries of Ozint, its

Speaker:

uses, its implications, and how it can be a double edged

Speaker:

sword in the wrong hands. With a touch of espionage and a sprinkle of

Speaker:

humor, we'll leave you on the edge of your ergonomic office chair craving

Speaker:

more. And if that's not enough to make your encryption keys quiver,

Speaker:

we'll also touch upon the interconnectedness of the past with stories

Speaker:

of legendary minds crossing paths in unexpected cafes.

Speaker:

All right. Hello and welcome to Data Driven, the podcast where we explore the emerging

Speaker:

fields of data science, artificial intelligence and of course, data engineering,

Speaker:

which actually makes the whole thing possible. But there's another

Speaker:

field that we're going to talk about today, so it's going to be a little

Speaker:

bit different. We kind of did that with the last show or two, kind of

Speaker:

expanding our purview of topics.

Speaker:

And speaking of purview, I said

Speaker:

Purview, hopefully I pronounced it right, but I know, Andy, you've been playing

Speaker:

around with Azure Purview. I have, yeah. And it's

Speaker:

kind of it's speaking of data engineering, there's a lot there

Speaker:

with data lineage and the

Speaker:

secret sauce to it is it does automated scans and if

Speaker:

it can figure out where something new belongs in

Speaker:

the diagrams, it'll just put it in there and that is

Speaker:

almost magic from a data engineering perspective.

Speaker:

There really is a lot of innovation happening in that space. And

Speaker:

today, as we're recording this, my wife we

Speaker:

mentioned this, does cybersecurity at NIST and

Speaker:

my oldest son went with her to Take Your Sons and Daughters to Work

Speaker:

Day. That's cool. And yeah, so it's really cool.

Speaker:

So we have two guys here on the show. It's one of the few times

Speaker:

we've actually have had two guests at the same time. We have Patrick and Dwayne

Speaker:

who are fellow podcasters for a show called Security this

Speaker:

week. We need applause. Where's your effect? I don't have it. Plugged

Speaker:

in the effect. And

Speaker:

they also are the CEO and CTO, respectively of Pulsar

Speaker:

Security. Combined with them, they have 50

Speaker:

plus years of combined experience in cybersecurity and technology

Speaker:

and they provided services for Disney, the military,

Speaker:

bank of America, the NHL and more.

Speaker:

So welcome to the show, Patrick and Dwayne. Thank you. I just want to

Speaker:

clarify, I have 49 and he has one.

Speaker:

Wow. Just kidding. You look great for your age, by the way.

Speaker:

You started when you were like five. Is that what.

Speaker:

So there's actually a funny thing. There was a namespace collision

Speaker:

because you, Patrick, attended West Point, and thank you for

Speaker:

your service. Thanks, sir. There was another Frank Lavinia that apparently

Speaker:

went through West Point. Yes.

Speaker:

And I almost went to West Point, which probably would have confused a lot of

Speaker:

the professors and staff.

Speaker:

Wait a minute. Did you just leave here? What do you want, the eight year

Speaker:

plan? Yeah. You know what

Speaker:

I'm thinking? This is a time travel thing, Frank. It

Speaker:

is? Yeah. Yes. One of the

Speaker:

NCOs I served with sent me a picture of a Life

Speaker:

magazine cover that showed troops in the

Speaker:

landing craft at Normandy. And the guy at the center of the picture

Speaker:

looked exactly the way I did as a second lieutenant. He's like, I didn't know

Speaker:

you were in World War II. So I bought a copy of it. It's exactly

Speaker:

the way I looked when I was 22 years old. That's great. Okay, so

Speaker:

now both of you are time travel. Maybe that's what West Point does. It's

Speaker:

time travel now. We got to delete this.

Speaker:

We'll do it from the future. It'll be fun. The

Speaker:

neuralizer.

Speaker:

That would only work if. We do the video part of this, but that's true.

Speaker:

I want to repeat the name of the website because I was rambling when Frank

Speaker:

mentioned securitythewsweek.com

Speaker:

and you picked up a couple of new listeners, just

Speaker:

the banner in the virtual green room was enough to say, all

Speaker:

right, I got to make some time to listen to this. All right, we appreciate

Speaker:

it. We're trying to educate just like you. Guys,

Speaker:

and it's always fun.

Speaker:

It's a growth field, I think, to put it mildly.

Speaker:

Someone was asking me recently because a lot of big tech layoffs happening and

Speaker:

things like that, someone was asking me lately, someone who's not in data science, and

Speaker:

I was like, look, if I had to do it all over again in 2023

Speaker:

well, actually it was 2022 when I was asked this. I was like, I

Speaker:

would go with security. I'd probably go with security if you have

Speaker:

50 50 data or security. But you can't go wrong with either.

Speaker:

And there have been recent events in my life which I

Speaker:

keep alluding to a court case,

Speaker:

but definitely I discovered the wonderful world of

Speaker:

OSINT. My

Speaker:

wife is really good at OSINT, right? Because that's her career. Yeah.

Speaker:

But kind of watching what she's able to dig out and

Speaker:

kind of know me doing it, too, we've been able to kind of Swiss out

Speaker:

more information and get clarity on things, and

Speaker:

it's amazing what is available. I took a course on

Speaker:

pluralsight on kind of using Kali Linux. Andy and

Speaker:

I I now work at Red Hat, so I've kind of went from

Speaker:

promoting Windows and using Windows 100% to, thanks

Speaker:

to Windows Eleven, being driven away from the Windows world and into

Speaker:

the wonderful arms of Linux

Speaker:

and fascinated by kind of

Speaker:

the tooling that's out there and built into something like Kali or

Speaker:

Kali. I'm not sure how to pronounce it. Depends on who you are. Yeah, we

Speaker:

usually call it Kali, but that's our bread and butter. We love Kali, right? Yeah.

Speaker:

That's an awesome operating system. So tell us a little bit about because I know

Speaker:

I don't think our listeners are necessarily up on the

Speaker:

Linux, let alone kind of the hacking world making

Speaker:

that assumption. If I'm wrong, please let me know kindly through

Speaker:

email comments

Speaker:

in angry letter form. It's a siloed kind of world. We live in technology,

Speaker:

right. There's a lot of specialization. There's this notion of full

Speaker:

stack this, full stack that, but

Speaker:

I've noticed in security that poison of the notion of full

Speaker:

stack has not hitting you guys yet. It started to kind of

Speaker:

flirt with the data science world. But I don't think you can be because just

Speaker:

looking at what are the disciplines. Right, so I think that's one of the things

Speaker:

we mentioned, OSINT, which for those that don't know is open source intelligence. And I

Speaker:

don't mean open source like Linux or anything like that. What is open source

Speaker:

intelligence? So open source intelligence is

Speaker:

from my field. It's awesome because what open source intelligence

Speaker:

is there's information about every human out there and you can

Speaker:

go like Cambridge Analytica or whoever, right? There's tons of data out there about

Speaker:

every human being on the planet that you can pull from just publicly

Speaker:

available either databases, websites, some of them say the Dark Web, but

Speaker:

you don't need to go to the Dark Web. It's all out there. And we

Speaker:

have some crazy OSINT stories.

Speaker:

There was one company we were trying to break into, Fortune 500,

Speaker:

they said, hey, listen, we'd love you to do a spear phishing campaign.

Speaker:

I was going to say and to be clear, you were hired to break in,

Speaker:

right? Sure, whatever. Yeah. So if there's any attorneys

Speaker:

listening, there's any federal DA listening. Let's make that clear

Speaker:

publicly what we're. Saying on the podcast. No, we were

Speaker:

hired to break into this Fortune 500 and they said, listen, we'd love you to

Speaker:

do spear phishing. And for those of you who may not know, spear phishing is

Speaker:

where you target one user. It's either like a CEO,

Speaker:

CFO, something along those lines. So you start to gather some really detailed

Speaker:

information. And we said, listen, it's too easy, we don't want to do that. Let

Speaker:

us just focus on the technology. They're like, no, you have to do spear phishing.

Speaker:

We said okay. Cool. And we did a lot of research on and we said,

Speaker:

we're going to take your head of HR. We took the head of HR and

Speaker:

we did a lot of research on her. They said, before you send these emails

Speaker:

out, can you come talk to us about them? Just show us them so we

Speaker:

can approve them. Said, sure. We sat down with them and said, listen, we got

Speaker:

two campaigns we're super excited about. Super excited about. They're like, all right, hit us

Speaker:

with them. What are they? We said, okay, we found out that she just

Speaker:

purchased a Dodge Durango. I have the Vin number of it, and I know where

Speaker:

she bought it from. We've actually purchased a website that's very close to the

Speaker:

same dealership website. We're going to send her an email that there's a recall on

Speaker:

her Durango with her Vin number. She needs to click a link, come to a

Speaker:

website, start typing in some information. We'll take over her computer, access the

Speaker:

systems. They're like, no, you can't do that. No,

Speaker:

that's way too personal. Okay, cool. Awesome. We got the

Speaker:

second campaign, which I think is a real winner. We're just going to kidnap her

Speaker:

kids, right? They're like, okay, so hit us with the second 1.

Speaker:

Second one is probably great. I said, okay, so we found out what her

Speaker:

kids names are, where she lives. We know what school they go to, the

Speaker:

teacher's name for each of the kids. And we found the school nurse name. We've

Speaker:

set up a website that's close to the school's website, and we can

Speaker:

send an email from the nurse with a form that she has to fill out

Speaker:

that's a PDF that's infected with a virus that will take over her computer. Right?

Speaker:

And we'll mention her kids names and the classes they're in, that sort of stuff.

Speaker:

And they're like, what is wrong with you guys? You can't do any of this

Speaker:

stuff. No. Yeah.

Speaker:

Open source intelligence is crazy right now. It's data, the things you can find. It's

Speaker:

all about data. It's the information you give. So what's the lesson here? The big

Speaker:

lesson is your data is out there. And even if you don't think it's

Speaker:

out there, your data is out there. And you need to use secondary

Speaker:

channels of communication to verify things. So if you get a call

Speaker:

from the school, get an email, get a text message, call them up, call up

Speaker:

the office. If you get a message to call a phone number about your credit

Speaker:

card, call the number in the back of your credit card. Try to find a

Speaker:

safe, reliable channel and use that to verify. I get calls

Speaker:

all the time from my staff that says, did you send me an email to

Speaker:

do this? And I invite that because it's like, you should be using

Speaker:

second channel verification, and it's incredibly inconvenient. And

Speaker:

that's how you know the security is working.

Speaker:

If it's convenient, it's probably not as secure as you'd like. Yeah,

Speaker:

well, I mean, that's an interesting point because people like convenience.

Speaker:

There is a tension you could just feel like, between convenience. I

Speaker:

mean, I have to log in

Speaker:

to my account using two factor authentication

Speaker:

for both my work and my personal stuff. And I know

Speaker:

it's annoying, but I know why.

Speaker:

And Roblox apparently must have some really

Speaker:

hairy security stories because

Speaker:

their captions, their two factor authentication,

Speaker:

I mean, it's pretty rigorous. And

Speaker:

my eight year old, he's, like, complaining about I'm like, no,

Speaker:

there's a good reason for this. You got

Speaker:

to protect the kids, but also kind of train them early. Oh,

Speaker:

yeah, I like that. Yeah, it's a great idea. I was on a

Speaker:

panel with a colonel from Disa, and he said he went on vacation

Speaker:

and he got bit by a spider on his hand and came back to work.

Speaker:

Went into the office, started working, and ten minutes later, armed

Speaker:

guard showed up at his desk. And we forced him to identify

Speaker:

himself, improve his identity, because his typing cadence had

Speaker:

changed. Wow. We're

Speaker:

starting to get to the world of the military is doing things we're

Speaker:

not thinking of, and eventually we're going to have to do those things. Right. So

Speaker:

Dwayne smiled when you said two factor authentication, and I want to know

Speaker:

why. Okay. All right. I get the sense

Speaker:

it's like the tooth Fairy, right? Like, you want to believe in it, but it's

Speaker:

not as effective as it is as it's supposed to be. No, actually.

Speaker:

So, interestingly enough, Google and Microsoft both have released

Speaker:

independent research that says two factor auth will

Speaker:

mitigate about 95% to 98% of most common

Speaker:

attacks, but not everything, which is fantastic. We love using it

Speaker:

because we look for the gaps in between systems. So there's

Speaker:

a couple of two factor authentication providers out there that allow us

Speaker:

to verify that you have valid accounts and that sort of stuff, without actually

Speaker:

yeah, there's all sorts of once you start digging into the APIs of two

Speaker:

FAS, some of them are easily bypassed, some of them are easily mimicked. Some of

Speaker:

them allow you to get more information you wouldn't normally get.

Speaker:

So just be careful. There's nothing in security. That's the panacea of security.

Speaker:

Right. It's the same thing with data analytics. There's nothing that's like, oh, my

Speaker:

God, there's this one product, and if you buy it, you know everything and you

Speaker:

can see into the future. No, it doesn't work that way. Right. All

Speaker:

right. I need to ask you about my password vault off the air.

Speaker:

Yes, you do. Let me tell you

Speaker:

password for it. No matter what you heard in the news, you should have one,

Speaker:

but there's one you might not want to have. Yeah,

Speaker:

I may have that pass.

Speaker:

I think we're on the same one. Well, when someone tells you who they are,

Speaker:

believe them, and then when they tell you again, believe them again.

Speaker:

Yes. That's my concern with these

Speaker:

password vaults, is that you are putting all your eggs in one basket,

Speaker:

and you don't have two arguments, really. You

Speaker:

could use hints in your password vault instead of the passwords.

Speaker:

It's less convenient, and therefore it works.

Speaker:

But that means you still have to use long passwords. So you might have

Speaker:

zip codes and phone numbers and favorite words and favorite

Speaker:

songs and you know what you're going to pull out of them. You'd still have

Speaker:

to have that cognitive presence to understand, but you can put hints

Speaker:

in them and then that'll let you get to where you need to be.

Speaker:

A friend of mine would put incorrect information

Speaker:

in it. Right. And he would know that's what it's same principle.

Speaker:

Exactly. Yeah. That is just

Speaker:

intriguing. So, quick question. Scrambled up symbols,

Speaker:

letters and stuff, or.

Speaker:

Better, longer the better complexity. So okay.

Speaker:

At our office, we break in at companies all the time legally. Right.

Speaker:

I'm going to keep adding that, Patrick, just for the

Speaker:

thank you. So when we find a hash so a hash is a representation

Speaker:

of a password or an account on a particular system. It's not the actual

Speaker:

password. We need to crack it. We need to go and figure out, okay, well,

Speaker:

does the word book match to this hash? No. Does the word car match?

Speaker:

This is a brute force technique. We're not able to reverse it, but we can

Speaker:

brute force it. Right. And so in doing that, we have a crack cluster at

Speaker:

the office. So you know the 30, 90 video cards that you might have in

Speaker:

your computer? We have a crack cluster that has like 40 of them all in

Speaker:

one motherboard. So we can guess 3 billion

Speaker:

passwords a second. Wow. Yeah. So if

Speaker:

you take a normal hash, we're

Speaker:

guessing let's say we're only doing

Speaker:

lowercase characters, it's 26 characters. And let's say

Speaker:

at ten character password, it takes us a day. Right? Well,

Speaker:

at eleven characters, it's a day times 26. Now we're at about a

Speaker:

month. At twelve Characters it's a month times

Speaker:

26. Now we're at a little over two years for twelve characters.

Speaker:

Now let's do one thing. So we also have a

Speaker:

dictionary file with 8.4 billion

Speaker:

passwords that have been found on the Internet through over the last breach.

Speaker:

Ten years. Over the last ten years. If your password is in that, we'll get

Speaker:

it in 3 seconds. Right. Because we can get so we also. Have to talk

Speaker:

about that after. Yes, for sure.

Speaker:

And to be clear, passwords are better. And to be clear, you're doing this

Speaker:

offline. Right. It's not like somebody's listening. You're not like hitting the login

Speaker:

page and clicking that a billion times. Let me give you stolen the hash.

Speaker:

Okay. Yeah. So good example, because that's a great question, Frank. So let's say

Speaker:

I'm trying to break into your Wi Fi. Now, there's a couple of ways to

Speaker:

do that. One is to try to break into your Wi Fi

Speaker:

system because you've allowed a remote administration, which you shouldn't

Speaker:

do. And then I have to guess the password, and I might be able to

Speaker:

get that to accept 1000 attempts per

Speaker:

minute, maybe more, but I'm

Speaker:

still throttled by having to send it, having to receive it. It

Speaker:

processing. And some of those things are going to be slow. But if I can

Speaker:

monitor the airwaves, which I can if I'm local to you and I

Speaker:

get the hash through going through the air to

Speaker:

someone's phone, which we will get, then we can take that home

Speaker:

and we can brute force it in the comfort of our own systems. And that's

Speaker:

offline hacking. So online attacks are harder to do

Speaker:

because you can't get the speed, you can't parallelize them them

Speaker:

parallelize them as easily. But the ones where we can do

Speaker:

offline, we can do those much faster and much more powerfully.

Speaker:

There are cool ways, though, to do online ones. Okay. Really?

Speaker:

Yeah. Okay, real quick, you know how you try and log into a

Speaker:

website and if you log in with the wrong password five times it kind of

Speaker:

locks you out for a period of time? Sure. So what they're doing is they're

Speaker:

saying five times from that one IP address. So what if you could have an

Speaker:

infinite amount of IP addresses, which is what

Speaker:

Azure and AWS will give you. So you can actually route every

Speaker:

password attempt through AWS, for example, and get a new

Speaker:

IP address every single time. You can do thousands, but you're still. Throttled by how

Speaker:

fast it can reply. And it probably can't reply 3 billion. Not as fast as

Speaker:

an offline crack. Exactly. But it can be. I'm just saying won't at some point

Speaker:

AWS or Azure kind of like figure. Out you would think. You

Speaker:

would think. Okay, no, interesting. So it's a game

Speaker:

of cat and mouse. They're dealing with amazing amounts of

Speaker:

traffic. Eventually, maybe there'll be an AI that helps, but then we'll use our

Speaker:

AI to fight it and it'll be and. Then the Robot Wars.

Speaker:

And I would imagine that Microsoft has bigger fish

Speaker:

to fry and AWS has. Bigger fish to fry. Problem is, if you're

Speaker:

not using Amazon, you just use a botnet and then there's

Speaker:

no limitation on that. I got you. Right. And for

Speaker:

the education of our audience, just in case you may have heard it in the

Speaker:

news, what exactly is a botnet? I think I know what it is,

Speaker:

but I want to hear it straight. From the when hackers take over systems,

Speaker:

they can do various things with them. They can ransomware them, they can steal your

Speaker:

personal information and do identity theft and credential theft. But they can

Speaker:

also just turn your computer into one of their slaves and it'll be a

Speaker:

zombie in their army. And they get 100,000 of these systems. They could do

Speaker:

Denial of Service, they can rent them out. Think of

Speaker:

Coin, I think was a thing for a while. Yeah. And honestly, what's interesting,

Speaker:

talking about data trends, you start to see ransomware

Speaker:

attacks on systems go up when bitcoin's

Speaker:

value goes down. So if it's

Speaker:

more advantageous for you to use those systems to mine

Speaker:

coins, that's what they do. But when it's not, then they just switch over to

Speaker:

ransomware and they start making more money that way. So you keep an eye on

Speaker:

that market and, you'll know interesting. Yeah,

Speaker:

interesting. So they make money, whoever they are,

Speaker:

they make money on the way up. One way or

Speaker:

another. Yeah, exactly. Right. You have to admire they're business

Speaker:

savvy. Oh, it's impressive. You shouldn't, but you

Speaker:

can rent a botnet, rent a ransomware framework.

Speaker:

So let's talk about one thing. There's different levels of threats. So the

Speaker:

kid that's walking through the parking lot trying car doors to steal stuff out of

Speaker:

a car is not as much of a threat as the professional who knows how

Speaker:

to break into a vault. And there's

Speaker:

fewer of that latter than there are of the former. So what you're

Speaker:

trying to do is you're trying to build up enough defense that the threats that

Speaker:

are likely to come your way are going to be thwarted. You can't stop

Speaker:

everything if Dwayne comes after you, I can confidently

Speaker:

say we're getting you because that's what we

Speaker:

do. And we're not script kitties. We're not amateurs, and we have a lot

Speaker:

of capabilities, a lot of software. Some of the software packets we use cost

Speaker:

$60,000 a year. Wow. Hackers sitting in their basement

Speaker:

aren't doing that. We're a different level of organization. But you

Speaker:

want to prepare for the highest level you can so that things

Speaker:

bounce off you. Isn't that referred to as

Speaker:

advanced persistent threats? Yeah, we would represent

Speaker:

an advanced persistent threat because we can do things and

Speaker:

spin up resources that aren't available at the lower levels. The lower levels

Speaker:

are like kids in high school that are just

Speaker:

trying to make a name for themselves. And then there's the we

Speaker:

actually have a slide called the Pyramid of Threats that goes through all this. And

Speaker:

the next level would be basically a

Speaker:

stalker, technical stalker, somebody who's a little bit of a techie and is mad at

Speaker:

you and comes after you. That's very personal. Kim Jong

Speaker:

UN is probably not your stalker.

Speaker:

Probably. The next level is the criminal syndicates who are just in it for the

Speaker:

money, and they're going to go after the softest target they can

Speaker:

find. And if you make it hard for them, they're just going to go away

Speaker:

because you're not what they want. They look for another target. And then you get

Speaker:

up to organizations like ours that work with enterprises and

Speaker:

governments and billion dollar entities, and then you get to governments themselves,

Speaker:

which, when we talk about Mitigation, we have levels of what you need

Speaker:

to do to stop the script kitties and everything else. And the top, when we

Speaker:

get to nation states, it's prayer. Yeah. There's not much.

Speaker:

That'S perfect. Yeah. What's fascinating,

Speaker:

though, is I remember reading Bruce Schneier wrote a book on

Speaker:

cryptography, which is probably still a vaunted

Speaker:

tome, but I remember one of the things

Speaker:

was he didn't say exactly what you said, but he

Speaker:

phrased it differently. If you're talking about cryptography. There's cryptography to keep your little

Speaker:

sister out of it, and there's cryptography to keep nation states out of it. And

Speaker:

that's a very wide spectrum.

Speaker:

Even though he wasn't writing about cryptography, it sounds like the same philosophy

Speaker:

holds true. There's also a duration aspect. So if I'm firing

Speaker:

artillery at you, I need the coordinates those are going to land at to be

Speaker:

secret for about two minutes, and then after that, it doesn't matter. Then it doesn't

Speaker:

matter. Right. But if it's nuclear missile silo locations, I need that

Speaker:

for decades. Or mineral depots or things

Speaker:

like that. So there's a time duration that also. Factors

Speaker:

in which actually, I think is a good topic of something else I'm

Speaker:

fascinated with is quantum computing. And I know that

Speaker:

you're laughing, so that I know there's a good story behind this. I have a

Speaker:

podcast on quantum computing called Things, and

Speaker:

it's the only topic that shuts Dwayne up.

Speaker:

I'm going to go do something else now. So that's why I saw the eye

Speaker:

roll and then you were laughing. Okay. So the reason why

Speaker:

people are kind of because in the security space and in the government, there's this

Speaker:

whole thing of how do we get post? Yeah. Shore's law.

Speaker:

So Shore wrote this algorithm that could theoretically

Speaker:

break how we do

Speaker:

cryptography now is largely based on it's hard

Speaker:

to reverse factor prime numbers. It's the discrete log

Speaker:

problem. Right. Which underlies RSA,

Speaker:

diffie hellman and elliptical curve. Oh,

Speaker:

elliptical curve, too. Yeah. I thought that was meant to be post.

Speaker:

Okay, well, they thought so, not so much. Oh, is this the one that

Speaker:

was broken? And don't worry, listeners, we'll unpack

Speaker:

this. That was the NIST psych. It was an

Speaker:

implementation break. So if I can just give a quick

Speaker:

reel. No, please do. There's a lot to unpack here, particularly. For folks that are

Speaker:

I'm not an. Expert, but I've got a podcast for the last two years on

Speaker:

quantum computing called Entangled Things, and it's a great

Speaker:

way to learn a topic really well. I took the MIT courses.

Speaker:

Peter Short was one of the professors, and so he came up with a

Speaker:

way if we had a suitably advanced quantum computer, we could

Speaker:

break RSA 2048 or RSA anything. Diffie

Speaker:

helman and elliptical curve. Now, those aren't our

Speaker:

primary symmetric encryption

Speaker:

protocols. Those are our primary asymmetric encryption protocols. So those are

Speaker:

the protocols we use to share the key that then does all the

Speaker:

encryption. Because files and large amounts of data can't be

Speaker:

encrypted with an asymmetric key, it has to use symmetric. But

Speaker:

how do you share that key? Well, that's where the asymmetric comes in. And so

Speaker:

it's the key to the key drawer is really what it is. And

Speaker:

so if those all break, then we need replacements.

Speaker:

And NIST, which is one of the reasons I'm a big fan, has come out

Speaker:

with basically, they did a Bake off over the last five,

Speaker:

six years to figure out which algorithms would not be

Speaker:

quantum based, but would be quantum resistant. And

Speaker:

Crystals.org has crystals, kyber crystals,

Speaker:

dilithium. So you got to love the techies, right?

Speaker:

It looks like those kinds

Speaker:

of technologies are in our future as well as when

Speaker:

quantum finally arrives. The problem is no one knows when quantum will actually be

Speaker:

ready. And that's the sticking point. Is it the end of this decade? Is it

Speaker:

three decades? I think it's closer to the end of this decade, but we don't

Speaker:

know because we're in the middle of the infancy of quantum. But

Speaker:

the computers do exist now. But the point you're doing about

Speaker:

time, right? So if you need something to be secure for decades,

Speaker:

right now is the time to at least

Speaker:

try with post quantum cryptography. Because and

Speaker:

supposedly there are stories that there are bad actors

Speaker:

out there storing stuff, storing data

Speaker:

for later. That's what's motivating. Honestly, that's where

Speaker:

a lot of the money is coming from for quantum computing, is

Speaker:

because of this threat, nothing funds like

Speaker:

defense. So this has turned quantum into a defense

Speaker:

spending among the primary powers. But it also solves a lot of

Speaker:

problems, does a lot of other things. So speaking of geeky stuff, there's

Speaker:

a quote from one of the Ferengi characters on Deep Space Nine, and

Speaker:

it's something to the effect quark. Yeah, it

Speaker:

might even be one of the Rules of Acquisition, but it was basically something to

Speaker:

the effect of no one ever went broke selling weapons.

Speaker:

I have that book somewhere on this bookshelf. I have that too. That's an awesome

Speaker:

book. Yeah, not wrong. I highly recommend that book. I don't know if

Speaker:

it's print, but. The other thing I'd say about quantum, and I bring

Speaker:

this up every now and then, we have a podcast called Impact

Speaker:

Quantum as well. We've been doing it about a year and a half, two years.

Speaker:

So it sounds like we started around the same time. Wow. But it's interesting

Speaker:

spinning around in the corner in all of this is as

Speaker:

they run simulations to try and simulate

Speaker:

quantum every six months or so, they go, oh

Speaker:

man, we can take this problem. That was going to take 100,000 years

Speaker:

on traditional hardware. Now we can do it in a couple of months.

Speaker:

They keep finding these optimizations, I guess.

Speaker:

And so it's like without meaning to be here already,

Speaker:

quantum is kind of sneaking in. It certainly

Speaker:

is. And I think we've just hijacked the podcast here. I

Speaker:

know, right? Yeah, it's all good. All these things are. So one

Speaker:

of my favorite shows of all time, aside from Deep Space Nine, of

Speaker:

course, is there was this British television series called, I think it

Speaker:

was Connections. Yeah. And I think it

Speaker:

was with the guy who's done a bunch of documentaries, or it was

Speaker:

the guy who played a James Bond villain at one point, I forget. But

Speaker:

they would basically try to connect. I'm. Going to get a lot of

Speaker:

hate mail on that one because I'm totally messy.

Speaker:

1978 TV series. This guy, he had a bunch of

Speaker:

James Burke. James Burke. You're right. Yes. But he looks like a

Speaker:

guy that would play he was also in Game of

Speaker:

Thrones, looks like a mad scientist. But

Speaker:

he had a number of shows from the 70s into the don't know if there's

Speaker:

any newer ones, but he basically showed how the way

Speaker:

we learn about anything, right, is very siloed, right? You have English class, you

Speaker:

have math class, and then you put your brain

Speaker:

on part of your brain on the shelf. But he kind of shows how one

Speaker:

particular one that stuck out was the connection between perfumes

Speaker:

and the carburetor. And that's awesome.

Speaker:

The spoiler alert was the Atomizer for the

Speaker:

carburetor came from. But there was a whole connection of

Speaker:

people that knew each other, who knew each other, just like today. They didn't have

Speaker:

LinkedIn then, but you would always have these second and third connections that you

Speaker:

would meet at a cocktail party or ballroom dance,

Speaker:

depending on the time period. And it was just interesting how these ideas would intermingle.

Speaker:

Another story I like that kind of illustrates that, is that apparently there's some cafe

Speaker:

in Vienna where Freud would hang out, einstein

Speaker:

would hang out, and so would Vladimir Lenin hang out from time

Speaker:

to they did they have conversations with each

Speaker:

other? I don't know. But just the fact that they were in the same coffee

Speaker:

shop around the same time opens up the thing of

Speaker:

did Einstein say to Freud, like, hey, can you pass the sugar? And

Speaker:

then, you know, that's what your mom said, or something

Speaker:

like stupid stuff like

Speaker:

or or Lenin would have said, is it really your sugar?

Speaker:

But you have to wonder. These little type of chance

Speaker:

encounters, those are the types of things that the thought of which fascinate

Speaker:

me. Yeah. It is impressive how some of the modern

Speaker:

day, you think brilliant inventions, and when you unpack them, you're like,

Speaker:

it was a lot of little steps and a lot of weird connections that happened

Speaker:

that brought this thing about, right? Yeah. And quantum to me, is still

Speaker:

mind blowing. I'm working on breaking into conventional systems

Speaker:

for now. I'll break into quantum systems later. Well, yeah, I mean,

Speaker:

eventually anything can be broken,

Speaker:

apparently. You can watch the movie War Games, and War Games

Speaker:

came out in '83. I would have been an impressionable young youth,

Speaker:

and I was just fascinated by that movie. And there's a scene

Speaker:

in there where he smugly turns to I guess it would have been Ally Sheedy

Speaker:

like, anything could be broken.

Speaker:

Like, if nothing has ever been such a

Speaker:

timeless, a just existing is kind of like a

Speaker:

vulnerability. I'm telling you, those movies

Speaker:

all right, how many of you are fans of Sneakers? Oh,

Speaker:

yeah. Well, that wasn't Robert Redford.

Speaker:

Yeah, that was the one where I. Was like, okay, if there's a job in

Speaker:

the real world to do that, that's what I want to do.

Speaker:

Social engineering, right? That was the first time I saw it. Oh, my

Speaker:

gosh, I just love that. Movie because it showed,

Speaker:

like it's not just the obvious, right? Like the thing where the

Speaker:

guy who was blind was playing back with tape

Speaker:

whistler was playing, like, the tape. Okay, well, what did the road sound

Speaker:

like? And he goes, he described he goes, did it sound like this? I was

Speaker:

like, no, a little slower. Oh my God. I was like, So you were on

Speaker:

that highway? It was just like but that was one of those

Speaker:

moments where you're like, wow, holy crap. That sort of thing possible.

Speaker:

Where he's listening to neon signs as they're moving the mic around, and he's like,

Speaker:

no, that's an exit sign. And they're like, Duane, do you want to talk about

Speaker:

the way you hack a database without actually reading any of the

Speaker:

data? So awesome. Based on denials. Have you guys ever heard of blind

Speaker:

injection? No? Okay. Blind injection is the coolest thing ever. So let's

Speaker:

say we go to a website and it's black magic, it's like

Speaker:

voodoo stuff. You go to a website and let's say in the website, all you

Speaker:

can do is you have a little drop down and you can change the language

Speaker:

of the website. And that's it. That's all you can do. No login screen? No

Speaker:

none of that stuff. But in that drop down, as a website owner, you

Speaker:

keep adding languages. So you add French and you add Spanish and you add whatever,

Speaker:

right? So that pulls it out of a database. So what

Speaker:

I can do is, even though I don't have

Speaker:

the ability to inject data, I can stack the query for

Speaker:

the language, and then at that point, I have the ability

Speaker:

to gauge how quickly the web page comes

Speaker:

back, so I can say, okay, give me the language

Speaker:

Spanish. And if the first column in

Speaker:

the first database is

Speaker:

an A, then pause for a fraction of a second

Speaker:

and the page will pause for a fraction of a second.

Speaker:

So you can pull all the information out of the back end database just by

Speaker:

how quickly the page comes back to you, whether it's two milliseconds

Speaker:

or five milliseconds or ten milliseconds, just by blindly injecting, which

Speaker:

is awesome. Yeah, that's insidious.

Speaker:

The first time I heard about SQL injection was actually at a Microsoft like,

Speaker:

dev days thing in New York, and they built this

Speaker:

website, I might have been Channel Nine, which for our listeners, they know what

Speaker:

Channel Nine is, but it was basically like a community site where they would post

Speaker:

content they since killed. It rebranded it's been

Speaker:

rebranded to Learn TV or something like that. But

Speaker:

I was on Channel Nine. You were

Speaker:

half microsoft flew me out to and five other

Speaker:

hackers flew us out to Vegas to break into a casino and

Speaker:

they did a half hour long, like breaking into

Speaker:

casino. So we did injection. It was called The Code Room. I remember The Code

Speaker:

Room. I've got to see if they've archived that.

Speaker:

We have to check it out. You're like that guy in Oceans Eleven, right?

Speaker:

I'd like to say it's the only time I've ever been walked through a casino

Speaker:

in handcuffs, but whatever. Anyway,

Speaker:

another show. Exactly.

Speaker:

No. So the same team that built Channel Nine, this would have been early

Speaker:

2003, 2004, they basically

Speaker:

had shown how they did this challenge, like, who can

Speaker:

hack this? And basically somebody had basically said, well, your database sent

Speaker:

the email back saying, know, hey, this is what your database looks like. And everybody

Speaker:

at Microsoft was freaking out. And it turns out it was a SQL

Speaker:

injection. But when I first heard that, my mind was blown like I never thought

Speaker:

of cool. And the wife

Speaker:

did nix the idea of naming our kid Little Bobby Tables. Bobby

Speaker:

Tables, right? Missed

Speaker:

opportunities right there. Right? Little Bobby tables.

Speaker:

Which if you don't know that story, you have to Google it because the

Speaker:

xkcd cartoon does it. Those are excellent.

Speaker:

Brilliant. One of many.

Speaker:

So this is awesome.

Speaker:

We've talked about OSINT, but there are other disciplines in this. Oh, there's, there's, there's

Speaker:

Red Team, Blue Team, pen testing,

Speaker:

auditing, auditing, C&A,

Speaker:

certification, accreditation. Being a good developer. OSCPs.

Speaker:

Oh, yeah. Just not being a bad developer using oh my God. Well,

Speaker:

that's really true.

Speaker:

Oh, Patrick. You froze Patrick. I think we lost him. We lost

Speaker:

him. So while we're hoping his video

Speaker:

comes back, I will tell you a joke that

Speaker:

because when my first child, I think I'm back.

Speaker:

You are back. So think about building a house. And then

Speaker:

afterwards you say, okay, now secure it. You got to replace all the

Speaker:

doors. You've got to think about windows. Now, it's much more expensive when

Speaker:

you build anything, whether it's hardware, software, or anything,

Speaker:

if you start with security in mind, it's much cheaper. And so really, security is

Speaker:

a job for everybody. Data architects, SQL

Speaker:

administrators, network, file systems, NAS

Speaker:

administrators, everyone. And then there's the ones who are just thinking about

Speaker:

security all the time. But we have to make it pervasive. We have to make

Speaker:

everybody think about it. Well, I mean, that's a good point, because there's

Speaker:

an acquaintance of my wife who does I forget what it's called, but it

Speaker:

was basically physical security. He does all kinds of security, but one of the things

Speaker:

that he does is more like the stuff you would see

Speaker:

in movies where they follow people. They kind of

Speaker:

do kind of like the lock picking and the lock picking, stuff

Speaker:

like that. There's actually a video on it might have

Speaker:

been from DEF CON where breaking into like 50

Speaker:

places in 50 days or something like that. But

Speaker:

I was talking to this acquaintance of my wife and no

Speaker:

names, but he basically that's one of the jobs that he

Speaker:

does. He's contracted to do that. And

Speaker:

he'll get some interesting things where they

Speaker:

have some really good stories. This guy. This guy's. Stories. So one story

Speaker:

was he's testing out a new data center for

Speaker:

someone, and they want to test the security. And he's

Speaker:

like, okay. Takes a look around outside, he walks in and he goes

Speaker:

and the customer says, well, when do we start to test? And he goes, has

Speaker:

the paperwork been signed? He goes, yeah. So he looks at this

Speaker:

bulletproof door, and then he's got these giant

Speaker:

boots. That's what he always wears, these giant boots. And he just basically looks

Speaker:

around. He goes, and the paperwork signed, right? He talked to the lawyer who was

Speaker:

there. He goes, yes. Paperwork signed. And he turns to the customer

Speaker:

once again, he goes, Are you sure you want to do this? They're like, absolutely.

Speaker:

We're secure. We'll get it. And then he does and he does this, like, karate

Speaker:

kick, and he's a big guy. Basically knocks down the

Speaker:

bulletproof door. Oh, my God. Because the bulletproof door was not on

Speaker:

reinforced hinges. Sure, but it was just kind of.

Speaker:

Like the description that he gives of

Speaker:

whoever was the chief security officer's face just blew color drained from

Speaker:

his face. We've done physical security and seen

Speaker:

bulletproof systems where they were installed backwards

Speaker:

so that people attacking could have taken it out.

Speaker:

Because the hinges you have to think about where the hinges are and where the

Speaker:

nuts so when you disassemble it.

Speaker:

We lost them again. Oh, no. Sadness. I want to know how

Speaker:

it ends.

Speaker:

So while we wait for him, there's this TV show called Burn

Speaker:

Notice, which always has some oh, I love Burn Notice.

Speaker:

It's one of my favorite shows. Yeah, well, the one where the drug

Speaker:

dealer and I love how he does like the voiceover. He

Speaker:

goes, this drug dealer has a bulletproof angel.

Speaker:

Angel. That's right. Sugar. Sugar. Sugar. It was sugar. He lived downstairs

Speaker:

from him. He shot the door. He shot through the door. The wall. The

Speaker:

wall. No, the wall. He's like, yeah, but there's not bulletproof drywall.

Speaker:

The way he says it was funny. Yeah, I highly

Speaker:

recommend I forget what service it's on, but I discovered it because

Speaker:

it was on Pluto. They had a channel that was just Burn Notice

Speaker:

twenty-four seven. And then like 7 hours later I was like, oh, my God,

Speaker:

7 hours. It's that good of a show.

Speaker:

So you were talking about the before you froze up, you were

Speaker:

talking about the hinges.

Speaker:

Oh, I'm sorry. I don't know what's going on with my Internet connection. I apologize.

Speaker:

No worries. You're probably in the middle of a hack.

Speaker:

Duane is actually hacking. Yeah. Let me stop. Hold on.

Speaker:

So my password is 54 characters long because he kept telling me what my password

Speaker:

was in the smarmiest voice

Speaker:

possible. How many years would that take to break

Speaker:

all of them? More years than we all have. Until

Speaker:

I get... quantum computing comes up to speed, then we're good.

Speaker:

Probabilistically. Yeah, I think I was just saying

Speaker:

that you got to make sure you think about where the hinges are, which

Speaker:

direction they're facing and stuff like that, but it's

Speaker:

mistakes. If you look at the news of the day, it's

Speaker:

misconfigurations. It's social engineering,

Speaker:

and it's getting more and more complex, and so we're having a tough time keeping

Speaker:

up with the education, which is why podcasts like yours and ours are so

Speaker:

important. No, absolutely. And you're right. Security is

Speaker:

everybody's businessweek.com. I've got to

Speaker:

check that out. And you got the.

Speaker:

Oh, my God. You need a we did it. Yeah,

Speaker:

we.

Speaker:

Were talking about you were talking about the physical security part. I did a little

Speaker:

bit of that back in one day. You were in the military, so you

Speaker:

did a lot of the back. Yeah, think about it. At least

Speaker:

the National Guard stuff. But it was interesting because

Speaker:

being in Virginia and working with a little bit

Speaker:

of physical security here, it was amped up a

Speaker:

notch. Same way Frank's in Maryland. Same way in Maryland, if you are in

Speaker:

driving distance of important places, you

Speaker:

know that there's no need to give anybody any more ideas,

Speaker:

but occasionally, somebody would

Speaker:

do something clever. And the gist

Speaker:

of the story, kind of the moral of the story was they didn't beat the

Speaker:

electronics. No. They beat the.

Speaker:

Was. And it's the same thing with social engineering. It's the same thing with

Speaker:

all of this stuff. So hopefully I didn't say too much. Frank, you may have

Speaker:

to take that out. I don't know. I

Speaker:

live now. I was being the tomahawks on its way. Andy.

Speaker:

We have the watch lies come back on, but

Speaker:

no, I live up the road on Route 32 from if you know, you know,

Speaker:

from places. I know from places from places

Speaker:

in and around that county and the next county. There's a lot of

Speaker:

office buildings know, just have no signs on them, have

Speaker:

suspiciously high degrees of security, and they don't like when you

Speaker:

pull up unannounced. Oh, my. No.

Speaker:

So right next to where the Microsoft Reston office used to be,

Speaker:

there is an unmarked building with

Speaker:

a high number of security. And one of my former

Speaker:

bosses who drove down from Pittsburgh, his first trip to the Reston

Speaker:

office, he missed the turn, and he was trying to turn around inside that

Speaker:

parking lot. Yeah, no. And yeah, he learned

Speaker:

very quickly. He went back up. Severe tire. Not that

Speaker:

parking. No. Well, I mean, law enforcement showed up pretty

Speaker:

quickly with seconds, and they're like, what are you doing here? And he's

Speaker:

like, I'm just trying to get the money. Just turn around. Like, sure you are.

Speaker:

So ten years ago, my daughter was moving out of

Speaker:

a place that she was renting down in Boston, right by the VA hospital.

Speaker:

She was finishing her senior year of college, and I had

Speaker:

a U Haul truck. And I took the U Haul truck

Speaker:

and parked it in the VA parking lot because I'm a veteran, right?

Speaker:

And I moved a barrier to do it because I'm a veteran. And I

Speaker:

parked it. And then I went and walked through the woods to where her apartment

Speaker:

was to talk to her and left my 17 year old nephew in the car.

Speaker:

And the cops came, guns drawn,

Speaker:

like, Open the truck. Open the truck. Oh, my goodness. Okay. And

Speaker:

he opened the truck. It was empty. They're like, what are you doing here? And

Speaker:

he's like, oh, my uncle. And he's like, this better not be here when I

Speaker:

come back. I came back, and he's like, telling me this story. I'm like, I'll

Speaker:

be fine. We're leaving now anyways. And we leave, and the cops coming back, and

Speaker:

I'm like, I wave. That's funny.

Speaker:

Yeah, there's a lot of good stories. My first day at Microsoft

Speaker:

not my first day, but my first speaking gig, because I was doing a developer

Speaker:

evangelism then was at a nondescript office building in and around the

Speaker:

Bethesda area. And I've driven past 100 times, never noticed

Speaker:

it. I still think

Speaker:

to this day it was a hazing thing, right? I was a last minute

Speaker:

replacement for somebody else, so my name wasn't on the big list. So I

Speaker:

show up, and I wasn't on the big list. And then the guard

Speaker:

looks at me and was like, well,

Speaker:

why don't you go over there? I'm like, uh-oh

Speaker:

all of a sudden, out of nowhere, this normal suburban looking building

Speaker:

like, armed machine guns meant it was just like, oh, my God.

Speaker:

Like dogs sniffing around the car. It was crazy.

Speaker:

And the guy with the heavy machine gun said to me, you want you to

Speaker:

sit in the car and wait for Ain't getting out?

Speaker:

And so finally, they did manage to get in a hold of somebody, but it

Speaker:

was just kind of like, oh, my God. Yeah.

Speaker:

So I've been drawn on at an air force base. We

Speaker:

went in to do work, and I was working with I won't mention the military

Speaker:

contractor, but military contractor. I wasn't cleared for the particular

Speaker:

intelligence systems, but I was helping them do security

Speaker:

work. So the contractor had to type,

Speaker:

and I had to tell her what to type. And after two days, she's like,

Speaker:

listen, I don't know what you're telling me to type anyways. Doesn't matter, right? Just

Speaker:

sit down and type at the computer. I was like, okay. So I'm sitting there

Speaker:

typing. After a couple of hours, she leaves. A fully uniformed guy comes in

Speaker:

like, what's your clearance for that system? Oh, my God. I don't have any clearance.

Speaker:

Pulls his gun, pulls his gun. Is like, don't touch the key.

Speaker:

Step away from that keyboard. And I was just like, I got to get shot.

Speaker:

Yeah. Back up slowly. Yeah. No, that

Speaker:

was probably the scariest cyber incident I've ever been

Speaker:

in. Well, it's interesting because the

Speaker:

cybersecurity world, I think, is really an interesting

Speaker:

space for a lot of reasons, but it does blend the physical and the real,

Speaker:

right. The kinetic and the virtual, as I've heard

Speaker:

said. It's fascinating. Yeah.

Speaker:

You know what, we didn't get to our questions. I

Speaker:

know, I'm okay with that. This was an awesome

Speaker:

conversation to come back. There you go. I love

Speaker:

it. So we will ask this because

Speaker:

you told us in the virtual green room you didn't want to be

Speaker:

advertising your company and that sort of stuff, but we ask everyone,

Speaker:

where can people learn more about you? And feel free

Speaker:

to plug your business. Our website is

Speaker:

Pulsarsecurity.com. We're in a weird situation

Speaker:

because we have very high end cybersecurity talent. We have

Speaker:

several billion dollar customers, and we try to do a lot

Speaker:

for community school systems, things like that, on a budget. So cool.

Speaker:

But we're really not looking for a ton of customers, which is

Speaker:

a good place to be. So we're mostly promoting the podcast

Speaker:

to say, that said, we do try to help people who need

Speaker:

it, but we also have to pay a lot of cost for that high end

Speaker:

software that makes sense.

Speaker:

Securitytheweek.com, podcast.

Speaker:

And entangle things. Okay. Entangle things. Okay. So

Speaker:

before you go, there's one question I think that everybody who's listening to this is

Speaker:

probably asking themselves, if you're not in the security field, how does

Speaker:

one get started? Where does one get started?

Speaker:

You mentioned, like, Pluralsight, LinkedIn. There's all sorts

Speaker:

of training out there. If there was this much training when I was a kid,

Speaker:

I would be way smarter than I am now.

Speaker:

You just have to start going and surveying. I tell people they

Speaker:

should start a mile wide and an inch deep. They need to learn

Speaker:

terminology. They need to learn what is SQL? Well,

Speaker:

SQL injection. What's SQL? You have to understand what a database is. You have to understand

Speaker:

what a file is. You have to understand what Red Hat is and

Speaker:

what Kali is and what Linux is. You need that basis. And

Speaker:

then you can figure out where your niche will be. Whether you're going to be

Speaker:

an auditor, or a hacker, or a red teamer or blue teamer

Speaker:

or project manager or whatever. Because it's kind of like saying,

Speaker:

I want to be in security or I want to be in technology. That's like

Speaker:

saying, I want to be in medicine. It's a wide range. You need to just

Speaker:

start getting that understanding so that when you listen to a

Speaker:

podcast or read an article, you understand what they mean when they

Speaker:

say deployment or compile. That's where you

Speaker:

start. You start with the vocabulary. And I'd say the other thing is reach out

Speaker:

to companies. I can't tell you how many times I have people reach out to

Speaker:

me and say, hey, listen, I'm interested in cybersecurity. What should I

Speaker:

do? And we'll do things like, I'll have them sign an NDA

Speaker:

and bring them on an engagement. See if this is for you before you actually

Speaker:

go. And just watch and ask questions and use

Speaker:

it as a training event.

Speaker:

So it's things like that. I think you'll find

Speaker:

companies out there who are just there's so little people in the cybersecurity space.

Speaker:

They're just willing to help and educate and see if this is a field you're

Speaker:

interested in. Also, we have a summer program

Speaker:

too, with interns that come in with

Speaker:

us. We're working with high school in the area

Speaker:

for kids that it's a STEM high school

Speaker:

bringing them on and having them do their required hours just to get

Speaker:

a feel for what it's all. About, what it's like. Yeah,

Speaker:

right? And that mystery voice is Jill.

Speaker:

Just for the listeners that are like. Who was somebody broke into the podcast.

Speaker:

That's hilarious. Nothing's safe.

Speaker:

Okay, Joe. We didn't say your last name. We're good. Yeah.

Speaker:

That's really interesting to know about the intern program. My

Speaker:

daughter is headed to Virginia Tech for computer science,

Speaker:

and she's looking for I don't know if she'll want to do

Speaker:

cybersecurity, but if she does now, I know some people. Yeah, there you go.

Speaker:

Have her reach out. Because, honestly, even if she just wants to sit in and

Speaker:

watch what a Red Team engagement looks like, I've had people my son's 19 years

Speaker:

old, and I got him to intern and look at engagements, and he came to

Speaker:

me after, like, a year, and he was like, hey, dad, you know what? And

Speaker:

I was like, yeah. And he's like, I hate this. This is not yeah,

Speaker:

this is not for me. That's a good thing, though, right? Because it's a

Speaker:

great thing. Did he say this or you

Speaker:

fire targets down. Tell him his 54 character

Speaker:

password. That'll get.

Speaker:

Well. This has been an awesome show. I hate to end it, but all good

Speaker:

things must end. But we'll definitely have you back, because this is a field that

Speaker:

I think and there's topics in my head that we didn't come up with. Right.

Speaker:

The idea of how do you secure data from

Speaker:

the source to the end, right? Because if you're training these AI

Speaker:

models, particularly with something like a

Speaker:

Kafka stream, what if you inject bad data in? How do you detect that?

Speaker:

A friend of mine was talking about there was some talk of using

Speaker:

blockchain technology to kind of

Speaker:

authenticate data transactions. So that way when you're learning

Speaker:

it, you have kind of a trail to it. And obviously that could probably be

Speaker:

another hour episode right there. But in the interest of time,

Speaker:

we'd definitely love to have you back, and we'd love to join

Speaker:

you. Any parting thoughts? Stay

Speaker:

in school. Yes, stay in school. Use long. Change your

Speaker:

password. Right? And keep listening to this podcast. It's great. That's

Speaker:

right. And the other ones? Awesome. All right. And I'll let the

Speaker:

nice British lady finish the show. And that,

Speaker:

dear listeners, brings us to the end of another riveting episode of

Speaker:

Data Driven. I hope you've all enjoyed delving into

Speaker:

the mysterious world of cybersecurity. I must

Speaker:

admit, the idea of advanced persistent threats and hacking can be a bit

Speaker:

unnerving. But, hey, who needs beauty sleep when you

Speaker:

can have nightmares about hackers instead? As we sign

Speaker:

off, I'd like to extend a big thank you to our guest speakers, who shared

Speaker:

their insights and experiences, including that rogue AI of

Speaker:

theirs. Remember, folks, hacking might be a

Speaker:

dark art, but with great knowledge comes great,

Speaker:

um, well, cybersecurity skills, I suppose.

Speaker:

But wait. Before we bid you adieu, I'd like to remind you all to

Speaker:

secure those passwords, enable two factor authentication, and

Speaker:

resist the urge to click on suspicious links.

Speaker:

Because, let's face it, no one wants to wake up one morning to

Speaker:

find out their bank account has been drained by a hacker named Duane.
