Everybody, welcome to the Team House, episode 269. I'm Dave Parke, co-host Jack Murphy. Behind the wheel is Steel. Tonight we'd love to welcome our guest, Jeff Man, at NSA for 10 years, 28 years in the crypto and hacking community outside the NSA. So Jeff, thank you very much for coming out from the shadows and sharing your time with us. Happy to join you here this evening. Looking forward to having a fun conversation.
A little stroll down memory lane, as it were. I just want to hit everyone up before we get started and let you know about our Patreon. You can find the link down in the description. If you guys sign up, you get access to all of these episodes ad-free. We really appreciate you guys supporting the channel. So if you can, please go take a look at it. Again, the link is down in the description.
Jeff, on to you. One of the things we like to ask our guests is, what's your origin story?
Like, how did you grow up and what led you into the crypto world, the cryptography world? Well, it's a great question. And ironically, on the podcast that I'm a co-host on, Paul's Security Weekly, we often start the interviews with the same kind of how-did-you-get-your-start question. And for many years, if somebody asked me how I got my start, I'd say, well, you know, I sort of cut my teeth, I got started at NSA. But I realized a couple years ago that that doesn't really tell the story.
The real story is how did I get to NSA in the first place?
And I'll try to be succinct. I grew up in a family of pretty smart people. My dad was a physicist. He actually, in the 1950s, came to the Washington, D.C. area and went to work for the Naval Research Laboratory around the time that they were experimenting with hydrogen bombs, hydrogen devices. I guess the first one was not technically a bomb. He used to tell stories about how he was on a ship in the South Pacific, and he got to watch the detonation of the first hydrogen device, obliterating a little atoll called Enewetak.
So my dad being a physicist, and me being like many people having daddy issues, I grew up as, like, I'm not going to be a physicist. I tried to avoid physics, and I did. And I'm the youngest of four boys. We all like to do puzzles. We're all sort of analytical, problem-solving. And I really grew up doing puzzles, crossword puzzles, cryptoquizzes, back when we used to have newspapers and comics pages.
There'd always be like a little Caesar-cipher type of cryptogram that you had to solve, usually like a famous quote or something like that.
Yeah, I went to college, didn't know what I wanted to do. I graduated with a business degree because it was the easiest major I could find that required the least amount of work, the least amount of term papers, and I didn't have to take physics. My mom at the time had gone back to work, and she was working for a different naval institution called the Naval Surface Weapons Center at the time. And she actually got me a summer intern job before my senior year of college, working ironically for a physicist. Only this guy was doing anti-submarine warfare research.
My first week on the job, my first day on the job he asked me, what do you kn...
And he's like, well, I could explain it to you, but, yeah, there's a book that came out recently. It explains it about as well as anything does. So he handed me a copy of The Hunt for Red October.
So I thought, this is really cool. My first week on the job and I get to sit and read a book.
So, summer intern job, graduated, looking for what I wanted to do with a business degree, was putting in applications to a lot of different places.
My mom, who worked in human resources, or personnel as they called it back in the day, had a friend whose daughter had gotten a job at this place called the National Security Agency. And being born and raised in Maryland, I'd never heard of it, because it used to be very clandestine and nobody knew it existed. Nobody was supposed to know it existed. There were no signs on the highway or anything like that. But I filled out a standard government application, mailed it in, got a response from them, and went to Fort Meade for a couple days of aptitude and skills testing, psych exam, polygraph, all sorts of different prodding and poking.
But most of it was just taking these various skill-level exams, aptitude tests, and long story short is I scored really well on the tests, and so they offered me a job.
What I didn't know was, they just hired me. When I first went to work for NSA, this is back in 1984. I'm sorry, 1986; '84 was the George Orwell book.
I was granted a secret clearance, but I was going through the background investigation to get a top secret clearance. So I had to wait a couple months, and while I was waiting, I essentially went on a bunch of job interviews.
And I ended up in what at the time was the defensive side of the house, which we called, at the time, communications security, soon to be renamed information security, later on to be renamed information assurance, now sort of dissolved, and you have US Cyber Command, but I'm getting ahead of myself. So I went to work for the manual cryptosystems branch, and they were looking for someone to do cryptographic analysis of manual cryptosystems that they produced and that were fielded primarily by the military. So I went to work for them. I had somebody that was there on assignment from the operations side, a real cryptanalyst. He sort of took me under his wing and became my mentor, and he was actually the one that advised, "Yeah, this is a pretty good job. You should take this."
So one of my first assignments, actually my customer was US Special Forces, so there's a little connection there. And I can tell that story in a minute. But the day I knew that I was in the right place, that I had found the right place to be, was... you know, I'd mentioned growing up my whole family liked to do puzzles.
And when we would go on vacation at the beach in the summer, we'd buy a single copy of a Dell Crossword Puzzles magazine that had all sorts of different types of puzzles in it, but they always had one or two logic problems.
And we all loved to do the logic problems. And there was usually like a little table that you could use to fill out and kind of help you solve all the clues. And basically the logic problems were like maybe eight or ten statements about a bunch of different things. And you had to, just based on a couple clues, connect the dots, and, you know, maybe it was, there's five different students taking five different classes, what's their favorite subject, from five different teachers in five different classrooms. And they'd give you just very vague types of clues, like Sally loves biology and it's next to the red room, and statements like that you'd put together and try to figure out whose class, you know, who's the teacher, who's the student, what's the subject, that type of thing.
So that was something I grew up on. One day at lunch, I'm talking to my mentor and he's working on something, and I asked him what he's working on. He says, oh, I'm writing a logic problem. I'm like, oh, I love logic problems. He says, yeah, I write logic problems as a side job for Dell Crossword Puzzles.
So it was like, you know, the planets were in alignment, I knew I was in the right place. So my start at NSA was really in cryptology, and I was doing analysis of, you know, systems, and really just designing systems. My very first assignment was to come up with a replacement, a new memory cryptosystem for Special Forces when they were deployed.
They had at the time one-time pads, paper pads with the key, the random key w...
But if they had to, you know, exit some place really quickly, or they're on the run and they had to drop all their paper, they still wanted to have a way to communicate securely, so they needed to have a way of doing a memory cryptosystem. So that was my first assignment, to come up with a new memory cryptosystem for them.
In doing that, I had just been through, you know, the five months of waiting to get my clearance, taking all sorts of introduction to cryptography classes, history of cryptography classes.
I'd learned about things called cipher wheels. If you've seen A Christmas Story, you know, the Little Orphan Annie decrypt ring. And I thought, you know, there ought to be a way to take a Vigenère table, which is what Special Forces used, which is the alphabet, 26 offsets, in a big table, which for Special Forces actually translated into...
Trying to get this on screen for you. I think it's 123 unique three-letter groupings that they called trigraphs. They would memorize these things, the commos.
When you put something through a one-time pad and a trigraph, it's considered impossible to decrypt, right?
Absolutely. There is no cryptographic solution for it. There's no brute forcing. It's completely random, based on the fact that there's only two copies of the key in the world, one on each end. As long as it's not stolen or compromised and it's used only once, it's unbreakable. Anyway, I was struggling... I wanted to use essentially the same algorithm, use these trigraphs, and use this Vigenère table, and I thought there ought to be a way to do it on a wheel. So I figured it out with graph paper and drew one out, and my mentor helped me with it, and we kind of came up with the design.
The first one was glued to cardboard. I took it with me the next time I went to, what's that place in North Carolina called now? Fort Liberty. Yeah, used to be called Fort... we can't say it anymore.
But I turned my back to write on the board, turned around, and the thing was gone. They'd stolen it from me. I'm like, guys, where's my wheel? And they're all looking around. So, after a couple visits and bringing multiple hand-made copies, I finally said, you know, we're in the business of... we're NSA, we're in the business of making cryptosystems and all sorts of crypto for you. Why don't we just make a bunch of wheels? So, there was a machine shop at the time at NSA, because back in those days they were building little black boxes, engineering little black boxes that would go in different places.
So, I had them make a prototype of this thing that we called the Vigenère wheel. So, the three-letter combinations would just line up. You get two letters and the third letter appears in the window.
They loved it, so we ended up producing 15,000 of them and distributing them to US Special Forces, all the different groups. This was probably in 1988, I would say, and as far as I can tell, they were using it up into the early 2000s until, you know, digital crypto solutions and encrypted phones and stuff became popular. So, that was my very first assignment: made a wheel. And if I may, shameless pitch: at Fort Meade, which is where the National Security Agency is located in Maryland, there's something called the National Cryptologic Museum, and at the end of this month, April, a copy, one of the production models of what came to be known as the "Whiz Wheel", or I came to learn that that's what they called it, is going to be put on display at the National Cryptologic Museum.
They're excited about it because, you know, they're not usually putting stuff on display where the people responsible for it are still alive. I'm excited about it because, you know, something I did that was just a silly little thing, as far as I was concerned, actually turned out to be very instrumental in the mission of US Special Forces for over a decade. I had the opportunity to meet someone that was a former Green Beret a couple years ago at DEF CON, a hacker conference in Vegas. Actually a friend of mine met him, and found out he was a Green Beret, and asked, "Oh, do you remember the Whiz Wheel?" And he said yes, and they said, "Would you like to meet the guy that invented it?"
So I met the guy, and long story short, he said, "You know, I think you might qualify for membership in our alumni association because you kind of made a significant contribution."
So he got me a lifetime membership in the special forces association.
That's fantastic, yeah.
And I had the opportunity... you know, COVID came along and kind of blew things up, but I had the opportunity to speak at their convention last year. It was in Indianapolis, which is Chapter 500, like the Indy 500. And I asked the guys there when I was speaking, I said, "You know, I've been walking around with the prototypes, I have two of them."
And for, you know, 30-some-odd years, I've never seen a production model of the Whiz Wheel before.
And I put out an appeal: if anybody was willing to donate them, you know, I was trying to get a couple, one of which was to be put in the National Cryptologic Museum; that was the goal anyway. They came up with two. One has been donated and will be put on display. This is another one, this is a production model of the Whiz Wheel. And this one is designated, if we ever get a contact for the special operations museum that's down in North Carolina, at Fort Liberty. Yeah, that's where we want to put the other one.
This is a little piece of history. That's amazing.
So I'll pause for a minute, that's how I got my start.
Just solving puzzles, got into crypto, designed something, came up with a little quick fix.
It was really just an aid for me, and ended up being something that was pretty critical to the mission.
Many missions that I don't even know about. Many Special Forces teams. Before we get deeper into it, since you're the first guest we've had on from NSA, we've done all kinds of different federal agencies. Could you explain to our audience a little bit about what the National Security Agency is, what their mandate is, their job, why they came about? Sure, I mean, I'm not a historian. I can give you a little bit of the history.
I've probably forgotten more than I know about it at this point.
NSA, I believe, was started in the late '40s.
It was sort of after World War II, organizations that were doing code breaking and things like that, and what worked kind of got reorganized, and they came up with this idea for the National Security Agency. I want to say '48 or '49 was when it was convened. It was like an international information agency or something first, wasn't it? Yeah, you probably know more, and you can Google quicker while I'm talking.
Yeah, sure. To get the exact story, it'll come back later on in my story, but I'll share it now.
The charter, the mission of NSA, is, I always used to describe it to people, the operations, what we call operations, is basically to be the big ear of the country, responsible for primarily monitoring and intercepting signals. Anything that was going out over the airwaves, which back in those days was mostly radio, a little bit of, you know, eventually television, you know, maybe some telephones, but primarily radio waves, the whole spectrum of sound. NSA's mission was to listen to everything and try to intercept whatever they could from other countries, adversarial countries, third... you know, nation states, what we call them these days, and, you know, just keep tabs on everything.
So at one level it was a big collections agency. We collect a lot of information, and there'd be people that would try to break codes and ciphers, when those were in play; others would translate foreign languages that they intercepted; and there'd be other people that would read it and try to, you know, extract useful information that gets put together in daily reports that get sent to the White House and the Pentagon and other places. Anybody who is, you know, a customer for intercepted collections and communications that are collected.
At the broad level, that's what the mission has always been, with some rules that were put in place in the early '70s after Watergate and the Watergate investigations,
Senate subcommittee hearings that happened after Watergate, one of which was a Senate subcommittee that was chaired by Senator Frank Church, and their output was called the Church proceedings, and they published several volumes of material. But in essence, what they discovered as a result of the Watergate investigations, the Watergate break-in from the early '70s, was that the three-letter agencies, like NSA, FBI, the CIA, had a lot of power and a lot of capabilities at their hands, with not a whole lot of any kind of oversight or rules dictating how they would operate, rules of engagement as it were.
So, one of the outcomes of that was what I came to learn when I went to work ...
Foreign, foreign nationals, and specifically NSA cannot do what it does to US citizens. Now, fast forward to 9/11 and the Patriot Act, the rules kind of changed a little bit, but I mean, that's the charter that NSA was built on.
So, but you guys are also in charge of, like, maintaining America's communications security, as far as the US government, right?
Well, yeah, I was just warming up to that. Like, when I went to work for NSA, I was working on what we would have called the defensive side, information security, communications security, and it was probably, classified, maybe 10 or 15 or 20% of the personnel and the resources of NSA. So, even when I was there at the time, there were people there that had been there for a while, working the mission for a while, and everybody sort of had a chip on their shoulder. Everybody considered INFOSEC, as we called it, sort of the bastard stepchild, because operations got all the headlines, operations got all the budget, operations got all the glory,
and INFOSEC, which was the mission of providing secure communications and crypto to all of the US, whether it's the military or any level of government where they needed to have secure communications. That was NSA's purview, that was NSA's responsibility, the INFOSEC side.
So, I came into an organization that kind of had an inferiority complex, always did and probably always will; of course, it doesn't exist anymore.
But there was always this conflict between operations, what everybody knows NSA for, the fact that they know what NSA is, what they're doing, and then us doing the really important stuff that you don't get any credit for, making sure that people can't steal any of our communications. So, a lot of cryptographers, a lot of mathematicians coming up with the algorithms and the machines, the little black boxes that would secure the communications for the military primarily, any level of government, interdepartmental communications.
You know, embassies abroad and things like that.
And you went in, you said you went in around '86, is that correct?
Correct. So, the Cold War was still a very real thing at that point in time. Yes, yes, it was, which is one of the main reasons why I was hired. I was hired at a time when NSA was hiring a hundred people a week, and they'd been doing that for a couple of years, because they'd gone through a lean time in the '70s where they really didn't hire that many people.
The guy that was my mentor had been hired in the early '70s, and then they just had a handful of hires from like the early '70s to the early '80s. And then they really hired a bunch of people, and this is where I get a chip on my shoulder.
We didn't call it STEM back then, they called it critical skills, but they were mostly looking for mathematicians, computer scientists and engineers.
And if you had a degree in any of those fields, you would get a job offer. And you were paid on an accelerated pay scale, so you got paid extra. I think the engineers made the most, but don't quote me on that. You know, anywhere from 10, 15 to 25% more than what I was making as just a peon regular employee. But, you know, they hired me because I scored well on the aptitude test, the skills test.
And so I was not a critical skill.
And those 100 people around me that were hired the same week I was, they were first in line for promotions, they were first in line for training opportunities, first in line for diversity tours, going to other organizations. Because the game at the time was, if you wanted to be promoted up past a certain level, you had to have what was called a professionalization degree. And the professionalization degree would be similar to the certs that we know of in the cybersecurity field these days. And to get that professionalization, you had to have a certain amount of work experience, a certain amount of diversity of work experience, working in different places.
You had to have continuing education and, depending on what field you were choosing, various other things.
You had to go into the computers, you had to write a computer program at some point, and so on and so forth.
So, I, being just a regular employee, was, you know, not getting the opportunity to get the diversity tours.
I tried to get into an intern program and I wouldn't qualify for it, not beca...
I would say what it is on air, people would be shocked.
But, you know, my mentor did a good job of kind of nurturing and talking to friends of his, like on the operations side of the house, and getting me some diversity tours on my own, because he knew I was going to need it.
Yeah, they hired a bunch of people. They would go off to get a graduate degree and the government would pay for it. They called it the 20/20 program. So they'd work 20 hours, go to school for 20 hours. And then they had to give back government time to offset the time that they went to school. But what they failed to figure out for many years was the clock was running while they were in school.
So you could literally go to grad school, get a graduate degree completely paid for by the government.
And after about three months, you could quit and go out to the private sector and get paid more.
And that's what a lot of people did. So they were kind of growing by attrition.
And because I didn't qualify for the 20/20 program initially, I didn't get to go to that. I didn't get to do the intern programs. I just sat in this little office and designed a wheel that was used by Special Forces for 12 years and, I'm told, saved lives. I was also there at sort of the beginning of the computer age.
You know, IBM PCs were kind of a thing. I think my first office, I had a standalone IBM PC. It wasn't networked yet.
It didn't have Windows on it. It was just DOS. In fact, I think my first one didn't even have a hard drive. But one of my early assignments, I can't say it was my second assignment, but one of my early assignments in this office was I was approached by another customer, another military branch. And they were responsible for communicating with one-time pads with people that, shall we say, had been recruited in certain places in Eastern Europe. And the one-time pads that they were using in the field were really tiny, and they could hide them in the heel of your shoe, type of thing.
And they were printed on rice paper so that when you used it, you could destroy it by eating it. But the case workers, the handlers, were in SCIFs, controlled spaces, offices on the, you know, on the good side of the world. And their version of the one-time pad was sort of like a legal pad. But they came to us and they said, you know, it takes us hours and hours to decrypt and encrypt these messages, because they're getting situation reports from these people. And they said, there's this PC sitting on our desk. Is there any way we could use that? And me being young and naive...
Like, yeah, I don't see why not. Of course, I didn't know it at the time, but I was working for an engineering organization whose mantra was there's no such thing as software. There's only hardware. So all they did was build little black boxes. So I took up the project of coming up with a design for writing a computer program that could run on the IBM PC, taking the one-time pad key and, instead of printing it on paper, putting it on a floppy disk, which I forgot to grab.
So you'll have to look at the save icon on your... on your work. And that's what a floppy disk looks like.
And I had to go through an engineering process, a design review process called the FSRS, functional security requirement specification. It was specifications to build secure hardware, and I was building a software program. So I kind of had to fudge my way through it. I had to go through a review process with all the executive management of INFOSEC. INFOSEC was organized... it was a directorate, and inside the directorate were various groups, and every group had offices and divisions and so on and so forth.
But all the group chiefs, and there were like five or six of them, got together, and that was the board of directors, as it were. And I had to present the idea to them, and they said, yeah, go ahead and do it. And I came back with a design and had to go through its own security review, which produced issues that had to be addressed, and I went through that process. And eventually went back and pitched it to them and said, okay, I've met all the security requirements, met all the objections, we're ready to go, it's ready to field.
And the director, the chairman of the board, I don't know what his exact title was at this point, he said, okay, we'll let you do this, and literally he said, don't do this again. To my knowledge it was the first software-based system that NSA ever produced, and it was simply a computer program that would automate the process of doing a manual encryption and decryption with a one-time pad.
I actually ran into somebody about ten years ago at a conference that remembe...
So just to, like, correct me if I'm wrong, trying to paint the picture here: the person on the end, the user in good-guy land, is taking like an Oregon Trail floppy disk, putting it into the computer and then typing in the encrypted message he had received, and the computer would spit out the decrypted message. And conversely, if he wanted to send a message, he's typing in a message, hitting the button to encrypt it. And the trick was, one of the secrets of a one-time pad is you use one page at a time, as much as it is you need, and then you destroy it.
So we had to come up with a way of securely deleting a page of key at a time off the floppy disk, and part of that was coming up with a secure deletion or secure overwrite routine; that was a requirement.
And so I went searching and asking various offices, you know, can you show me one, can you give me the specs for one, and it had never been done before. So we had to come up... you know, it was a requirement, but we had to come up with what would this look like. So we had to come up with a routine for doing an overwrite of the one-time pad key that was on a floppy disk, and doing it enough so, you know, other really smart people at similar agencies couldn't figure out a way to read the data off the...
The floppy disk used to be like a flimsy piece of plastic where stuff was printed on it, the bits and bytes, in various sectors, kind of like a vinyl album. Yeah, smaller and much more compact. And you know, things that get deleted off of memory space on floppy disks and hard drives traditionally, at least in those days, didn't really get deleted. You would just move the needle to a different part of the record and start writing new information there. And the pointer to where your information was, which was sort of kept in a master list on the drive or on the floppy disk, that was erased, so you didn't have the location anymore, but nothing was done to remove the data off the drive itself. Eventually it would come around and get overwritten. So we had to figure out how do we zone in on exactly where it is and delete the right amount of key. It could be done, so there was some...
Engineering, as it were, software design, that had to be done, and people weren't happy about it, but they let us do it.
You know, in the late '80s or around that time, how were you keeping up with what was going on in the computer industry? Because it was moving fast. Like, I remember...
I'm like, in '88, hearing about like the first one-gig hard drive and thinking, what would anybody ever do with a gig of hard drive? That's insane.
Okay, I had the same thought when I got my 10 megabyte hard drive on my IBM PC. Yeah, who would ever fill that up? And now I think I have more storage space on my smartphone than the supercomputers that we used to use in the early days. So yeah, I mean, there was...
It's a politically polite answer to that question. On the operations side, all you have to do is figure out how to intercept stuff, and as communications got
more advanced in terms of the cryptography, you and other sister organizations perhaps come up with other ways of capturing the data, perhaps maybe before or after it's been encrypted or decrypted.
You know, and that's the land of espionage, and so on and so forth. On the INFOSEC side, it was actually really a struggle, and I saw it at the very beginning, and it came to a head, you know, later on in my career in the early '90s, where it was catching up with INFOSEC, which was, you know, responsible for taking three to five years to design a little black box, and we'll get it to you when it's ready, and we're responsible for providing, you know, all this secure communications.
First, I'm skipping forward a little bit, but the first real test of that for the government in general...
It came out, called Pretty Good Privacy, which, you know, don't quote me on what year it came out, probably late '80s, early '90s, and it was an encryption program, and it was written with public algorithms, not NSA-designed algorithms, and it was based on what we call public key cryptography, which is...
You have a pair of keys one that does the encryption and one that does the de...
But the idea is you have a public key that is used to encrypt the data, and that can be sent anywhere.
It's not secret. And the only way you decrypt a message that's been encrypted with that key is if you hold the secret key, and you hold that close.
That's the private key. And it's a one-way relationship like that. So you have to do a key exchange. If I want to communicate with you, I give you my public key. You give me your public key. We do something to verify we're really talking to each other. And then we're off and running. We can send messages to each other.
Well, so fast forward a little bit. I left the manual cryptosystems office. I was there for about three years and then I did finally get into an intern program.
There's not much to this story. It'll go quick. I went over to the operations side of the house. I did happen to be there during Desert Shield/Desert Storm, so I got my certificate of appreciation for participating in Desert Shield/Desert Storm. I was an intern, so I was doing six-month tours in various offices. My last tour of the intern program was back on the InfoSec side, in what was called fielded systems evaluations. So we're back into the, I'm back on InfoSec. It's the early 90s.
There was a time when one of our clients, and this was probably, I would guess, 93 or 94.
One of our clients, one of the military branches, came to NSA and said, "Why are we spending multimillions of dollars on a secure communication system with you guys?
Why can't we just use PGP?" And that was really a slap in the face to the power structure, at least the InfoSec side of things. And there was literally an all-hands-on-deck call put out for everybody in InfoSec to stop what you're doing. Everybody work on an attack against PGP. And there were a couple guys in an office nearby that actually did come up with an attack against it. And they were paraded around as heroes and got huge cash awards.
They were taken down to the Pentagon, the White House. I mean, the red carpet was rolled out for these guys. Months later, you know, when all the dust settled down, you know, everybody's got a short attention span. They did a lunch and learn in our lab to just tell us peons that worked with them about the attack that they'd come up with against PGP. And what they essentially had done was figured out a way to send a document. Let's say a Word document. Only it wasn't Word. It was some predecessor.
And they found some unused bit space in the document that they were able to insert a virus as it were. And, you know, if they sent this document to somebody and contract them into opening the document,
it would execute this code that would essentially steal the key rings, the secret key rings,
and attach it to an email back to whoever sent the email. That might sound familiar to you guys if you keep up with cybersecurity today. Sounds a little bit like a phishing attack.
Yeah.
But I remember sitting there and, you know, hearing them describe this, and then they got to the point where they're asking, you know,
and it doesn't anybody have any questions. And I raised my hand. I said, "Wouldn't this work against our stuff too?" And they kind of looked at each other and they're like, "Well, yeah."
“I said, "Well, so what's the big deal?" I said, "Well, our mission was to come up with an attacking MPGP, and that's what we did."”
Okay. That's what, if that's how you sleep at night. But yeah, I mean, well, and which is very, and I'm not, it was funny then at the time, and it's kind of a funny story now. But, you know, I mean, they did make a difference. They did come up with an attack. But as is true, most often, and I've been in this business, you know, 40 some years, when you're attacking crypto very rarely, are you going after the algorithm itself?
You're going after the implementation and either the implementation of the cryptography itself, or what we call the key management or the key distribution. So they didn't essentially break the algorithm. They just stole the key. Right. When has that ever happened before in the history of the world? Jeff, can I back you up real quick? I just want to ask because you were, you know,
the Soviet Union was a real threat when you joined the NSA, and then the wall fell. And the Soviet Union was no longer. Did the NSA at all go through any kind of identity crisis,
where there are issues where, like, who's our enemy now?
Or did you guys just kind of have a mission and drive forward? Um, there, I don't know if anybody in power would admit to it, but absolutely, there were issues, because once the Great Satan fell, that was President Reagan's term, the evil empire, the Soviet Union.
Once they fell, yeah, for the first time in a long time, NSA had to worry about, you know,
budget requisition. They had to go before Congress and justify what they were doing. Right. And I'm not a conspiracy theorist, but, um, you know, desert shield desert storm happened shortly after the wall fell. And, you know, terrorism became kind of the thing that kept things alive, but that wasn't really a clear, clear and present danger,
holding my Tom Clancy books. Um, it wasn't something you could put your finger on. I mean, I, you know, I remember watching videos about terrorists when I was waiting for my, my top secret clearance to come through and, and, you know,
classified briefings at the time about, you know, what did the terrorists do back in the 70s and 80s?
They'd hijack planes, they'd blow 'em up, you know, that was the thing back then. Um, you know, there was, there was, you know, one plane in particular that, you know, nobody knew it, but there were people on it from NSA and CIA, and there were suspicions of whether people knew. Um, I'm saying nothing about Lockerbie. Uh, I can neither confirm nor deny, but it's been a long time, so it's probably declassified at this point.
Um, there was the one plane where, um, they landed somewhere and they, they killed a passenger and shoved him out the window, the pilots went down. Yeah. Yeah. And, and it was, uh, I think it was a, I think it was a Navy enlisted person. Y'all was a diver, I think, right?
And they, they, the reason they tagged him or, or pulled him out is because he was in uniform because, uh, what I remember hearing at the time, the, you know, the briefing I got, the video I watched about that was there's a, uh, a flight attendant that had been asked to collect the passports of all the passengers. And for whatever reason, US citizens get a blue passport, but government employees get a red passport. Uh-huh. And so she was able as she was collecting the passports to somehow hide the fact that she was collecting red passports.
I mean, when I was at NSA, I was issued a red, you know, it was more like a burgundy passport. Yeah. That's your official passport to use on international travel. And you're only allowed to use that passport, but then I was pulled aside and told to take both. And I did. And, uh, you know, for the official get-through-customs, the red one comes out; everywhere else it was the blue passport. I'm just Joe Citizen, much because of that experience of that plane being hijacked.
So, um, yes, there was an identity crisis. There was a justification, uh, for budgets that had never been, uh,
realized before. And computers were becoming much more a thing. I mean, we sort of leapfrogged over the whole machine age into the digital age.
NSA was largely unequipped for that, uh, and, and slow to, slow to respond.
You know, think, you know, probably too soon. But, you know, think a large ship that's, you know,
pointed towards the pylon of a bridge. And, and how hard is it to steer that and turn that thing?
I'm five miles away from that particular, what used to be that particular bridge. Um, so they were very slow. Uh, there, there was also a certain amount of, um, attitude, I would say, in, in sort of the old guard, where, like, you know, as Henry Ford said, you can have whatever color car you want as long as it's black. I mean, they sort of had a monopoly, uh, on crypto. And, and so they weren't very quick to change.
Um, they did start farming things out to contractors and third parties, uh,
the classified telephone that was popular at the time that I was there, called a secure telephone unit, STU, and they were up to the STU-III, the third version, which looked like an old-fashioned office desktop phone, and there were three contractors that were allowed to build it. It was RCA, GE, and Motorola, I believe, three models. Um, if you're old enough to remember those and have worked for the government. Um,
so early 90s, I'm back in this fielded systems evaluation office, and that's where I started doing, uh, uh, penetration testing. That isn't what we called it then, but trying to break into computers and network systems. We were assigned to break into military facilities throughout the world, and at some point we decided,
why don't we just call it penetration testing because that's what the world's calling it. Let's become hackers.
Um, so I was early 90s, um, the, you know, NSA trying to respond to the changing world. They reorganized and formed what they called the systems and network attacks center. It was the vision, was that it was going to be a center of excellence, and it had all the really smart people, and NSA has lots of really smart people, and they were going to be experts on everything related to computers and networks. And of course, we've been doing this for a couple years at that point with small team of people, and
we were, we had realized, because of being involved in something that's interconnected, we realized very quickly there's a whole lot of people in the world that are focused on this problem. I don't care who you are. You have a small subset of 10, 20, 100, 200 people. There's no way to compete against the whole world, right, for that kind of brainpower and distributed thinking, let's say. Um, but they, they, they went about doing the reorganization, and that's when the,
the office that I was in got pulled into it, and we were sort of formally given the task, the small group of people that I worked with, of just doing, um, we called it vulnerability and threat assessment, but for lack of a better word, we said, we're hackers, and we're, we're learning how to do pen tests. Um, so I was, we were formed officially, I guess, 93, 94, at least in terms of this new organization. We moved to it.
I'm sorry. I just wanted to, I'm curious, because you coming from cryptology, um, had computers been a hobby, uh, you know, had you been learning, um, C or like C plus, like, I don't know what language or languages were prevalent at that time, but, but how were you personally, and then as an organization, how were you men, how were you catching up with these teenage kids who had nothing better to do, and to figure out how to, you know,
break into shit? Well, um, I mean, I graduated from high school in 1980, and I remember taking a computer math class, so it was late 70s, but it was, uh, you know, a very
rudimentary type of PC. I think I was programming in BASIC, and it was kind of cool. We wrote our programs
to punch tape. Um, it was, it was even before the, before the era of floppy disks. So, you know, I'd have two or three or four feet long of punched tape that I would have to feed into a machine to read my program. Um, so, you know, I was kind of interested in it. I had an older brother, one of my older brothers, uh, you know, sort of the brain of the family. Um, he was, uh, he got,
he was into physics and engineering, and he was always buying the new toy of the month, uh, so he,
you know, he built a computer, uh, you know, built it from scratch, kind of like you built, you know,
the old ham radios.
Computer, very rudimentary, and then, you know, what was popular at the time, the Apple II
or your Macintosh or something like that. He was always getting computers. He was the first one to have
the first video game, Pong, and he was the first one to get a Nintendo and an Atari. Um, you know,
I kind of grew up playing video games at the arcade. You know, everybody remember that, um, you know,
put a quarter in a machine and play the game and, and he put in the quarters in. Um, so I, I was into it because it was new and it was kind of fun and different, but I wasn't like how does this work and digging into the inner of it. But at NSA, um, you know, when I was in the intern program, I had to write it. One of the assignments was to work for a programming office, and I had to write a computer program that was one of my assignments. And at the time,
NSA was converting from their own mainframe supercomputers, that they had their own custom operating system on, and, and, and their own primary programming language that all their number-crunching, cryptanalytic, statistical counting types of programs had been
written in. They were migrating over to what at the time was fairly common, Unix workstations,
primarily, uh, Sun Microsystems, later, you know, SunOS, later to be called Solaris. So the IBM PC left and in came a, a Sun workstation, the old pizza boxes, SPARC 5s, 10s, whatever they called them. So I had to, I had to rewrite a program that had been written in a, in a proprietary language
of NSA in C. And, uh, of course, I got it to compile and then, uh, got it to hang the first time
I ran it, because, uh, it, it worked, but it wasn't optimized for the number-crunching type of thing it needed to do. So, you know, I did that. It was kind of cool, but I wasn't really into it, but the idea of breaking into things, that was kind of cool. The idea of going someplace where you weren't supposed to be, learning a hidden trick or a hidden feature. There weren't many exploits in those days. It was mostly features of the operating system, documented or undocumented.
We're just learning the tricks of how to fool the computer or trick the computer into giving you stuff. And, of course, a lot of stuff was there. And, uh, it wasn't that hard to do. And, you know, other people had figured out a lot of the ways to do stuff. So, you know, the terminology in those days was script kiddie. So starting out, I was much more of a script kiddie, just doing the stuff that other people had figured out, but trying it on our classified networks,
even though it was, you know, something that was discovered out in the real world. But, because I had a cryptanalytic background, one of the things that I enjoyed doing was password cracking. And, you know, of course, I didn't write the programs. I was using the programs that were available at the time, but learning how to tweak them and, uh, fine-tune them. Password guessing was a thing back then. I was actually pretty decent at guessing passwords. Nobody does that any more
these days. Um, there was a lot of our, a lot of our customers, when we were doing these fielded systems evaluations, we were going to military bases throughout the world. And,
they always had, like, some, you know, real whipper snapper teenager, but he was also, you know,
an E-4 or E-5 now. And, you know, because he knew computers, he was responsible for computers. So, he came up with an idea of coming up with a random password generator. Uh, and so they had all, you know, they knew password security was a thing back then. So, they wanted to come up with ways of defeating the password cracking tools or just making passwords less, uh, prone to being guessed. And, um, they inevitably were horrible because, you know, from a cryptanalytic, statistical,
brute-forcing perspective, uh, they almost inevitably fell. I mean, I remember one guy,
I want to say he was at a base, doesn't matter where he was, but he, you know, he thought he had this program that was really cool, and it was producing really random-looking passwords. And we cracked 100% of them. In minutes, you know, it just, it was that bad. Um, so that's where I kind of, like, applied the cryptanalytic stuff that I'd learned to some aspect of it. And we didn't call it cybersecurity at the time. We, we actually called it internet security. Um, but that was
something I could kind of focus on as sort of a niche areas. I, oh, yeah, I'll focus on, like,
Password cracking and how to come up with strong passwords, your random passw...
any of the, any of the few types of cryptanalytic things that were associated with operating
systems at the time, um, that was sort of my focus. The other focus I had, I guess, was I, I worked
with people, um, both while I was at NSA, and then even into the private sector days, years after, that would love to just break into a system, get root, it was all root because it was all Unix back then, and say they were done. And I was more like, well, we've just broken into a computer or a server. Why don't we look at what's on it and see what's there? What kind of information is there? They were all about the hunt and let's conquer another box, that's rooted, another box.
Right. I was more about that analytical, what kind of information is here. And what can we learn about our, our, our target or our customers or, uh, what, what, what is sensitive here that might give us, uh, more of a clue of where to look next or, you know, if we found the crown jewels, uh, or, you know, this, whatever it was, but just looking at stuff. So I tended to do more of an analytical deep dive. Let's see what we've got rather than just keep knocking over boxes after
boxes after boxes and saying we're done. Right. Who's it on? So, so how did that develop for you?
Because while all these other people are trying to like get root, now you want to get into the system, you want to go through the various, like, uh, you know, file systems and everything like that. Right. Right. And, you know, and move throughout the system, like, what is that look like for you compared to what everybody else was focused on? So, back in those days, um, the sort of the methodology, uh, which ironically is based mostly off a, uh, a film that came out in the early 90s
called Sneakers. Robert Redford and Ben Kingsley were the stars. Um, and that was sort of the first
movie that showed, um, what people would now more commonly refer to as a red team exercise these days, because, you know, a combination of computer hacking, but maybe physical penetration testing.
Um, the methodology was simple back in those days. You have a target. You have a company,
an organization. Um, everybody had their own IP routeable IP addresses. There was no masking back in those days or no private addressing. Everything was internet reachable, because everything was connected. So, you, you'd, you'd find out what the target was, whether it was a class C address, or a series of class C addresses, which is 255 potential addresses. And then you do a, um, uh, a probe of each IP address, do some sort of rudimentary scan to see what's alive, what's answering,
and so once you've found live targets, you do a port scan, which is basically, okay, what's,
what's this machine talking on, you know, in T, in TCP/IP, there's 65,535 potential channels that it can talk on, and there are some commonly associated, uh, reserved ports that are associated with specific protocols, specific services, so you start there, and most of the protocols, communication protocols back then were clear text. There wasn't a lot of encryption going on. Um, so you would find what they were talking on, and then, you know, that's usually when you could, you know,
connect to a system, maybe steal a password, maybe guess a password, maybe force, uh, one of the programs that was listening to hiccup and give you access, there's many different methods of doing it, but, uh, the goal then was to get access, and it didn't have to be root, it could just be any user account, and then once you had that foothold that toe in the door, then you've tried to elevate your privileges to root, and once you were on the system, there was any number of ways of doing that,
including reading the password file, which was world readable, anybody could look at what the password hashes were, the, I'm not using the word correctly, the encrypted passwords, they're hashed passwords, they could copy that and run it into your password cracking program, which conveniently was called Crack. Um, so elevating privileges, I mean, that was sort of the
modus operandi, the first thing to do is get root, because once you're root, you have access to
everything, any file system, any folder, any, anything that was locked down and protected, root had access to, because root was what we called the god account. It could go anywhere, it could do anything, which is why we used to say to our clients, if we've got root, we're done, but they would very rarely understand that, comprehend that and, and take it to heart, which is why it became beneficial
To say, okay, you're not getting it that we have root, but would you understa...
we're looking at your financials for the previous quarter, right? And we can, and we can see all of
it, or we can look at the payroll and tell everybody, you know, what they're being paid and who got
what bonus, and the people sitting next to each other, one person's getting paid 15% more, and he's a guy and she's a woman, and we can blow things up, or, you know, research data, or we know where the money is, you know, there's, there's any number of things. That tends to be something that, you know, I have no idea what you're talking about getting root, but you can do this, right? I mean, when I was, and I'm blurring the lines a little between my NSA days and my
private sector days, but when we first started out doing this at NSA, and people started, and we
started calling it pen testing, and we started being asked not by just, you know, our military customers, but, like, offices within NSA and other classified networks, you know, within the community, we started kind of having to come up with processes and kind of formalize a methodology, because we had to get permission to do it. You know, I mentioned early on in the interview the Church proceedings and the NSA charter. That became an issue at least early on because,
you know, even though we were white hat hackers were the good guys trying to break in, because we were NSA, we technically weren't allowed to break into computers and networks that were US, right? Oh, and operated, but, you know, as long as it was in the classified world, it wasn't really that much of an issue, but we did have to start talking to our general counsel,
and for whatever reason I volunteered to do that, you know, I was a business major. So finally,
I was like, oh, we need organization, we need structure. I can do that. My friends that I worked with, they were much more into the gears and, you know, the weeds of the technology and like, business processes, I got that, I can do that. So I started talking to the lawyers. I tell a story that, uh, well, to the level set, everything that we did in terms of our techniques for breaking into computers and networks, when we were working within the classified realm,
everything we did, uh, by rule, had to be classified at the level of our target. So naturally,
if we were working on top secret systems, everything that we did was classified top secret.
In order to get authorization to do top secret stuff against top secret targets, you had to go through bureaucracy and red tape and get all sorts of permissions, which took a god-awful amount of time. I mean, we literally would have to wait weeks to get permission to try to break into something that was even, you know, within NSA, like another organization, another office within NSA. And of course, what nobody, what we didn't tell the powers that be,
we'd already broken in, we already knew how to do it. And then we do the paperwork of, you know, this is the way we're going to try it. This is our attack methodology and then we'd have to go off and get permissions, which was on a typed-up piece of paper that had to be signed or initialed by every level of management from our branch, on up to the group level, over to the group that was the target and down there management chain. And this is paper passing from
desk to desk secretary to secretary. It might sit on a desk for hours or days. So it would take weeks. I tell this story in a talk, I've given a couple of different conferences, but usually when I'm telling this story about what was our trade craft, what do we do? I have to
qualify: technically, I can't tell you what we did because it was top secret. And then at some
point I say, okay, I'll tell you one. So I had this big disclaimer banner, top secret. And I say, okay, one of our primary cyber weapons that we used against top secret systems was something called the ping command. Let that sink in, or if you don't know what a ping command is, it's a system-level
command that comes with every Unix operating system. It's basically, and it's named after a
submarine sonar, you know, it sends out a signal and waits for a response. Are you there? Yes, I'm here. And it'll ping every single address on whatever your target space is. Very rudimentary, very common, part of the operating system. It's a feature. But because the lawyers looked at it and said, well, you're eliciting a response from the target. Therefore, this has to be considered an active attack. Therefore, it qualifies as a top secret cyber weapon. Wow. That's the logic that
We were dealing with.
to the lawyers and started teaching them about our methodologies, and their idea was, why don't you just show us what you do and we'll pre-approve it, so that when you get a job request to do an attack, you can just tell us, well, we're going to do a little of this and a little of that and a little of this over here and a little of this, and it'll be kind of like an à la carte menu. And we already know what they are and what they do, and we'll just pre-approve it, and it'll be pretty quick. I'm like, yeah,
the problem is you don't know what you're doing until you're in the middle of it. Right. And you know,
it starts with the probing, we call it recon. You know, what's out there and what's out there?
What are they talking on? What, you know, how are they communicating? What are they listening on? What are the ports and channels that are open? So I went through a process, I would meet weekly with our lawyers and just sort of teach them the fundamentals of penetration testing and hacking and how the computer networks work. And I say all this because one time I was showing the lawyer, even though he was sort of on an isolated subnetwork that he thought was
very super secret because he's dealing at all sorts of legal proceedings and investigations and
he had his folders and files and his computer that he thought was completely protected and
top secret. And I'm like, well, let's look at that. So we were sitting in our office, which was in a physical building that was different probably 10 miles apart. I said, let's go over to your network. See, here we are. Here's your file system. We're on your system now. We had him log in. And I said, let's look at your directory structure and I'm good looking through it and, you know, Unix file permissions, there's this concept of the owner, a group membership and then the world.
And for each category, there's the option of read-only, read and write, or read and write and execute.
Let's just go with read for now. I was looking at his folders that were supposedly top secret,
his eyes only. And like, that folder is not only user readable, not only the lawyer readable,
not only general counsel's office readable. It's set so anybody can read it. Look, I've just clicked on the folder. Here's all these files. Look, I can click on this document here and open it up. He's like, oh my god, don't do that. That's all secret stuff. Oh my god. So he got this really great education on how to set file permissions, so he could actually lock down his folder. And you're not doing anything, you're pretty technical right now, but you're just accessing his network.
And he has open permissions. Like, you're not even technically really hacking. You're just showing him how much access a knowledgeable person would have. Right. Yeah. And that's a good way to sort of summarize it. I mean, the hackers that are out there these days, the security researchers, they're trying to come up with creative ways of breaking things using a methodology that's similar to what was done back in those days. But in the early days, it was much more just taking advantage
of what I would call undocumented features. Right. And the system do. And taking advantage of knowing more about how it works than the users. Because in the early days, most users didn't really know how it worked. They could barely get it to work. And they were happy if they could get it to work, and wasn't anybody telling them to do anything else. I have a question. And as you describe all of this, it actually reminds me a bit of Richard Marcinko's
Red Cell, which was testing physical security at military bases. You guys were of course doing that in the electronic space. I was wondering, did you guys get any sort of like pushback or political fallout from what you were doing, like people who were shocked or embarrassed, and maybe even angry, that you were able to penetrate their systems? Interesting segue question. Initially, no, when it was mostly military targets that they'd asked us to do it, and then internal
targets. I take that back. We did have one internal target one time that, you know, supposedly that they were isolated with internal segmentation, what we would call it these days. But sometimes there's a firewall or some sort of router with some sort of access control list in place.
And we were doing initial probing. And I think we had a target of either an IP address,
or maybe an IP range. But us being us, we just kept going. It's like, what else can we see? Where else can we go? And this particular target, which was an internal office, they did have some sort of monitoring in place. And they were detecting our activity. And we technically went
Beyond the bounds.
You know, everything was answering. We were just, we just kept going. There was nothing blocking us.
We didn't subvert anything. We just, this is how far we could go. But there was a point where
we sort of got called to the carpet. And I guess I've been doing a lot of the work. And I got called into a meeting with the customer and the poor guy. I still feel sorry for this guy. The guy that they had assigned to be like the investigator. He was apparently some branch of the military police. And he came in with like a stack of notebooks with printouts of all the activity that he'd seen us doing me doing and had it all printed out. Because they thought they'd call
a bad guy. He was like, they're ready to throw the book at us. And we're like, well, no, we had this request to do this thing. And we just kind of didn't know where the boundary was. And we just kept going. And then, oh, well, thanks for letting us know. We didn't realize it was that for us. And the guy was
like, he never got a chance to open it. I mean, he, it must have been a foot high. It's no closer to
the person. This might be a little sensitive. But I mean, as far as like the attack surfaces that
you guys used, I mean, did you have to be inside the NSA to get to even watch this attack, or were
you guys replicating an outside attack, you know, perhaps a foreign adversary? Well, you know, our targets, at least in that case, were internals, internal. And technically, what we were doing was classified at the level of the targets. So, technically, what we were doing was top secret. But it's probably a safe bet to think that we were doing a lot of the techniques that were publicly available, because guess where we were learning how
to do it, hopefully it's necessarily stuff. So, yeah, that's all I'm going to answer that question. What would be your relationship like? Because, like, I remember, you know, in the late 80s,
going to my local game shop to buy D&D stuff. And there's always a copy of 2600 there.
And for people who don't know, 2600 was like, like the OG, I think, you know, hacker,
like little booklet, magazine, pamphlet-type booklet thing. And then DEF CON started in the early 90s. So, there was this, there was this vibrant hacker community out there that was moving along with the times from, you know, Captain Crunch, you know, and phreaking, and all that. How was your relationship with them? These people who were sort of breaking the law and on the cutting edge, but also, like, pushing it. Right. I mean, at the, at the time, we didn't interact with many of the
people in, in that part of the community. I've certainly, over the last 10 years or so, had to have the privilege of meeting many of those folks and comparing notes and so on and so forth. But I mean, we were certainly learning from them. I mean, we, we, you know, back in those days, it was bulletin boards, mailing lists, you know, our, our best resources was the internet and learning all the places where people were posting stuff about hacking and breaking into
things. So, we were certainly learning from them. And I, I would even say that we, we felt like we were behind them. I mean, when we were, when we were considering ourselves to be students and learning all this stuff. I mean, that, and they were doing it and we were just trying to pick up, pick up on it and learn from them. So, there was, I guess, from our perspective, a certain amount of respect. But, you know, there's a handful of people that kind of went south
of the line, got caught and prosecuted. You know, I have different opinions on some of those people. There was, you know, certainly, mythology associated with it. You know, there's sort of, you know, the elite elite hackers, you know, the, the Uber hackers is what we called them back then. You know, I, I hope to someday meet some of them. But we were kind of learning and doing stuff and figuring out stuff. We certainly had access to a lot of resources that a lot of people don't
have access to. I mean, we had access to UNIX source code. And this is before the days of Linux. And the UNIX source code is something that, you know, that the agency, NSA, paid, you know, God knows how much money for. So, you know, we were able to look at all the internals, all the function calls, all the libraries. So, I mean, we, we had a fair amount of opportunity to
tear things apart, which not
everybody has. But we still considered ourselves to be students and learning. You know, it's funny because, you know, we'll get to why I left NSA in a little bit, hopefully. But, you know, I was out in the private sector for a few years doing the penetration testing and trying to get
basically trying to convince companies back in those days. If you're going to play on the internet,
you really need to have a firewall. You really need to have some sort of secure architecture.
You need to have some sort of clue or plan as to what you're doing. So, you need to put a
security program in place and figure out what it is you want to protect and need to protect. And at some point, I got really frustrated with, you know, being hired by clients every six months to break in and we'd break in the same way time after time. And we'd tell them, this is really easy to fix, and they didn't seem to want to care to fix it. And at some point, I'm like, okay, I'm done pen testing because that doesn't seem to be getting the message across, and I ventured
into, you know, I needed, I needed to just be able to talk to companies and explain it to them and explain why they should care and explain why it matters. And about the time I made that decision is about the time that this thing called PCI came along, the payment card industry. And I got, I got sucked into that, but it was nice at the time because there were a lot of companies that had to do PCI, and it's a private sector regulatory security standard that's of, by and for the credit card
industry. So it's not a federally mandated thing. So it's voluntary, but if you don't do it, you don't get to take credit cards if you're a retailer or any kind of business that wants to make money. So for me it was beautiful, because...
A lot of people, and I apologize, I hope this does not come across as egotistical. But as I meet all these people that are far and away from the Midwest, you know, got into phone phreaking to get free long distance, and then later free cable, and they just kept going,
and they figured out some things. Nobody's had the experiences that I've had. Yeah, which, you know, and for me it was just, you know, the right time in the right place type of thing.
But I've never met anybody yet to this day that I'm like,
I'm completely in awe of. Uber hackers, to exceptions. The Uber hackers. Most of them are almost as excited to meet me as I am to meet them.
I remember before COVID, I think the last DEF CON,
so it had been 2019, I was sitting around with some folks. And one of the guys I was sitting with was a guy whose name is Weld Pond. He's a member of the L0pht, which became famous back in the 90s for figuring out, producing one of the first, if not the first, password cracking routines that would work on Windows passwords.
So it was called L0phtCrack. And they were a hacker collective, a bunch of smart guys out of Boston, you know, Berkeley, Harvard, MIT, type people. And I'm sitting there with one of them, and then one of the other guys I was sitting with, I was introduced to, he's one of the original members of Cult of the Dead Cow,
and they're famous for other reasons, and I'm like, wait a minute. He's the L0pht, he's Cult of the Dead Cow. And now's probably when I should mention the nickname for our hacking group at NSA, came to be known as the Pit. And so I'm a member of the Pit.
I'm one of the founders, architects of the first penetration testing team at NSA,
and we called it the Pit. So I'm like, it's the L0pht, it's the Pit, it's Cult of the Dead Cow. So let's get our picture taken together. Let me take our picture, I'm like, you guys don't know this, but this is really historical, because you know,
dark side, dark side, white hat guy, and side of the good. But you know, smart guys, nobody's, nobody's over that I've ever met. Most of the people that, especially from the early days are all pretty humble.
Yeah, you always hear about all the real elitists, arrogant jerks.
And there are some out there, but most of the people that are really serious about this, are really serious about this craft as it were, are pretty humble. And pretty eager to share and, you know, love to swap stories and share stories. And I've certainly had a lot of great opportunities to do that.
One of my idols, you know, one of our motivations back when we were forming the Pit. And we formed, we, when we were reorganized into this thing called the Systems and Network Attack Center, the SNAC. This center of excellence for computer network security back in 1994. We got moved to a new building, and we got moved to an office, and we nicknamed our office the Pit.
And one of our motivators was a book called The Cuckoo's Egg, written by a gentleman named Cliff Stoll. Cliff Stoll is like a, you know, Berkeley astronomer, you know, physicist, smart guy. And he had, he had noticed, by a matter of circumstances, that somebody was breaking into the university mainframe and stealing a lot of government secrets.
Because back in those days, the only thing that was connected on the internet,
that was mainframes for, you know, the government and research universities. And he, he set out to track down and find the people that were breaking in, fascinating story, sort of invented forensics.
He, and he documented his, his experiences in a book that's called The Cuckoo's Egg.
Must read, if anybody's interested at all in this discipline.
A couple of years ago, again, recovered.
In fact, I'm going back to the same conference where I met Cliff Stoll, and to this week, but I was at a security conference up in Canada. He was the keynote. So I'm like fanboy, I get to meet Cliff Stoll. And he's a goofy, quirky, weird kind of guy.
He did a keynote presentation with a viewgraph projector. That's how quirky this guy is. 2019. Brise probably doesn't even know what a viewgraph is. Overhead projector.
Yeah. His, his talk was a, Transparent. Transparent. Transparent.
Yeah. Yeah. Down on a box that, well, through a lens that would project, I mean, old school, totally, totally geeky and quirky and cool and it was and I had to go up and introduce myself and meet him get my picture taken with him and I told him I was NSA. He's like, oh yeah, he visited NSA as part of his tale of trying to figure out how to hack, and catch these bad guys that turned out to be Eastern and hackers.
And to my chagrin, in the only time I've really been nervous to give a talk, because, you know, he did the keynote and I think I was the second or third talk after him.
He's sitting in the front row. You know, one of my heroes, he's going to sit and listen to me give a talk. But that's how cool he was. I've met the guy that wrote PGP, Phil Zimmermann, a couple years ago. I've pretty much met all the pioneers at some point.
And what's funny is a lot of those people because they got into it out in necessity. They didn't start out as computer scientists and they didn't start out as programmers or administrators. They just had a job and computers became a thing and so they wanted to learn about it and make it work to get something done. A lot of them went back to their day job.
A lot of these other guys that were a lot of university professors, university researchers, they went back to their first love.
There's very few of the early rounded people that actually saw the dollar signs and went with it and came to the military. Yeah, to backtrack a little bit, do you want to talk about it? I mean, you mentioned it briefly why you ended up leaving the NSA after. Even before that though, you do have when when when we met at a conference, you showed me orders or military wise that call them orders.
But a, but a document authorizing you to do, was it the very first pen test of an outside organization?
All right, it's the same question to the same story. Okay, and so I'll try that. There's a lot, I have a lot of stories I apologize, hopefully people are entertained. It's not a cast, people love stories, Jeff. All right, so I'll keep going and they can play me at 1.5, which makes you can put it. So, you know, I'm in the pit, we're doing all these, you know, pen tests of military bases throughout the world and NSA facilities and other classified environments.
For whatever reason, and all I can say is, you know, it's because I was the business major. I was sort of the, I became the biz dev person and was trying to formalize what we did. I was the only one that was really interested in talking to, you know, managers and suits and, you know, people other than just talking to the tech and doing the stuff. Talking to the lawyers. So, in doing all that, we were putting together a methodology and we were writing it down, so it could be a repeatable process. It was something that had a beginning and end, and we'd take into account all the things we needed to think about before, during and after doing the engagement.
And somewhere along the line, I started working with some people from another organization called DISA Defense Information Systems Agency. I think it's what it's called. And they got me connected to some people at the Department of Justice. And, you know, everybody was just, the internet was new. Everybody was plugging into the internet. And everybody was like, "Ooh, all the, all the potential for the internet, but then they were also saying, "Oh, but maybe we should think about security."
So, I went down to DISA. This is 1996. I've probably the first time I met him, he's probably April or May, went down to the Department of Justice buildings.
You know, went into some big beautiful conference room, you know, Mahogany wa...
And basically, they wanted us to do a pen test of their internet presence.
“And I'm like, "Yeah, sure, no problem. We can do that." Well, I go back and talk to the lawyers and lawyers like, "Well, hello, time out."”
It's an unclassified network that's kind of new and different. And NSA is responsible for the security of classified systems. But the organization that was responsible for the security of unclassified organizations at the time was missed. The National Institute of Standards and Technologies. And at the time, that was kind of a tongue-in-cheek kind of running gag, because NIST didn't have a whole lot of capability in any technical respect similar to the kind of stuff that NSA did. So, I'm talking to the lawyers. I'm like, "Well, can we make this happen?" And the lawyers like, "Yeah, we can make it happen, but there's hoops that you got to jump through."
So, we proceeded to go through several weeks and months of hoop jumping to make this happen.
And one of the first things he told me was, "Well, when you have this type of relationship, it's got to be sort of a handshake agreement between cabinet-level positions."
“And I'm like, "Well, what does that mean?" He said, "What it means is the attorney general, which is what the DOJ rolls up under,”
basically has to ask the secretary of defense for a favor and say, "Hey, can you have your guys come over and take a look at our system?" So, you ask me to look it up. I've got a copy of the original email, not email, I'm sorry. Letter that came from the office of the attorney general saying, "Hey, your guys have been talking to our guys and paraphrasing it." And basically, we want you to, "Well, I can read it to you. I'm therefore, I am formally requesting that DISA and NSA work with us to provide a vulnerability assessment on the security posture of DOJ,
sensitive systems and network connectivity to include the system network architecture, SNA, and virtual telecommunications access method, VTAM. It's government, everything's got to have an acronym. Also, the secure network architecture, do I say that already?" I am requesting that the assessment begin with the testing and evaluation of the security configurations in the financial management information system, which is used by several components within the DOJ, because on and on, eight little over page, signed by the attorney general at the time, Janet Reno.
Did you get that? Yeah. Yep. Okay. And it was actually addressed to the person that was designated within the, by the secretary of defense at the time, the assistant secretary of defense responsible for C3I, the Honorable Emmett Paige Jr. Wow. Okay. So that was the first step. And then what had to happen was, I hope I get this in the right order. This is a response from NSA. Of course, letters by the government, they're all written by peons like me,
and they just eventually get up and signed by the people. You've seen the movies where they throw papers in front of the president. And he signs them one after another. So this is a draft letter from Emmett Paige back to Janet Reno saying, "Basically, we're on it." And there's another letter that I have. This is from somebody at DISA to the Department of Justice saying, "Basically, we're on it." And probably then the most interesting one is, and it's having an official processing form.
Because it's got to have lots and lots of signatures to approve it. But this is the letter that was drafted by the signature of the director of NSA.
And if you see that there, right there on the bottom line, I am the point of contact for this project,
which says, "Yeah, we'd be happy to, you know, members of this system in the network attack center will go down and do this."
Now, on the cover sheet, it actually talks about, I think you can see this here.
It had a code name project. The effort is Project Eagle. So this letter, which is, you know, a copy of it, but it's signed and it's dated, you'll see the date 21 August. 1996. 1996.
1996. So that's super cool. This is what happened. You know, of course, the letters signed.
This is all going back and around, getting all the signatures.
It had not yet been delivered yet.
I think the 21st August 1996 was like a Wednesday or Thursday.
The weekend before, and it's before the letter had been delivered, the DOJ website was popped.
First hack of a DOD or a government website.
Rather famous, the hackers defaced the entire, basically, replace the entire website. They replaced Janet Reno's picture with a picture of Adolf Hitler. They had all sorts of more colorful things on it. And this happened like on a weekend. The weekend before this letter was going to be delivered and we were going to be golden.
So I get a call Monday morning from my contact with the DOJ saying, we had a problem over the weekend. You know, we were hacked. I don't know if you heard about it, but help. And so I'm like, well, let me see what I can do. I hung up the phone and called the lawyers up, the general counsel's office, and I explained to him what happened.
And I said, you know, we're, we're this close to being legal to going down there and doing the work. What do I have to do in order to get a team of people down there the next day? I mean, I want to help them out. They've had, you know, you know, they're desperate. They need help.
What can we do for them?
And they gave me three criteria.
They said, well, don't go on your own accord.
Make sure you're sent by management. Get the request in writing from the DOJ. And don't go alone. I mean, that was it. I'm like, okay, I assembled a team.
I got, I called back to DOJ and said, send me something that requests this. I got it, you know, hours later. And then we went to our management and said, hey, this is what's happening. Will you let us go? And they said, yes.
So Tuesday morning, we go down and we're looking at everything. Of course, in those days, everybody had their own servers that were serving up their web servers. That were part of their network. Maybe they were outside of their network. Maybe they weren't.
But when they were, when they discovered the breach, the DOJ admins, they took the systems down. Took them offline and wiped them and rebuilt them. So whatever evidence might have been there. So what's going on to begin with? Yeah.
I mean, there were no forensic guides. There were no rules back then. This is 1996. Nothing had been written yet about how to do this other than Cliff Stoll and The Cuckoo's Egg. But what he was talking about was mostly on phone lines and phones.
And phone switches and PBXs, public exchange servers. All phone really. So we were there Tuesday, Wednesday. There were other systems that hadn't been affected. But we were looking for evidence of tampering.
And then the footprints, as it were. Electronic footprints, to see if we could pull anything together. We were there Tuesday, we were there Wednesday. We go down Thursday.
Mid morning, Thursday, I got a call from somebody back in the Pit. And they said, Jeff, the shit's hit the fan. You guys got to drop what you're doing. Come back now.
So we dropped what we were doing. We went back and got berated in the deputy director's conference room. And the lawyer that I'd been working with for the previous year proceeded to read us the riot act, yelling at me in particular. For doing something that was potentially illegal.
That could get the director not only fired, but prosecuted. And what the hell were you thinking? And I'm like, you knew about it. Well, and technically, when I called the lawyers on that Monday morning, both the general counsel, this guy, and his deputy answered the phone.
And I said, I've got an issue who wants to take it. And the general counsel deferred to his deputy. So I did this with the deputy general counsel, not the main guy. But it's the main guy that was yelling at me. So I got put on double secret probation since I was the ringleader.
And I first time I've ever heard of the church proceedings.
This was when the lawyer was yelling at me saying, don't you know you violated the NSA charter?
Don't you know you could get the director fired if not prosecuted? I was put on probation. I was investigated internally. I found out many years later, because I bumped into this lawyer after 20 some odd years at Defcon, ironically.
Turns out they were not only trying to fire me. They were trying to prosecute me as well. That is that attorney or the administration director? The powers it'd be. The powers it'd be.
This was above him and it was above me. In fact, I learned that, you know, I mean, I'd been pissed off at this guy for 20 some odd years for yelling at me when we were buzzed. And it turns out he was getting a lot of flak too, because he had ultimately sent us, or his office had sent us. Yeah, his deputy, his deputy resigned.
But, you know, after going on trouble, double secret probation and having to talk to internal security and tell the story.
It meant pretty much everybody I talked to like, that's it.
You were just trying to help. It kind of soured me on continuing to work there. We eventually were exonerated and we got pulled back into the deputy director's office, and a bunch of the senior level management were talking to us and counseling us.
And they basically said, you know, we like what you guys do.
We want you to do it.
But if you're going to do it here, you have to follow our rules.
And so he said, fine. I was gone from NSA by the end of September of 1996. So like six weeks after this all went down, I was gone from NSA because it was end of the fiscal year. They had done it. They were doing a buyout to get people to leave. This was one of the fallouts of the Soviet Union fighting for blood.
They're paying people to leave.
And we've been kind of turning around a bunch of us. We're looking for more high-paid jobs. Sure, in the private sector and all that kind of stuff.
So I took the first offer that came along.
And I was offered money to leave and I got the hell out of dodge. And to September 1996, tried not to let the door hit me on the way out, typically. Which is looking back on it on this 30 years later. If it hadn't gone south, I mean, there was something cool and fun and patriotic about doing it there. We were thinking we were doing a good thing.
There was the lure of more money out in the private sector. But I'll tell you what, when I went out into the private sector, more than I got an increase in pay, it was the idea that I could be hired by a company to do a pen test one week. Do the job for the next couple weeks, take a couple weeks to write the report. Maybe a month later, come in and present our findings, giving recommendations.
And we were done. And then now maybe a month, maybe six weeks. Whereas six weeks in NSA, we would have still been trying to get permission to run the ping command. Right. So much more than the money was the lack of the bureaucracy and the more focused, less complicated. There's a job, do it, report on it, give the feedback.
Thank you, you're done type of thing. That was very refreshing. But the reason I left NSA was because I was very much, they tried to get me to leave involuntarily. But I kind of took the opportunity when they gave it to me to get out and go out to the private sector, where largely I've had a more receptive audience of my clients over the years.
Not every time do they want to hear what I have to tell them in terms of how they're insecure, and what they need to do differently, or what they need to invest in.
But generally, if you can explain it to people, and I think I do a reasonable job of explaining to people why they should care,
why they should worry, what they need to do to invest in or at least. Okay, you've got limited resources, here's your options. Here's the pros and cons of what you decide to do or not do. So at least they can make an informed decision, at least what I believe is a more informed decision, about how to approach this thing that we now call cybersecurity and protect your organization.
And, oh, by the way, we're losing, and it's, nobody can afford to do everything that they need to do to provide that mythical 100% level of protection because it doesn't exist. And, yeah, we have a very burgeoning industry to keep going and hundreds of billions of dollars are spent on technology
Where what ultimately causes many companies to fall is a process issue or a f...
pretty trivial, yeah, when you get down to it. How do you spend in your money people?
How does, you know, when we look at the United States and we are, we are a free country and limits on the government is a good thing. And, and yet, I don't want to say in yet as though we should erase freedoms in any way shape or form.
But how does the NSA, particularly in this infosec environment?
How does the NSA compete against countries like China, Iran? And, you know, countries like Russia that do not have any moral compunction, any laws that, you know, limit their, their government's reach. How do we compete against that? Well, that's, that's a very complicated question to answer. And, um, philosophically, it does, and I just, this came up a while ago in a conversation.
I now have the opportunity to say it, so I'll say it. But, um, I think it's, one should think twice about automatically assuming that what we're doing is moral because we're doing it to protect us. I'll just throw that, just throw that out there, just to make people think. Um, the generally speaking, um, you know, we are a moral responsible society in government that does operate under rules and, and most people take the rules fairly serious.
There's always exceptions and because there's rules and there's bounds and more than that, there's just, um,
there's so much to could happen, there's so much to could do wrong, and you never know what's going to happen and where and where do you, you know, where do you,
where do you put your attention and focus and your limited resources?
We're almost setting ourselves up as a society. If not pockets of industry within our government, which some would argue, argue that the government should be protecting. Um, it's, it's, it's not really a winnable situation in my, in my opinion, um, whereas other countries we are certainly told that they, you know, aren't as strict on rules and regulation and, you know, I doubt that Chinese hacking groups, whether they're military or paramilitary or funded by the government, are going through a lot of procedures and bureaucracy and red tape, that's a perception.
Um, so, I mean, we handcuff ourselves and, of course, you know, I, I work tangentially, uh, I have relationships tangentially with a lot of people that are involved in, you know, the, the mission of protecting the country, cyber security, national defense and so on and so forth, uh, uh, to be honest, and if any of them lists anything I apologize ahead of time, but you're given my librarians working with the government,
and under the private sector, I've always felt that if you're working for the government,
it's because you're not good enough to make it in the private sectors, so you're kind of second tier to begin with. Um, and there are exceptions.
I mean, that's just a very broad blanket, probably ignorant statement that you need to say.
But in my experience, uh, the, the real cutting edge stuff happens in the private sector. And here's why, um, for better or for worse, in the private sector, everything's driven by the dollar. Everything is financially motivated, companies exist because they're trying to make money. Uh, that's free commerce. That's what we do is a free country.
Um, and, and I often tell my clients in the private sector when they talk about risk. And I mean, you hear all these words bandied about like risk and vulnerability and threat, security. Um, I tell, I tell my clients and anybody that'll listen frankly, you know, when I was in the, I was working for the military when I was working as a civilian, um, the idea of risk was all computed around loss of human life, troops on the battlefield,
citizens abroad in domestic, um, uh, embassy workers, state department employees and stuff like that. But it all had to do with loss of life. In the private sector, it's all about money. That's very different, um, especially when everything you do comes at a cost or everything you don't do,
Potentially comes at a cost.
So it's a different motivational factor.
And I'm not saying it's a, um, uh, somebody posted on LinkedIn. We're losing you just a little bit.
I think you're, you're saying those a little bit.
Oh, no. Yeah, can you repeat that last year? Can you hear me now? Yeah, we got you. Okay.
Um, how far last do you need to go? I just like the last sentence or two. Yeah. But what I'm saying is the, the idea of risk, why you do security, why you do the things.
It's very different if you're, you know, pursuing the national defense, which is basically
loss of human life at some degree versus the private sector, which is how much money you want to lose or how much money are you going to spend or how much revenue or you're going to lose or how much, you know, it's, it's, it's all a financial basis. And it's not that one is right in as wrong. It's just a very different, um, and in a lot of ways in the private sector,
it's a lot better to understand dollars and cents. Right. You know, that's a pretty easy equation to understand in the national defense, um, concept, uh, it's, you know, how do you put a price on a human life? Right. And, you know, right.
That's what, I mean, you intuitively don't want to lose anybody's lives.
But, um, you know, I'm sure we've all seen reports or heard people talk about, you know, you know, generals planning battles and, you know, even the norm of the invasion and World War II.
Everybody knew people were going to die. Right.
And, and the calculations that were being done on what was an acceptable level of loss, of human life, given the potential gain. I mean, and that's where I defer to the people that do work for the government and do work for the national defense because, um, they do take that very seriously and it's very hard. Um, but it's also, it's a very politically motivated and there's a lot of,
there's a lot of stuff bureaucracy and stuff that goes on with that, where maybe I'm taking the easy road out by just working in the private sector. And, well, all about money. Yeah. Yeah, we do, but I want to ask you, so, so in your opinion, then does, you know, the government is notoriously cheap, right?
The government is notoriously what they pay soldiers,
what they pay case officers, what they pay NSA analysts and, and, and operators,
um, what they pay their federal law enforcement. Like, it, it, it is not, for, and for a lot of the jobs, whether it's a soldier or an FBI agent or whatever, there, there are not a lot of comparable jobs on the outside, so they can, so they can pay on the cheap.
When it comes to the NSA, though, you know, you know, you guys may be a GS12 or GS13 step five, but then you can turn around to Mandiant and CrowdStrike or CrowdStrike, whatever, and earn three times, four times what you're making.
Do you feel that the NSA needs to, the government in general needs to deal with this new reality and the NSA should pay people what they're worth on the outside in order to keep that talent. I mean, the short answer is yes, but it's complicated,
because, um, and this is where I kind of do have a little bit of a difference to the people that do, you know, work for the government because they do believe the mission and our patriots and things like that. But there, but there is this stigma at the very least that, if, if they were really good, what they did, they'd be, yeah,
and the private, the bigger dollars making them more closer. But that doesn't mean that everybody out in the sector that's making the big bucks is deserving of the big bucks. So, you might not necessarily want the deciding who wins and who dies either, right?
Right. Right. I mean, I, I talked to a lot of people, you know, since I go out to a lot of conferences, I was at a conference last weekend, and I was after I spoke,
I was talking to probably a dozen college students that had come from one college, and they were just peppering me with questions. And refreshingly, they did not ask, um, change when I talked to students. How much does this pay?
You know, how much can you make in cybersecurity? They're, they're loosely, if they have a passion for technology, they have a passion for whatever this stuff is.
I try to tell people, you know, find something you like to do,
find something you enjoy doing it.
Don't get hung up on money because, you know, you can make a lot of money. And that, or, I think, and making it, but I, I have yet to meet anybody that's happy and satisfied because they make, you got some money.
But I know a lot of people that are really happy with what they're doing and really satisfied with their job that some do make a lot of money. Some don't make a lot of money. Some are in the government, some aren't in the government. But the happiest people I know are the ones that are doing what they love
and feeling like they make a difference. And I think you can certainly, I mean, I've been doing the credit card industry for 20 years. You know, I go home at night and fall asleep thinking, well, I've, I've allowed a company to make money on credit card interest.
You know, and contrast that with some of the good night and fall, mostly because they do, they help save lives. Or, you know, promote the national defense. So, you know, it's a hard, it's a hard nut to crack.
But I think there's a stigma that, at least for me,
that if you're at, for the government, it's because you could, in, in the, in the private sector where they, they pay the big bucks. Of course, a lot of people put their time in the government, and then they get the posh job at the big companies out in the private sector.
And, you know, most of the people you know and see, and I mean, I'm grossly generalizing. I'm not impressed by the people that you see the public figures,
the ones that are always getting interviewed on CNN,
and all the different news channels. Yeah. And so on and so forth. The people that really are good at doing all this stuff, and love it and are passionate about it.
You don't know who they are. I don't know who they are. Because they're just in the trenches doing it. And they're doing it for whatever makes them satisfied. And, you know, God bless them.
Because, you know, we need those people. I think it's interesting because you, you talk about the mission. And I can see how similar to the military, the internet, the people in the NSA,
have a mission and a purpose. And as you experienced,
I think the challenge with the mission and patriotism
and that sounds a purpose. The only thing that stands between that and bitterness is like one bad manager, one bad leader. And they can steal that entire sense from a person.
You know, how is the NSA when it comes to their leadership development and their management development, and things like that? Yeah, I don't, I don't, when I was there, which was, you know,
for the better part 30 years ago, there was a stigma between, you know, if you want to advance in your career, go up the pay grade ladder, to get beyond a certain level,
you had to get in the management. So you had to go, there was either the technical track or the management track. And management track has made the big bucks. But, you know,
if you were good at the technology, and I use that term loosely, technical could be your, or cryptologist, technical could be anything. But technical not management,
your labor not management. The people that were really good at it, and wanted to advance,
had at some point had to kind of suck it up,
and like if I want to go further, I got to get into management. I don't know that they've completely solved that. I was, I was actually invited back to NSA last fall
for an alumni open house, because they're basically trying to recruit people that used to work there, because they're hiring. They certainly had need.
And we talked about how they don't pay well. And someone like me whose clearance expired over 20 years ago, I simply asked, is there any way to streamline me getting back in?
You want me? I'm certainly capable. I certainly have a lot of experience, but there's that background investigation and getting it again.
And the very long winded answer
that I really never got a good answer
was no there isn't a shortcut. But gosh, I was, I think it was at RSA a few years ago, and I went to the NSA booth,
because that's sort of a pilgrimage. Every time I go to RSA conference, and I met a young lady at the booth, and she's like, "Oh, you're Jeff Man."
And I'm like, "Oh, she knows who I am." She knows my stature in the industry, and my background and stuff. And she said, "Oh, I used to go to school with your daughter." So I'm like, "Oh, okay."
So she had no idea who I was other than I was the father of a classmate or first. So my daughter now is in early 30s. This woman's in early 30s. She's senior-level management at NSA.
She might as smart as person around,
but like, I mean,
early 30s probably has been at NSA's office.
She's got maybe 10 years experience.
And she said, "I'm really in a senior-level role." Yeah. That doesn't give you warm fuzzies. And it's nothing personal against her. Right.
It's not because she's a woman. It's not because she's young. It's because she's got maybe 10 years of experience. And how much of that 10 years has been off on the 2020 program,
getting more education and training and doing this that and the other. And my impression is they're working with what they've got to work with. Right.
And again, it's nothing. It's not a knock on her personally. I'm sure she's, you know, she seems to be very smart and very wonderful. But she's made a comment about
how NSA's on top of their game at this open house.
The director was talking about how NSA's on the top of their game.
He's a very compelling speaker. But I'm like, "Yeah."
Then I started talking to some of the people.
"Yeah." "You're still full of it." And that's just my opinion. Yeah. So they talk at a good game.
But at the end of the day, it's still a government job. And they've got lots of stupid bureaucracy and rules and regulations. And because they're sort of the, you know,
only game in town and they sort of look inward. They don't see what the big picture and they don't see the outside. I've been trying to offer them, hey, I've been out in the private sector for 25,
26, 27, 28 years now. I've learned a few things that maybe you, you would say, you want to be more engaging to the private sector. Why don't you bring me in to let me tell you how to,
to maybe do that because, you know, your me first approach, we're NSA. You should listen to us. That's not going to cut it in the real world,
because people are like, yeah, you know, oh, yeah, you're NSA.
What does that mean at the end of the day?
I get fired or I guess that. And one last question before we get to like, fewer questions. I'm curious about, you know, like,
you know, when, when, back during the naval era, when you had the letters of marque, you know, during, you know,
when we've had these times when the government can control it and, you know, everything. We had the idea of sort of privateers. Do you think that the government, this cyber warfare world in this cyber environment,
when, when there are 14 year olds who are just brilliant and doing crazy, you know, amazing stuff. And, and, you know, there are groups out there.
Do you think that the government, in this one arena, should turn to like a privateer model? It's an interesting question.
I would say, I was having a conversation in the last couple weeks with some people at one of the conferences I go to, and they were talking about,
actually it might have been on the podcast I do, but they were basically talking about how, you know, there's certain hacker groups out there that are just going after certain,
not necessarily nation-state actors, but sex trafficking, child trafficking, type of groups. There's conscientious hackers that just kind of go after them, just because it needs to be done,
and it's not technically sanctioned by the government, but sanctioned by anybody, but nobody's really complaining. So, I mean, that's my most recent frame of reference.
I would say, my bias is NSA or the government puts its fingerprint on it. It's going to get stupid at some point. Could there be sort of a handshake unofficial? Well, there's this shadow group out there
that's just doing the responsible right thing. That might work for a while, but of course that could go wrong for many reasons too, because, you know, absolute power corrupts absolutely.
But, you know, the serious hackers out there that are socially minded, you know, socially conscious, want to do the right thing, and are frustrated at bureaucracy,
and the limits that government puts on out of necessity,
It makes it very difficult to do what needs to be done,
in a fashion or a manner that can and should be done.
Yeah, I would, yeah, I don't know what you would call it, if you would call it privateering, per se, or just looking the other way,
does there need to be some oversight,
does there need to be some kind of stop gap,
but I could see that happening. On the other, on the flip side, do I believe in vigilantism? Not necessarily.
That sounds intuitively wrong, but I mean, anything can work for a while and anything can go south when the wrong personality and the wrong motives come into play. You know,
people often ask about hacking back,
and whether that should be done by companies, you know, or leave that to the government. Right? Yeah.
You know, this is where it kind of, you know, the difference between the private sector, you know,
money, that's the risk, and the government protecting, you know,
the US and US entities and things like that.
That's where it gets a little bit fuzzy for me and tricky, but I tend to want to like,
I'd rather have the government in control of the actual war fighting,
because that's sort of what they're in the business of doing, because I think it could get real ugly, and lots of bad things could happen to innocent people, if it's done by the wrong people for the wrong reasons, reading the wrong people for the right reasons,
but outside of the boundaries of control. You know, there's a reason why we have a Geneva convention, which, you know, it doesn't make sense at some level like,
why do we have people sitting down coming up with rules on how to conduct warfare? At some level it makes perfect sense in another level. It's a head scratcher. It's the same type of thing for hacking and activism,
tough stuff like that. It makes sense at one level and another level is like, man, you don't want to go there. That's very sketchy. And I can go either way depending on my mood
and depending on what the situation is. So, so I, again, I'm sorry, but one more fall on question, because you mentioned a Geneva convention, and I'm curious in your experience,
if a non-state actor, you know, a hacker crew shuts down a hospital over ransomware, should they be considered a viable military target? Hmm, it's an interesting question. From a Geneva convention perspective,
and again, this is a conversation we had on our podcast, a couple weeks ago with the gentleman named Josh Corman, you know, it used to be that the hackers sort of had the bad guys. You know, hackers can be good or bad. But the bad guys used to have sort of a
code of conduct or ethics that you wouldn't go after, you know, like a children's hospital and hit them with malware or ransomware. But the perpetrators, the bad guys that are doing this, they're looking for targets of opportunity.
They're not looking at who it is as much. So, you know, there is this idea that, you know, there used to be some idea of responsible crime, and that kind of can go away at some point.
So, are they, should they be targeted by a military action?
I would tend to say yes. But again, those, that's the situation where there's private groups, they're tracking groups, you know, good guy groups that are actively targeting those types of organizations, and doing what they can to take them down,
in a logical technological sense. I don't think it's, it's in a military sense, you know, physical sense. But yeah, there's certain lines that get crossed that most people will say, yeah, that's something that shouldn't be done. That's not cool.
And it used to be that there was responsible criminals that wouldn't do something like that, but that seems we've gone out the window. So, you know, whatever works to get the stuff that stop happening, I'd be tempted to condone that to a degree,
if that makes sense. I agree with you. I mean, I'm just curious. I mean, you're in the expert here, but I feel as though, if, you know, according to the Geneva Convention,
if they're responsible for the loss of a life they're viable target, but I don't know from a cyber perspective, somebody, as experienced as you, what your thoughts would be. All right, let me get you a final comment on that. I mean, what's interesting to me is we're, again,
We talked earlier about some things that are kind of coming full,
full circle or overlapping. Maybe this was off the air, but, you know, signals intelligence is becoming a thing again. The idea that risk now, because we're targeting hospitals that can't afford the security, can't afford the ransom,
critical infrastructure, you know, the idea of the risk
being loss of human life is kind of becoming a thing
that's more tangible and real in the private sector. So, it's not a, it's not a full circle thing, but it is a blending where more action is required and more action from the government is necessary, even if that means regulation and regulatory compliance,
but also assistance. It is an interesting time we're living in, but I think it's interesting that risk in the private sector, which has been money for so long, is now starting to be human life again, which is something that the military understands.
So, yeah, maybe they should step in. So, viewer questions. M. Corbin, thank you very much, really appreciate it. Does Bitcoin have a future as a tool for power projection in the future, and also,
what is your take on the 2000 US China hack award? I try to avoid Bitcoin as much as possible, to sort of have a future, no comment, and I haven't heard of the other one. I don't do a lot in the technology realm.
I focus more on people and processes. That's just a general disclaimer. So, try to ask me the other question.
I'm sorry I can't answer the first one.
Johnny, thank you very much for the donation. I don't see a question if you have one, please throw it in the chat. Oh, I see another one. Globe and Media, thank you very much. Support the team, how to skip those likes.
Everybody, if you haven't liked this, please throw us a like, and hit us and subscribe if you haven't. Johnny, thank you very much.
I wonder if Jeff thinks CPU architecture can be secure?
Intel, Apple, TSMC have been shown to have unpatchable physical vulnerabilities in chips, which leak secure keys. Yeah, I had a chief scientist, I believe it was in my early days at NSA, so it would have been in the '80s, maybe early '90s, that used to have a mantra.
What can be created by man can be broken by man.
So, and that context can CPUs ultimately
be made 100% secure, unbreakable? No. To me, we're having two different discussions that all can get lumped under this mantle of cybersecurity, and that's the idea of securing all the things as much as possible.
So, securing creating a secure state, which is kind of a noun, and then the second thing is security. What do you do given? You can't do the first.
What do you do to monitor and detect and respond
to your network, your environment, given that something inevitably is going to fall in terms of the technology? So, in that sense, what I'm saying is, no, I don't think CPUs can be ultimately secured 100%.
But given that, what do you do? Maybe you don't invest as much on trying to find a better CPU. What is done today by the organizations that you referred to is probably good enough for most people, but it's the few that care and the few that are going to be impacted
by somebody that figures out a compromise, figures out a way around, a workaround, a feature, they are the ones that need to care about it, but they need to know how to detect it, to minimize the damage, to respond to it.
I am a proponent of the process. Security is something you do. It's not a state that you achieve. They're making things secure, and then they're security, which is the diligence
and the monitoring and the standing guard and standing watch. So that you see the attack when it's happening, you intercept it early, you minimize the damage. That to me is the essence of security. Do you think that hardware manufacturers and software manufacturers
are transparent enough with the community
In terms of what they think the weaknesses are,
so that people can be diligent,
or do you think they could be more transparent?
Short answer is no, I don't think there's transparency. It could be the podcast that I do, Paul's Security Weekly. Securityweekly.com, Paul Asadoorian, the Paul in Paul's Security Weekly. He works for a company that does hardware hacking,
hardware or vulnerability research. I don't need to say the name. I'll let him do that. Go to security weekly, you know, figure it out. He focuses a lot on hardware vulnerabilities right now.
So that's a topic that comes up a lot in our podcast over the last year. So, and he reports very routinely on the research
that he's doing with his day job on the insecurities of hardware,
and how far it is to secure hardware. And it's not really the new frontier, because it's been around forever. I mean, I worked at NSA when it was all hardware, and there was no software.
So, you know, it's semantics. It's blurring the lines, but you know, hardware is also prone to insecurities and vulnerabilities and bugs and weaknesses and misconfigurations. And they're out there.
They typically don't become publicly known until either somebody exploits on or some researcher discovers it. And then it's, you know, the sky is falling.
You have to temper it with, you know,
the likelihood that somebody's going to go after something like that going to go to that degree of attack that they're going to try to exploit that. A general principle I'd say is, you know, the bad guys are going to do whatever it works, whatever's the easiest.
I mean, they have their own cost benefit analysis as it were. So they're going to do what works and what's easy, and they're going to hit the targets that are vulnerable. They don't necessarily target specific organizations, which to me is one of the big 800 pound gorillas in the room
is that we have this industry that makes people protect against all sorts of stuff. Most of the bad guys aren't targeting specific organizations. If they did, they sort of have unlimited resources, and they can go after them any way they can, and they can take the time.
And if it means exploiting a hardware vulnerability they will,
I think the line is drawn when the hardware vulnerability
that can be exploited in a way that is sort of reproducible, and it can become something that's, you know, random in terms of, let's find somebody who's vulnerable. We don't care who it is, and if it's a children's hospital, and let's exploit it and make money off of it,
commodity, you know, commoditized types of attacks that you've targeted anybody, no offense. It's just, we're just targeting whoever's vulnerable. Do you think that ransomware as a service has kind of, like increase that type of tendency that,
you know, you might have ransomware gangs that do have those codes, but then when it's ransomware as a service, you just have some script kiddie out there who's like, "Oh, fuck it, I'll just find whoever, whoever'll pay." Well, I mean, it's simple economics,
and it's, you're not really paying attention to who the target is. It's whoever's vulnerable that you can make money off of. I mean, ransomware in general,
I think has changed the dynamic of cybersecurity,
significantly, because, you know, the way I was classically taught about this problem, which, back in the early days, we called data security or information security, and most people have probably heard of the CIA triad, the three components of security of data,
being confidentiality, integrity, and availability. So confidentiality, keeping secrets secret, integrity, knowing that the data is valid. You know, it hasn't been altered or tampered with, and then availability, can you get to the data when you need it?
Most of this cybersecurity industry, which is mostly technology-based, focuses on the confidentiality problem, trying to keep things secret, trying to keep things safe, trying to keep things inaccessible in terms of stealing it.
You know, denial of service has been a problem, off and on, distributed denial of service has been a problem, off and on over the last 20 years or so, but we sort of solved those problems. Integrity issues, faking the data,
Do you trust the data, you know,
that can kind of come into play with phishing schemes,
and fraud schemes, scams, and stuff like that. But availability, that's something that we haven't really invested a lot of technology solutions in it, and everybody believes that technology is how you solve the problems. And it's even more twisted than that,
because it's not just ransomware where we're going to hold your data, and if you don't pay, we don't give it back to you, and you lose access to it. But now it's sort of the, I don't know if some of these come up with a good term for it,
but holding the data and threatening to release it, rather than just sending it back to you. So sort of, I don't know what's a good term for it, but that's why it comes up more. Yeah, it's definitely kind of blackmail.
Yeah, yeah, yeah. Yeah, there are no good, there are no good technical solutions to prevent that other than the things that we've been preaching for the last 30 years of sort of basic security hygiene to try to, you know, prevent that stuff from happening.
I mean, we don't, with all the ransomware attacks that are out there, you don't often hear people talking about how the ransomware attack
was launched in the first place, how it, you know,
got into the environment, but it's usually a phishing attack, which is not a technical failure, although you could argue that it could be.
Why am I getting an email in my inbox that's got a phishing link in it?
Why isn't there technology out there that filters out or blocks it? But there's that aspect of it, but, you know, we don't have a lot of good technology out there that prevents people from clicking on a link or falling prey to a really, really convincing, clever phishing scam, or, you know, to date myself back almost 30 years
to open an attachment of a document in an email that I got from a trusted source that says, "Hey, read this." And by doing so, I've launched a virus or malware, what we used to call viruses and Trojans and malware, but what we, pejoratively, call ransomware these days.
Right. Well, I mean, in these days and times, it's amazing how many organizations
aren't even enforcing a basic, like 2FA, like, you know, a 2FA to log into stuff. It's incredible that basic steps that aren't being taken often. I agree with that, and what I often shake my head at is the fact that while there's so many vendors out there that are trying to
sell you convincing solutions, there's, for, and I'm talking primarily the private sector, because that's where I've been most in the last 30 years. Without regulation, without compliance, most companies aren't going to do it, because why should they? They don't have to. And until they get popped, until they get breached,
they don't get the religion of, oh, we really should have done that. You know, I've been doing the payment card industry for 20 years. It's a, the PCI data security standard is a pretty decent high level set of rules
of things that you should do to secure your organization, your network,
to protect data that you care about being stolen. You know, it specifically, it's credit card information, but you can apply it to anything. Most organizations that I work with are doing it because they have to. And in the early days, they weren't, you know, even before PCI, when I was working with companies in the private sector,
and even in the beginning of the days of PCI, the questions I was, was being asked from companies that I worked for was, what are we, they weren't asking, what do we need to do to be secure? They were asking, what is everybody else doing? It's a peer in my industry, so that, you know, I can do as, as little or as much as anybody else
that when something bad happens, I can say, well, I was doing best practice and therefore not get fined or not be held liable or accountable because it could happen to anybody. And it could happen to anybody. It's a weird, it's a weird dynamic, that most companies out there, if they don't have a reason to do it, they're not going to do it.
But you could sort of explain that in a financial model because everything's, you know, money based in terms of the risk model. Well, it hasn't happened yet. Why should we spend something on, you know,
spend money to protect against something that hasn't even happened yet?
So there's, there's a, there's a financial logic to it.
Of course, that blows up when the bad thing happens.
And that's when we get called in and we help them straighten things out. And, you know, they get religion.
But, you know, what's in the news these days in the private sector,
critical infrastructure, utility companies.
You know, and people are talking, you know, I hear people talking about, well, there's, there's, there's this, and this, that, MITRE ATT&CK framework and do this and that and the other, there's all these things. And like, there are utilities. Somebody in that company is, is, you know, collecting credit cards to pay for the
water bill, the electric bill. So they know PCI, it's in there somewhere. If you just did what PCI said to you, you'd be pretty much okay. But nobody seems to be connecting the dots on that. And there's this, oh, nobody likes to talk about PCI.
That's old. It's stupid.
You know, it's, it's not flashy and new and shiny.
Right. But it is today because PCI 4.0 is now the law of the land. Do you have anything else for you? Yep. How long do you think it will take?
Thanks, John Jones. How long do you think it will take for AI-based security controls to become
as commonplace in the private sector as layer seven firewalls are today?
Oh, God. AI, the latest buzzword thing that I'm trying to avoid ever dealing with. You could probably map this to other things. Like, you're using the firewall as the analogy. Everybody's got a firewall these days.
I'm sorry, they don't have firewalls anymore. Because their infrastructure is now in the cloud and it's protected by software. Hmm. Ten years with a little bit of acceleration. I'll say five years.
That's my guess. And then from Corbin. Oh, Justin, do you think you're much? What are some things that average person could do to protect themselves going forward? Probably the biggest thing is put what the industry calls multi-factor authentication.
What we used to call two-factor authentication on everything. I'm not a personal fan of password vaults because I'm old school enough to think that you shouldn't put all your secrets online period or trust technology period. Wargames, 1983, don't trust the water. But use a really, really, really long password.
And I would even advocate phrases, poems, song lyrics. Try to think of obscure song lyrics. And then apply random uppercase, lowercase, special characters. Everybody knows to substitute the number four for the letter A and the number three for the letter E. But don't do it on the first letter, last letter, don't do it on every letter. Put spaces in between the words. Or better yet, put spaces somewhere in between the word and not between the words. That's going to protect against password cracking, brute forcing.
But more than that, I would say, make sure you're always using some sort of multi-factor authentication on everything.
There's a lot of people talking about using password vaults. And you get to use super long random password generated things that are stored in the vault. But password vault companies have fallen victim to compromise. So they're not a perfect solution. But I interviewed the CEO of LastPass last summer at Black Hat, as part of the podcast I do.
We did live interviews with executives. That was an interesting conversation. I didn't know the guy wasn't the founder of the company, of LastPass. He had become CEO, like October, two years ago, months before they had the two major breaches. So I was kind of like, ouch.
But I mean, I'm old school.
“I don't believe that you should put all your eggs in the technology digital basket.”
I think this is your best tool right here. My current domain password for my day job company is like, I think it's like 38 characters long. It's a song where it's a line of a song that's, you know, a song that I know. And I mix it up a little bit enough just to protect against the cracking.
But just the sheer length of it, 38 characters.
Nobody's going to guess it.
Even it, I would even say, if you knew what album I was citing a layer to because of the various permutations.
Yeah, you could compute it through force, but it would take you a while. Because I mix up the spaces and the upper characters and lower characters and special characters and stuff like that. So, but because I grew up typing with 10 fingers and that thumbs, I can type my 38 character password in faster than probably most people can do a 10 or 12 character password. They're just doing it like this.
But that's just me being a crotchety, crotchety, crotchety old timer, get off my lawn, get off my lawn. So Jeff, my question, because I do use a password vault.
“Like my question, do you be in this digital world where everything we do requires a password?”
And obviously you don't want to reuse the same password. But how do you manage 30 passwords without a vault? Do you write them all down? Do you personally just remember them all? Like how does the average person manage that?
Well, A, I'm not the average person. Yes. For better for worse. You know, we used to talk about having passwords you care about in passwords. The throwaway passwords, because I've talked to developers that you know are doing stuff in, you know,
Azure or AWS where they need to know like 300 passwords for all the various different.
“You know, systems that they got working on.”
You know, that can be a little bit excessive. But I guess I'm more of the, the mindset that you have the throwaway path. You need to make a password. Have a decent but have, but I'm okay with repeating the passwords for accounts that I don't care about. Now, the, you know, the, the, the thinking on that is you don't want to use a password multiple cases and use it on some place where something's going to get stolen.
Something you care about. So I sort of distinguish the throwaway password. Oh, I've got to sign up for something. I've got to create an account.
I'm never going to use this anymore.
I need to have a password.
“So I, I, I have a, I have a, I have a throwaway password.”
It's just something lame. And then the passwords on the accounts that I care about, which are much fewer. They're either unique or there are a few permutations on a very, very long stream. You know, but the, there's a couple considerations to be made. And I can argue myself out of this because it's not just stealing the hash and cracking it and trying to, you know, figure out what the password is.
There's, if you're using it multiple places and it gets compromised in one place. It could be used in many other places. That's another type of attack. There's the, the possibility that it, you know, even your best password. Somehow gets intercepted in, in while you're using it, where it's in a fashion where it can be copied.
You know, more, more rare, but still a still a possibility. But the bad guys don't often do it that way because there's easier ways to do it. So I guess I'm, I could be proven wrong. I'm happy to be proven wrong and argue out of it. But I'm still of a mind that I have throwaway passwords that I'll use repeatedly in many places. And I don't care if you knock over this account and that account and that account because I just set up the account.
So I could download the white paper, damn it and read it.
Right. But, you know, I mean, shoot my, my rental car company that I use and I won't say which rental car company I use when I initially set up the, the password on my first app.
They asked for a PIN. So I have a four-digit password on my car rental company. And I keep thinking I should change it, but then I keep thinking, but I don't really care if somebody rents a car in my name because I could probably sort that out. You know, I'd probably ultimately be held liable for it. And who's going to do that anyway? So I have a four digit PIN that is my password at my car rental company to this day.
And I set it probably 25 years ago. Jeff, tell us about your podcast and where people can go to find it. Sure. I'm on a podcast called Paul's Security Weekly. You can find it at securityweekly.com. And if you search on all the podcast catchers, and I think we're on YouTube and Twitch, securityweekly.com is the way you'll get there for subscribing.
Paul Asadoorian is the Paul in Paul's Security Weekly.
He started the podcast with his friend Larry Pesce back in 2006, I believe.
“So it's one of the oldest security podcasts around.”
And it was built on the premise of practitioners just sitting around having drinks, talking shop. Paul's a cigar smoker. So much like your studio there, the liquor flows freely, the cigars are smoked. And I met Paul about 10 years ago when I worked for this vendor that was a friend of mine. And he got me involved in the podcast. I've been doing it for about nine years now. But we're a weekly podcast. Paul actually made it his own company at some point, which was acquired at some point.
But it's a network of shows. We drop probably about 10 hours of content a week. There's Paul's Security Weekly, the flagship, Application Security Weekly, Enterprise Security Weekly, Business Security Weekly, and twice weekly security news segments. So lots of content. But the people, at the end of the day, are practitioners that are in this because they are passionate about it.
And we talk shop, we talk about all sorts of things like we've been doing tonight.
And for people listening, we'll have a link in the description to go and check out. Where else can people find you? I do a lot of conference speaking to this day.
“Thanks to my friend that pushed me out into the conference world.”
I'm actually going to be up in Canada later this week at a conference called Atlantic Security Conference. I'll be at B-Sides Harrisburg, Pennsylvania in two weeks. And later in the month, I'm going to be in Boise, Idaho at the Boise ISSA conference. In May, I will be in St. Louis at the ShowMeCon hacker conference. So a lot of conferences. I'll be around for what we call hacker summer camp.
You know, B-Sides, Vegas and Black Hat and Defcon, I'll be out in San Francisco for RSA. I'm on Twitter, although nobody is on Twitter anymore, but you can find me there at Mr. Jeff Man. If you spell my name right, you can find me on LinkedIn. Go to YouTube and type in my name and security and you'll find many recordings of talks I've given.
My NSA days, my first couple years where I was in the crypto shop.
I did a talk and I had a marketing team come up with a sticker for it. Hackers love stickers. Yeah. Tales from the Cryptanalyst. And then when I did the talk about the NSA red team, the first pen testing team, that was the sequel.
More Tales from the Cryptanalyst. And this year I'm giving a talk and commissioned new art. I'm giving Tales from the Cryptanalyst: The Afterlife. Yeah. We throw stickers up on our door.
We want as many of those stickers as we. One of each, yeah, if you have them, we'd love to. I'm going to have to get more of these made more of these made because I'm down the last couple. But the the woman that was responsible for all these stickers. Her Twitter handle is one dark one.
She does a lot of graphic art for a lot of the hacker conferences and the B side. So I call her a con artist. She literally is a con artist. I have two more questions real quick. In the way and D might have some from Patreon bet.
And Corbin, thank you very much. Any way to circumvent hackers for hire used by foreign nations? Hey, the more. My homets of on me. Thank you very much for the very generation.
There's a couple of questions. Do you like YubiKeys for passwords? I've not used them.
“But yes, I think they're a good thing to do.”
If you want to drop the money for them. Yes. I guess. Seriousness of quantum. I don't want to sorry, I lost that.
Seriousness of quantum compute threat. We'll get there. But like any other technology. It'll have the potential for being used for good and bad. So in the old days of the Cold War.
It was often referred to the Cold War as a game of cat and mouse. So the Soviets would do something that would be devastating, but eventually we'd figure it out. And then we'd do something that was devastating and eventually they'd figure it out. So kind of this cat and mouse game. I think the same is roughly true with all the technological advances.
Quantum being.
That what we were talking about a year ago.
But of course, AI is the thing now that is that everybody's talking about.
“So has the potential for good as the potential for evil?”
It's overhyped and not there yet. The quantum thing is becoming real. But until quantum computing is available on the smartphone, or reasonably affordable by people that, you know, aren't nation state status,
or, you know, it's not going to be an issue yet. What's interesting too about quantum, I will add, is because quantum has the ability to break things when it becomes popular, that is, stuff that was even encrypted in the past. That's where you have to start thinking now about what you're protecting with the current cryptography, especially for stuff you're storing, because it could be cracked in the future by quantum computing.
So think about what you're saving and think about why you're saving it and storing it. And keep in mind that what you're storing now, based on what algorithms you're using to store it, could become susceptible to compromise. But like everything else security related, maybe the protection isn't just coming up with a stronger algorithm. Maybe it's preventing it from being stolen in the first place.
Or if it does get stolen, you catch the people doing it and prosecute them.
I mean, there's always more than one way to solve the problem.
There are no single point solutions quantum included AI included for. Okay, we've got this so we're done. We're good. We can walk away now and not think about it. Right.
How best in this still from the House of Honor? How best to develop US talent earlier like unit 8200.
“And I think this goes into maybe the idea of when obviously there's there are a lot of legal things people can do now to develop their hacking skills unlike the past.”
But let's say you have a kid who is curious, maybe with a criminal balance, bent kind of a narrative well, but reforms his ways. Is there a way, do you feel like there's a way to bring these these people into the government? Well, not speaking for the government. I would say yes, but you know, the government has rules.
I mean, I had, you know, when I was hired at NSA, I had to go through a background investigation. I had to go through a polygraph. They wanted to know all your deepest, darkest secrets. And they claimed at the time it wasn't necessarily that if you had done something in your past, it would mean you didn't get hired. They just wanted to know about it.
So you can get blackmailed in the future. Right.
“So, I mean, I think the government's getting smarter at knowing that they have to sort of cast a wider net and not necessarily go after the cookie cutter STEM person.”
I mean, I'm the living proof of that.
You know, I was not a critical skill. I was not a STEM person, and I was hired by NSA, and I did some things that were meaningful.
And I probably wouldn't be, you know, given my GPA and given my educational background, if it wasn't for those aptitude skills tests recognizing my potential, I would not have been hired by NSA then or even to this day. So what I'm trying to advocate for is, let's figure out a way to find the people with the potential and the aptitude that aren't necessarily the cookie cutter. You know, they're in a STEM curriculum or they're from a certain neighborhood or they're a certain skin color or they're a certain ethnicity or they're a certain orientation.
And let's find the people that have the potential and the aptitude because they test well in a certain skill set, and let's promote that. That to me transcends all the other issues. Yeah. And I'm the living proof of that because I had no business being hired by NSA if all they were looking for was computer scientists and engineers and mathematicians, because I was neither of the three. I ran circles around the people that they hired that did have those degrees, that left after three years with a graduate degree and went off and made a lot more money out in the private sector.
Right. We have a couple. Yes, I have a chip on my shoulder. We have a couple of questions coming in. So I just, I just want to make sure we get to them.
Thoughts on Mattermost messaging.
You know, I'm not sure. I know what that means. Yes. Yeah. I think it's a new secure signal like signal style. I'm not sure. But I also from Muhammad Savani how much difficulty difficulty does a red teamer like you have.
“Keeping up with a relentless pace of development and knowledge needed like networks to VMs to ausen to call the next tools etc.”
So I don't do the red teaming anymore. I hung up my hat or my gloves on doing that about 20 years ago. I've been, for the last 20 years, trying to talk to people about the possibilities and what could happen and what could be wrong and what they need to do to prevent it from a process perspective, rather than keeping up with the technical stuff. That being said, because we talk about this ad nauseam on the podcast, because my other co-hosts are actively red teamers, when we do get down to it, while the technology has changed and the techniques necessarily change, the underlying motivations and methodologies, the foundational principles of security, generally do not change.
So in that sense, I don't need to keep up with it because nothing is changed. And then you know, sprinkle a little on top of that for all this stuff that's going on. The number, the two reasons why companies still get breached the two most common reasons why companies get breached to this day. To this day in 2024 is something to do with weak passwords or stealing passwords, exploiting passwords and the exploitation of trust relationships. And there's two broad terms, but you know, very rarely is it is a technology related.
I mean, we were talking about vulnerabilities and CVE scores a couple weeks ago and, you know, the statistics for something like only 3% of all the published CVEs have ever been used by bad guys to steal something to exploit something. And yet we have an old industry built around the vulnerability count.
CVE, CVE. Yeah. And so the CVEs, which you mentioned are the critical vulnerability, like did they come out through the various like Microsoft have it serve.
“Is it CVE Tuesday or when is I don't remember.”
But base. Well, it's Patch Tuesday. The CVEs is common vulnerability. Common vulnerability. Okay. What does the E stand for? I can't think of what it is. But basically, I mean, what we're really getting down to is most companies are running a vulnerability scanner of some ilk and responding to the results.
And the results are ranked critical high medium low based on some sort of statistical calculation, which is called a CVE score. And it's got lots of different factors involved.
But, and I'm somewhat generalizing, but my almost 30 years of experience in the private sector, most companies jump at the scan results and not anything else that they do in their security program. And so the argument and the discussion we've been having on our podcast over the last couple months is what happens when a vendor discovers a vulnerability and something that they produce. Because somebody discovered it and disclosed it whether they got a bug bounty or not, but they told the vendor about it and the vendor decides to fix it.
“But not issue a CVE. Is it ever get to the scanner? Does it ever get a finding? Does it ever get a ranking into companies ever respond to it by doing the patch or the version upgrade?”
That I think is a very serious issue from the perspective of most companies, they've had it drilled into their heads that everything starts with what is the vulnerability scanner to us to do, because everything we do is associated with driving down the vulnerability count because that's how we manage risk. We can do some plastic wrong and we could go another couple hours. Another one, Mohammed Svani again, thank you very much. Final, finally, for the lads. How much difficulty do the glowies? I guess that's the new slang for feds.
We have been tracing Monero transactions. Beautiful LOL asking for friends. Of course, Mohammed. We're always asking for friends.
When it comes to crypto and stuff like that, a lot of people have this impres...
Can you tell us a little bit from your experience or from your knowledge? How do the feds track Monero or Bitcoin or anything else like that?
I mean, I can't speak definitively because I don't work with them or for them anymore, but given what little I know about it, if they're motivated to track it, they can track it, there are ways to do it. I would hesitate to say that they're tracking everybody just because they're financially, economically bound just like everybody else, but if they have a reason to go after you, the indicators are there.
“If you're asking or you're safe to do it and the government's not watching you, I think a certain amount of big brother fear is probably healthy, but I wouldn't lose sleep over either.”
I think one of the, you know, it was Darknet Diaries, Jack Rhysider, that actually recommended you to me, and in one of his episodes, they talked about a Department of Homeland Security operation against child pornographers and how they track the crypto going in, and the thing is, they may not be able to track like crypto in terms of where it's going inside the system, but eventually you got to cash out and they can follow to the cash out point, they can follow from the buy point, they can follow from the cash out point.
So I think, you know, just kind of emphasizing on your point, if you think you're getting away with something you're probably not.
Well, I mean, probably a similar analogy is, you know, encrypting data and data was encrypted initially for transmission for communication, and the mantra back then, or even if you're doing it in the modern world for stores, but if you're encrypting data to protect it, sooner or later, you're going to want to decrypt it, so you can use it or you can refer to it or you can access it. So the attack points are either before it's encrypted or after it's decrypted.
“Right. So I think that's the similar analogy to what you're painting.”
Jack Rhysider, saw him at ShmooCon, that's probably where you saw him. Yep.
I'm episode 83, if anybody wants to go listen to it, I'm the second part, the second half of episode 83.
“It's entitled NSA cryptologist. I met Jack again at Defcon a couple years ago, and I'm like, "Oh, you do darknet diaries. You should really interview me."”
And he checked me out and he said, "Yeah, I really should." You know, different elements and aspects of the story I've been telling would come out in the Darknet Diaries episode. Yeah, he's a really great guy. Andrew just asked a question, "Does the cyber liability insurance run its own penetration testing teams?" I'm not aware of any that do it directly, but a lot of times the insurance writers are very closely connected to other companies that do provide some level of assurance that the insuree,
if that's the right term, is insurable, and they would simply do it. I mean, the first couple years of the cyber insurance industry was all questionnaires, and that was supposed to magically validate that you were worthy of the cyber insurance, especially if there was a claim filed. So I don't think any of them do it directly, but they certainly, because of claims against it and the need to, and I'm not an insurance expert, but actuarial tables, figuring out how much you need to charge people that want to have this type of insurance based on how many claims are going to be filed and what's fair and all that kind of stuff.
And the insurance companies can still make profit. They're starting to get more responsible. I mean, cyber insurance has been around for almost 10 years, and I remember being asked about it almost 10 years ago, and I'm like, people are silly to think that they can skirt or dodge regulatory compliance by just getting cyber insurance.
In this context, it was PCI, because I'm like, have you ever tried to file a ...
wait till the cyber insurance adjuster comes out and just looks under the hood. And a lot of times, I think what they'll do is they'll hire like the forensics people to go in and say, well, they didn't do this, and the insurance company will have an easy out. But I have heard of, I mean, partnerships, I guess, or relationships where the insurance carriers do have relationships. I don't, again, they don't do it themselves, but they probably have partner companies that will do a little tire kicking, a little bit of vetting of the people trying to get the policy, to make sure that they're meeting some sort of minimal standards.
“Similar to like, you know, I don't think insurance companies hire doctors. They don't have doctors on the payroll, but you have to get a physical to get a life insurance policy, right, most of the time.”
So that, you know, they have partnerships and relationships or, you know, you have to have the notarized signature of a doctor.
I got to renew my driver's license and I'm like, I can do it in the mail, right, except I got to have the back of the form filled out by the eye doctor saying I can still see. Right, so the insurance companies will hire somebody that will boot up Kali and say, yeah, okay, you know, we ran port scans, they're fine, yeah, whatever, but then if things go awry, the insurance company can also, the claim can also be like, oh, well, you weren't meeting this thing. Yeah, it's very complicated. There's certainly something to be said for, you know, some sort of minimal level of security, which is typically measured by some sort of compliance standard.
And, and the cyber insurance companies are certainly getting smarter, but you, you, you triggered, you triggered me a little bit because there's also this prevailing attitude in our world. And in our industry that the ultimate test is a pen test, which at some level, yeah, if you can afford it. That might be true because that's rubber hits the road, live fire tests, the most companies don't want to pay for that, but there.
And I'm, I'm guilty of this, when I first came into the private sector, I started with, let's do a, we call it a pen test, but it was really a vulnerability assessment.
Let's see what you got, let's see what we have to work with, let's see what your holes are, your vulnerabilities are, and let's start by closing them. I kind of thought that the industry would evolve, almost 30 years ago. God, that's almost 30 years ago. But, you know, when I got back into this, you know, talking to red team and pen testing companies in the last 10 years or so, I'm like, wow, it's become, this is the ultimate test and this is where you start.
“And that you should not start your journey of security with a pen test, that's the last thing you should do, literally.”
That's the last thing you should do, because there's all sorts of more positive economic ways to put security in place and test it and stop gaps and check it.
And the ultimate live fire test, when you think you're ready for it and you're mature enough, is a pen test. Not a vulnerability scan, not a Nessus scan, not a, you know, somebody running a tool suite, this, that or the other. But, you know, a natural, you want people to try to come after you, and you're going to pay them to do it, let them do it. Again, which is the methodology that was portrayed in the movie Sneakers, which came out in 1992. Right. Jeff, thank you for spending your Monday evening with us and sharing all this.
It's almost Tuesday, I know we've kept you so long. We really appreciate it. We will be back on Friday with Jonah Mendez.
“Otherwise, Jeff, any final thoughts, any final things you want to put out there before we get going tonight?”
There's no way to summarize this. Be diligent, be smart, be caring, and don't believe the vendor. And again, people can find you on Twitter at Real Jeff Man. Mr. Jeff Man. You can find me on LinkedIn. Two F's, one N.
And the podcast one more time for everybody, please? Paul's Security Weekly. You can find this at simply securityweekly.com.
All right.
And we will see all you guys out there on Friday.
All right. Hey, thanks for taking, letting indulging me with all this time. Absolutely. Thank you. Jeff, we really appreciate your time. We had a question from Andrew. I'm going to ask you real quick, and this last question we're going to take. If I'm a Fortune 500 company, what is a pen test going to cost me?
It's probably a percentage of your revenue. The presumption is a Fortune 500 company is a mature enterprise, and so you're going to pay more.
But there's a lot of, I mean, last time I looked nine out of the 10 Fortune 10 companies,
98 of the 100 Fortune 100 companies have to do PCI, at least in some part. And PCI is notorious for taking a very minimal approach to pen testing. So it could cost you a lot, but it's very much dependent on what you want to get out of it.
“And if you want to do a pen test, the first conversation you should have is what are the goals and the objectives,”
because there they are vegan. And you need to understand what you're, what you're asking for before you ask for. And you should expect to pay accordingly.
Most companies aren't ready for it, even in the Fortune 500 frankly.
I'd say maybe 10% of the Fortune 500 are really, really mature enough and ready for a pen test to really have a pen test. Pen test being no holds barred, can somebody get in by any means to do something. But again, that's the goal or the objective. Are they trying to steal something? Are they trying to gain access to something? Are they trying to prove a point? Are they trying, you know, whatever it is.
Exfiltrate data, lock the data. I mean, I don't know how many pen tests out there that emulate a ransomware attack. Right. I don't know. I'm going to have to ask my friends. And I don't think they talk. When you talk about the like this full scope pen test, you're not just talking about hackers or like the technical aspect. You talk about social engineering.
You're talking about physical, like Deviant, all of them. And those guys, you're talking about the entire gamut, correct? Yeah. I mean, and I apologize because, you know, somewhere in the time that I took off from this industry, this term red teaming came about. What I call pen testing is comprehensive. Correct.
But most people would call what I'm describing as a pen test these days of red team.
“It's Deviant Ollam, by the way, that's how you pronounce that.”
Okay. I said, I said Olaf for years. I said Olaf. So we interviewed him, but it's Olaf. Yeah. I mean, no holds barred means somebody wants to go after you. And they're going to do it by any means possible.
It's, it's not simply. Now, the presumption was when the internet came along that the path of least resistance, the easiest way rather than physically having to go to a place and try to break into it was like, Oh, they're connected to the internet. Let's try to get up in over the internet. But once defenses came up in terms of the technology and the network perspective, you know, the physical type of thing was back on the table. And, you know, the irony is if you if you really want to go after a particular company and you're motivated and you have resources.
No holds barred means you'll try everything. There's a movie came out. I don't know. And then 2000s maybe Harrison Ford was called Firewall. And the no spoilers, but the premise of the movie is Harrison Ford's like a firewall admin or network admin had a bank.
“And the bad guys kidnapped his family and put guns to their heads and said, you know, give us the passwords, give us the YubiKey, give us the RSA key.”
You know, help us through the multifactor authentication, log onto this firewall that will get us into the network that will get us to the safe to steal the money because we've got guns to your family's head. You know, that's rather extreme, right. But for motivated nation state bad guys that are really going after you, that's the measures that they'll go to. Most companies, you know, can't and shouldn't afford to pay for a simulation of that type of exercise, but you ought to kind of at least talk about it.
You know, tabletop it, you know, what would happen if somebody did X, Y, or Z. But not everybody needs to worry about that because most bad guys aren't going to do that, because it's easier just to launch the ransomware attacks, send out the phishing attack and just see who bites.
They're not targeting you specifically, they'll just target whoever takes the...
And if it happens to be a children's hospital and people die, you know, that's not what they're worried about.
Right.
Problematic world, right now.
D, do we have anything on Patreon?
No. Okay. Jeff, thank you so much. We deeply, deeply appreciate your time.
I appreciate you giving me the time and the audience and, yeah, feel free anybody that's listening to reach out to me.
“LinkedIn's probably the best way to find me. I do honestly try to respond to people.”
Happy to give back. Happy to answer questions and mentor where I can. And check Jeff out on Paul's Security Weekly.
“It's p-a-u-l-s security weekly, correct?”
It is, but the website, if you go there, is just simply securityweekly.com. All right, guys. You'll find us there.
“We will see you guys on Friday. Take care out there.”