The Team House - NSA "Red Team" Hacker | Jeff Man | Ep. 269
Episode Date: April 2, 2024

Jeff Man is a respected Information Security expert, advisor, evangelist, and co-host on Paul's Security Weekly and Tribe of Hackers. He is currently serving in a Consulting/Advisory role for Online Business Systems. Jeff has over 37 years of experience working in all aspects of computer, network, and information security, including cryptography, risk management, vulnerability analysis, compliance assessment, forensic analysis and penetration testing. He is a certified NSA Cryptanalyst and he previously held security research, management and product development roles with the National Security Agency, the DoD and private-sector enterprises. He was also part of the first penetration testing "red team" at NSA. For the past 20 years, Jeff has been a pen tester, security architect, consultant, QSA, and PCI SME, providing consulting and advisory services to many of the nation's best known companies.

Support the show: https://www.patreon.com/TheTeamHouse
Transcript
Hey guys, it's Jack. I just wanted to talk to you today about a way that you can help support the podcast if you're not already. We would really appreciate it if you guys went and reviewed us on Apple or Spotify. Those reviews really help people find the podcast and help it get recognized. And, you know, if you've been enjoying the show, we really appreciate your support. Another thing that you can do to support the channel is to become a Patreon member. So we have Patreon memberships that start at just $5 a month.
And when you sign up, you get access to all of our episodes ad-free.
That's the big bonus for that.
I mean, we also do some Patreon bonus episodes for our subscribers.
But this is the biggest and best way that you can support the Teamhouse channel and podcast if you'd like to.
And we really appreciate that.
So go and check us out at patreon.com slash the teamhouse.
Special operations.
Covert Ops.
espionage, the Team House, with your host, Jack Murphy, and David Park.
Hey, everybody, welcome to the Team House episode 269.
I'm Dave Park, co-host Jack Murphy, and behind the wheels of steel, D.
Tonight, we'd love to, you know, we welcome our guest, Jeff Man, NSA for 10 years,
28 years in the crypto and hacking community outside the NSA.
So Jeff, thank you very much from coming out from the shadows and sharing your time with us.
Hey, happy to join you here this evening.
Looking forward to having a fun conversation.
A little stroll down memory lane, as it were.
Hey, I just want to hit everyone up before we get started and let you know about our Patreon; you can find the link down in the description.
If you guys sign up, you get access to all of these episodes ad-free.
We really appreciate you guys supporting the channel.
So if you can, please go take a look at it.
Again, the link is down in the description.
All right, and Jeff, on to you.
One of the things we like to ask our guests are, is what's your origin story?
Like, how did you grow up?
And what led you into the crypto world, the cryptography world?
Well, it's a great question.
And ironically, on the podcast that I'm a co-host on, Paul's Security Weekly, we often start the interviews with the same kind of "how'd you get your start" question.
And for many years, if somebody asked me, how did you get your start?
I'd say, well, I sort of cut my teeth.
I got started at NSA.
But I realized a couple years ago that that doesn't really tell the story.
The real story is how did I get to NSA in the first place?
And I'll try to be succinct.
I grew up in a family of pretty smart people.
My dad was a physicist.
He actually, in the 1950s, came to the Washington, D.C. area, went to work for the Naval Research Laboratory around the time that they were experimenting with hydrogen bombs, hydrogen devices.
I guess the first one was not technically a bomb.
He used to tell stories about how he was on a ship in the South Pacific and he got to watch the detonation of the first hydrogen device obliterating a little atoll called Enewetak.
So my dad being a physicist and me being like many people having daddy issues,
I grew up as like I'm not going to be a physicist.
I tried to avoid physics and I did.
I'm the youngest of four boys.
We all liked to do puzzles.
We were all sort of analytical problem solving.
And I really grew up doing puzzles, crossword puzzles,
crypto quizzes.
Back when we used to have newspapers and comics pages, there'd always be like a little Caesar cipher type of cryptogram that you had to solve, usually like a famous quote or something like that.
Yeah, I went to college, didn't know what I wanted to do. I graduated with a business degree because it was the easiest major I could find that required the least amount of work, the least amount of term papers, and I didn't have to take physics.
My mom at the time had gone back to work, and she was working for a different naval institution called Naval Surface Weapons Center at the time.
And she actually got me a summer intern job before my senior year of college working, ironically, for a physicist.
Only this guy was doing anti-submarine warfare research.
My first week on the job, my first day on the job, he asked me,
well, what do you know about anti-submarine warfare?
Of course, I didn't know anything about it.
And he's like, well, I could explain it to you, but, you know,
there's a book came out recently.
It explains it about as anything, as good as anything does.
So he handed me a copy of The Hunt for Red October.
So I thought, this is really cool.
My first week on the job, and I get to sit and read a book.
So summer intern job graduated, looking for, you know, what do I want to do with a business degree,
was putting in applications to a lot of different places.
My mom who worked in human resources or personnel, as they called it back in the day,
she had a friend whose daughter had gotten a job at this place called the National Security Agency.
And being born and raised in Maryland, I'd never heard of it because it used to be very clandestine,
and nobody knew it existed.
Nobody was supposed to know it existed.
There were no signs on the highway or anything like that.
But I filled out a standard government application, mailed it in, got a response from them,
and went to Fort Meade for a couple days of aptitude and skills testing, psych exam, polygraph,
all sorts of different prodding and poking.
But most of it was just taking these various skill level exams,
aptitude tests.
And long story short is I scored really well on the tests, and so they offered me a job.
What I didn't know was they just hired me when I first went to work for NSA, and this is back in
1984.
I'm sorry, 1986.
84 was that George Orwell book.
I was granted a secret clearance, but I was going through the background investigation to get a top secret clearance, so I had to wait a couple months.
While I was waiting, I essentially went on a bunch of job interviews,
and I ended up in what at the time was the defensive side of the house,
which we called at the time communication security,
soon to be renamed information security,
later on to be renamed information assurance,
now sort of dissolved and you have U.S. Cyber Command.
But I'm getting ahead of myself.
So I went to work for the manual crypto systems branch,
and they were looking for someone to do cryptographic analysis of manual crypto systems that they'd produced and were fielded by primarily the military.
So I went to work for him.
I had somebody that was there on assignment from the operation side, a real cryptanalyst.
He sort of took me under his wing and became my mentor.
And he was actually the one that advised, yeah, this is a pretty good job, you should take this.
So one of my first assignments was actually my customer was U.S. Special Forces.
So there's a little connection there.
And I can tell that story in a minute.
But the day I knew that I was in the right place and I had found the right place to be
was, you know, I'd mentioned growing up my whole family liked to do puzzles.
And when we would go to vacation at the beach in the summer,
we'd buy a single copy of a Dell Crossword Puzzle magazine
that had all sorts of different types of puzzles in it,
but they always had one or two logic problems.
And we all love to do the logic problems.
And there was usually like a little table that you could use to fill out
and kind of help you solve all the clues.
And basically the logic problems were like maybe eight or ten statements
about a bunch of different things.
and you had to try to just based on a couple clues, connect the dots.
And maybe it was there's five different students taking five different classes,
what's their favorite subject from five different teachers in five different classrooms?
And they'd give you just very sparse types of clues.
Like Sally loves biology and it's next to the red room.
And statements like that, you'd put it together and try to figure out whose class.
You know, who's the teacher, who's the student, what's the subject, that type of thing.
One day at lunch, you know, so that was something I grew up on.
One day at lunch, I'm talking to my mentor, and he's working on something.
I asked him what he's working on.
He says, oh, I'm writing a logic problem.
I'm like, oh, I love logic problems, and he says, yeah, I write logic problems as a side job for Dell Crossword.
Wow.
So it was like, you know, the planets were in alignment.
I knew I was in the right place.
So my start at NSA was really in cryptology, and I was doing analysis of systems and really just designing systems.
My very first assignment was to come up with a replacement, a new memory crypto system for Special Forces.
When they were deployed, they had at the time one-time pads, paper pads with the key, the random key written out on it, that they would use to manually encrypt and decrypt messages, and then send them. But if they had to, you know, exit someplace really quickly or they're on the run and they had to drop all their paper, they still wanted to have a way to communicate securely. So they needed to have a way of doing a memory crypto system. So that was my first assignment, to come up with a new memory crypto system for them.
In doing that, I had just been through, you know, the five months of waiting to get my clearance, taking all sorts of introduction to cryptography classes, history of cryptography classes.
I'd learned about things called cipher wheels. If you've seen A Christmas Story, you know, the Little Orphan Annie decoder ring. And I thought, you know, there ought to be a way to take a Vigenère table, which is what Special Forces used, which is the alphabet, 26 offsets and a big table, which for Special Forces actually translated into, I'll try to get this on screen for you, I think it's 123 unique three-letter groupings that they called trigraphs.
They would memorize these things, the commos.
Right.
When you put something through a one-time pad and a trigraph, it's considered impossible to
decrypt, right?
Absolutely.
There is no cryptographic solution for it.
There's no brute forcing.
It's completely random based on the fact that there's only two copies of the key in the world, one on each end, and as long as it's not stolen or compromised, and used only once, it's unbreakable.
But anyway, I was struggling to, I wanted to use the same essential algorithm, use these trigraphs and use this Vigenère table.
And I thought there ought to be a way to do it on a wheel.
So I figured it out with graph paper and drew one out,
and my mentor helped me with it.
And we kind of came up with the design.
The first one was glued to cardboard.
I took it with me the next time I went to, what's that place in North Carolina called now, Fort Liberty?
Yeah.
It used to be called Fort.
We can't say it anymore.
But I turned my back to ride on the board, turned around, and the thing was gone.
They'd stolen it from me.
And I'm like, guys, where's my wheel?
And they're all like looking around.
So after a couple visits and bringing multiple handmade copies, I finally said, you know, we're in the business of, you know, we're NSA. We're in the business of making crypto systems and all sorts of crypto for you. Why don't we just make a bunch of wheels? So there was a machine shop at the time at NSA because back in those days, they were building little black boxes, engineering little black boxes that would go in different places.
So I had them make a prototype of this thing that we called the Vigenère wheel.
So the three-letter combinations would just line up.
You got your two letters and the third letter appears in the window.
They loved it.
So we ended up producing 15,000 of them and distributing them to U.S. Special Forces.
This was all the different groups.
This was probably in 1988, I would say.
And as far as I can tell, they were using it up into the early 2000s
until digital crypto solutions and encrypted phones and stuff became popular.
So that was my very first assignment, made a wheel.
And if I may, shameless pitch at Fort Meade,
which is where National Security Agency is located in Maryland,
there is something called the National Cryptologic Museum.
And at the end of this month, the end of April,
a copy, one of the production models of what came to be known as the Whiz Wheel,
or I came to learn that that's what they called it,
is going to be put on display at the National Cryptologic Museum.
They're excited about it because, you know,
they're not usually putting stuff on displays
where the people responsible for it are still alive.
Right.
I'm excited about it because, you know,
something I did that was just a little,
a silly little thing as far as I was concerned
actually turned out to be very instrumental
in the mission of U.S. Special Forces for, you know, over a decade.
I had the opportunity to meet someone that was a former Green Beret a couple years ago at DefCon,
a hacker conference in Vegas.
And actually a friend of mine met him and found out he was a Green Beret and asked,
oh, do you remember the Whiz Wheel?
And he said, yes.
And they said, would you like to meet the guy?
They invented it.
So I met the guy.
And long story short, he said, you know, I think you might qualify for membership in our alumni association. You kind of made a significant contribution.
So he got me a lifetime membership in the Special Forces Association.
That's fantastic.
That's super helpful.
Yeah.
And I had the opportunity, you know, COVID came along, kind of blew things up, but I had the
opportunity to speak at their convention last year.
It was in Indianapolis, which is Chapter 500, like the Indy 500.
And I asked the guys there when I was speaking, I said, you know, I've been walking around
with the prototypes.
I have two of them.
for, you know, 30 some odd years, I'd never seen a production model of the Whiz Wheel before.
And I put out an appeal if anybody was willing to donate them.
You know, I was trying to get a couple, one of which was to be put in the National Cryptologic Museum.
That was the goal anyway.
They came up with two.
One has been donated.
We'll be put on display.
This is another one.
This is a production model of the Whiz Wheel,
and this one is designated, if we ever get a contact for the Special Operations Museum
that's down in North Carolina at Fort Liberty.
That's where we want to put the other one.
This is a little piece of history.
That's amazing.
So I'll pause for a minute.
That's how I got my start.
Just solving puzzles, got into crypto, designed something, came up with a little quick fix.
It was really just an aid for me and it ended up being something that was pretty critical to the mission, many missions that I don't even know about, of many Special Forces teams.
Before we get deeper into it, since you're the first, I think you're the first guest
we've had on from NSA.
We've done all kinds of different federal agencies.
Could you explain to our audience a little bit about what the National Security Agency is,
what their mandate is, their job, why they came about?
Sure.
I mean, I'm not a historian. I can give you a little bit of the history. I've probably forgotten more than I know about it at this point.
NSA, I believe, was started in the late 40s. It was sort of after World War II, you know, organizations that were doing code breaking and things like that during World War II kind of got reorganized and they came up with this idea for the National Security Agency.
I want to say 48 or 49 was when it was convention.
Because it was like the National Information Agency or something first, wasn't it?
Yeah, you probably know more, and you can Google quicker while I'm talking.
Yeah, sure.
To get the exact story.
It'll come back later on in my story, but I'll share it now.
The charter, the mission of NSA, as I always used to describe it to people, the operations, what we called operations, is basically to be the big ear of the country, responsible for primarily monitoring and intercepting signals, anything that was going out over the airwaves, which back in those days was mostly radio, a little bit of, you know, eventually television, you know, maybe some telephones, but primarily radio waves, the whole spectrum of sound.
NSA's mission was to listen to everything and try to intercept whatever they could from other countries, adversarial countries,
you know, nation states is what we call them these days.
And, you know, just keep tabs on everything.
So at one level was a big collections agency.
It would collect a lot of information,
and there'd be people that would try to break codes and ciphers.
When those were in play, others would translate foreign languages
that they intercepted, and there would be other people that would read it
and try to, you know, extract useful information that gets put together on, you know, daily reports that get sent to the White House and the Pentagon and other places, anybody that, you know, is a customer of intercept collections and communications that are collected. At a broad level, that's what the mission
has always been with some rules that were put in place in the early 70s after Watergate and
Watergate Investigations, Senate subcommittee hearings that happened after Watergate,
one of which was a Senate subcommittee that was chaired by Senator Frank Church,
and their output was called the Church Proceedings.
And they published several volumes of material.
But in essence, what they discovered as a result of the Watergate investigations, the Watergate break-in from the early 70s, was that the three-letter agencies like NSA, FBI, the CIA, had a lot of power and a lot of capabilities at their hands with not a whole lot of any kind of oversight or rules dictating how they would operate, you know, rules of engagement, as it were. So one of the outcomes of that was what I came to learn when I
went to work for NSA is the NSA charter, which is still to this day a classified document, but
basically what it says is that NSA can only do what NSA does to other countries,
foreign nationals,
and specifically NSA cannot do what it does to U.S. citizens.
Now, fast forward to 9-11 in the Patriot Act,
the rules kind of changed a little bit.
But, I mean, that's the charter that NSA was built on.
So you guys are also in charge of, like, maintaining America's communication security as far as the U.S. government, right?
Well, yeah, I was, you know, just warming up to that.
You know, like when I went to work for NSA, I was working on what we would have called the defensive side, information security, communication security.
And it was, you know, probably classified that maybe 10 or 15 or 20% of the mission, you know, of the personnel and the resources of NSA, I'd say. So even when I was there at the time, there were people there that were, had been there for a while, working the mission for a while. And everybody sort of had a chip on their shoulder. Everybody was considered Infosec, as we called it, sort of the bastard stepchild, because operations got all the headlines, operations got all the budget, operations got all the glory. And Infosec, which was the mission of providing secure communications and crypto to all of the U.S., whether it's the military or any level of government where they needed to have secure communications. That was NSA's purview. That was NSA's responsibility, the Infosec side. So I came into an organization
that kind of had an inferiority complex. Always did and probably always will. Of course,
it doesn't exist anymore. But there was always this conflict between operations,
what everybody knows NSA that they know what NSA is,
what they're doing,
and then us doing the really important stuff
that you don't get any credit for,
like making sure that people can't steal any of our communications.
So a lot of cryptographers,
a lot of mathematicians coming up with the algorithms
and the machines,
the little black boxes that would secure the communications
for the military primarily,
any level of government,
interdepartmental communications,
you know, embassies abroad and things like that.
And you went in, you said you went in in around 86, is that correct?
Correct.
So the Cold War was still a very real thing at that point in time.
Why, yes, yes, it was, which is one of the main reasons why I was hired.
I was hired at a time when NSA was hiring 100 people a week.
and they'd been doing that for a couple years
because they'd gone through a lean time in the 70s
where they really didn't hire that many people.
The guy that was my mentor had been hired in the early 70s,
and then they'd just had a handful of hires
from like the early 70s to the early 80s.
And they really hired a bunch of people.
This is where I get a chip on my shoulder.
We didn't call it STEM back then.
They called it critical skills,
but they were mostly looking for mathematicians,
computer scientists and engineers.
And if you had a degree in any of those fields, you would get a job offer and you were paid on an accelerated pay scale.
So you got paid extra.
I think the engineers made the most, but don't quote me on that.
You know, anywhere from 10, 15 to 20 or 25% more than what I was making as just a peon, a regular employee.
But, you know, they hired me because I scored well on the aptitude tests, the skills test,
And so I was not a critical skill.
And those hundred people around me that were hired the same week I was, they were first in line for promotions, they were first in line for training opportunities, first in line for diversity tours, going to other organizations.
Because the game at the time was if you wanted to be promoted up past a certain level, you had to have what was called a professionalization degree.
And the professionalization degree would be similar to the certs that we know of in the cybersecurity field these days.
And to get that professionalization, you had to have a certain amount of work experience,
a certain amount of diversity of work experience, working in different places.
You had to have continuing education and various, depending on what field you were choosing in various other things.
If you wanted to go into computers, you'd have to write a computer program, and so on and so forth. So I, being just a regular employee, was, you know, not getting the
opportunity to get the diversity tours. And I tried to get into an intern program and I wasn't
qualified for it, not because I wasn't a critical skill, but because I had a horrible GPA in
college. I won't say what it is on air because people would be shocked. But, you know, my mentor did a good job of kind of nurturing and talking to friends of his, like on the operations side of the house, and getting me some diversity tours on my own because he knew I was going to need it.
But, yeah, they hired a bunch of people.
They would go off to get a graduate degree and the government would pay for it.
They called it the 2020 program.
So they'd work 20 hours, go to school for 20 hours.
And then they had to give back government time to offset the time that they went to school.
But what they failed to figure out for many years was the clock was running as while they were in school.
And their retirement.
So you could literally go to grad school, get a graduate degree, completely paid for by the government.
And after about three months, you could quit and go out to the private sector and get paid more.
And that's what a lot of people did.
So they were kind of growing by attrition.
And because I didn't qualify for the 2020 program initially, I didn't get to go to that.
I didn't get to do the intern programs.
I just sat in this little office and designed a wheel that was used by Special Forces for 12 years.
And I'm told, saved lives.
I was also there at sort of the beginning of the computer age.
You know, IBM PCs were kind of a thing.
I think, you know, my first office, I had a standalone IBM PC.
It wasn't networked yet.
It didn't have windows on it.
It was just DOS.
In fact, I think my first one didn't even have a hard drive.
But one of my early assignments, I can't say it was my second assignment,
but one of my early assignments in this office was I was approached by another customer,
another military branch.
And they were responsible for communicating with one-time pads with people that, shall we say, had been recruited in certain places in Eastern Europe.
And the one-time pads that they were using in the field were really tiny and they could hide
in the heel of your shoe type of thing.
And they were printed on rice papers so that when you used it, you could destroy it by
eating it.
But the caseworkers, the handlers, were in SCIFs, controlled spaces, offices on the, you know, on the good side of the world. And their version of the one-time pad was sort of like a legal pad. But they came to us and they said, you know, it takes us hours and hours to decrypt and
encrypt these messages because they're getting situation reports from these people. And they said,
there's this PC sitting on our desks. Is there any way we could use that? And me being young and
naive, like, yeah, I don't see why not. Of course, I didn't know it at the time, but I was working
for an engineering organization whose mantra was there's no such thing as software. There's only
hardware. All they did was build little black boxes. So I took up the project of coming up with the design for writing a computer program that could run on the IBM PC
and taking the one-time pad key and instead of printing it on paper, putting it on a floppy disk,
which I forgot to grab.
So you'll have to look at the save icon on your word document.
And that's what a floppy disk looks like.
And I had to go through an engineering process, a design review process called the FSRS, functional security requirement specification.
It was specifications to build secure hardware, and I was building a software program.
So I kind of had to fudge my way through it.
I had to go through a review process with all the executive management of Infosec.
Infosec was organized as a directorate, and inside the directorate were various groups, and every group had offices and divisions and so on and so forth.
But all the group chiefs, and there was like five or six of them, got together.
And that was the board of directors, as it were.
And I had to present the ideas to them.
And they said, yeah, go ahead and do it.
And I came back with the design and had to go through its own security review,
which produced issues that had to be addressed.
And I went through that process.
And eventually went back and pitched it to them and said,
okay, I've met all the security requirements, met all the objections,
we're ready to go.
It's ready to field.
and the director, the chairman of the board,
don't know what his exact title was at this point,
he said, okay, we'll let you do this.
And literally he said, don't do this again.
To my knowledge, it was the first software-based system that NSA ever produced.
And it was simply a computer program that would automate the process of doing a manual encryption and decryption with a one-time pad.
But I actually ran into somebody about 10 years ago at a conference that remembered using it. We called it Centaur because it was half paper and it was half electronic. So Centaur. Every system we produced had to have a cool mythological name attached to it. So we came up with Centaur. Semi-automated one-time pad.
Can't show it to you because it was software.
So just to, like, correct me if I'm wrong, trying to paint the picture here, the end user in Good Guy Land is taking like an Oregon Trail floppy disk, putting it into the computer and then typing in the encrypted message he had received, and the computer would spit out the decrypted message.
Correct. Yep. That's pretty cool. And conversely, if he wanted to send a message, he's typing
in a message hitting the button to encrypt it. And the trick was one of the secrets of a one-time
pad is you use one page at a time as much of it as you need and then you destroy it. So we had to come up with a way
of securely deleting a page of key at a time off the floppy disk.
And part of that was coming up with a secure deletion or a secure overwrite routine.
That was a requirement.
And so I went searching and asking various offices, you know, can you, can you show me one?
Can you give me the specs for one?
And it had never been done before.
So we had to come up, you know, it was a requirement, but we had to come up with,
what would this look like?
And so we had to come up with a routine for doing an overwrite of the one-time pad key that was on a floppy disk, doing it enough times so that, you know, other really smart people at similar agencies couldn't figure out how to read the data off the floppy drive. A floppy disk used to be like a flimsy piece of plastic where stuff was printed on it, you know, bits and bytes in various sectors, kind of like a vinyl album, only smaller and much more compact.
And, you know, things that get deleted off of memory space on floppy disks and hard drives traditionally, at least in those days, didn't really get deleted. You would just move the needle to a different part of the record and start writing new information there, right? And the pointer to where your information was, which was sort of kept in a master list on the drive or on the floppy disk, that was erased, so you didn't have the location anymore, but nothing was done to remove the data off the drive itself. Eventually it would come around and get overwritten. So we had to figure out how do we zone in on exactly where it is and delete the right amount of key so that it can be done. So there was some engineering, as it were, or software design that had to be done. And people weren't happy about it, but they let us do it.
You know, in the late 80s or around that time, how were you keeping up?
with what was going on in the computer industry because it was moving fast.
Like I remember like an 88 hearing about like the first one gig hard drive and thinking
what would anybody ever do with a gig of a hard drive?
That's insane.
Hey, I had the same thought when I got my 10 megabyte hard drive on my IBM PC.
Yeah.
Who would ever fill that up?
And now I think I have more storage space on my smartphone than the supercomputer
that I used to use in the early days of NSA.
So, yeah, I mean, there was,
try to be a politically polite answer to that question.
On the operations side, all you have to do
is figure out how to intercept stuff.
And as communications got more advanced
in terms of the cryptography,
you and other sister organizations
perhaps come up with other ways of capturing the data,
perhaps maybe before or after it's been encrypted or decrypted.
You know, and that's the land of espionage and so on and so forth.
On the Infosec side, it was actually really a struggle, and I saw it at the very beginning,
and it came to a head, you know, later on in my career in the early 90s,
where technology was catching up with Infosec, which was, you know,
responsible for taking three to five years to design a little black box,
and we'll get it to you when it's ready.
and we're responsible for providing, you know, all this secure communications.
Probably the first, I'm skipping forward a little bit, but the first real test of that for the government in general.
But for NSA in particular was when a program came out called Pretty Good Privacy, which, you know, don't quote me on what year it came out, probably late 80s, early 90s.
and it was an encryption program, and it was written with public algorithms, not NSA designed algorithms.
And it was based on what we call public key cryptography, which is where you have a pair of keys, one that does the encryption and one that does the decryption.
And everybody uses it if you're online at all, every day, multiple times a day.
But the idea is you have a public key that is used to encrypt the data, and that can be sent anywhere.
It's not secret.
And the only way you decrypt a message that's been encrypted with that key is if you hold the secret key and you hold that close.
That's the private key.
And it's a one-way relationship like that.
So you have to do a key exchange.
If I want to communicate with you, I give you my public key.
You give me your public key.
We do something to verify we're really talking to each other.
And then we're off and running.
We can send messages to each other.
Well, so fast forward a little bit.
You know, I left the manual cryptosystems office.
I was there for about three years, and then I did finally get into an intern program.
There's not much to this story.
It'll get quick.
I went over to the operations side of the house.
I did happen to be there during Desert Shield Desert Storm.
So I got my certificate of appreciation for participating in Desert Shield, Desert Storm.
I was an intern, so I was doing six-month tours in various offices.
My last tour of the intern program was back on the Infosec side in what was called fielded
systems evaluations.
So we're back into the, I'm back on Infosec, it's the early 90s.
There was a time when one of our clients, and this was probably, I would guess, 93 or 95,
one of our clients, one of the military branches, came to NSA and said,
why are we spending multi-millions of dollars on a secure communication system with you guys?
Why can't we just use PGP?
And that was really a slap in the face to the power structure,
at least the Infosec side of things.
And there was literally an all-hands-on-deck call put out for everybody in Infosec: stop what you're
doing; everybody work on an attack against PGP.
And there were a couple of guys in an office nearby that actually did come up with an attack
against it.
And they were paraded around as heroes.
They got huge cash awards.
They were taken down to the Pentagon, the White House.
I mean, the red carpet was rolled out for these guys.
Months later, you know, when all the dust settled down, you know, everybody's got a short
attention span. They did a lunch and learn in our lab to just tell us peons that worked with them
about the attack that they'd come up with against PGP. And what they essentially had done was
figured out a way to send a document, let's say a Word document, only it wasn't Word. It was
some predecessor. And they found some unused bit space in the document that they were able to insert a
virus, as it were. And, you know, if they sent this document to somebody and could trick them into
opening the document, it would execute this code that would essentially steal the key rings, the
secret key rings, and attach it to an email back to whoever sent the email. That might
sound familiar to you guys if you keep up with cybersecurity schemes today. It sounds a little bit
like a phishing attack. Only we don't, you know, we don't click on attachments
anymore, we click on links. Um, but I, I remember sitting there and, you know, hearing them describe this,
and then they got to the point where they're asking, you know, does anybody have any questions? And I raised
my hand. I said, wouldn't this work against our stuff too? And they kind of looked at each other and
they're like, well, yeah. I said, well, so what's the big deal? Said, well, our mission was to come up with an
attack against PGP and that's what we did. And like, okay, if that's what, if that's how you sleep at night.
But yeah, I mean, well, and which is very, and I'm not, it was funny then at the time, and it's kind of a funny story now.
But, you know, I mean, they did make a difference.
They did come up with an attack.
But as is true, most often, and I've been in this business, you know, 40-some years, when you're attacking crypto, very rarely are you going after the algorithm itself.
You're going after the implementation,
and either the implementation of the cryptography itself
or what we call the key management or the key distribution.
So they didn't essentially break the algorithm,
they just stole the key.
When has that ever happened before in the history of the world?
Jeff, can I back you up real quick?
I just want to ask because you were, you know,
the Soviet Union was a real threat
when you joined the NSA
and then in 89 the wall
fell and the Soviet Union was no longer
did the NSA at all go through any
kind of identity crisis? Were there
issues where like who's our
enemy now or did you guys just
kind of have a mission and drive forward?
I don't know if anybody in power would admit to it, but absolutely there were issues,
because once the great Satan fell, that was Reagan's term for, President Reagan's term,
The evil empire.
The Soviet Union.
The evil empire.
Once they fell, yeah, for the first time in a long time, NSA had to worry about, you know, budget requisition.
They had to go before Congress and justify what they were doing.
Right.
And I'm not a conspiracy theorist, but, you know, Desert Shield, Desert Storm happened shortly after the wall fell.
And, you know, terrorism became kind of the thing that kept things alive.
But that wasn't really a clear and present danger,
including my Tom Clancy books.
It wasn't something you could put your finger on.
I mean, I remember watching videos about terrorists
when I was waiting for my top secret clearance to come through
and classified briefings at the time
about, you know, what did the terrorists do back in the 70s and 80s?
They'd hijack planes.
They'd blow them up.
You know, that, you know, that was the thing back then.
You know, there was, you know, one plane in particular that, you know, nobody knew it,
but there were people on it from NSA and CIA, and there were suspicions of whether people knew.
Oh, you're talking about Lockerbie?
I can neither confirm nor deny,
but it's been a long time, so it's probably declassified at this point.
There was the one plane where they landed somewhere,
and they killed a passenger and shoved him out the pilot's window.
And it was, I think it was a Navy enlisted person.
Yeah, he was a diver, I think, right?
And the reason they tagged him or pulled him out was because he was in uniform.
Because what I remember hearing at the time, you know, the briefing I got, the video I watched about that was there was a flight attendant that had been asked to collect the passports of all the passengers.
And for whatever reason, U.S. citizens get a blue passport, but government employees get a red passport.
And so she was able, as she was collecting the passports, to somehow hide the fact that she was collecting red passports.
I mean, when I was at NSA, I was issued a red, you know, it's more like a burgundy passport.
That's your official passport to use on international travel.
And you're only allowed to use that passport, but then I was pulled aside and said, take both.
And I did.
And, you know, for the official get through customs, the red one comes out.
Everywhere else is the blue passport.
I'm just Joe Citizen, much because of that experience of that plane being hijacked.
So, yes, there was an identity crisis.
There was a justification for budgets that had never
been realized before, and computers were becoming much more of a thing. I mean, we sort of leapfrogged over
the whole machine age into the digital age and NSA was largely unequipped for that and slow to
respond. You know, think, you know, probably too soon, but, you know, think a large ship that's,
you know, pointed towards the pylon of a bridge and how hard is it to steer that and turn that thing?
I'm five miles away from that particular, what used to be that particular bridge.
So they were very slow.
There was also a certain amount of attitude, I would say, in sort of the old guard where like, you know, people can, you know, what was it?
Henry Ford, you can have whatever color car you want as long as it's black.
I mean, they sort of had a monopoly on crypto.
And so they weren't very quick to change.
They did start farming things out to contractors and third parties.
The classified telephone that was popular at the time that I was there called a secure telephone unit, STU.
And they were up to the STU 3, the third version, which looked like an old-fashioned office desktop phone.
And there were three contractors that were allowed to build it.
It was RCA, GE, and Motorola, I believe, were the three models.
If you're old enough to remember those, and have worked for the government.
So early 90s, I'm back in this fielded systems evaluation office,
and that's where I started doing penetration testing,
is what we called it then,
but trying to break into computers and network systems.
We were assigned to break into military facilities throughout the world.
And at some point, we decided, why don't we just call it penetration testing?
Because that's what the world's calling it.
Let's become hackers.
So that was early 90s.
The NSA trying to respond to the changing world, they reorganized and formed what they called the systems and network attack center.
The vision was that it was going to be a center of excellence,
and they'd have all the really smart people.
And NSA has lots of really smart people.
And they were going to be experts on everything related to computers and networks.
And, of course, we'd been doing this for a couple years at that point,
this small team of people.
And we had realized because of being involved in something that's interconnected,
we realized very quickly there's a whole lot of people in the world
that are focused on this problem.
I don't care who you are.
You have a small subset of 10, 20, 100, 200 people.
there's no way to compete against the whole world.
Right.
For that kind of brainpower and distributed thinking, let's say.
But they went about doing the reorganization,
and that's when the office that I was in got pulled into it,
and we were sort of formally given the task,
the small group of people that I worked with,
of just doing, we called it vulnerability and threat assessment,
but for lack of the better term,
we said we're hackers and we're learning how to do pen tests.
So that was, we were formed officially, I guess, 93, 94, at least in terms of this new organization.
Now, we moved to a different. I'm sorry.
I just want to, I'm curious because you coming from cryptology, had computers been a hobby, you know, had you been learning C or, like, C++?
I don't know what languages were prevalent at that time.
But how were you personally and then as an organization,
how were you catching up with these teenage kids
who had nothing better to do than to figure out how to, you know, break in a shit?
Well, I mean, I graduated from high school in 1980,
and I remember taking a computer math class, so it was late 70s, but it was a very rudimentary type of PC.
I think I was programming in BASIC.
That was kind of cool.
We wrote our programs to punch tape.
It was even before the era of floppy disks.
So, you know, I'd have two or three or four feet long of punch tape that I would have to feed into a machine to read my program.
So, yeah, I was kind of interested in it.
I had an older brother, one of my older brothers, you know, sort of the brain of the family.
He was into physics and engineering, and he was always buying the new toy of the month.
So he, you know, he built a computer, you know, built it from scratch, kind of like you build, you know, the old ham radios.
Of course, he did that when he was a kid.
but at some point he built his own computer, very rudimentary,
and then what was popular at the time,
the Apple IIe or Macintosh or something like that.
He was always getting computers.
He was the first one to have the first video game Pong,
and he was the first one to get a Nintendo and an Atari.
You know, I kind of grew up playing video games at the arcade.
Everybody remembers that.
You know, put a quarter in a machine and play the game,
and keep putting the quarters in.
So I was into it because it was new and it was kind of fun and different,
but I wasn't like, how does this work and digging into the innards of it?
But at NSA, you know, when I was in the intern program,
I had to write it.
One of the assignments was to work for a programming office,
and I had to write a computer program.
That was one of my assignments.
And at the time, NSA was converting from their own mainframe supercomputers that had their own custom operating system on them and their own programming language that all their number crunching, cryptanalytic, calculating, statistical counting types of programs had been written in.
They were migrating over to what at the time was fairly common:
Unix workstations, primarily Sun Microsystems, later, you know, SunOS, later to be called
Solaris. So the IBM PC left and in came a Sun workstation, the old pizza boxes, SPARC 5s, 10s,
whatever they called them. So I had to rewrite a program that had been written in a,
in a proprietary language at NSA, in C. And of course I got it to compile and then,
got it to hang the first time I ran it because it worked, but it didn't optimize for the number
crunching type of thing it needed to do. So, you know, I did that. It was kind of cool, but I
wasn't really into it, into it. But the idea of breaking into things, that was kind of cool. The idea
of going someplace where you weren't supposed to be learning a hidden trick or a hidden feature.
There weren't many exploits in those days.
It was mostly features of the operating system, documented or undocumented,
or just learning the tricks of how to fool the computer or trick the computer into giving you stuff.
Of course, a lot of stuff was there, and it wasn't that hard to do.
And, you know, other people had figured out a lot of the ways to do stuff.
So, you know, the terminology in those days was script kiddie.
So starting out, I was much more of a script kiddie,
just doing the stuff that other people had figured out,
but trying it on our classified networks,
even though it was something that was discovered out in the real world.
But because I had a cryptanalytic background,
one of the things that I enjoyed doing was password cracking.
And, you know, of course, I didn't write the programs.
I was using the programs that were available at the time,
but learning how to tweak them and fine-tune them.
Password guessing was a thing back then.
I was actually pretty decent at guessing passwords.
Nobody does that anymore these days.
There were a lot of our customers when we were doing these fielded systems evaluations.
We were going to military bases throughout the world.
And they always had like some real whippersnapper teenager, but he was also an E4 or an E5 now.
And he was, you know, because he knew computers, he was responsible for computers.
So he came up with an idea of coming up with a random password generator.
And so they knew password security was a thing back then.
So they wanted to come up with ways of defeating the password cracking tools
or just making passwords less prone to being guessed.
And they inevitably were horrible because from a cryptanalytic statistical brute forcing perspective,
they almost inevitably fell.
I mean, I remember one guy, I want to say he was at a base,
doesn't matter where he was,
but he thought he had this program that was really cool
and it was producing really random-looking passwords,
and we cracked 100% of them in minutes.
It just was that bad.
So that's where I kind of like applied the cryptanalytic stuff
that I'd learned to some aspect of it,
and we didn't call it cybersecurity at the time.
We actually called it Internet Security.
But that was something I could kind of focus on as sort of a niche area.
It's like, oh, yeah, I'll focus on like password cracking and how to come up with strong passwords or random passwords.
And any of the few types of cryptanalytic things that were associated with operating systems at the time.
That was sort of my focus.
The other focus I had, I guess, was I worked with people, both
while I was at NSA and then even into the private sector days years after,
that would love to just break into a system, get root.
It was all root because it was all Unix back then and say they were done.
And I was more like, well, we've just broken onto a computer or a server.
Why don't we look at what's on it and see what's there?
What kind of information is there?
They were all about the hunt and let's conquer another box.
Let's root another box.
I was more about the analytical, well, what kind of information
is here, and what can we learn about our target or our customers, or what is sensitive here that might
give us more of a clue of where to look next, or have we found the crown jewels, or just whatever
it was, but just looking at stuff. So I tended to do more of an analytical deep dive, let's see what
we've got, rather than just keep knocking over boxes after boxes after boxes and saying we're done.
Right.
So how did that develop for you?
Because while all these other people are trying to like get root, now you want to get into the system.
You want to go through the various like, you know, file systems and everything like that.
Right.
You know, and move throughout the system.
Like, what does that look like for you compared to what everybody else was focused on?
So back in those days, the sort of the methodology,
which ironically is based mostly off a film that came out in the early 90s called Sneakers.
Robert Redford and Ben Kingsley were the stars.
And that was sort of the first movie that showed what people would more commonly refer to as a red team exercise these days.
Because a combination of computer hacking, but maybe physical penetration testing.
The methodology was simply, back in those days,
you have a target, you have a company, an organization.
Everybody had their own IP, routable IP addresses.
There was no masking back in those days, or no private addressing.
Everything was internet reachable, because everything was connected.
So you'd find out what the target was,
whether it was a Class C address or a series of Class C addresses,
which is 255 potential addresses.
And then you do a probe of each IP address, do some sort of rudimentary scan to see what's
alive, what's answering.
And so once you found live targets, you do a port scan, which is basically, okay, what's,
what's this machine talking on?
You know, in TCP/IP, there's 65,535 potential channels that you can talk on,
and there's some commonly associated
reserved ports that are associated
with specific protocols, specific services.
Start with there,
and most of the protocols,
communication protocols back then were clear text.
There wasn't a lot of encryption going on.
So you would find what they were talking on,
and then that's usually when you could, you know,
connect to a system, maybe steal a password,
maybe guess a password,
maybe force one of the programs
it was listening to hiccup and give you access.
There's many different methods of doing it.
But the goal then was to get access.
And it didn't have to be root.
It could just be any user account.
And then once you had that foothold, that toe in the door,
then you try to elevate your privileges to root.
And once you're on the system,
there were any number of ways of doing that,
including reading the password file,
which was world readable.
Anybody could look at what the password hashes were.
I'm not using the word correctly, the encrypted passwords.
They're hashed passwords.
But you could copy that and run it into your password cracking program,
which conveniently was called Crack.
So elevating privileges.
I mean, that was sort of the modus operandi.
The first thing to do is get to root.
Because once you're at root, you have access to everything.
Any file system, any folder, anything that was locked down and protected, root had access to,
because root was what we called the God account. It could go anywhere, it could do anything.
Which is why we used to say to our clients, if we've got root, we're done,
but they would very rarely understand that, comprehend that, and take it to heart,
which is why it became beneficial to say,
okay, you're not getting it that we have root, but would you understand it if I said we're looking
at your financials for the previous quarter and we can
and we can see all of it, or we can look at the payroll and tell everybody, you know, what they're
being paid and who got what bonus and the people sitting next to each other.
One person is getting paid 15% more and he's a guy and she's a woman and we can blow things up
or, you know, research data or we know where the money is.
You know, there's any number of things.
That tends to be something that, you know, I have no idea what you're talking about getting root,
but you can do this.
Right.
I mean, when I was, and I'm blurring the lines a little between my NSA days and my private sector days, but when we first started out doing this at NSA and people started, and we started calling it pen testing.
And we started being asked not by just, you know, our military customers, but like offices within NSA and other classified networks, you know, within the community.
we started kind of having to come up with processes
and kind of formalize a methodology
because we had to get permission to do it.
You know, I mentioned early on in the interview
the Church proceedings and the NSA charter.
That became an issue, at least early on,
because, you know, even though we were white hat hackers,
we were the good guys trying to break in,
because we're NSA, we technically weren't allowed to break into computers and networks that were U.S.
owned and operated.
But, you know, as long as it was in the classified world, it wasn't really that much of an issue.
But we did have to start talking to our general counsel.
And for whatever reason, I volunteered to do that.
You know, I was a business major.
So finally, I was like, oh, we need organization.
We need structure.
I can do that.
My friends that I worked with, they were much more into the gears and, you know, the weeds of the technology.
I'm like, business processes.
I got that.
I can do that.
So I started talking to the lawyers.
I tell a story that, well, to level set, everything that we did in terms of our techniques for breaking into computers and networks, when we were working within the classified realm, everything we did by rule,
had to be classified at the level of our target.
So naturally, if we were working on top secret systems,
everything that we did was classified top secret.
In order to get authorization to do top secret stuff against top secret targets,
you had to go through bureaucracy and red tape and get all sorts of permissions,
which took a god awful amount of time.
I mean, we literally would have to wait weeks to get permission to
try to break into something that was even, you know, within NSA, like another organization,
another office within NSA.
And, of course, what nobody, what we didn't tell the powers to be, we'd already broken in,
we already knew how to do it.
And then we'd do the paperwork of, you know, this is the way we're going to try it.
This is our attack methodology.
And then we'd have to go off and get permissions, which was on a typed up piece of paper
that had to be signed or initialed by every level of management,
from our branch on up to the group level,
over to the group that was the target
and down their management chain.
And this is paper passing from desk to desk,
secretary to secretary,
it might sit on a desk for hours or days.
So it would take weeks.
I tell this story in a talk I've given a couple different conferences,
but usually when I'm telling this story
about what was our tradecraft,
what do we do?
I have to qualify and say,
technically I can't tell you what we did because it was top secret.
And then at some point I say, okay, I'll tell you one.
So I had this big disclaimer banner, top secret.
And I say, okay, one of our primary cyber weapons that we used to get against top secret systems
was something called the PING command.
Let that sink in.
Or if you don't know what a PING command is, it's a system level command that comes with every Unix operating system.
It's basically, and it's named after submarine
sonar, you know, it sends out a signal and waits for a response. Are you there? Yes, I'm here. And it'll
ping every single address on whatever your target space is. Very rudimentary, very common,
part of the operating system, it's a feature. But because the lawyers looked at it and said,
well, you're eliciting response from the target. Therefore, this has to be considered an active
attack. Therefore, it qualifies as a top secret cyber weapon. Wow. That's the life
that we were dealing with. And that's where I kind of like, okay, we got to fix this.
So I started talking to the lawyers and started teaching them about our methodologies.
And their idea was, why don't you just show us what you do and we'll pre-approve it so that when you get a job request to do an attack,
you can just tell us, well, we're going to do a little of this and a little of that and a little of this over here and a little of this.
And it'll be kind of like an à la carte menu.
And we already know what they are and what they do.
and we'll just pre-approve it and it'll be pretty quick.
I'm like, yeah, the problem is you don't know what you're doing
until you're in the middle of it.
Right.
And, you know, it starts with the probing.
We called it recon.
You know, what's out there?
And what's out there?
What are they talking on?
What, you know, how are they communicating?
What are they listening on?
What are the ports and channels that are open?
So I went through a process.
I would meet weekly with our lawyers
and just sort of teach them the fundamentals of penetration testing.
and hacking and how do the computer networks work.
And I say all this because one time I was showing the lawyer,
even though he was sort of on an isolated sub network that he thought was very super secret
because he's dealing in all sorts of legal proceedings and investigations.
And he had his folders and files on his computer that he thought was completely protected
and top secret.
I was like, well, let's look at that.
So we were sitting in our office, which was in a physical
building that was different, probably 10 miles apart. I said, let's go, let's go over to your network.
See, here we are. Here's your file system. We're on your system now. We had him log in.
And I said, let's look at your directory structure. And I'm looking through it. And, you know,
Unix file permissions. There's this concept of the owner, a group membership, and then the
world. And for each category, there's the option of read only,
read and write, or read and write and execute.
Let's just go with read for now.
I was looking at his folders that were supposedly top secret, his eyes only.
I'm like, that folder is not only your readable and not only the lawyer group readable,
general counsel's office readable.
It's set to anybody read it.
Look, I've just clicked on the folder.
Here's all these files.
Look, I can click on this document here and open up.
He's like, oh my God, don't do that.
That's all secret stuff.
Oh, my God.
So he got this really great education on how to set file permissions so he could actually lock down his folders.
And you're not doing anything supremely technical right now.
You're just accessing his network and he has open permissions.
Like, you're not even technically really hacking.
You're just showing him how much access a knowledgeable person would have.
Right.
Yeah.
And that's a good way to sort of
summarize it. I mean, the hackers that are out there these days, the security researchers,
they're trying to come up with creative ways of breaking things, using a methodology that's
similar to what was done back in those days. But in the early days, it was much more just taking
advantage of what I would call undocumented features. What can the system do? And taking advantage
of knowing more about how it works than the users, because in the early days,
Most users didn't really know how it worked.
They could barely get it to work and they were happy if they could get it to work.
And it wasn't anybody telling them to do anything else.
I have a question.
As you describe all of this, it actually reminds me a bit of, you know,
Richard Marcinko's Red Cell, which was testing physical security at military bases.
And you guys were, of course, doing that in the electronic space.
I was wondering, did you guys get any sort of, like, pushback or political fallout
from what you were doing, like people who are shocked or embarrassed and maybe even angry,
that you were able to penetrate their systems?
Interesting segue question.
Initially, no, when it was mostly military targets that they'd asked to do it,
and then internal targets that, I take that back.
We did have one internal target one time.
supposedly that they were isolated with internal segmentation,
what we would call it these days.
But supposedly there's a firewall or some sort of router
with some sort of access control lists in place.
And we were doing initial probing.
And I think we had a target of either an IP address
or maybe an IP range.
But us being us, we just kept going.
It's like, what else can we see?
Where else can we go?
And this particular target, which was an internal office,
they did have some sort of monitoring in place,
and they were detecting our activity.
And, you know, we technically went beyond the bounds.
But, you know, we didn't break into anything.
It was like, well, the door was open, you know, everything was answering.
You know, we just kept going.
There was nothing blocking us.
We didn't subvert anything.
We just, this is how far we could go.
But there was a point where we sort of got called on the carpet. I guess I'd been doing a lot of the work, and I got called into a meeting with the customer. And the poor guy, I still feel sorry for this guy.
The guy that they had assigned to be like the investigator, he was apparently from some branch of the military police, and he came in with like a stack of notebooks with printouts of all the activity that he had seen us doing, me doing,
and had it all printed out because they thought they'd caught a bad guy.
He was like, they're ready to throw the book at us.
And we're like, well, no, we had this request to do this thing.
And we just kind of didn't know where the boundary was.
And we just kept going.
And like, oh, well, thanks for letting us know.
We didn't realize it was that for us.
And the guy was like, he never got a chance to open it.
I mean, it must have been a foot high.
This might be a little sensitive.
But I mean, as far as like the attack surfaces that you,
you guys used. I mean, did you have to be inside the NSA to get to even launch this attack?
Or were you guys replicating an outside attack, you know, perhaps a foreign adversary?
Well, you know, our targets, at least in that case, were internal to internal.
And technically, whatever we were doing was classified at the level of the target. So technically what we were doing was top secret. But it's probably a safe bet to think that we were doing a lot of the techniques that were publicly available, because guess where we were learning how to do it: publicly accessible stuff. So, yeah, that's how I'm going to answer that question.
What was your relationship like? Because, like, I remember, you know, in the late 80s going to my local game shop to buy D&D stuff, and there was always a copy of 2600 there.
And, you know, for people who don't know, 2600 was like the OG, I think, you know, hacker magazine, like a little booklet, pamphlet-type thing.
And then DefCon started in the early 90s.
So there was this vibrant hacker community out there that was moving along with the times from, you know, Captain Crunch, you know, and phreaking and all that.
how was your relationship with them, these people who are sort of breaking the law and on the cutting edge, but also like pushing it?
Right.
I mean, at the time, we didn't interact with many of the people in that part of the community.
I've certainly, over the last 10 years or so, had the privilege of meeting many of those folks.
and comparing notes and so on and so forth.
But, I mean, we were certainly learning from them.
I mean, we, you know, back in those days, it was bulletin boards and mailing lists.
And, you know, our best resources was the Internet and learning all the places where people were posting stuff about hacking and breaking into things.
So we were certainly learning from them.
And I would even say that we felt like we were behind them. I mean, when we were considering ourselves to be students
and learning all this stuff, I mean, they were doing it, and we were just trying to pick up on it
and learn from them. So there was, I guess, from our perspective, a certain amount of respect,
but, you know, there's a handful of people that kind of went south of the law and got caught
and prosecuted. You know, I have different opinions on some of those people.
there was, you know, certainly mythology associated with it.
You know, there's sort of, you know, the elite or elite hackers, you know, the Uber hackers is what we called them back then.
You know, I hope to somebody someday meet some of them.
But we were kind of learning and doing stuff and figuring out stuff.
We certainly had access to a lot of resources that a lot of people don't have access to.
I mean, we had access to Unix source code, and this is before the days of Linux.
And the Unix source code is something that, you know, that the agency, NSA paid, you know, God knows how much money for.
So, you know, we were able to look at all the internals, all the function calls, all the libraries.
So, I mean, we had a fair amount of opportunity to tear things apart.
We had a fair amount of resources that maybe not everybody has.
but we still consider ourselves to be students and learning.
You know, it's funny because, you know, we'll get to why I left NSA in a little bit, hopefully,
but, you know, was out in the private sector for a few years doing the penetration testing
and trying to get basically trying to convince companies back in those days.
If you're going to play on the Internet, you really need to have a firewall,
you really need to have some sort of secure architecture, you need to have some sort of clue,
or plan as to what you're doing, so you need to put a security program in place and figure out
what it is you want to protect and need to protect. And at some point, I got really frustrated with,
you know, being hired by clients every six months to break in, and we'd break in the same way time
after time, and we tell them this is really easy to fix, and they didn't seem to want to care to fix it.
And at some point, I'm like, okay, I'm done pen testing because that doesn't seem to be getting the message across. And I ventured into, you know, I need to just be able to talk to companies and explain it to them and explain why they care and explain why it matters. And about the time I made that decision is about the time that this thing called PCI came along, the payment card industry. And I got sucked into that, but it was nice at the time because there were a lot of companies that had to do PCI. And it's a private sector regulatory security standard that's of, by, and for the credit card industry.
So it's not a federally mandated thing.
So it's voluntary.
But if you don't do it, you don't get to take credit cards if you're a retailer or any
kind of business that wants to make money.
So for me, it was beautiful because it gave me a captive audience.
And I did that for a lot of years.
And one of the people that I worked with at NSA in our little hacking group, our pen test team, went out into the private sector, became an entrepreneur, started a company, and we finally agreed, you know, we finally came to terms, and he found a way for me to come work for him.
And when I came to work for him, which is, gosh, it's been 10 years ago at this point, he said, oh, I want you to be an evangelist. I want you to start going to the conferences and start telling stories and, you know, talk about the stuff that we did.
And so I, you know, there wasn't much of a hacking community in terms of conferences and training and such back when I walked away, the early 2000s, 2004-ish. But, you know, compared to 2013, 2014, 2015, there's lots of hacker conferences all throughout the country. There's Security BSides conferences, so on and so forth. So, you know, I was kind of nervous because I'd kind of been away. I walked away from pen testing. I was just talking
to people for the better part of 10 years and explaining a particular security standard,
which to this day is still a decent standard.
Here's all the fundamental things that you should think about and do.
But as I went back to these conferences and started meeting people and over time,
one of the thoughts I had was, oh, I'm going to meet all these smart hackers and they've
had 10 years to keep working and growing.
and I've been going to these conferences now for 10 years,
and I'm still waiting to meet those Uber people
that my perception was they were so advanced.
Not to say that I'm advanced,
but I think we were all in it together,
and we were all at a similar level,
which is always learning.
I mean, nobody claims to have the complete understanding of all of this.
There's always more to learn,
and there's always more to discover,
and there's always layers and layers and layers.
But I've had the privilege of meeting a lot of the people that were, I considered to be the pioneers and my heroes over the last couple years.
I've met a lot of people that were members or some of the famous, you know, hacking groups and hacking collectives from back in the day.
And I've met a lot of people, and,
and I apologize if this, I hope this does not come across as egotistical,
but as I meet all these people that are, you know, farm boy from the Midwest, you know, got into phone phreaking to get free long distance and then later free cable, and they just kept going and they figured out some things.
Nobody's had the experiences that I've had.
Right.
You know, which, you know,
and for me it was just, you know,
the right time and the right place type of thing.
But I've never met anybody yet to this day that I'm like,
I'm completely in awe of, with one or two exceptions.
The Uber hackers.
Most of them are almost as much as excited to meet me as I am to meet them.
I remember before COVID, I think the last DefCon,
so it would have been 2019,
I was sitting around with some folks.
And one of the guys I was sitting with was a guy whose name is Weld Pond.
He's a member of the L0pht, which became famous back in the 90s for producing one of the first, if not the first, password cracking routines that would work on Windows passwords.
So it was called L0phtCrack.
And they were a hacker collective, a bunch of smart guys out of Boston,
you know, Berkeley, Harvard, MIT type people.
And I'm sitting there with one of them.
And then one of the other guys I was sitting with, I was introduced to.
He was one of the original members of Cult of the Dead Cow.
And they're famous for other reasons.
And I'm like, wait a minute.
He's the L0pht.
He's Cult of the Dead Cow.
And now is probably when I should mention the nickname for our hacking group at NSA came to be known as the Pit.
And so I'm a member of the Pit. I'm one of the founders, architects of the first penetration testing team at NSA, and we called it the Pit. So I'm like, it's the L0pht, it's the Pit, it's Cult of the Dead Cow. I'm like, guys, let's get our picture taken together. So I had somebody take our picture. I was like, you guys don't know this, but this is really historical because, you know, dark side, dark side, white hat guy, inside, the good. But, you know, smart guys. Nobody's Uber that I've ever met. Most of the people,
that especially from the early days are all pretty humble.
Yeah.
You always hear about all the real elitist, arrogant jerks.
And there are some out there, but most of the people that are really serious about this craft,
as it were, are pretty humble and pretty eager to share and, you know, love to swap stories
and share stories.
And I've certainly had a lot of great opportunities to do that.
One of my idols, you know, one of our motivations back when we were forming the Pit.
And we formed, when we were reorganized into this thing called the Systems and Network Attack Center, the SNAC, the center of excellence for computer and network security.
Back in 1994, we got moved to a new building and we got moved to an office.
And we nicknamed our office the Pit.
And one of our motivators was a book called The Cuckoo's Egg, written by a gentleman named Cliff Stoll.
Cliff Stoll is like a, you know, Berkeley astronomer, you know,
physicists, smart guy.
And he had noticed that by a matter of circumstances,
that somebody was breaking into the university mainframe
and stealing a lot of government secrets
because back in those days,
the only thing that was connected on the internet
was mainframes from either, you know,
the government and research university.
and he set out to track down and find the people that were breaking in.
Fascinating story, sort of invented forensics,
and he documented his experiences in a book that's called The Cuckoo's Egg.
Must read, if anybody's interested at all in this discipline.
A couple years ago, again, pre-COVID. In fact, I'm going back to the same conference where I met Cliff Stoll at the end of this week, but I was at a security conference up in Canada. He was the keynote. So I'm like, fanboy, I get to meet Cliff Stoll. And he's a goofy, quirky, weird kind of guy. He did a keynote presentation with a viewgraph projector.
That's how quirky this guy is.
2019. Probably don't even know what a viewgraph is. Overhead projector.
Yeah. His talk was a...
Transparency. Yeah, the transparency that he laid down on a box that lit up through a lens that would project.
I mean, old school.
Totally, totally geeky and quirky and cool.
And I had to go up and introduce myself
and meet him, get my picture taken with him.
And I told him I was NSA.
And he's like, oh, yeah.
He visited NSA as part of his tale
of trying to figure out how to hack,
catch these bad guys that turned out
to be East German hackers.
And to my chagrin, the only time I've really been nervous to give a talk, because, you know, he did the keynote and I think I was the second or third talk after him.
He's sitting in the front row.
You know, one of my heroes, he's going to sit and listen to me and give a talk.
But that's how cool he was.
I've met the guy that wrote PGP, Phil Zimmermann, a couple years ago.
I've pretty much met all the pioneers at some point.
And what's funny is a lot of those people, because they got into it out of necessity.
They didn't start out as computer scientists and they didn't start out as programmers or
administrators.
They just had a job and computers became a thing.
And so they wanted to learn about it and make it work to get something done.
A lot of them went back to their day job.
You know, Cliff Stoll is still an astronomer or whatever he does.
And a lot of these other guys that were a lot of university professors, university researchers,
they went back to their first love.
There's very few of the early round of people that actually,
oh, you know, saw the dollar signs and went with it and became Uber millionaires.
Jeff, to backtrack a little bit, do you want to talk about, I mean, you mentioned it briefly,
why you ended up leaving the NSA after.
Even before that, though, you do have, when we met at a conference, you showed me orders
or military-wise, I'd call them orders,
but a document authorizing you to do,
was it the very first pen test of an outside organization?
All right.
It's the same question to the same story.
Okay.
And so I'll try to, there's a lot,
I have a lot of stories, I apologize.
Hopefully people are entertained.
This is a podcast.
People love stories, Jeff.
All right, so I'll keep going.
And they can play me at 1.5, which makes you go even quicker.
So, you know, I'm in the pit.
We're doing all these, you know, pen tests of military bases throughout the world
and NSA facilities and other classified environments.
And for whatever reason, and all I can say is because I was the business major, I was sort of the, I became the biz dev person and was trying to formalize what we did.
I was the only one that was really interested in talking to, you know, managers and suits and, you know,
people other than just talking the tech and doing the stuff, talking to the lawyers. So in doing all
that, we were putting together a methodology and we were writing it down so it could be a
repeatable process. It was something that had a beginning and end, and, you know,
we'd take into account all the things we needed to think about before,
during,
and after doing the engagement.
And somewhere along the line,
I started working with some people from another organization called DISA,
the Defense Information Systems Agency,
I think is what it's called.
And they got me connected to some people at the Department of Justice.
And, you know,
everybody was just,
the internet was new.
everybody was plugging into the internet
and everybody was like
all the potential for the internet
but then they were also saying
oh but maybe we should think about security
so I went down
to D.C.
This is 1996
the first time I met them was probably April
or May, went down to the Department of
Justice buildings
went into some big beautiful
conference room
mahogany walls, big huge table,
everything's wood, meeting with these people.
And basically they wanted us to do a pen test of their internet presence.
And I'm like, yeah, sure, no problem, we can do that.
So I go back and talk to the lawyers and lawyers like, well, hello, time out.
It's an unclassified network.
That's kind of new and different.
And NSA is responsible for the security of classified systems,
but the organization that was responsible for the security of unclassified organizations at the time
was NIST, the National Institute of Standards and Technology.
And at the time, that was kind of a tongue-in-cheek kind of running gag, because NIST didn't have
a whole lot of capability in any technical respect, similar to the kind of stuff that NSA did.
So I'm talking to the lawyers.
I'm like, well, can we make this happen?
And the lawyer's like, yeah, we can make it happen, but there's hoops that you've got to jump through.
So we proceeded to go through several weeks and months of hoop jumping to make this happen.
And one of the first things he told me was, well, when you have this type of relationship,
it's got to be sort of a handshake agreement between cabinet-level positions.
And like, well, what does that mean?
He said, what it means is the attorney general, which is what the DOJ rolls up under,
basically has to ask the Secretary of Defense for a favor.
and say, hey, can you have your guys come over and take a look at our system?
So you asked me to look it up.
I've got a copy of the original email, not email, I'm sorry, letter.
They came from the office of the Attorney General saying,
hey, your guys have been talking to our guys, and I'm paraphrasing it.
And basically, we want you to, well, I can read it to you.
Therefore, I am formally requesting that DISA and NSA work with us to provide a vulnerability assessment on the security posture of DOJ sensitive systems and network connectivity, to include the Systems Network Architecture, SNA, and Virtual Telecommunications Access Method, VTAM. It's government, everything's got to have an acronym. Also the secure network architecture.
Did I say that already?
I am requesting that the assessment begin with the testing and evaluation of the security configurations
in the financial management information system, which is used by several components.
within the DOJ.
It goes on and on,
a little over page,
signed by the Attorney General at the time,
Janet Reno.
You got that?
Yeah.
Yep.
Okay.
And it was actually addressed to the person that was designated by the Secretary of Defense at the time, the Assistant Secretary of Defense responsible for C3I, the Honorable Emmett Paige, Jr.
Wow.
Okay. So that was the first step. And then what had to happen was, gosh, I hope I get this in the right order.
This is a response from NSA. Of course, letters by the government, they're all written by peons like me, and they just eventually get up and sign by the people.
You've seen the movies where they throw papers in front of the president and he just signs them one after another.
So this is a draft letter from Emmett Paige back to Janet Reno saying,
basically, we're on it.
And there's another letter that I have.
This is from somebody at DISA to the Department of Justice saying, basically, we're on it.
And probably then the most interesting one is,
and it's had an official processing form because it's got to have lots and lots of signatures to approve it.
But this is the letter that was drafted by or the signature of the director of NSA.
And if you see that there.
Yeah.
Right there on the bottom line, I am the point of contact for this project, which says, yeah, we'd be happy to, you know, members of the Systems and Network Attack Center will go down and do this.
Now, on the cover sheet, it actually talks about, I think you can see this here.
It had a code name.
Project Eagle.
The effort is Project Eagle.
So this letter, which is, you know, a copy of it, but it's signed and it's dated.
You'll see the date 21 August.
1996.
Yeah.
1996.
So that's super cool.
This is what to happen.
Of course the letter's signed, this is all going back around getting all the signatures, it had not yet been delivered yet. I think the 21st of August 1996 was like a Wednesday or Thursday.
The weekend before, and it's before the letter had been delivered, the DOJ website was popped. First hack of a DOD or government website, rather famous.
the hackers defaced the entire,
basically replaced the entire website.
They replaced Janet Reno's picture
with a picture of Adolf Hitler.
They had all sorts of more colorful things on it.
And this happened like on a weekend,
the weekend before this letter was going to be delivered
and we were going to be golden.
So I get a call Monday morning from my contact at the DOJ
saying,
We had a problem over the weekend.
We were hacked.
I don't know if you heard about it, but help.
And so I'm like, well, let me see what I can do.
I hung up the phone.
I called the lawyers up, the general counsel's office, and I explained to them what happened.
And I said, you know, we're this close to being legal to going down there and doing the work.
What do I have to do in order to get a team of people down there the next day?
I mean, I want to help them out.
Right.
They've had, you know, they're desperate.
They need help.
what can we do for them?
And they gave me three criteria.
They said, well, don't go on your own accord.
Make sure you're sent by management.
Get the request in writing from the DOJ.
And don't go alone.
I mean, that was it.
I'm like, okay, I assembled a team.
I called back to DOJ and said, send me something that requests this.
I got it, you know, hours later.
And then we went to our management and said,
hey, this is what's happening.
Will you let us go?
And they said yes.
So Tuesday morning we go down and we're looking at everything.
Of course, in those days, everybody had their own servers that were serving up their web servers that were part of their network.
Maybe they were outside of their network.
Maybe they weren't.
But when they discovered the breach, the DOJ admins, they took the systems down, took them offline and wiped them and rebuilt them.
So whatever evidence might have been there was largely gone to begin with.
Yeah. I mean, there were no forensic guides. There were no rules back then. This is 1996. Nothing had been written yet about how to do this other than Cliff Stoll and The Cuckoo's Egg. But what he was talking about was mostly on phone lines and phone switches and PBXs, public exchange servers, all phone related. So we're there Tuesday, Wednesday. There were other systems that hadn't been affected, but we were looking for evidence of tampering and any footprints, as it were, electronic footprints, to see
if we could pull anything together.
We're there Tuesday, we're there Wednesday.
We go down Thursday, mid-morning Thursday.
I got a call from somebody back in the pit.
And they said, Jeff, the shit's hit the fan.
You guys got to drop what you're doing and come back now.
So we dropped what we were doing.
We went back and got raided into the deputy director's conference room.
And the lawyer that I'd been working with for the previous year
proceeded to read us the riot act, yelling at me in particular,
for doing something that was potentially illegal
that could get the director not only fired but prosecuted,
and what the hell were you thinking?
And I'm like, you knew about it?
Well, and technically, when I called the lawyers on that Monday morning,
both the general counsel, this guy, and his deputy answered the phone,
and I said, I've got an issue who wants to take it,
and the general counsel deferred to his deputy.
So I did this with the deputy general counsel, not the main guy.
But it's the main guy that was yelling at me.
So I got put on double secret probation since I was the ringleader.
And the first time I've ever heard of the Church proceedings was when the lawyer was yelling at me saying,
don't you know you violated the NSA charter?
Don't you know you could get the director fired if not prosecuted?
I was put on probation.
I was investigated internally.
I found out many years later because I bumped into this lawyer.
after 20-some-odd years at DefCon, ironically.
Turns out they were not only trying to fire me,
they were trying to prosecute me as well.
That attorney or the administration, the director?
The powers that be.
This was above him and it was above me.
In fact, I learned that, you know,
I mean, I'd been pissed off at this guy for 20-some-odd years
for yelling at me when we were buds.
And it turns out he was getting a lot of flak too because he had ultimately sent us, or his office had sent us.
Yeah.
His deputy, his deputy resigned.
But, you know, after going on double secret probation and having to talk to internal
security and tell the story and pretty much everybody I talked to, like, that's it.
You were just trying to help.
It kind of soured me on continuing to work there.
We eventually were exonerated and we got pulled back into the deputy director's office, and a bunch of the senior level management were talking to us and counseling us, and they basically said, you know, we like what you guys do. We want you to do it, but if you're going to do it here, you have to follow our rules. And so we said, fine. I was gone from NSA by the end of September of 1996. So like six weeks after this all went down, I was gone from NSA because it was the end of the fiscal year. They were doing a buyout to get people to leave.
This is one of the fallouts of the Soviet Union and fighting for budget.
They were paying people to leave.
And we'd been kind of toying around a bunch of us.
We're looking for, you know, more high paid jobs in the private sector and all that kind of stuff.
So I took the first offer that came along and I was offered money to leave and I got the hell out of Dodge.
and, you know, end of September, 1996, you know, tried not to let the door hit me on the way out,
type of thing.
Which, you know, is, you know, looking back on it almost 30 years later, if it hadn't
gone south, I mean, you know, there was something cool and fun and patriotic about doing it
there.
You know, we were thinking we were doing a good thing.
You know, there was the allure of more money out in the private.
sector, but I'll tell you what, when I went out into the private sector more than I got an
increase in pay, it was the idea that I could be hired by a company to do a pen test one week,
do the job for the next couple weeks, take a couple weeks to write the report, you know, maybe
a month later, come in and present our findings, giving recommendations, and we were done.
In and out, you know, maybe a month, maybe six weeks.
where six weeks at NSA, we would have still been trying to get permission to run the ping command.
Right.
So much more than the money was the lack of the bureaucracy and the more focused, less complicated.
There's a job to do, do it, report on it, give the feedback, thank you, you're done type of thing.
That was very refreshing.
But the reason I left NSA was because I was very much, they tried to get me to leave involuntarily, but I kind of took the opportunity when they gave it to me to get out and go out
to the private sector where largely I've had a more receptive audience of my clients over the
years.
Not every time do they want to hear what I have to tell them in terms of how they're insecure
and what they need to do differently or what they need to invest in.
but generally
if you can explain it to people
and I think I do a reasonable job of explaining to people
why they should care, why they should worry
what they need to do to invest in
or at least, okay, you've got limited resources,
here's your options,
here's the pros and cons of what you decide to do
or not do, so at least they can make an informed decision
or at least what I believe is a more informed decision about how to approach this thing that we now call cybersecurity and protect your
organization. And oh, by the way, we're losing and nobody can afford to do everything that
they need to do to provide that mythical 100% level of protection because it doesn't exist.
And yet, we have a very burgeoning industry that keeps going and hundreds of billions of dollars
are spent on technology, where what ultimately causes many companies to fall is a process issue or a failure of people and personnel
to do something pretty trivial. Yeah. When you get down to it.
How does- Keep spending your money, people.
How does, you know, when we look at the United States and we are a free country and
limits on the government is a good thing. And, and yet,
I don't want to say in yet as though we should erase freedoms in any way, shape, or form.
But how does the NSA, particularly in this infosec environment, how does the NSA compete against countries like China, Iran,
you know, country, Russia, that do not have any moral compunction, any laws that, you know, limit their government's reach,
How do we compete against that?
Well, that's a very complicated question to answer.
And philosophically, it does, and I just, this came up a while ago in a conversation.
I now have the opportunity to say it, so I'll say it.
But I think one should think twice about automatically assuming that what we're doing is moral because we're doing it to protect us.
I'll just throw that, just throw that out there just to make people think.
But generally speaking, you know, we are a moral, responsible society and government that does operate under rules.
And most people take the rules fairly serious.
There's always exceptions.
And because there's rules and there's bounds.
And more than that, there's just so much that could happen.
There's so much that could go wrong.
And you never know what's going to happen and where and where do you,
you know,
where do you put your attention and focus and your limited resources.
We're almost setting ourselves up as a society,
if not pockets of industry within our government,
which some would argue that the government should be protecting.
It's not really a winnable situation in my,
in my opinion.
Whereas other countries,
we are certainly told that they,
you know,
aren't as strict on rules and regulation.
And, you know,
I doubt if Chinese hacking groups,
whether they're military or paramilitary
or funded by the government
are going through a lot of procedures
and bureaucracy and red tape,
just a perception.
So, I mean,
we handcuff ourselves. And of course, you know, I work tangentially. I have relationships tangentially with a lot of
people that are involved in, you know, the mission of protecting the country, cybersecurity,
national defense, and so on and so forth. To be honest, and if any of them are listening,
I apologize ahead of time. But, you know, given my experience working with the government and in the private sector, I've always felt that if you're working for the government,
it's because you're not good enough to make it in the private sector,
so you're kind of second tier to begin with.
And there are exceptions.
I mean, that's just a very broad blanket,
probably ignorant statement that you need to say.
But in my experience,
the real cutting-edge stuff happens in the private sector.
And here's why.
For better or for worse, in the private sector,
everything's driven by the dollar.
Everything is financially motivated.
Companies exist because they're trying to make money.
That's free commerce.
That's what we do is a free country.
And I often tell my clients in the private sector when they talk about risk.
And I mean, you hear all these words bandied about like risk and vulnerability and threat, security.
I tell my clients and anybody to listen, frankly, you know, when I was in the military, I was working for the military.
when I was working as a civilian,
the idea of risk was all computed around loss of human life.
Troops on the battlefield, citizens abroad and domestic,
embassy workers, state department employees and stuff like that.
But it all had to do with loss of life.
In the private sector, it's all about money.
That's very different,
especially when everything you do comes at a cost.
or everything you don't do potentially comes at a cost.
So it's a different motivational factor.
And I'm not saying it's a...
Somebody posted on LinkedIn in the last day or two.
We're losing you just a little bit.
I think your signal's a little low.
Oh, no.
Yeah, can you repeat that last thing?
Can you hear me now?
Yeah, we got you.
Okay.
How far last do you need to go?
Just like the last sentence or two, yeah.
What I'm saying is the idea of risk, why you do security, why you do the things,
it's very different if you're, you know, pursuing the national defense, which is basically
loss of human life at some degree versus the private sector, which is how much money you're
going to lose or how much money are you going to spend or how much revenue are you going to
lose or how much, you know, it's all a financial basis. And it's not that one is right and
that is wrong. It's just a very different. And in a lot of ways in the private sector, it's a lot
better to understand dollars and cents. Right. You know, that's a pretty easy equation to
understand. In the national defense concept, it's, you know, how do you put a price on a human
life. Right. Right. Right. I mean, you intuitively don't want to lose anybody's lives, but, you know,
I'm sure we've all seen reports or heard people talk about, you know, generals planning battles
and, you know, even the Normandy invasion in World War II. Everybody knew people were going to die.
Right. And the calculations that were being done on what was an acceptable level of loss,
of human life given the potential gain.
I mean, and that's where I defer to the people that do work for the government and do work
for the national defense because they do take that very seriously and it's very hard,
but it's also very politically motivated and there's a lot of stuff, bureaucracy and stuff
that goes on with that, where maybe I'm taking the easy road out by just working in the private
sector and it's all about money.
questions for Jeff. Yeah, we do. But I want to ask you, so in your opinion, does, you know,
the government is notoriously cheap, right? The government is notoriously what they pay soldiers,
what they pay case officers, what they pay NSA analysts and operators, what they pay their federal
law enforcement. Like, it is not, and for a lot of the jobs, whether it's a soldier or an FBI
agent or whatever, there are not a lot of comparable jobs on the outside so they can pay on the
cheap. When it comes to the NSA, though, you know, you guys may be a GS-12 or GS-13 step-5,
but then you can turn around to Mandiant or CrowdStrike, whatever, and earn three
times, four times what you're making. Do you feel that the NSA needs to, you know,
that the government in general needs to deal with this new reality?
And the NSA should pay people what they're worth on the outside in order to keep that talent.
I mean, the short answer is yes, but it's complicated because,
and this is where I kind of do have a little bit of deference to the people that do, you know,
work for the government because they do believe in the mission and are patriots,
things like that.
But there is this stigma at the very least that if they were really good what they did,
they'd be getting the private money and the bigger dollars, making them more.
But that doesn't mean that everybody out in the sector that's making the big bucks is
deserving of the big bucks.
Good of what they do, right.
You might not necessarily want them deciding who lives and who dies either.
Right.
Right.
Right.
I mean, I talk to a lot of people, you know, since I go out to a lot of conferences, I was at a conference last weekend.
And I was, after I spoke, I was talking to probably a dozen college students that had come from one college.
And they were just peppering me with questions.
And refreshingly, they did not ask change when I talked to students.
How much does this pay?
How much can you make in cybersecurity?
They're mostly interested.
They have a passion for technology.
They have a passion for whatever this stuff is.
But I try to tell people, you know, find something you like to do.
Find something you enjoy doing it.
Don't get hung up on the money because you can make a lot of money and think that that's
arriving and making it.
But I have yet to meet anybody that's happy and satisfied because they make
gobs of money.
But I know a lot of people that are really happy with what they're doing and really satisfied with their job. Some do make a lot of money, some don't make a lot of money.
Some are in the government, some aren't in the government.
But the happiest people I know are the ones that are doing what they love and feeling like they make a difference.
And I think you can certainly, I mean, I've been doing the credit card industry for 20 years.
You know, I go home at night and fall asleep thinking, well, I've allowed a company to make money
on credit card interest, boo-hoo.
Contrast that with somebody that goes home at night and falls asleep
because they knew they helped save lives or, you know,
promote the national defense.
So, you know, it's a hard nut to crack,
but I think there's a stigma that, at least for me,
that if you're working for the government,
it's because you couldn't hack it in the private sector
where they pay the big bucks.
Of course, a lot of people put their time in in the government,
and then they get the posh job at the big companies out in the private sector.
And, you know, most of the people you know and see,
and I'm grossly generalizing, I'm not impressed by the people that you see,
the public figures, the ones that are always getting interviewed on CNN
and all the different news channels.
Yeah.
And so on and so forth.
The people that really are good at doing all this stuff and love it
and are passionate about it,
You don't know who they are.
I don't know who they are because they're just in the trenches doing it.
And they're doing it for whatever makes them satisfied.
And, you know, God bless them because, you know, we need those people.
I think it's interesting because you talk about the mission.
And I can see how similar to the military, the people in the NSA have a mission and a purpose.
And as you experienced, I think the challenge with the mission,
and patriotism and that sense of purpose,
the only thing that stands between that and bitterness
is like one bad manager, one bad leader.
And they can steal that entire sense from a person.
How is the NSA when it comes to their leadership development
and their management development, things like that?
Yeah, I don't know.
I don't know that there.
When I was there, which was, you know, for the better part, 30 years ago,
there was a stigma between, you know, if you want to advance in your career,
go up the pay grade ladder.
To get beyond a certain level, you had to get into management.
So you had to go, there was either the technical track or the management track.
And management track is who made the big bucks.
But, you know, if you were good at the technology, and I use that term loosely,
technical could be your cryptologist.
Technical can be anything.
but technical not management, you know, labor, not management.
The people that were really good at it and wanted to advance had some point had to kind of suck it up and like, well, if I want to go further, I got to get into management.
I don't know that they've completely solved that.
I was actually invited back to NSA last fall for an alumni open house because they're basically trying to recruit people that used to work there because they're hiring.
there's certainly a need.
And we talked about how they don't pay well.
And someone like me, whose clearance expired over 20 years ago, I simply asked,
is there any way to streamline me getting back in?
You want me.
I'm certainly capable.
I certainly have a lot of experience.
But there's that background investigation and getting the next again.
And the very long-winded answer, where I really never got a good answer, was,
no, there is no shortcut.
But, gosh, I was, I think I was at RSA a few years ago,
and I went to the NSA booth because that's sort of a pilgrimage
every time I go to RSA conference.
And I met a young lady at the booth.
And she's like, oh, you're Jeff Man.
I'm like, oh, she knows who I am.
She knows my stature in the industry and my background and stuff.
And she said, oh, I used to go to school with your daughter.
So I'm like, oh, okay.
So she had no idea who I was other than that I was the father of a classmate of hers.
So my daughter now is in her early 30s.
This woman's in her early 30s.
She's senior level management at NSA.
And she's the smartest person around.
But my gosh, I mean, early 30s probably has been at NSA since college.
So she's got maybe 10 years experience.
And she's in a really senior level role.
That doesn't give you warm fuzzies, and it's nothing personal against her, right? It's not because she's a woman,
it's not because she's young. It's because she's got maybe 10 years of experience, and how much of that 10 years
has been off on the 2020 program getting more education and training and doing this, that, and the other?
And my impression is they're working with what they've got to work with, right? And again, it's
nothing, it's not a knock on her personally. I'm sure she's, you know, she seems to be very
smart and very wonderful, but she's made comments about how NSA is on top of their game at this open house.
The director was talking about how NSA is on the top of their game.
He's a very compelling speaker.
But I'm like, yeah, then I started talking to some of the people.
I'm like, yeah, you're still full of it.
And that's just my opinion.
So they talk a good game, but at the end of the day, it's still a government job.
And they've got lots of stupid bureaucracy and rules and regulations.
and because they're sort of the only game in town and they sort of look inward,
they don't see the big picture and they don't see the outside.
I've been trying to offer them, hey, I've been out in the private sector for 25, 26, 27,
28 years now.
I've learned a few things that maybe you would say you want to be more engaging to the private sector.
Why don't you bring me in to let me tell you how to maybe do that?
because, you know, your me-first approach, we're NSA, you should listen to us,
that's not going to cut it in the real world, because people are like, yeah, you know,
well, yeah, you're NSA.
What does that mean at the end of the day?
And gosh, I hope I'm not getting fired or arrested after this.
And one last question before we get to, like, viewer questions.
I'm curious about, you know, like, you know, back during the naval era,
when you had the letters of marque, you know, during, you know, when we've had these times when the government can control, you know, everything, we had the idea of sort of privateers.
Do you think that the government, in this cyber warfare world, in this cyber environment, when there are 14-year-olds who are just brilliant and doing crazy, you know, amazing stuff and, you know, there are groups out there, do you think that the government in this,
one arena should turn to like a privateer model?
It's an interesting question.
I would say I was having a conversation in the last couple weeks with some people at one of the conferences I go to, and they were talking about, actually it might have been on the podcast I do, but they were basically talking about how, you know, there's certain hacker groups out there that are just going after certain,
not necessarily nation-state actors, but, you know, sex trafficking, child trafficking type of groups.
You know, there's conscientious hackers that just kind of go after them just because it needs to be done.
And it's not technically sanctioned by the government, not sanctioned by anybody, but nobody's really complaining.
So, I mean, that's my most recent frame of reference.
I would say, I don't, my bias is, if NSA or the government puts its fingerprint on it,
it's going to get stupid at some point.
Could there be sort of a handshake unofficial?
Well, there's this shadow group out there that's just doing the responsible right thing.
That might work for a while.
But, of course, that could go wrong for many reasons, too, because, you know, absolute
power corrupts absolutely.
But, you know, the serious hackers out there that are socially minded, you know, socially
conscious want to do the right thing and are frustrated at bureaucracy and the
limits the government puts on out of necessity, but it makes it very difficult to do what
needs to be done in a fashion or a manner that can and should be done.
Yeah, I don't know what you would call it, if you would call it,
privateering per se or just looking the other way.
Does there need to be some oversight?
Does there need to be some kind of stopgap?
But I could see that happening.
On the other, on the flip side, do I believe in vigilantism?
Not necessarily.
That sounds intuitively wrong.
But, I mean, anything can work for a while.
and anything can go south when the wrong personality
and the wrong motives come into play.
You know, people often ask about hacking back
and whether that should be done by companies,
you know, or leave that to the government.
Right.
Yeah.
You know, this is where it kind of, you know,
the difference between the private sector,
you know, money, that's the risk
and the government protecting, you know,
the U.S. and U.S. entities and things like that,
that's where it gets a little bit fuzzy for me and tricky, but I tend to want to, like, I'd rather
have the government in control of the actual war fighting, because that's sort of what they're
in the business of doing, because I think it could get real ugly and lots of bad things
could happen to innocent people if it's done by the wrong people for the wrong reasons,
or even the wrong people for the right reasons, but outside of the boundaries of control.
You know, there's a reason why we have a Geneva Convention, which, you know, doesn't make
sense at some level.
Like, why do we have people sitting down coming up with rules on how to conduct warfare?
At some level, it makes perfect sense.
And another level, it's a head scratcher.
It's the same type of thing for hacking and hacktivism and stuff like that.
It makes sense at one level and at another level.
It's like, man, you don't want to go there.
That's very sketchy.
And I can go either way, depending on my mood and depending on what the situation is.
So, so again, I'm sorry, but one more following question, because you mentioned the Geneva Convention.
And I'm curious, in your experience, if a non-state actor, you know, a hacker crew shuts down a hospital over ransomware, should they be considered a viable military target?
Hmm.
That's an interesting question.
From a Geneva Convention perspective, and again, this is a conversation we had on our podcast a couple weeks ago with a gentleman named Josh Corman.
You know, it used to be that the hackers sort of had the bad guys.
You know, hackers can be good or bad.
But the bad guys used to have sort of a code of conduct or ethics that you wouldn't go after, you know, like a children's hospital and hit them with malware or ransomware.
but the perpetrators, the bad guys that are doing this,
they're looking for targets of opportunity.
They're not looking at who it is as much.
So there is this idea that, you know,
there used to be some idea of responsible crime.
And that kind of can go away at some point.
So are they, should they be targeted by a military action?
I would tend to say yes.
But again, that's the situation where
there's private groups, there's hacking groups, you know, good guys groups that are actively
targeting those types of organizations and doing what they can to take them down in a logical,
technological sense.
I don't think it's in a military sense, in a physical sense.
But yeah, there's certain lines that get crossed that most people will say, yeah, that's something
that shouldn't be done.
That's not cool.
And it used to be that there was responsible criminals that wouldn't do something like that,
but that seems to have gone out the window.
So, you know, whatever works to get the stuff to stop happening, I'd be tempted to condone that to a degree, if that makes sense.
I agree with you.
I mean, I was just curious, I mean, you're the expert here, but I feel as though if, you know, according to the Geneva Convention,
if they're responsible for the loss of life, they're a viable target.
But I don't know from a cyber perspective, somebody as experienced as you, what your thoughts would be.
All right, let me get a question.
Well, final comment on that.
I mean, what's interesting to me is, again, we talked earlier about some things that are kind of coming full circle or overlapping.
Maybe this was off the air, but, you know, signals intelligence is becoming a thing again.
The idea that risk now, because we're targeting hospitals,
they can't afford the security, can't afford the ransom, critical infrastructure,
you know, the idea of the risk being loss of human life is kind of becoming a thing
that's more tangible and real in the private sector.
So it's not a it's not a full circle thing, but it is a blending.
where more action is required and more action from the government is necessary,
even if that means regulation and regulatory compliance, but also assistance.
Right, right.
It is an interesting time we're living in, but I think it's interesting that risk in the private sector,
which has been money for so long, is now starting to be human life again,
which is something that the military understands.
So, yeah, maybe they should step in.
So, viewer questions.
M. Corbyn, thank you very much. Really appreciate it.
Does Bitcoin have a future as a tool for power projection in the future?
And also, what is your take on the 2000 U.S.-China Hacker War?
I try to avoid Bitcoin as much as possible.
Does it have a future? No comment.
And I haven't heard of the other one.
I don't do a lot in the technology realm.
I focus more on people and processes.
That's just a general disclaimer.
So try to ask me another question.
I'm sorry I can't answer the first one.
Johnny, thank you very much for the donation.
I don't see a question.
If you have one, please throw it in the chat.
Oh, I see another one.
Global Media, thank you very much.
Support the team house.
Get those likes up.
Yes, everybody.
If you haven't liked this, please throw us a like.
And hit us and subscribe if you haven't.
Johnny, thank you very much.
I wonder if Jeff thinks CPU architecture can be secure.
Until Apple, TSM have been shown to have unpatchable physical vulnerability in chips, which leaks secure keys.
Yeah.
I had a chief scientist, I believe it was, in my early days at NSA.
say, so it would have been in the 80s, maybe early 90s, that used to have a mantra,
what can be created by man, can be broken by man.
So in that context, you know, can CPUs ultimately be made 100% secure, unbreakable?
No.
To me, we're having two different discussions that often get lumped under this mantle
of cybersecurity.
And that's the idea of securing all the things as much as possible.
So securing, creating a secure state, which is kind of a noun.
And then the second thing is security.
What do you do given you can't do the first?
What do you do to monitor and detect and respond to your network, your environment,
given that something inevitably is going to fall in terms of the technology.
So in that sense, what I'm saying is, no, I don't think CPUs can be ultimately secured 100%.
But given that, what do you do?
Maybe you don't invest as much on trying to find a better CPU.
what is done these days by the organizations that you referred to is probably good enough for most people,
but it's the few that care and the few that are going to be impacted the most by somebody that
figures out a compromise, figures out a way around, or work around what we used to call a feature.
They're the ones that need to care about it, but they need to know how to detect it to minimize the damage
and to respond to it.
I am a proponent of the process.
Security is something you do.
It's not a state that you achieve.
There's making things secure, and then there's security, which is the diligence and the monitoring
and the standing guard and standing watch so that you see the attack when it's happening,
you intercept it early, you minimize the damage.
That, to me, is the essence of security.
Do you think that hardware manufacturers and software manufacturers,
are transparent enough
with like the community in terms of
what they think the weaknesses are
so that people can be diligent
or do you think they could be more transparent?
Short answer is no.
I don't think they're as transparent as they could be.
The podcast that I do, Paul's Security Weekly,
SecurityWeekly.com.
Paul Asadoorian,
Paul of Paul's Security Weekly,
he works for a company
that does hardware hacking,
hardware vulnerability research company.
I don't need to say the name.
I'll let him do that.
Go to Security Weekly, you know, figure it out.
But he focuses a lot on hardware vulnerabilities right now.
So that's a topic that comes up a lot in our podcast over the last year or so.
And he reports very routinely on the research that he's doing with his day job on the
insecurities of hardware and how hard it is to secure hardware.
And it's not really the new frontier because it's been around forever.
I mean, I worked at NSA when it was all hardware and there was no software.
So, you know, it's semantics.
It's blurring the lines.
But, you know, hardware is also prone to insecurities and vulnerabilities and
bugs and weaknesses and misconfigurations.
and they're out there.
They typically don't become publicly known
until either somebody exploits them
or some researcher discovers it
and then it's, you know,
the sky is falling.
You have to temper it with, you know,
the likelihood that somebody's going to go after
or something like that,
going to go to that degree of attack
that they're going to try to exploit that.
A general principle
I'd say is, you know, the bad guys are going to do whatever works, whatever's the easiest.
I mean, they have their own cost-benefit analysis, as it were. So they're going to do what's
works and what's easy, and they're going to hit the targets that are vulnerable. They don't,
they don't necessarily target specific organizations, which to me is one of the big 800-pound
gorillas in the room, is that we have this industry that makes people protect against all sorts of
stuff. Most of the bad guys aren't targeting specific organizations. If they did, they sort of have
unlimited resources and they can go after them any way they can and they can take the time. And if it means
exploiting a hardware vulnerability, they will. I think the line is drawn when the hardware vulnerability
that can be exploited in a way that is sort of reproducible. And it can be. It can be
something that's, you know, random in terms of let's find somebody who's vulnerable.
We don't care who it is.
Right.
Even if it's a children's hospital and let's exploit it and make money off of it.
Commodity, you know, commoditize types of attacks that, that, you know, target anybody.
No offense, it's just we're just targeting whoever's vulnerable.
Do you think that ransomware as a service has kind of, like, increased that type of tendency? That,
you know, you might have ransomware gangs that do have those codes,
But then when it's ransomware as a service,
you just have some script kiddie out there who's like,
ah, fuck it, I'll just find whoever, whoever will pay.
Well, I mean, it's simple economics.
And it's, you're not really paying attention to who the target is.
It's whoever's vulnerable that you can make money off of.
I mean, ransomware in general, I think, has changed the dynamic of cybersecurity.
significantly because, you know, the way I was classically taught about this problem, which
we, back in the early days, we called data security or information security.
And most people have probably heard of the CIA triad, the three components of security
of data being confidentiality, integrity, and availability.
So confidentiality, keeping secrets secret, integrity, knowing that the data is valid.
It hasn't been altered or tampered with.
And then availability.
Can you get to the data when you need it?
Most of this cybersecurity industry, which is mostly technology-based,
focuses on the confidentiality problem, trying to keep things secret,
trying to keep things safe, trying to keep things inaccessible in terms of stealing it.
You know, denial of service has been a problem off and on.
distributed denial of service has been a problem off and on over the last 20 years or so.
But we sort of solved those problems.
Integrity issues, faking the data.
Do you trust the data?
You know, that can kind of come into play with phishing schemes and fraud schemes, scams and stuff like that.
But availability, that's something that we haven't really invested a lot of technology
solutions in, and everybody believes that technology is how you solve the problems.
And it's even more twisted than that because it's not just ransomware where we're going to
hold your data and if you don't pay, we don't give it back to you and you lose access to it.
But now it's sort of the, I don't know if somebody's come up with a good term for it, but holding
the data and threatening to release it rather than just sending it back to you.
sort of, I don't know what's a good term for it, but that's been coming up more.
Yeah, the exploitation.
Yeah, yeah.
Yeah, that, there are no good, there are no good technical solutions to prevent that
other than the things that we've been preaching for the last 30 years of sort of basic security hygiene to try to, you know, prevent that stuff from happening.
I mean, with all the ransomware attacks that are out there, you don't
often hear people talking about how the ransomware attack was launched in the first place,
how it, you know, got into the environment, but it's usually a phishing attack, which is not a
technical failure, although you could argue that it could be. Why am I getting an email in my
inbox that's got a phishing link in it? Why isn't there technology out there that filters it out
or blocks it? There's that aspect of it, but we don't have a lot of good technology
out there that prevents people from clicking on a link or falling prey to a really, really convincing,
clever phishing scam.
Right.
Or, you know, to date myself back almost 30 years to open an attachment of a document
in an email that I got from a trusted source that says, hey, read this.
And by doing so, I've launched a virus or malware, what we used to call viruses and
Trojans and malware, but what we pejoratively call ransomware these days.
Right.
Well, I mean, in these days and times, it's amazing how many organizations aren't even enforcing
a basic, like, 2FA, like, you know, a 2FA to log into stuff.
It's incredible the basic steps that aren't being taken often.
I agree with that.
And what I often shake my head at is the fact
that while there's so many vendors out there that are trying to sell you convincing solutions,
there's for, and I'm talking primarily the private sector, because that's where I've been most of the
last 30 years. Without regulation, without compliance, most companies aren't going to do it,
because why should they? They don't have to. And until they get popped, until they get breached,
they don't get the religion of, oh, we really should have done that.
I've been doing the payment card industry for 20 years.
The PCI data security standard is a pretty decent, high-level set of rules of things that you should do to secure your organization, your network to protect data that you care about being stolen.
You know, specifically it's credit card information, but you can apply it to anything.
most organizations that I work with are doing it because they have to.
And in the early days, even before PCI, when I was working with companies in the private sector, and even in the beginning days of PCI, the questions I was being asked from companies that I worked for was, they weren't asking, what do we need to do to be secure?
They were asking, what is everybody else doing that's a peer in my industry, so that, you know, I can do as little or as much as anybody else, so that when something bad happens, I can say, well, I was doing best practice and therefore not get fined or not be held liable or accountable, because it could happen to anybody. And it could happen to anybody.
It's a weird dynamic, but most companies out there, if they don't have a reason to do it,
they're not going to do it. But you can sort of explain that in a financial model, because everything's,
you know, money-based in terms of the risk model. Well, it hasn't happened yet, why should we spend
something on, you know, spend money to protect against something that hasn't even happened yet?
So there's a financial logic to it, and of course it blows up when the bad thing happens, and that's when we get called in and we help them straighten things out, and, you know, they get religion.
But you know what's in the news these days in the private sector? Critical infrastructure. Utility companies.
And people are talking, you know, I hear people talking about, well, there's this, this, and this,
and the MITRE ATT&CK framework, and do this and that and the other,
and there's all these things. I'm like,
they're a utility. Somebody in that company
is, you know,
collecting credit cards to pay
for the water bill, the electric bill,
so they know PCI's in there somewhere.
If you just did what PCI said to do,
you'd be pretty much okay.
But nobody seems to be connecting the dots on that.
PCI is this, oh, nobody likes to talk about PCI,
that's old, it's stupid, you know.
It's not flashy and new and shiny.
Right.
But it is today because PCI 4.0 is now the law of the land.
Do you have anything else for Jeff?
How long do you think it will take?
Thanks, John Jones.
How long do you think it'll take for AI-based security controls
to become as complex in the private sector
as layer seven firewalls are today?
Oh, God.
AI, the latest buzzword thing that I'm trying to
avoid ever dealing with.
You could probably map this to other things.
Like you're using the firewall as the analogy.
Everybody's got a firewall these days.
I'm sorry, they don't have firewalls anymore because their infrastructure is now in the cloud
and it's protected by software.
10 years with a little bit of acceleration.
I'll say five years.
That's my guess.
And then from Corbin, oh, Justin Zulu, thank you very much.
What are some things that the average person could do to protect themselves going forward?
Probably the biggest thing is put what the industry calls multi-factor authentication,
what we used to call two-factor authentication,
on everything.
I'm not a personal
fan of password vaults
because I'm old school enough to think that you shouldn't put all your secrets online, period,
or trust technology, period.
War Games, 1983.
Don't trust the WOPR.
But use a really, really, really long password,
and I would even advocate phrases, poems, song lyrics,
try to think of obscure song lyrics,
and then apply random, you know,
uppercase, lowercase, special characters.
Everybody knows to substitute, you know,
the number four for the letter A and the number three for the letter E.
But don't do it on the first letter, last letter.
Don't do it on every letter.
Put spaces in between the words.
Or, better yet, put spaces somewhere in the middle of the word
and not between the words.
Because that's going to protect against password cracking.
reinforcing. But more than that, I would say, make sure you're always using some sort of
multi-factor authentication on everything. There's a lot of, there's a lot of people talking about
using password vaults and you get to use those super long, random password generated things that
are stored in the vault, but password vault companies have fallen victim to compromise,
so they're not a perfect solution.
In fact, I interviewed the CEO of LastPass last summer at Black Hat as part of the podcast I do.
We did live interviews of executives.
That was an interesting conversation.
I didn't know the guy wasn't the founder of the company of LastPass.
He had become CEO like October, you know, two years ago, you know, months before they had not one but two major breaches.
So I was kind of like, ouch.
But, I mean, I'm old school.
I don't believe that you should put all your eggs in the technology digital basket.
I think this is your best tool right here.
My current domain password for my day job company is like, I think it's like 38 characters long.
It's a song lyric.
It's a line of a song that's, you know, a song that I know.
And I mix it up a little bit enough to just protect against the cracking.
but just the sheer length of it,
38 characters.
Nobody's going to guess it.
I would even say if you knew
what album
I was
citing a lyric to
because of the various permutations,
yeah, you could brute force it,
but it would take you a while
because I mix up the spaces
and the upper characters
and lower characters
and special characters and stuff like that.
So, but because I grew up typing with 10 fingers and not thumbs, I can type my 38 character password in faster than probably most people can do a 10 or 12 character password where they're just doing it like this.
But that's just me being a crotchety, curmudgeonly old-timer. Get off my lawn.
So, Jeff, my question, because I do use a password vault, like my question to you would be in this, in this digital world,
where everything we do requires a password and obviously you don't want to reuse the same password.
But how do you manage 30 passwords without a vault?
Do you write them all down?
Do you personally just remember them all?
Like how does the average person manage that?
Well, A, I'm not the average person.
Yes.
For better or for worse.
You know, we used to talk about having passwords you care
about and passwords that are the throwaway passwords. Of course, I've talked to developers that, you know,
are doing stuff in, you know, Azure or AWS where they need to know like 300 passwords for all the
various different, you know, systems that they got working on. You know, that can be a little bit
excessive. But I guess I'm more of the mindset that you have the throwaway password. You need to make a
password, have a decent one, but I'm okay with repeating a password
for accounts that I don't care about.
Now, you know,
you don't want to use a password in multiple cases and use it on some place where something's
going to get stolen, something you care about.
So I sort of distinguish the throwaway password.
Oh, I've got to sign up for something.
I got to create an account.
I'm never going to use this again.
Some form or other, I need to have a
throwaway password that's just something lame.
And then the passwords on the accounts that I care about, which are much fewer,
they're either unique or there are permutations on a very, very long stream.
But there's a couple considerations to be made, and I can argue myself out of this,
because it's not just stealing the hash and cracking it and trying to figure out what the password is.
There's, if you're using it in multiple places and it gets compromised in one place, it can be used in many other places. That's another type of attack.
There's the possibility that, you know, even your best password somehow gets intercepted while you're using it, where it's in a fashion where it can be copied. You know, more rare, but still a possibility. But
the bad guys don't often do it that way because there's easier ways to do it.
So I guess I'm, I could be proven wrong.
I'm happy to be proven wrong and argued out of it, but I'm still of a mind that I have
throwaway passwords that I'll use repeatedly in many places.
And I don't care if you knock over this account and that account and that account and
that account because I just set up the account so I could download the white paper,
damn it and read it.
Right.
But, you know, I mean, shoot, my rental car company that I use, and I won't say which rental car company I use, when I initially set up the password on my first app, they asked for a pin.
So I have a four-digit password on my car rental company.
And I keep thinking I should change it, but then I keep thinking, but I don't really care if somebody rent some car in my name because I could probably sort that out.
I'm not going to be ultimately held liable for it.
And who's going to do that anyway?
So I have a four-digit pin that is my password to my car rental company to this day.
And I set it probably 25 years ago.
Jeff, tell us about your podcast and where people can go to find it.
Sure.
I'm on a podcast called Paul's Security Weekly.
You can find it at Security Weekly.
You can find it at securityweekly.com.
And if you search on all the podcast catchers,
and I think we're on YouTube and Twitch,
securityweekly.com is the way you'll get there for subscribing.
Paul Asadoorian is the Paul in Paul's Security Weekly.
He started the podcast with his friend Larry Pesce back in 2006, I believe.
So it's one of the oldest security podcasts around.
And it was built on the premise of practitioners just sitting around having drinks, talking shop.
Paul's a cigar smoker.
So much like your studio there, the liquor flows freely.
The cigars are smoked.
And I met Paul about 10 years ago when I went to work for this vendor that was a friend of mine.
And he got me involved in the podcast.
I've been doing it about nine years now.
But we're a weekly podcast.
Paul actually made it his own company at some point, which was acquired at some point.
But it's a network of shows.
We drop about probably 10 hours of content a week.
There's Paul's Security Weekly, the flagship, Application Security Weekly, Enterprise Security Weekly,
Business Security Weekly, and twice weekly security news segments.
So lots of content.
But people that at the end of the day are practitioners that are in this because they're passionate,
about it. We talk shop. We talk about all sorts of things like we've been doing tonight.
And for people listening, we'll have a link in the description to go and check it out. And where else
can people find you? I do a lot of conference speaking to this day, thanks to my friend that
pushed me out into the conference world. I'm going to be, I'm actually going to be up in Canada
later this week at a conference called Atlantic Security Conference.
Atlantic Security Conference.
I'll be at B-Sides, Harrisburg, Pennsylvania in two weeks.
End of the month, I'm going to be in Boise, Idaho at the Boise ISSA conference.
In May, I will be in St. Louis at the ShowMeCon hacker conference.
So a lot of conferences. I'll be around for what we call Hacker Summer Camp, you know, BSides
Las Vegas and Black Hat and DEF CON.
I'll be out in San Francisco for RSA. I'm on Twitter, although nobody's on Twitter anymore,
but you can find me there at Mr. Jeff Man. If you spell my name right, you can find me on
LinkedIn. Go to YouTube and type in my name and security, and you'll find many recordings
of talks I've given. My NSA days, my first couple years where I was in the crypto shop, I did
a talk and I had the marketing team come up with a sticker for it because hackers love stickers.
So I did Tales from the Crypt Analyst.
And then when I did the talk about the NSA Red team, the first pen testing team, that was the sequel,
more tales from the Crypt Analyst.
And this year I'm giving a talk in commission's new art.
I'm giving tales from the Crypt Analyst the afterlife.
That's the talk I'm giving this year.
We throw stickers up on our door.
We want as many of
those stickers as we can get,
one of each. Yeah, if you have
them, we'd love to.
I'm going to have to get more of these
made. More of these
made because I'm down
the last couple, but the woman
that is responsible for
all these stickers,
her Twitter handle is one dark
one. She does a lot of graphic art
for a lot of the hacker conferences
and the B-side. So I call
her a con artist.
She literally is a con artist.
I have two more
questions real quick.
Sure.
And Dee might have some from Patreon,
bet. M. Corbyn, thank you very much.
Any way to circumvent hackers for hire
used by foreign nations?
Pay them more.
Muhammad Sivani, thank you very much for the
very generous donation.
So there's a couple questions. Do you like
YubiKeys for passwords?
I've not used them, but
yes. I think
they're a good thing to do if you want to
drop the money for them. Yes.
Seriousness of quantum
Hold on, sorry, I lost that.
Seriousness of quantum compute threat
and Chinese-Surbanus threat.
We'll get there.
But like any other technology,
it'll have the potential for being used for good and bad.
So in the old days of the Cold War,
it was often referred to, the Cold War, as a game of
cat and mouse. You know, the Soviets would do something that would be devastating, but eventually
we'd figure it out. And then we'd do something that was devastating and eventually they'd figure it
out. So kind of this cat and mouse game. I think the same is roughly true with all the technological
advances. Quantum being what we were talking about a year ago, but of course, AI is the thing
now that everybody's talking about. So it has the potential for good, has the potential for evil. It's
overhyped and not there yet. The quantum thing is becoming real, but, you know, until quantum
computing is available on the smartphone or reasonably affordable by people that, you know, aren't
nation state status, um, you know, it's not going to be an issue yet. What's interesting, though, about
quantum, I will add, is because quantum has the ability to break things when it becomes popular,
that is stuff that was even encrypted in the past, that's where you start to have to think about
now what you're protecting with the current cryptography, especially for stuff you're storing,
because it could be cracked in the future by quantum computing.
So think about what you're saving and think about why you're saving it and storing it,
and keep in mind that what you're storing now, based on what algorithms you're using to store it,
could become susceptible to compromise. But like everything else security related,
maybe the protection isn't just coming up with a stronger algorithm. Maybe it's preventing it from being stolen in the first place,
or if it does get stolen, you catch the people doing it and prosecute them.
I mean, there's always more than one way to solve the problem.
There are no single point solutions, quantum included, AI included for, okay, we've got this, so we're done, we're good.
We can walk away now and not think about it.
Right.
How best, and it's still from Mohammed Savani, how best to develop U.S. talent earlier, like Unit 8200.
And I think this goes into maybe the idea of when,
obviously there are a lot of legal things people can do now
to develop their hacking skills, unlike the past.
But let's say you have a kid who is curious,
maybe with a criminal bent, kind of in their due well,
but reforms his ways.
Is there a way?
Do you feel like there's a way to bring these,
these people into the government?
Well, not speaking for the government, I would say yes.
But, you know, the government has rules.
I mean, I had, you know, when I was hired at NSA,
I had to go through a background investigation.
I had to go through a polygraph.
They wanted to know all your deepest, darkest secrets.
And they claimed at the time it wasn't necessarily
if you had done something in your past,
it would mean you didn't get hired,
they just wanted to know about it so you couldn't get blackmailed in the future.
Right.
So, I mean, I think the government's getting smarter at knowing that they have to sort of
cast a wider net and not necessarily go after the cookie cutter STEM person.
I mean, I'm the living proof of that.
You know, I was not a critical skill.
I was not a STEM person.
I was hired by NSA and I did some things that were meaningful.
And I probably wouldn't be, you know, given my GPA and given my educational background,
if it wasn't for those aptitude skills tests recognizing my potential, I would not have been hired by NSA then or even to this day.
So what I'm trying to advocate for is let, you know, let's figure out a way to find the people,
with the potential and the aptitude that aren't necessarily the cookie cutter, you know, they're in a,
they're in a STEM curriculum, or they're from a certain neighborhood, or there are a certain
skin color, or there are a certain ethnicity, or there are a certain orientation. Let's find the people
that have the potential and the aptitude because they test well in a certain skill set, and let's
promote that. That, to me, transcends all the other issues. Yeah. And I'm the living,
proof of that because I had no business being hired by NSA if all they were looking for was
computer scientists, engineers, and mathematicians because I was neither of the three. But I ran circles
around the people that they hired that did have those degrees that left after three years with a
graduate degree and went off and made a lot more money out in the private sector.
Right. We have a couple of questions. Yes, I have a chip on my shoulder about that. We have a couple
of questions coming in. So I just want to make sure we get to them.
Thoughts on Mattermost messaging.
I'm not sure I know what that is.
Yeah, I think it's a new secure messenger, like Signal, Signal style.
I'm not sure of it.
Also from Mohamed Savani, how much difficulty does a red teamer like you have
keeping up with a relentless pace of development and knowledge needed
like networks to VMs to OSINT to Kali Linux tools, etc.
Right. So I don't do the red teaming anymore. I hung up my hat or my gloves on doing that about 20 years ago.
I've been for the last 20 years trying to talk to people about the possibilities and what could happen and what could go wrong and what they need to do to prevent it from a process perspective rather than keeping up with the technical stuff.
That being said, because we talk about this ad nauseam on the podcast, because other co-hosts are actively red teamers, when we do get down to it, while the technology has changed and the techniques have necessarily changed, the underlying motivations and methodologies, the foundational principles of security, have not and generally do not change.
So in that sense, I don't need to keep up with it because nothing has changed.
And then, you know, sprinkle it on top of that for all the stuff that's going on,
the number, the two reasons why companies still get breached,
the two most common reasons why companies get breached to this day,
to this day in 2024 is something to do with weak passwords or stealing passwords,
exploiting passwords and the exploitation of trust relationships.
And those are two broad terms.
But very rarely is it technology related.
I mean, we were talking about vulnerabilities and CVE scores a couple weeks ago.
And, you know, the statistics are something like only 3% of all the published CVEs have ever been used by bad guys to steal something, to exploit something.
And yet we have a whole industry built around driving down the vulnerability count, driving down the vulnerability count, CVE, CVE.
Yeah.
And so the CVEs, what you mentioned, are the critical vulnerabilities that come out through the various, like, Microsoft has its, uh,
is it CVE Tuesday or Wednesday?
I don't remember.
But basically.
Well, it's patch Tuesday.
Patch Tuesday.
The CVE is, uh, Common Vulnerability...
Common vulnerability.
Okay.
What's the E stand for?
I can't think of what it is.
But basically, I mean, what we're really getting down to is most companies are running a vulnerability scanner of some ilk and responding to the results.
And the results are ranked critical, high, medium, low based on some sort of statistical calculation, which is called a CVE score.
And it's got lots of different factors involved.
and I'm somewhat generalizing,
but my almost 30 years of experience in the private sector,
most companies jump at the scan results
and not anything else that they do in their security program.
And so the argument and the discussion we've been having
on our podcasts over the last couple months
is what happens when a vendor discovers a vulnerability
in something that they produce
because somebody discovered it
and disclosed it, whether they got a bug bounty or not, but they told the vendor about it,
and the vendor decides to fix it, but not issue a CVE.
Right.
Does it ever get to the scanner?
Does it ever get a finding?
Does it ever get a ranking?
And do companies ever respond to it by doing the patch or the version upgrade?
That, I think, is a very serious issue from the perspective of most companies.
They had it drilled into their heads that everything starts
with what does the vulnerability scanner tell us to do?
Because everything we do is associated with driving down the vulnerability count
because that's how we manage risk.
Overly simplistic, wrong, and we could go another couple hours talking about that.
But we shouldn't.
Another one, Mohamed Svani again, thank you very much.
Finally, for the lads, how much difficulty do the glowies,
I guess that's the new slang for feds,
have in tracing Monero transactions.
Beautiful Algo, LOL, asking for friends.
Of course, Mohammed.
We're always asking for friends.
Sure.
But when it comes to crypto and stuff like that,
a lot of people have this impression that it's anonymous.
But it's really not.
And can you tell us a little bit, you know, from your experience or from your knowledge, like how do the feds track Monero or Bitcoin or anything else like that?
I mean, I can't speak definitively because I don't work with them or for them anymore.
But given what little I know about it, you know, if they're motivated to track it, they can track it.
There are ways to do it.
I would hesitate to say that they're tracking everybody just because,
because they're financially and economically bound just like everybody else.
But if they have a reason to go after you, the indicators are there.
I mean, if you're asking, are you safe to do it and the government's not watching you?
I think a certain amount of big brother fear is probably healthy.
But, you know,
I wouldn't lose sleep over it either.
I think one of the, you know, and you know,
it was Darknet Diaries, Jack Rhysider,
who actually, you know, recommended you to me,
and in one of his episodes he had mentioned,
they talked about a
Department of Homeland Security
operation against
child pornographers
and how they tracked, you know,
So the crypto going in, and the thing is they may not be able to track, like, crypto in terms of where it's going inside the system.
But eventually you've got to cash out, and they can follow it to that cash out point.
They can follow it from the buy point.
They can follow it from the cash out point.
So I think, you know, just kind of emphasizing on your point, if you think you're getting away with something, you're probably not.
Well, I mean, probably a similar analogy is, you know, encrypting data. Data was encrypted initially for transmission, for communication, and that was the mantra back then, or even if you're doing it in the modern world for storage. But if you're encrypting data to protect it, sooner or later you're going to want to decrypt it so you can use it or you can refer to it or you can access it.
So the attack points are either before it's encrypted or after it's decrypted.
So I think that's a similar analogy to what you're painting.
Jack Rhysider, saw him at ShmooCon.
That's probably where you saw him.
I'm episode 83, if anybody wants to go listen to it.
I'm the second part, second half of episode 83.
It's entitled NSA Cryptologists.
I met Jack again at DefCon a couple of years.
ago and I'm like, oh, you do Darknet Diaries. You should really interview me. And he checked me out.
And he's like, yeah, I really should. So, you know, different elements and aspects of the story
I've been telling the night would come out in the Darknet Diaries episode. Yeah, he's a really
great guy. Andrew just asked a question. Does the cyber liability insurance run its own
penetration testing teams? I'm not aware of any that do it directly, but a lot of times the insurance
riders are very closely connected to other companies that do provide some level of assurance that
the insuree, if that's the right term, is insurable. And they would simply do it. But I mean,
the first couple of years of the insurance, cyber insurance industry was all questionnaires. And,
and, you know, that was supposed to magically, you know, validate that you were worthy of the cyber
insurance, especially if there was a claim filed.
So I don't think any of them do it directly, but they certainly, because of claims against
it and the need to, I'm not an insurance expert, but actuarial tables, you know, figuring out
how much you need to charge people that want to have this type of insurance based on how many
claims are going to be filed and what's fair and all that kind of stuff.
and the insurance companies can still make profit.
They're starting to get more responsible.
I mean, cyber insurance has been around for almost 10 years,
and I remember being asked about it almost 10 years ago,
and I'm like, people are silly to think that they can skirt or dodge regulatory compliance
by just getting cyber insurance, and in this context it was PCI,
because I'm like, have you ever tried to file a claim against an insurance company?
you can be damn sure that they're going to come back and say,
were you doing all the things that you should be doing?
So if you think the PCI assessment or audit was bad,
wait until the cyber insurance adjuster comes out and starts looking under the hood.
And a lot of times I think what they'll do is they'll hire like the forensics people
to go in and say, well, they didn't do this and the insurance company will have an easy out.
Right. Yeah.
But I have heard of, I mean, partnerships, I guess, or relationships.
where the insurance carriers do have relationships.
Again, they don't do it themselves,
but they probably have partner companies that will do a little tire kicking,
a little bit of vetting of the people trying to get the policy
to make sure that they're meeting some sort of minimal standards.
Similar to like, you know, I don't think insurance companies hire doctors.
They don't have doctors on their payroll,
but you have to get a physical to get a life insurance policy most of the time.
Right.
So they have partnerships and relationships or, you know, you have to have the notarized
signature of a doctor.
Heck, I got to renew my driver's license.
And I'm like, I can do it in the mail, right?
Except for I got to have the back of the form filled out by the eye doctor saying I can still see.
Right.
So the insurance companies will hire somebody that will boot up Kali and say, yeah, okay, you know,
we ran port scans, they're fine, yeah, whatever.
But then if things go awry, the insurance company can also, the claim,
can also be like, oh, well, you weren't meeting this thing.
Yeah, it's very complicated.
There's certainly something to be said for, you know, some sort of minimum level of security,
which is typically measured by some sort of compliance standard.
And the cyber insurance companies are certainly getting smarter.
But you trigger me a little bit because there's also,
this prevailing attitude in our world and in our industry that the ultimate test is a pen test,
which at some level, yeah, if you can afford it, that might be true because that's where the rubber
hits the road, live fire tests. Most companies don't want to pay for that. And I'm guilty of this.
When I first came into the private sector, I started with, let's do a, we called it a pen test,
but it was really a vulnerability assessment. Let's see what you got.
Let's see what we have to work with.
Let's see what your holes are, your vulnerabilities are, and let's start by closing them.
I kind of thought that the industry would evolve.
Right.
Almost 30 years ago.
God, that's almost 30 years ago.
But, you know, when I got back into this, you know, talking to red team and pen testing companies in the last 10 years or so, I'm like, wow, it's become, this is the ultimate test and this is where you start.
You should not start your journey of security with a pen test.
That's the last thing you should do, literally.
That's the last thing you should do because there's all sorts of more cost-effective
economic ways to put security in place and test it and stop gaps and check it.
And the ultimate live-fire test, when you think you're ready for it and you're mature enough, is a pen test, a real pen test.
Not a vulnerability scan, not a Nessus
scan, not a, you know, somebody running a tool suite or this, that, or the other.
But, you know, an actual, you want people to try to come after you, and you're going to pay them to do it,
let them do it.
Again, which is the methodology that was portrayed in the movie Sneakers, which came out in
1992.
Right.
Jeff, thank you for spending your Monday evening with us and sharing all the
Heck, it's almost Tuesday.
Secret. I know. I know we've kept you so long. We really appreciate it.
We will be back on Friday with Jonah Mendez.
Otherwise, Jeff, any final thoughts? Any final things you want to put out there before we get going tonight?
There's no way to summarize this. Be diligent. Be smart. Be caring.
And don't believe the vendor.
Thank you, Jeff.
And again, people can find you on Twitter at Real Jeff Man.
Mr. Jeff, Mr. Jeff Man on Twitter.
You can find me on LinkedIn.
Two F's one N.
Two F's, one N.
And the podcast, one more time for everybody, please?
Paul's Security Weekly.
You can find it at simply securityweekly.com.
All right.
Well, thank you so much, Jeff.
And we will see all you guys out.
there on Friday.
Hey, thanks for indulging me with all this time.
Absolutely.
Thank you, Jeff.
We really appreciate your time.
We had a question from Andrew.
I'm going to ask you real quick.
And this last question we're going to take, if I'm a Fortune 500 company, what is a pen test going to cost me?
It's probably a percentage of your revenue.
The presumption is a Fortune 500 company is a mature,
enterprise, and so you're going to pay more. But there's a lot of, I mean, last time I looked,
uh, nine out of the 10 Fortune 10 companies, 98 of the 100 Fortune 100 companies, have to do
PCI at least in some part, and PCI is notorious for taking a very minimal approach to pen testing.
So, um, it could cost you a lot, but it's very much dependent on what you want to get out of it.
And if you want to do a pen test, the first conversation you should have is what are the goals and the objectives?
Because they are legion and you need to understand what you're asking for before you ask for it.
And you should expect to pay accordingly.
Most companies aren't ready for it, even in the Fortune 500, frankly.
I'd say maybe 10% of the Fortune 500 are really, really mature enough and ready for a pen test to really have a pen test.
Pen test being no holds barred.
Can somebody get in by any means to do something?
But again, that's the goal or the objective.
Are they trying to steal something?
Are they trying to gain access to something?
Are they trying to prove a point?
Are they trying to, you know, whatever it is, exfiltrate data, lock the data.
I mean, I don't know how many pen tests out there
that emulate a ransomware attack.
Right.
I don't know.
I'm going to have to ask my friends that do that.
And I don't think they do that.
When you talk about this full scope pen test,
you're not just talking about hackers.
You're talking, or like, the technical aspect.
You talk about social engineering.
You're talking about physical, like Deviant Olam and those guys.
You're talking about the entire gamut, correct?
Yeah, I mean, and I apologize.
because, you know, somewhere in the time that I took off from this industry, this term red teaming came about.
What I call pen testing is comprehensive.
Correct.
But most people would call what I'm describing as a pen test these days a red team.
It's deviant Olaf, by the way.
That's how you pronounce that.
Okay.
I said Olam for years.
I said Olam.
So we interviewed them, but it's OLAF.
But, yeah, I mean, no holds barred means somebody wants to go.
go after you and they're going to do it by any means possible. It's not simply, now, the
presumption was, when the internet came along, that the path of least resistance, the easiest way,
rather than physically having to go to a place and try to break into it, was like, oh, they're connected
to the internet, let's try to get in over the internet. But once defenses came up in terms of
the technology and the network perspective, you know,
the physical type of thing was back on the table.
And, you know, the irony is if you really want to go after a particular company
and you're motivated and you have resources, no holds barred means you'll try everything.
There was a movie came out, I don't know, in the 2000s maybe Harrison Ford.
It was called Firewall.
and no spoilers, but the premise of the movie is Harrison Ford's like a firewall admin or a network admin at a bank.
And the bad guys kidnap his family and put guns to their heads and said, you know, give us the passwords.
Give us the YubiKey.
Give us the RSA key.
You know, help us through the multifactor authentication.
Log on to this firewall that will get us into the network.
that'll get us to the safe to steal the money
because we've got guns to your family's head.
You know, that's rather extreme.
Right.
But for motivated nation state, bad guys that are really going after you,
that's the measures that they'll go to.
Most companies, you know, can't and shouldn't afford to pay for a simulation of that type of exercise,
but you ought to kind of at least talk about it, you know, table top it.
You know, what would happen if somebody did X, Y, or Z?
But not everybody needs to worry about that because most bad guys aren't going to do that
because it's easier just to launch the ransomware attack
or send out the phishing attack and just see who bites.
And they're not targeting you specifically.
They'll just target whoever takes the bait.
And if it happens to be a children's hospital and people die,
you know, that's not what they're worried about.
Right.
Problematic world we're living in right now.
Dee, did we have anything on Patreon?
No.
Okay.
Jeff, thank you so much.
We deeply, deeply appreciate your time.
I appreciate you giving me the time in the audience.
And yeah, feel free.
Anybody that's listening to reach out to me,
LinkedIn's probably the best way to
find me. I do honestly try to respond to people. Happy to give back, happy to answer questions
and mentor where I can. And check Jeff out on Paul's Security Weekly. It's P-A-U-L-S Security Weekly,
correct? It is, but the website, if you go there, is just simply securityweekly.com.
All right, guys. You'll find us there. We will see you guys on Friday. Take care out there.
All right. Thanks.
