¶ High-level hacking, OSINT, interconnectedness explored humorously.
In this riveting episode, we'll be joined by special guests who do information security work taking us into the deep, dark realms of high level hacking. We'll explore the pyramid of threats from those bumbling high school hackers who couldn't hack their way out of a paper bag to the notorious figures backed by nation states. But hold on to your keyboards, folks, because this conversation takes a turn towards Linux and the intricate world of OSINT.
Yes, that's open source intelligence for those scratching their heads. We'll unravel the mysteries of OSINT, its uses, its implications, and how it can be a double edged sword in the wrong hands. With a touch of espionage and a sprinkle of humor, we'll leave you on the edge of your ergonomic office chair craving
more. And if that's not enough to make your encryption keys quiver, we'll also touch upon the interconnectedness of the past with stories of legendary minds crossing paths in unexpected cafes. All right. Hello and welcome to Data Driven, the podcast where we explore the emerging fields of data science, artificial intelligence and of course, data engineering, which actually makes the whole thing possible. But there's another field that we're going to talk about today, so it's going to be a little
bit different. We kind of did that with the last show or two, kind of expanding our purview of topics. And speaking of purview, I said Purview, hopefully I pronounced it right, but I know, Andy, you've been playing
around with Azure Purview. I have, yeah. And it's kind of it's speaking of data engineering, there's a lot there with data lineage and the secret sauce to it is it does automated scans and if it can figure out where something new belongs in the diagrams, it'll just put it in there and that is almost magic from a data engineering perspective.
There really is a lot of innovation happening in that space. And today, as we're recording this, my wife we mentioned this, does cybersecurity at NIST and my oldest son went with her to Take Your Sons and Daughters to Work Day. That's cool. And yeah, so it's really cool. So we have two guys here on the show. It's one of the few times we've actually had two guests at the same time. We have Patrick and Dwayne who are fellow podcasters for a show called Security This
Week. We need applause. Where's your effect? I don't have it. Plugged in the effect. And they also are the CEO and CTO, respectively of Pulsar Security. Combined with them, they have 50 plus years of combined experience in cybersecurity and technology and they provided services for Disney, the military, Bank of America, the NHL and more. So welcome to the show, Patrick and Dwayne. Thank you. I just want to clarify, I have 49 and he has one.
Wow. Just kidding. You look great for your age, by the way. You started when you were like five. Is that what. So there's actually a funny thing. There was a namespace collision because you, Patrick, attended West Point, and thank you for your service. Thanks, sir. There was another Frank Lavinia that apparently went through West Point. Yes. And I almost went to West Point, which probably would have confused a lot of the professors and staff.
Wait a minute. Did you just leave here? What do you want, the eight year plan? Yeah. You know what I'm thinking? This is a time travel thing, Frank. It is? Yeah. Yes. One of the NCOs I served with sent me a picture of a Life magazine cover that showed troops in the landing craft at Normandy. And the guy at the center of the picture looked exactly the way I did as a second lieutenant. He's like, I didn't know you were in World War II. So I bought a copy of it. It's exactly
the way I looked when I was 22 years old. That's great. Okay, so now both of you are time travel. Maybe that's what West Point does. It's time travel now. We got to delete this. We'll do it from the future. It'll be fun. The neuralizer. That would only work if. We do the video part of this, but that's true.
I want to repeat the name of the website because I was rambling when Frank mentioned securitythisweek.com and you picked up a couple of new listeners, just the banner in the virtual green room was enough to say, all right, I got to make some time to listen to this. All right, we appreciate it. We're trying to educate just like you guys, and it's always fun.
¶ OSINT and security are growing career choices.
It's a growth field, I think, to put it mildly. Someone was asking me recently because a lot of big tech layoffs happening and things like that, someone was asking me lately, someone who's not in data science, and I was like, look, if I had to do it all over again in 2023 well, actually it was 2022 when I was asked this. I was like, I would go with security. I'd probably go with security if you have 50 50 data or security. But you can't go wrong with either.
And there have been recent events in my life which I keep alluding to a court case, but definitely I discovered the wonderful world of OSINT. My wife is really good at OSINT, right? Because that's her career. Yeah. But kind of watching what she's able to dig out and kind of know me doing it, too, we've been able to kind of suss out more information and get clarity on things, and it's amazing what is available. I took a course on
Pluralsight on kind of using Kali Linux. Andy and I I now work at Red Hat, so I've kind of went from promoting Windows and using Windows 100% to, thanks to Windows Eleven, being driven away from the Windows world and into the wonderful arms of Linux and fascinated by kind of the tooling that's out there and built into something like Kali or Kali. I'm not sure how to pronounce it. Depends on who you are. Yeah, we usually call it Kali, but that's our bread and butter. We love Kali, right? Yeah.
That's an awesome operating system. So tell us a little bit about because I know I don't think our listeners are necessarily up on the Linux, let alone kind of the hacking world making that assumption. If I'm wrong, please let me know kindly through email comments in angry letter form. It's a siloed kind of world. We live in technology, right. There's a lot of specialization. There's this notion of full stack this, full stack that, but I've noticed in security that poison of the notion of full
stack has not hit you guys yet. It started to kind of flirt with the data science world. But I don't think you can be because just looking at what are the disciplines. Right, so I think that's one of the things we mentioned, OSINT, which for those that don't know is open source intelligence. And I don't mean open source like Linux or anything like that. What is open source intelligence? So open source intelligence is
from my field. It's awesome because what open source intelligence is there's information about every human out there and you can go like Cambridge Analytica or whoever, right? There's tons of data out there about every human being on the planet that you can pull from just publicly available either databases, websites, some of them say the Dark Web, but you don't need to go to the Dark Web. It's all out there. And we have some crazy OSINT stories.
There was one company we were trying to break into, Fortune 500, they said, hey, listen, we'd love you to do a spear phishing campaign. I was going to say and to be clear, you were hired to break in, right? Sure, whatever. Yeah. So if there's any attorneys listening, there's any federal DA listening. Let's make that clear publicly what we're saying on the podcast. No, we were hired to break into this Fortune 500 and they said, listen, we'd love you to
do spear phishing. And for those of you who may not know, spear phishing is where you target one user. It's either like a CEO, CFO, something along those lines. So you start to gather some really detailed information. And we said, listen, it's too easy, we don't want to do that. Let us just focus on the technology. They're like, no, you have to do spear phishing. We said okay. Cool. And we did a lot of research on and we said, we're going to take your head of HR. We took the head of HR and
we did a lot of research on her. They said, before you send these emails out, can you come talk to us about them? Just show us them so we can approve them. Said, sure. We sat down with them and said, listen, we got two campaigns we're super excited about. Super excited about. They're like, all right, hit us with them. What are they? We said, okay, we found out that she just purchased a Dodge Durango. I have the VIN number of it, and I know where
she bought it from. We've actually purchased a website that's very close to the same dealership website. We're going to send her an email that there's a recall on her Durango with her VIN number. She needs to click a link, come to a website, start typing in some information. We'll take over her computer, access the systems. They're like, no, you can't do that. No, that's way too personal. Okay, cool. Awesome. We got the
second campaign, which I think is a real winner. We're just going to kidnap her kids, right? They're like, okay, so hit us with the second one.
¶ Unauthorized hacking plan involving personal information.
Second one is probably great. I said, okay, so we found out what her kids names are, where she lives. We know what school they go to, the teacher's name for each of the kids. And we found the school nurse name. We've set up a website that's close to the school's website, and we can send an email from the nurse with a form that she has to fill out that's a PDF that's infected with a virus that will take over her computer. Right?
And we'll mention her kids names and the classes they're in, that sort of stuff. And they're like, what is wrong with you guys? You can't do any of this stuff. No. Yeah. Open source intelligence is crazy right now. It's data, the things you can find. It's all about data. It's the information you give. So what's the lesson here? The big lesson is your data is out there. And even if you don't think it's out there, your data is out there. And you need to use secondary
channels of communication to verify things. So if you get a call from the school, get an email, get a text message, call them up, call up the office. If you get a message to call a phone number about your credit card, call the number in the back of your credit card. Try to find a safe, reliable channel and use that to verify. I get calls all the time from my staff that says, did you send me an email to do this? And I invite that because it's like, you should be using
second channel verification, and it's incredibly inconvenient. And that's how you know the security is working. If it's convenient, it's probably not as secure as you'd like. Yeah, well, I mean, that's an interesting point because people like convenience. There is a tension you could just feel like, between convenience. I mean, I have to log in to my account using two factor authentication for both my work and my personal stuff. And I know it's annoying, but I know why.
And Roblox apparently must have some really hairy security stories because their CAPTCHAs, their two factor authentication, I mean, it's pretty rigorous. And my eight year old, he's, like, complaining about I'm like, no, there's a good reason for this. You got to protect the kids, but also kind of train them early. Oh,
yeah, I like that. Yeah, it's a great idea. I was on a panel with a colonel from DISA, and he said he went on vacation and he got bit by a spider on his hand and came back to work. Went into the office, started working, and ten minutes later, armed guard showed up at his desk. And we forced him to identify himself and prove his identity, because his typing cadence had changed. Wow. We're starting to get to the world of the military is doing things we're
not thinking of, and eventually we're going to have to do those things. Right. So Dwayne smiled when you said two factor authentication, and I want to know why. Okay. All right. I get the sense it's like the tooth Fairy, right? Like, you want to believe in it, but it's not as effective as it is as it's supposed to be. No, actually.
¶ Two factor authentication is highly effective.
So, interestingly enough, Google and Microsoft both have released independent research that says two factor auth will mitigate about 95% to 98% of most common attacks, but not everything, which is fantastic. We love using it
because we look for the gaps in between systems. So there's a couple of two factor authentication providers out there that allow us to verify that you have valid accounts and that sort of stuff, without actually yeah, there's all sorts of once you start digging into the APIs of 2FAs, some of them are easily bypassed, some of them are easily mimicked. Some of them allow you to get more information you wouldn't normally get.
So just be careful. There's nothing in security that's the panacea of security. Right. It's the same thing with data analytics. There's nothing that's like, oh, my God, there's this one product, and if you buy it, you know everything and you can see into the future. No, it doesn't work that way. Right. All right. I need to ask you about my password vault off the air. Yes, you do. Let me tell you password for it. No matter what you heard in the news, you should have one,
but there's one you might not want to have. Yeah, I may have that pass. I think we're on the same one. Well, when someone tells you who they are, believe them, and then when they tell you again, believe them again. Yes. That's my concern with these password vaults, is that you are putting all your eggs in one basket, and you don't have two arguments, really. You could use hints in your password vault instead of the passwords. It's less convenient, and therefore it works.
But that means you still have to use long passwords. So you might have zip codes and phone numbers and favorite words and favorite songs and you know what you're going to pull out of them. You'd still have to have that cognitive presence to understand, but you can put hints in them and then that'll let you get to where you need to be. A friend of mine would put incorrect information in it. Right. And he would know that's what it's same principle. Exactly. Yeah. That is just
intriguing. So, quick question. Scrambled up symbols, letters and stuff, or. Better, longer the better complexity. So okay. At our office, we break in at companies all the time legally. Right. I'm going to keep adding that, Patrick, just for the thank you. So when we find a hash so a hash is a representation of a password or an account on a particular system. It's not the actual password. We need to crack it. We need to go and figure out, okay, well,
does the word book match to this hash? No. Does the word car match? This is a brute force technique. We're not able to reverse it, but we can brute force it. Right. And so in doing that, we have a crack cluster at the office. So you know the 3090 video cards that you might have in your computer? We have a crack cluster that has like 40 of them all in one motherboard. So we can guess 3 billion passwords a second. Wow. Yeah. So if you take a normal hash, we're guessing let's say we're only doing
lowercase characters, it's 26 characters. And let's say at ten character password, it takes us a day. Right? Well, at eleven characters, it's a day times 26. Now we're at about a month. At twelve characters it's a month times 26. Now we're at a little over two years for twelve characters. Now let's do one thing. So we also have a dictionary file with 8.4 billion passwords that have been found on the Internet through over the last breach.
Ten years. Over the last ten years. If your password is in that, we'll get it in 3 seconds. Right. Because we can get so we also. Have to talk about that after. Yes, for sure. And to be clear, passwords are better. And to be clear, you're doing this offline. Right. It's not like somebody's listening. You're not like hitting the login page and clicking that a billion times. Let me give you stolen the hash. Okay. Yeah. So good example, because that's a great question, Frank. So let's say
¶ Breaking into Wi-Fi: remote administration and brute force
I'm trying to break into your Wi Fi. Now, there's a couple of ways to do that. One is to try to break into your Wi Fi system because you've allowed a remote administration, which you shouldn't do. And then I have to guess the password, and I might be able to get that to accept 1000 attempts per minute, maybe more, but I'm still throttled by having to send it, having to receive it. It
processing. And some of those things are going to be slow. But if I can monitor the airwaves, which I can if I'm local to you and I get the hash through going through the air to someone's phone, which we will get, then we can take that home and we can brute force it in the comfort of our own systems. And that's offline hacking. So online attacks are harder to do because you can't get the speed, you can't
parallelize them as easily. But the ones where we can do offline, we can do those much faster and much more powerfully. There are cool ways, though, to do online ones. Okay. Really? Yeah. Okay, real quick, you know how you try and log into a website and if you log in with the wrong password five times it kind of locks you out for a period of time? Sure. So what they're doing is they're
saying five times from that one IP address. So what if you could have an infinite amount of IP addresses, which is what Azure and AWS will give you. So you can actually route every password attempt through AWS, for example, and get a new IP address every single time. You can do thousands, but you're still throttled by how fast it can reply. And it probably can't reply 3 billion. Not as fast as an offline crack. Exactly. But it can be. I'm just saying won't at some point
AWS or Azure kind of like figure out? You would think. You would think. Okay, no, interesting. So it's a game of cat and mouse. They're dealing with amazing amounts of traffic. Eventually, maybe there'll be an AI that helps, but then we'll use our AI to fight it and it'll be and. Then the Robot Wars. And I would imagine that Microsoft has bigger fish to fry and AWS has bigger fish to fry. Problem is, if you're not using Amazon, you just use a botnet and then there's
no limitation on that. I got you. Right. And for the education of our audience, just in case you may have heard it in the news, what exactly is a botnet? I think I know what it is, but I want to hear it straight. From the when hackers take over systems, they can do various things with them. They can ransomware them, they can steal your personal information and do identity theft and credential theft. But they can also just turn your computer into one of their slaves and it'll be a
zombie in their army. And they get 100,000 of these systems. They could do Denial of Service, they can rent them out. Think of Coin, I think was a thing for a while. Yeah. And honestly, what's interesting, talking about data trends, you start to see ransomware attacks on systems go up when bitcoin's value goes down. So if it's more advantageous for you to use those systems to mine coins, that's what they do. But when it's not, then they just switch over to
ransomware and they start making more money that way. So you keep an eye on that market and, you'll know interesting. Yeah, interesting. So they make money, whoever they are, they make money on the way up. One way or another. Yeah, exactly. Right. You have to admire they're business savvy. Oh, it's impressive. You shouldn't, but you
¶ Renting botnets, ransomware, and varying threat levels.
can rent a botnet, rent a ransomware framework. So let's talk about one thing. There's different levels of threats. So the kid that's walking through the parking lot trying car doors to steal stuff out of a car is not as much of a threat as the professional who knows how to break into a vault. And there's fewer of that latter than there are of the former. So what you're trying to do is you're trying to build up enough defense that the threats that
are likely to come your way are going to be thwarted. You can't stop everything if Dwayne comes after you, I can confidently say we're getting you because that's what we do. And we're not script kiddies. We're not amateurs, and we have a lot of capabilities, a lot of software. Some of the software packets we use cost $60,000 a year. Wow. Hackers sitting in their basement
aren't doing that. We're a different level of organization. But you want to prepare for the highest level you can so that things bounce off you. Isn't that referred to as advanced persistent threats? Yeah, we would represent
¶ Advanced persistent threat with unlimited resources.
an advanced persistent threat because we can do things and spin up resources that aren't available at the lower levels. The lower levels are like kids in high school that are just trying to make a name for themselves. And then there's the we actually have a slide called the Pyramid of Threats that goes through all this. And the next level would be basically a stalker, technical stalker, somebody who's a little bit of a techie and is mad at
you and comes after you. That's very personal. Kim Jong Un is probably not your stalker. Probably. The next level is the criminal syndicates who are just in it for the money, and they're going to go after the softest target they can find. And if you make it hard for them, they're just going to go away
because you're not what they want. They look for another target. And then you get up to organizations like ours that work with enterprises and governments and billion dollar entities, and then you get to governments themselves, which, when we talk about mitigation, we have levels of what you need to do to stop the script kiddies and everything else. And the top, when we get to nation states, it's prayer. Yeah. There's not much.
That's perfect. Yeah. What's fascinating, though, is I remember reading Bruce Schneier wrote a book on cryptography, which is probably still a vaunted tome, but I remember one of the things was he didn't say exactly what you said, but he phrased it differently. If you're talking about cryptography. There's cryptography to keep your little sister out of it, and there's cryptography to keep nation states out of it. And that's a very wide spectrum.
Even though he wasn't writing about cryptography, it sounds like the same philosophy holds true. There's also a duration aspect. So if I'm firing artillery at you, I need the coordinates those are going to land at to be secret for about two minutes, and then after that, it doesn't matter. Then it doesn't matter. Right. But if it's nuclear missile silo locations, I need that for decades. Or mineral depots or things
like that. So there's a time duration that also. Factors in which actually, I think is a good topic of something else I'm fascinated with is quantum computing. And I know that you're laughing, so that I know there's a good story behind this. I have a podcast on quantum computing called Things, and it's the only topic that shuts Dwayne up. I'm going to go do something else now. So that's why I saw the eye
roll and then you were laughing. Okay. So the reason why people are kind of because in the security space and in the government, there's this whole thing of how do we get post? Yeah. Shor's law. So Shor wrote this algorithm that could theoretically break how we do cryptography now is largely based on it's hard to reverse factor prime numbers. It's the discrete log problem. Right. Which underlies RSA, Diffie-Hellman and elliptical curve. Oh,
elliptical curve, too. Yeah. I thought that was meant to be post. Okay, well, they thought so, not so much. Oh, is this the one that was broken? And don't worry, listeners, we'll unpack this. That was the NIST SIKE. It was an implementation break. So if I can just give a quick reel. No, please do. There's a lot to unpack here, particularly. For folks that are I'm not an expert, but I've got a podcast for the last two years on quantum computing called Entangled Things, and it's a great
way to learn a topic really well. I took the MIT courses. Peter Shor was one of the professors, and so he came up with a way if we had a suitably advanced quantum computer, we could break RSA 2048 or RSA anything. Diffie-Hellman and elliptical curve. Now, those aren't our primary symmetric encryption protocols. Those are our primary asymmetric encryption protocols. So those are the protocols we use to share the key that then does all the
encryption. Because files and large amounts of data can't be encrypted with an asymmetric key, it has to use symmetric. But
¶ Asymmetric key shares are essential but uncertain.
how do you share that key? Well, that's where the asymmetric comes in. And so it's the key to the key drawer is really what it is. And so if those all break, then we need replacements. And NIST, which is one of the reasons I'm a big fan, has come out with basically, they did a bake-off over the last five, six years to figure out which algorithms would not be quantum based, but would be quantum resistant. And Crystals.org has CRYSTALS-Kyber,
CRYSTALS-Dilithium. So you got to love the techies, right? It looks like those kinds of technologies are in our future as well as when quantum finally arrives. The problem is no one knows when quantum will actually be ready. And that's the sticking point. Is it the end of this decade? Is it three decades? I think it's closer to the end of this decade, but we don't know because we're in the middle of the infancy of quantum. But the computers do exist now. But the point you're doing about
time, right? So if you need something to be secure for decades, right now is the time to at least try with post quantum cryptography. Because and supposedly there are stories that there are bad actors out there storing stuff, storing data for later. That's what's motivating. Honestly, that's where a lot of the money is coming from for quantum computing, is because of this threat, nothing funds like defense. So this has turned quantum into a defense
spending among the primary powers. But it also solves a lot of problems, does a lot of other things. So speaking of geeky stuff, there's a quote from one of the Ferengi characters on Deep Space Nine, and it's something to the effect quark. Yeah, it might even be one of the Rules of Acquisition, but it was basically something to the effect of no one ever went broke selling weapons. I have that book somewhere on this bookshelf. I have that too. That's an awesome
book. Yeah, not wrong. I highly recommend that book. I don't know if it's print, but. The other thing I'd say about quantum, and I bring this up every now and then, we have a podcast called Impact Quantum as well. We've been doing it about a year and a half, two years. So it sounds like we started around the same time. Wow. But it's interesting spinning around in the corner in all of this is as they run simulations to try and simulate Quantum every six months or so, they go, oh
man, we can take this problem. That was going to take 100,000 years on traditional hardware. Now we can do it in a couple of months. They keep finding these optimizations, I guess. And so it's like without meaning to be here already, quantum is kind of sneaking in. It certainly is. And I think we've just hijacked the podcast here. I
know, right? Yeah, it's all good. All these things are. So one of my favorite shows of all time, aside from Deep Space Nine, of course, is there was this British television series called, I think was Connections. Yeah. And I think it was with the guy who's done a bunch of documentaries, or it was the guy who played a James Bond villain at one point, I forget. But they would basically try to connect. I'm going to get a lot of hate mail on that one because I'm totally messy.
1978 TV series. This guy, he had a bunch of James Burke. James Burke. You're right. Yes. But he looks like a guy that would play he was also in Game of Thrones, looks like a mad scientist. But he had a number of shows from the 70s into the don't know if there's any newer ones, but you basically show how the way we learn about anything right. Is a very siloed right. You have English class, you have math class, and then you put your brain
on part of your brain on the shelf. But he kind of shows how one particular one that stuck out was the connection between perfumes and the carburetor. And that's awesome. The spoiler alert was the Atomizer for the carburetor came from. But there was a whole connection of people that knew each other, who knew each other, just like today. They didn't have
¶ Connections without LinkedIn, intermingling ideas in history.
LinkedIn then, but you would always have these second and third connections that you would meet at a cocktail party or ballroom dance, depending on the time period. And it was just interesting how these ideas would intermingle. Another story I like that kind of illustrates that, is that apparently there's some cafe in Vienna where Freud would hang out, Einstein would hang out, and so would Vladimir Lenin hang out from time to they did they have conversations with each
other? I don't know. But just the fact that they were in the same coffee shop around the same time opens up the thing of did Einstein say to Freud, like, hey, can you pass the sugar? And then, you know, that's what your mom said, or something like stupid stuff like or or Lenin would have said, is it really your sugar? But you have to wonder. These little type of chance encounters, those are the types of things that the thought of which fascinate
me. Yeah. It is impressive how some of the modern day, you think brilliant inventions, and when you unpack them, you're like, it was a lot of little steps and a lot of weird connections that happened that brought this thing about, right? Yeah. And Quantum to me, is still mind blowing. I'm working on breaking into conventional systems for now. I'll break into Quantum systems later. Well, yeah, I mean, eventually anything can be broken, apparently. You can watch the movie War Games, and War Games
came out at 83. I would have been impressionable young youth, and I was just fascinated by that movie. And there's a scene in there where he smugly turns to I guess it would have been Ally Sheedy, like, anything could be broken. Like, if nothing has ever been such a timeless, a just existing is kind of like a vulnerability. I'm telling you, those movies all right, how many of you are fans of Sneakers? Oh, yeah. Well, that wasn't Robert Redford.
Yeah, that was the one where I was like, okay, if there's a job in the real world to do that, that's what I want to do. Social engineering, right? That was the first time I saw it. Oh, my gosh, I just love that movie because it showed, like it's not just the obvious, right? Like the thing where the guy who was blind was playing back with tape whistler was playing, like, the tape. Okay, well, what did the road sound like? And he goes, he described he goes, did it sound like this? I was
like, no, a little slower. Oh my God. I was like, So you were on that highway? It was just like but that was one of those moments where you're like, wow, holy crap. That sort of thing possible. Where he's listening to neon signs as they're moving the mic around, and he's like, no, that's an exit sign. And they're like, Dwayne, do you want to talk about the way you hack a database without actually reading any of the data? So awesome. Based on denials. Have you guys ever heard of blind
injection? No? Okay. Blind injection is the coolest thing ever. So let's say we go to a website and it's black magic, it's like voodoo stuff. You go to a website and let's say in the website, all you can do is you have a little drop down and you can change the language of the website. And that's it. That's all you can do. No login screen? No none of that stuff. But in that drop down, as a website owner, you keep adding languages. So you add French and you add Spanish and you add whatever,
right? So that pulls it out of a database. So what
¶ Inject data, stack query, gauge page speed. Awesome.
I can do is, even though I don't have the ability to inject data, I can stack the query for the language, and then at that point, I have the ability to gauge how quickly the web page comes back, so I can say, okay, give me the language Spanish. And if the first column in the first database is an A, then pause for a fraction of a second and the page will pause for a fraction of a second.
So you can pull all the information out of the back end database just by how quickly the page comes back to you, whether it's two milliseconds or five milliseconds or ten milliseconds, just by blindly injecting, which is awesome. Yeah, that's insidious.
The first time I heard about SQL injection was actually at a Microsoft like, dev days thing in New York, and they built this website, I might have been Channel Nine, which for our listeners, they know what Channel Nine is, but it was basically like a community site where they would post content they since killed. It rebranded it's been rebranded to Learn TV or something like that. But
I was on Channel Nine. You were half Microsoft flew me out to and five other hackers flew us out to Vegas to break into a casino and they did a half hour long, like breaking into casino. So we did injection. It was called the code room. I remember the code room. I got to see if they've archived that. We have to check it out. You're like that guy in Ocean's Eleven, right? I'd like to say it's the only time I've ever been walked through a casino in handcuffs, but whatever. Anyway,
¶ Show reveals database vulnerability; Microsoft staff alarmed.
another show. Exactly. No. So the same team that built Channel Nine, this would have been early 2003, 2004, they basically had shown how they did this challenge, like, who can hack this? And basically somebody had basically said, well, your database sent the email back saying, you know, hey, this is what your database looks like. And everybody at Microsoft was freaking out. And it turns out it was a SQL injection. But when I first heard that, my mind was blown like I never thought
of cool. And the wife did nix the idea of naming our kid Little Bobby Table. Bobby table, right? Missed opportunities right there. Right? Little Bobby tables. Which if you don't know that story, you have to Google it because the xkcd cartoon does it. Those are excellent. Brilliant. One of many. So this is awesome. We've talked about OSINT, but there are other disciplines in this. Oh, there's, there's, there's Red Team, Blue Team, pen testing, auditing, auditing, C&A
certification, accreditation. Being a good developer. OSCPs. Oh, yeah. Just not being a bad developer using oh my God. Well, that's really true. Oh, Patrick. You froze Patrick. I think we lost him. We lost him. So while we're hoping his video comes back, I will tell you a joke that because when my first child, I think I'm back. You are back. So think about building a house. And then afterwards you say, okay, now secure it. You got to replace all the
doors. You got to think about windows. Now, it's much more expensive when you build anything, whether it's hardware, software, or anything, if you start with security in mind, it's much cheaper. And so really, security is a job for everybody. Data architects, SQL administrators, network, file systems, NAS administrators, everyone. And then there's the ones who are just thinking about security all the time. But we have to make it pervasive. We have to make
everybody think about it. Well, I mean, that's a good point, because there's
¶ Acquaintance does physical security with lock picking.
an acquaintance of my wife who does I forget what it's called, but it was basically physical security. He does all kinds of security, but one of the things that he does is more like the stuff you would see in movies where they follow people. They kind of do kind of like the lock picking and the lock picking, stuff like that. There's actually a video on it might have been from Defcon where breaking into like 50
places in 50 days or something like that. But I was talking to this acquaintance of my wife and no names, but he basically that's one of the jobs that he does. He's contracted to do that. And he'll get some interesting things where they have some really good stories. This guy. This guy's. Stories. So one story was he's testing out a new data center for someone, and they want to test the security. And he's like, okay. Takes a look around outside, he walks in and he goes
and the customer says, well, when do we start to test? And he goes, has the paperwork been signed? He goes, yeah. So he looks at this bulletproof door, and then he's got these giant boots. That's what he always wears, these giant boots. And he just basically looks around. He goes, and the paperwork signed, right? He talked to the lawyer who was there. He goes, yes. Paperwork signed. And he turns to the customer once again, he goes, Are you sure you want to do this? They're like, absolutely.
We're secure. We'll get it. And then he does and he does this, like, karate kick, and he's a big guy. Basically knocks down the bulletproof door. Oh, my God. Because the bulletproof door was not on reinforced hinges. Sure, but it was just kind of. Like the description that he gives of whoever was the chief security officer's face just blew color drained from
his face. We've done physical security and seen bulletproof systems where they were installed backwards so that people attacking could have taken it out. Because the hinges you have to think about where the hinges are and where the nuts so when you disassemble it. We lost them again. Oh, no. Sadness. I want to know how it ends. So while we wait for him, there's this TV show called Burn Notice, which always has some oh, I love Burn Notice.
It's one of my favorite shows. Yeah, well, the one where the drug dealer and I love how he does like the voiceover. He goes, this drug dealer has a bulletproof angel. Angel. That's right. Sugar. Sugar. Sugar. It was sugar. He lived downstairs from him. He shot the door. He shot through the door. The wall. The wall. No, the wall. He's like, yeah, but there's not bulletproof drywall. The way he says it was funny. Yeah, I highly recommend I forget what service it's on, but I discovered it because
it was on Pluto. They had a channel that was just Burn Notice, twenty-four seven. And then like 7 hours later I was like, oh, my God, 7 hours. It's that good of a show. So you were talking about the before you froze up, you were talking about the hinges. Oh, I'm sorry. I don't know what's going on with my Internet connection. I apologize. No worries. You're probably in the middle of a hack. Dwayne is actually hacking. Yeah. Let me stop. Hold on.
So my password is 54 characters long because he kept telling me what my password was in the smarmiest voice possible. How many years would that take to break all of them? More years than we all have. Until I get quantum computing comes up to speed, then we're good. Probabilistically. Yeah, I think I was just saying that you got to make sure you think about where the hinges are, which direction they're facing and stuff like that, but it's mistakes. If you look at the news of the day, it's
misconfigurations. It's social engineering, and it's getting more and more complex, and so we're having a tough time keeping up with the education, which is why podcasts like yours and ours are so important. No, absolutely. And you're right. Security is everybody's businessweek.com. I've got to check that out. And you got the. Oh, my God. You need a we did it. Yeah, we were talking about you were talking about the physical security part. I did a little
bit of that back in one day. You were in the military, so you did a lot of the back. Yeah, think about it. At least
¶ National Guard, security, Virginia, Maryland, clever, electronics beaten.
the National Guard stuff. But it was interesting because being in Virginia and working with a little bit of physical security here, it was amped up a notch. Same way Frank's in Maryland. Same way in Maryland, if you are in driving distance of important places, you know that there's no need to give anybody any more ideas, but occasionally, somebody would do something clever. And the gist of the story, kind of the moral of the story was they didn't beat the electronics. No. They beat the.
Was. And it's the same thing with social engineering. It's the same thing with all of this stuff. So hopefully I didn't say too much. Frank, you may have to take that out. I don't know. I live now. I was being the tomahawks on its way. Andy. We have the watch lies come back on, but no, I live up the road on Route 32 from if you know, you know, from places. I know from places from places
in and around that county and the next county. There's a lot of office buildings, you know, just have no signs on them, have suspiciously high degrees of security, and they don't like when you pull up unannounced. Oh, my. No. So right next to where the Microsoft Reston office used to be, there is an unmarked building with
a high number of security. And one of my former bosses who drove down from Pittsburgh, his first trip to the Reston office, he missed the turn, and he was trying to turn around inside that parking lot. Yeah, no. And yeah, he learned very quickly. He went back up. Severe tire. Not that parking. No. Well, I mean, law enforcement showed up pretty quickly within seconds, and they're like, what are you doing here? And he's like, I'm just trying to get the money. Just turn around. Like, sure you are.
So ten years ago, my daughter was moving out of a place that she was renting down in Boston, right by the VA hospital. She was finishing her senior year of college, and I had a U Haul truck. And I took the U Haul truck and parked it in the VA parking lot because I'm a veteran, right? And I moved a barrier to do it because I'm a veteran. And I parked it. And then I went and walked through the woods to where her apartment was to talk to her and left my 17 year old nephew in the car.
And the cops came, guns drawn, like, Open the truck. Open the truck. Oh, my goodness. Okay. And he opened the truck. It was empty. They're like, what are you doing here? And he's like, oh, my uncle. And he's like, this better not be here when I come back. I came back, and he's like, telling me this story. I'm like, I'll be fine. We're leaving now anyways. And we leave, and the cops coming back, and I'm like, I wave. That's funny.
¶ Funny Microsoft speaking gig with office building hazing.
Yeah, there's a lot of good stories. My first day at Microsoft not my first day, but my first speaking gig, because I was doing a developer evangelism then was at a nondescript office building in and around the Bethesda area. And I've driven past 100 times, never noticed it. I still think to this day it was a hazing thing, right? I was a last minute replacement for somebody else, so my name wasn't on the big list. So I
show up, and I wasn't on the big list. And then the guard looks at me and was like, well, why don't you go over there? I'm like, uh-oh. All of a sudden, out of nowhere, this normal suburban looking building like, armed machine guns meant it was just like, oh, my God. Like dogs sniffing around the car. It was crazy. And the guy with the heavy machine gun said to me, you want you to sit in the car and wait for Ain't getting out? And so finally, they did manage to get in a hold of somebody, but it
was just kind of like, oh, my God. Yeah. So I've been drawn on at an air force base. We went in to do work, and I was working with I won't mention the military contractor, but military contractor. I wasn't cleared for the particular intelligence systems, but I was helping them do security work. So the contractor had to type, and I had to tell her what to type. And after two days, she's like, listen, I don't know what you're telling me to type anyways. Doesn't matter, right? Just
sit down and type at the computer. I was like, okay. So I'm sitting there typing. After a couple of hours, she leaves. A fully uniform guy comes in like, what's your clearance for that system? Oh, my God. I don't have any clearance. Pulls his gun, pulls his gun. Is like, don't touch the key. Step away from that keyboard. And I was just like, I got to get shot. Yeah. Back up slowly. Yeah. No, that was probably the scariest cyber incident I've ever been
in. Well, it's interesting because the cybersecurity world, I think, is really an interesting space for a lot of reasons, but it does blend the physical and the real, right. The kinetic and the virtual, as I've heard said. It's fascinating. Yeah. You know what, we didn't get to our questions. I know, I'm okay with that. This was an awesome conversation to come back. There you go. I love
it. So we will ask this because you told us in the virtual green room you didn't want to be advertising your company and that sort of stuff, but we ask everyone, where can people learn more about you? And feel free to plug your business. Our website is Pulsarsecurity.com. We're in a weird situation because we have very high end cybersecurity talent. We have several billion dollar customers, and we try to do a lot for community school systems, things like that, on a budget. So cool.
But we're really not looking for a ton of customers, which is a good place to be. So we're mostly promoting the podcast to say, that said, we do try to help people who need it, but we also have to pay a lot of cost for that high end software that makes sense. Securitytheweek.com, podcast.
And entangle things. Okay. Entangle things. Okay. So before you go, there's one question I think that everybody who's listening to this is probably asking themselves, if you're not in the security field, how does one get started? Where does one get started? You mentioned, like, pluralsight, LinkedIn. There's all sorts of training out there. If there was this much training when I was a kid, I would be way smarter than I am now. You just have to start going and surveying. I tell people they
should start a mile wide and an inch deep. They need to learn terminology. They need to learn what is SQL? Well, SQL injection. What's SQL? You have to understand what a database is. You have to understand what a file is. You have to understand what Red Hat is and what Kali is and what Linux is. You need that basis. And then you can figure out where your niche will be. Whether you're going to be an auditor, or a hacker, or a red teamer or blue teamer
or project manager or whatever. Because it's kind of like saying, I want to be in security or I want to be in technology. That's like saying, I want to be in medicine. It's a wide range. You need to just start getting that understanding so that when you listen to a podcast or read an article, you understand what they mean when they say deployment or compile. That's where you start. You start with the vocabulary. And I'd say the other thing is reach out
¶ Reach out to companies for cybersecurity opportunities.
to companies. I can't tell you how many times I have people reach out to me and say, hey, listen, I'm interested in cybersecurity. What should I do? And we'll do things like, I'll have them sign an NDA and bring them on an engagement. See if this is for you before you actually go. And just watch and ask questions and use it as a training event. So it's things like that. I think you'll find companies out there who are just there's so little people in the cybersecurity space.
They're just willing to help and educate and see if this is a field you're interested in. Also, we are summer program True with interns that come in with us. We're working with high school in the area for kids that it's a STEM high school bringing them on and having them do their required hours just to get a feel for what it's all about, what it's like. Yeah, right? And that mystery voice is Jill. Just for the listeners that are like. Who was somebody broke into the podcast.
That's hilarious. Nothing's safe. Okay, Joe. We didn't say your last name. We're good. Yeah. That's really interesting to know about the intern program. My daughter is headed to Virginia Tech for computer science, and she's looking for I don't know if she'll want to do cybersecurity, but if she does now, I know some people. Yeah, there you go.
Have her reach out. Because, honestly, even if she just wants to sit in and watch what a Red Team engagement looks like, I've had people my son's 19 years old, and I got him to intern and look at engagements, and he came to me after, like, a year, and he was like, hey, dad, you know what? And I was like, yeah. And he's like, I hate this. This is not yeah, this is not for me. That's a good thing, though, right? Because it's a great thing. Did he say this or you
fire targets down. Tell him his 54 character password. That'll get. Well. This has been an awesome show. I hate to end it, but all good things must end. But we'll definitely have you back, because this is a field that I think and there's topics in my head that we didn't come up with. Right. The idea of how do you secure data from the source to the end, right? Because if you're training these AI models, particularly with something like a
Kafka stream, what if you inject bad data in? How do you detect that? A friend of mine was talking about there was some talk of using blockchain technology to kind of authenticate data transactions. So that way when you're learning it, you have kind of a trail to it. And obviously that could probably be another hour episode right there. But in the interest of time, we'll definitely love to have you back, and. We'd love to join you. Any parting thoughts? Stay
in school. Yes, stay in school. Use long. Change your password. Right? And keep listening to this podcast. It's great. That's right. And the other ones? Awesome. All right. And I'll let the nice British lady finish the show. And that,
¶ The end of a thrilling episode of Data Driven explores cybersecurity.
dear listeners, brings us to the end of another riveting episode of Data Driven. I hope you've all enjoyed delving into the mysterious world of cybersecurity. I must admit, the idea of advanced persistent threats and hacking can be a bit unnerving. But, hey, who needs beauty sleep when you can have nightmares about hackers instead? As we sign off, I'd like to extend a big thank you to our guest speakers, who shared their insights and experiences, including that rogue AI of
theirs. Remember, folks, hacking might be a dark art, but with great knowledge comes great, um, well, cybersecurity skills, I suppose. But wait. Before we bid adieu, I'd like to remind you all to secure those passwords, enable two factor authentication, and resist the urge to click on suspicious links. Because, let's face it, no one wants to wake up one morning to find out their bank account has been drained by a hacker named Dwayne.
