Ever thought about hacking a car or a satellite? Well, that's exactly where my conversation with cybersecurity entrepreneur, Mike, takes us this episode. We bridge the gap between the humdrum aspects of IT and network security and the truly thrilling components - think along the lines of cybersecurity crossed with Fast and Furious!
Transitions are rarely smooth and moving from government roles to the private sector is no exception. Mike and I delve into the murky waters of shifting careers, bringing forth stories of intelligence projects and the necessity of meticulous documentation. We throw light on the stark contrasts between governmental and private sectors, discussing how ambition is often curtailed by organizational constraints.
To wrap up, Mike and I turn our attention to the pressing need for training and support for budding entrepreneurs in cyber and computer science programs. Drawing upon the successes of Israel, we urge the US government to steward such initiatives. We also wander down Mike's memory lane as a startup founder, highlighting the significance of treating people right and the success that follows. If IT and security get your gears grinding, you're going to love this deep dive into the world of hacking, transitions, and entrepreneurship.
Website: Trackd.com/signup
support@trakd.com
LinkedIn: https://www.linkedin.com/in/starrmc/
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: How's it going, Mike?
00:00:00
It's really good to finally have you on the podcast.
00:00:03
I mean, we've been trying to get this thing together for
00:00:06
quite some time now, but you know, I'm really excited for our
00:00:09
conversation today.
00:00:10
I think it'll be interesting.
00:00:12
Speaker 2: Yeah, fantastic to be here.
00:00:14
Thanks for having me on and, yeah, my, my travel schedule is
00:00:16
a little hectic, and so I appreciate you dealing with the
00:00:19
flexibility to have me on the show.
00:00:23
Speaker 1: Yeah, absolutely it's .
00:00:25
It's like playing 3D, chess or something you know, juggling and
00:00:28
everything.
00:00:29
Not only my guest schedules, but you know my schedule of
00:00:32
working a full-time job, raising a kid, running a podcast.
00:00:36
I mean, it's like the, the, the .
00:00:40
The preciseness that I have to be with my schedule is insane.
00:00:44
Speaker 2: It's, it's frustrating at times.
00:00:47
You think generative AI would have us figured out, given all
00:00:51
the all, the all the press around, all the things that it
00:00:53
can do, and it's miraculousness.
00:00:56
Speaker 1: Oh, I've been looking into AI to be an assistant at
00:00:59
this point.
00:01:02
Speaker 2: Can you?
00:01:02
You got to get out like hologram generation, so that you
00:01:05
can either either feign being here or with your, with your
00:01:08
newborn.
00:01:09
Speaker 1: Right, I don't know which one will be better.
00:01:13
Well, mike, you know I always start everyone off with uh,
00:01:20
given their background, you know how you got into IT, what that
00:01:23
journey was like?
00:01:23
Um, you know what made you want to go down this route?
00:01:27
Speaker 2: Yeah, it's a.
00:01:28
It's a, I guess, probably not a super great story, um, but I
00:01:32
was given the option to take a pre-calculate course in high
00:01:35
school or a Cisco like CCNA course, and I figured the ladder
00:01:40
had significantly less math.
00:01:42
And so I took that route and fell in love with configuring
00:01:47
the routers and switches and, uh , maybe, maybe a little bit of
00:01:50
my millennial uh tendencies of, like instant gratification of
00:01:56
watching, uh, you know, routes and packets being delivered as
00:01:59
soon as you're done uh with, with, uh, router configuration.
00:02:02
And so after that, I just, I, you know, I chose university
00:02:06
based on a Cisco Cisco certified academy university.
00:02:11
Uh, got selected, uh, for an internship down in DC, and I've
00:02:14
been ever been down here ever since, um, just trudging away at
00:02:18
, uh, you know, it, and, uh, I got to work at the help desk at
00:02:22
an undergrad and that solidified my my you know, I guess, uh, uh
00:02:28
like hunting for, like tinkering and troubleshooting
00:02:31
and all these like weird things that are.
00:02:33
You know, it seems like when you, when you first run into a
00:02:36
problem, you're like, oh, it should be this simple thing.
00:02:38
You dig in, you're like, oh, well, that's not the case, uh,
00:02:41
and and so, yeah, just the constant um brainwrecking which,
00:02:45
as you can see is has caused aggressive hair loss.
00:02:48
But uh, I do it anyway.
00:02:50
It's uh, it's fun, fun time.
00:02:53
Speaker 1: Yeah, I've, I've definitely experienced my fair
00:02:55
share of hair loss as well.
00:02:57
Um, you know, that's, that's uh , that's fascinating, because
00:03:03
you know, when I was in high school, if I was, if I was
00:03:06
confronted with the choice of getting a CCNA or pre-calic, I
00:03:09
would have taken pre-calic all day long.
00:03:12
Really, um yeah, oh yeah.
00:03:14
I mean, when I, when I finally got kind of my first bit of IT
00:03:19
experience it was in college and right from the start I hated
00:03:23
networking, everything about it.
00:03:26
Um, when I when I got out of college and I got into, you know
00:03:30
, the professional side of the career, of actually being on the
00:03:33
help desk and whatnot, you know , I figured, okay, it's, it'll
00:03:36
be a good time to get some certs .
00:03:37
Uh well, let's start with network plus, right?
00:03:40
Because everywhere online says, oh, start with network plus, it
00:03:43
builds you up from there, right .
00:03:45
And I mean I, I couldn't stay awake while reading the network
00:03:49
plus study guide book.
00:03:50
I couldn't stay awake and I'm like, all right, maybe
00:03:53
networking isn't for me, let's just try and make the jump in
00:03:55
the security.
00:03:57
Speaker 2: Yeah, it's, it's an ordinarily boring uh like you
00:04:00
have to trudge through gobs and gobs of just so such boring shit
00:04:06
, uh, before you get to a point where you have enough knowledge
00:04:09
to actually do really interesting stuff.
00:04:11
Uh, and when I tell people all the time that you know, it's
00:04:14
like, well, how do, how, like what you do is extraordinary,
00:04:17
blah, blah, blah.
00:04:17
I'm like anyone can do this.
00:04:19
Uh, you just have to be willing to.
00:04:20
It's just how much.
00:04:22
How much boring bullshit can you, can you stomach before you
00:04:25
quit?
00:04:25
Uh, and so, yeah, I mean truly that you know, and that's just
00:04:29
kind of been my mantra and you know it's.
00:04:31
It's not different from security or or software
00:04:35
development or any of these kinds of things.
00:04:36
Um, there's now, there's different levels of of
00:04:39
boringness, of course, uh, across each of these, but any
00:04:42
anyone can, can you know, get into IT, get into security,
00:04:45
software development?
00:04:46
Um, it's just how, how, how much are you willing to train
00:04:51
your brain to, to enjoy the boring?
00:04:54
Speaker 1: Yeah, that, uh, that's a really good point, you
00:04:58
know, and I I haven't heard someone explain it like that
00:05:01
before of of trudging through the boringness of what this
00:05:05
field can actually be.
00:05:06
You know, not not every aspect of security I find to be, you
00:05:11
know, extremely like riveting or attention grabbing, right Like
00:05:16
network security shocker.
00:05:18
I do not like application security.
00:05:21
I do not like, right, Um, you know, those sorts of things I
00:05:25
hate.
00:05:26
But when we start talking about hacking cars, when we start
00:05:29
talking about hacking satellites and all that sort of stuff,
00:05:32
right, it starts getting interesting to me, it wakes me
00:05:35
up, peaks my interest, even though you know someone would
00:05:38
argue well, oh, you should, you should know the network side of
00:05:42
that, because you're going over the network, it's.
00:05:43
You know, those kinds of people are pushed away from me
00:05:47
intentionally.
00:05:49
Speaker 2: You know what it's interesting to hack these kinds
00:05:51
of low, a calm, low level systems, um, you actually have
00:05:55
to have a similar expertise around, uh understanding of how
00:05:59
protocols work, as you do, to be like a good network engineer,
00:06:02
uh, or or internet operator, uh.
00:06:04
And so, yes, it's, you know, you don't just jump into
00:06:07
internet operations and build a you know global network, Uh,
00:06:10
first you got to understand, uh, you know what the hell is an IP
00:06:13
header right, yeah, it's.
00:06:16
Speaker 1: Uh, it's challenging.
00:06:18
You know, like I feel like I know probably the bare minimum
00:06:22
right Of those areas to to get by.
00:06:25
You know, I know what I need to know to to be able to do my job
00:06:28
effectively, but when we start talking about, like, the
00:06:31
different you know aspects of a header, or the different aspects
00:06:35
of what's included in a body, and you know things like that,
00:06:39
it starts going over me.
00:06:40
It's right, like there's other experts out there that have that
00:06:43
stuff.
00:06:43
All I need to know is what my tool is, queuing off of what
00:06:46
we're looking at and go from there.
00:06:48
Right, and it's um, it's absolutely a building block, but
00:06:53
I feel like it's a specialty for a reason, right, like, not
00:06:57
not everyone needs to go 12 feet deep into it, right, it's um
00:07:01
it's something that you can know bits and pieces about.
00:07:06
You know when, when you were in school and getting this, you
00:07:10
know certification did you?
00:07:12
Did you think forward of what you wanted your life or your
00:07:16
career to look like outside of that or after it?
00:07:19
Speaker 2: You know, what's funny is, uh, I never, I I never
00:07:22
ended up actually getting a CCNA.
00:07:24
Uh, I took the cert once and I failed it.
00:07:28
Uh, and I failed it because I spent too much time on one of
00:07:33
the simulations trying to understand the totality of the
00:07:35
network, uh, as opposed to just solving the one one, um, the
00:07:40
actual problem, uh, so I took that as a lesson, like, hey, if
00:07:43
you actually pay attention and read and I've always been a
00:07:45
terrible test taker but, um, what really?
00:07:48
What solidified me in that mind is kind of a tangent to your
00:07:51
question is that, like, just because you have a cert or just
00:07:54
because you don't have a cert, doesn't make you, uh, have,
00:07:57
doesn't make sure, make you either peg you immediately as a
00:08:00
better network engineer or a worse engineer in either
00:08:02
scenario?
00:08:03
Um, what I, what I like to say to people that are chasing certs
00:08:06
is if, if that's the thing that you need to help you study,
00:08:09
then then you do that.
00:08:10
If you need that, that, that structure, some people don't, uh
00:08:13
, and you know that says the same thing with, with uh,
00:08:16
university and higher level education.
00:08:18
Um, but as far as, like, what the hell did I want to do with
00:08:22
my career.
00:08:23
Um, I didn't really understand what I wanted to do until I took
00:08:28
a like a cybersecurity class.
00:08:30
I took like a uh uh.
00:08:31
I participated in the North Eastern Collegiate Cyber Defense
00:08:33
Competition in in my alma mater as the network weenie and um.
00:08:39
I started chatting with um, uh, some of the hackers that were
00:08:43
sponsoring the event, and and um applied to a Homeland Security
00:08:48
uh, summer uh, uh uh internship.
00:08:52
And what I found down there was that being at the NSA would be
00:08:58
the most badass thing you could, could ever do.
00:09:01
Like that was my goal.
00:09:01
And I was like, oh, it's going to take me 10 years to get into
00:09:03
NSA and you're never going to respond to me and blah, blah,
00:09:06
blah, uh.
00:09:07
And so that's what I focused on .
00:09:08
I, you know, I applied, I don't know, probably to 150 or 200
00:09:11
openings, uh, all across the nation at the at the agency and,
00:09:15
um, I mean, a year went by and nothing happened.
00:09:18
And then I got the call from the agency actually two of them
00:09:21
in contiguously, within 10 minutes of one another,
00:09:25
completely separate interviewers didn't know one another called
00:09:29
me, no kind of overlap.
00:09:30
And yeah, that kind of like kicked off my career, like truly
00:09:36
kicked off my cyber career when I joined the agency.
00:09:40
So then I was like, well, shit, now what do I do with my career
00:09:43
, now that I have my dream job?
00:09:45
Right?
00:09:48
Speaker 1: Yeah it's.
00:09:49
I always tell people it's really important that once you
00:09:52
hit your goal, to reset your goals pretty quickly afterwards,
00:09:55
because if you don't do that, you'll get there and you'll kind
00:10:00
of coast right and there's more to it, there's more to grow in,
00:10:03
there's more to become an expert in and whatnot.
00:10:06
So I find that really interesting, right If you going
00:10:12
into the different agencies and applying around, because I
00:10:17
myself I spent a significant amount of time of my life
00:10:22
applying to different agencies, interviewing, getting into
00:10:26
different steps of the process, never hearing back, and it's a
00:10:32
really disappointing process for me because it's like.
00:10:35
Speaker 2: That's the area.
00:10:37
Speaker 1: It's just like okay, I guess this will just never
00:10:39
happen.
00:10:39
I wanted it to happen.
00:10:41
I guess it'll never happen.
00:10:42
After you got those first two phone calls, how long was it
00:10:48
until you were actually in your job, at your desk, doing the
00:10:52
work?
00:10:52
That's a great question.
00:10:56
Speaker 2: I believe it was about a year because I was still
00:11:07
at Homeland Security at the time and I remember this so
00:11:10
vividly.
00:11:11
I was getting.
00:11:11
It was like Metro system in DC is terrible, but I was
00:11:16
transitioning from the red line to the blue line, I was in Metro
00:11:19
Center if anyone, if any of your listeners are familiar with
00:11:21
this and I was about to board my train get the call.
00:11:24
They said can you do an interview?
00:11:27
I was like, yeah, sure, why not ?
00:11:29
Just like blown away that.
00:11:31
I actually got the call and then did that thing, was waiting
00:11:34
for my next train.
00:11:35
The next train showed up and then I got the same call and it
00:11:37
shows up as unknown or sometimes just all zeros, and you're like
00:11:42
, and at the time I was working at DHS.
00:11:43
I was like, oh, it's DHS, whatever.
00:11:45
Answered again, whatever.
00:11:47
And so that was, I think, june-ish of 2011, 12, maybe 12,
00:11:58
and then I started at the agency in 2013, something like that
00:12:03
maybe my dates are wrong, but it was quick comparatively because
00:12:07
I didn't have any international travel, I didn't have any
00:12:12
really close and continuing contacts with any foreign
00:12:14
nationals, any of that kind of stuff, other than Canada, which
00:12:18
doesn't really count, and so seven months and I had already
00:12:22
worked for DHS and so that probably accelerated the process
00:12:24
.
00:12:24
But, yeah, I think, if I'm remembering correctly, I think
00:12:29
my first day was January 13th and yeah, it was wild.
00:12:36
First six months I was an intrusion analyst doing some
00:12:42
crazy stuff with intrusion sets, malware, families, how they do
00:12:46
things, et cetera.
00:12:47
I got asked to transition over to a more operations-focused
00:12:53
team to build military intelligence and cyber
00:12:57
operations networks, and so that's really where I got like
00:13:01
hardcore really deep, really really wide understanding of the
00:13:06
understanding, the practicalities of networking and
00:13:11
really, you know, the NSA, let me do and I had my boss, his
00:13:16
boss, and his boss covered my ass hard because I should have
00:13:20
been fired probably 1 times, was pretty aggressive.
00:13:23
I'm still pretty aggressive, but I was significantly more
00:13:25
aggressive then.
00:13:26
And, yeah, we got done in three years.
00:13:30
What a lot of things they were planned for, like over the next
00:13:34
like 15 years or more, oh my God .
00:13:36
Yeah, so we spent a lot of silver bullets protecting my ass
00:13:41
, and so the thing I learned there is like having a leader
00:13:48
that supports you a good leader that supports you and isn't
00:13:51
intimidated by your aggression and knows how to temper you and
00:13:54
tell you like hey, you need to shut up and sit down, like this
00:13:57
is gonna hurt your career, and actually listen to them.
00:14:00
That's what made my career, having those folks cover my ass
00:14:07
and then also tell me like hey, dumbass, like cool it.
00:14:12
Speaker 1: Yeah, that's extremely important, you know,
00:14:16
to really understand your limits , right, and to be able to have
00:14:22
a manager that's able to, I guess, handle your ambitions and
00:14:27
counterweight it with the organization's expectations.
00:14:30
Right, like that's the biggest thing.
00:14:33
So I did a little bit.
00:14:35
It wasn't consulting work, it was like some third party, like
00:14:39
vendor, professional services.
00:14:41
Right, for the government earlier on in my career, and
00:14:47
that was the biggest thing.
00:14:48
I mean, that was such a painful experience.
00:14:52
Right, because for me it's like , okay, this is 30 minutes of
00:14:57
work, right, 30 minutes.
00:14:58
And I'm on a plane going back.
00:15:00
Right?
00:15:03
No, it was 10 days and you have to write down every single
00:15:09
command that you're gonna run.
00:15:11
Before you run it, you have to write down a reasoning behind it
00:15:14
, you have to write down what it's doing and then they put
00:15:17
someone sitting next to you that can barely spell IT to write
00:15:24
down exactly what you're doing and if it doesn't match up, you
00:15:27
have to attest to why it doesn't match up.
00:15:30
And that was just so.
00:15:32
It was so arduous, you know, and I couldn't imagine being
00:15:36
someone starting out your career and going into the federal
00:15:41
government, because when you have the personality of an IT
00:15:44
person, you're already curious, you're probably already
00:15:47
self-driven right, because no one that isn't doesn't make it
00:15:51
in this field.
00:15:52
Right, and so you probably are.
00:15:55
You already have the perfect mentality to be successful at a
00:15:59
startup moving a million miles an hour trying to make that
00:16:03
progress right, and then you're put into the government.
00:16:06
That is like this thousand year old behemoth that moves
00:16:11
extremely slowly.
00:16:12
I mean, you know, america's not obviously a thousand years old,
00:16:15
but you and I was saying like they're really old in every way,
00:16:19
shape and form, and so they move extremely slowly.
00:16:23
I couldn't imagine how that would have been.
00:16:27
Speaker 2: Yeah, dhs was fairly slow.
00:16:29
Now I was in the front office and so we things were moved much
00:16:36
more quickly in the front office of Homeland Security,
00:16:39
obviously necessitated by the needs of the homeland, and at
00:16:45
the NSA, like being part of the intelligence community, like
00:16:49
there's time sensitive things that go on and, as a result, you
00:16:55
know, very rarely did I run into an issue where we couldn't
00:17:01
move fast.
00:17:01
Well, where we were tempered and by typical bureaucratic
00:17:07
limitations that you would see at, like maybe the FDA or USDA
00:17:17
or some of these other non-intelligence community
00:17:22
organizations, and so when you have this kind of mission that's
00:17:24
, like you know, tied to national defense and has time
00:17:29
sensitive things, like there's less of it.
00:17:32
Now, I wish I could have done more and done faster, but of
00:17:36
course, there are implications to moving too quickly in certain
00:17:40
lines of work, and so, yeah, I mean so I finished three
00:17:45
projects and essentially wanted to start the fourth and they
00:17:49
like kind of had it just pat me in my head and they're like
00:17:51
you've done enough, you need to chill.
00:17:53
And so, as soon as that happened, I was like, you know,
00:17:56
screw this, I'm out.
00:17:58
And that's when I made my leap to start up land in 2015.
00:18:02
Speaker 1: Hmm, so you mentioned that you worked on.
00:18:07
Was it intrusion prevention or intrusion detection for the
00:18:12
agency?
00:18:12
A part of that?
00:18:14
Do you also deal with insider threat?
00:18:16
I mean, obviously I would assume that it's like totally
00:18:19
separate functionality and whatnot.
00:18:21
But you know, when we're thinking about intrusion
00:18:23
detection, primarily you're thinking about external trying
00:18:27
to get in, but a part of that is also insider threat.
00:18:31
Right, someone could be compromised that's already on
00:18:34
the end and get things that they shouldn't be so in that team or
00:18:39
in that workspace.
00:18:42
Are you also thinking about both sides of it or primarily
00:18:46
just external in?
00:18:48
Speaker 2: Yeah, for us it was just external stuff Focused on
00:18:52
the agency's goal, which is foreign intelligence.
00:18:55
There's, I'm sure, many teams within the agency that focus on
00:19:00
that, but that wasn't my charge.
00:19:05
Speaker 1: Yeah, I always just find the agencies interesting,
00:19:09
right, Because it's something I never, I always wanted to get
00:19:13
into, never got into it.
00:19:16
Speaker 2: But you know along there's all the secrecy around.
00:19:19
It makes it sound so sexy and interesting and, at the end of
00:19:22
the day, like you're just sitting at a cube like everybody
00:19:26
else, tapping at a keyboard like everybody else, which is
00:19:30
kind of cool.
00:19:31
It's extraordinarily cool, depending on what you're working
00:19:33
on, but there's a lot of allure and secrecy which drives a lot
00:19:38
of the FOMO and whatever else, but it's.
00:19:43
I could have easily been saddled in one of the shitty
00:19:45
roles with shitty leaders and have ended up rage quitting
00:19:52
after six months because I wasn't given the latitude to do
00:19:59
the things that I wanted to do, and so I just got
00:20:01
extraordinarily lucky where I landed.
00:20:02
But yeah, that's really just a matter of fact.
00:20:09
Speaker 1: Yeah, yeah, that's a really good point, like when I
00:20:12
first went on site to the agency that I did work with.
00:20:16
You drive up to this very nondescript building in the
00:20:22
middle of the mountains, right, you go inside, the lobby is
00:20:25
fantastic, you don't see any cubes or anything like that.
00:20:28
And then you walk like 100 feet , 150 feet, and it's just a cube
00:20:32
farm.
00:20:33
Like what the hell?
00:20:34
Like I did not expect this like at all, especially at this
00:20:38
facility.
00:20:39
You know, it's just nothing but cubes and they have several
00:20:42
floors of it, you know, oh yeah, that's describes every
00:20:47
headquarters I've ever walked into of any of the agencies.
00:20:50
Yeah, and.
00:20:52
I've been to a lot of them With , yeah, with you working for
00:20:56
that agency, do you have the opportunity regularly to engage
00:21:03
with other agencies, go on site with other agencies or whatnot?
00:21:07
Is it, once you're in and cleared sort of thing, you're
00:21:11
able to go where you need to go, or does not everyone get that
00:21:16
opportunity?
00:21:17
Speaker 2: Most don't.
00:21:17
Again, I was extraordinarily lucky on the things we were
00:21:21
doing and things that are working on, and so I was, you
00:21:27
know, afforded the opportunity and you know when the agencies
00:21:30
need your help they're willing to move mountains so that things
00:21:33
are easy for you to do the things.
00:21:34
But if they don't need your help or they don't want it maybe
00:21:41
they need it but they don't want it they make it
00:21:43
extraordinarily difficult and thankfully I never ran into any
00:21:46
of those hurdles and so, yeah, I just it was just looking back
00:21:53
at the three years is like the closest thing to a nerd can be
00:21:56
to like James Bondi than that I could ever imagine.
00:21:59
It was just, it was just cool.
00:22:02
You know, I'd go two, three months and be like, okay, I've
00:22:05
seen everything, and then my brain would explode at some cool
00:22:09
new shit that I saw and that just happened consistently until
00:22:12
I left.
00:22:13
So really cool.
00:22:14
But again, I got super lucky Because there's a lot of really
00:22:20
boring shit.
00:22:20
You get the NSA and at every agency.
00:22:24
Speaker 1: Yeah, I had a friend that told me that you know, once
00:22:28
you get in and you get read into different things like, your
00:22:31
mind will just blow up with like, oh, I can't believe that
00:22:35
we can do this, that we have this capability or whatnot, and
00:22:38
then they're going to sit you at a desk at a cube and they're
00:22:41
going to give you the most basic thing to work on.
00:22:42
You're going to feel so over qualified for your job and
00:22:46
whatnot.
00:22:46
It was just like it's a really interesting, like start contrast
00:22:50
.
00:22:50
You know from what you would think going into it.
00:22:53
But so when you're, when you're at the agency, you know,
00:22:57
towards the end of your tenure there are you thinking, oh, I
00:23:02
want to go into the startup world.
00:23:03
I want to go, you know, I don't know, work for Cisco or
00:23:06
something like that.
00:23:07
Because you have that specialty , you'd probably be worth your
00:23:10
weight in gold, you know, to Cisco.
00:23:14
I would think at least.
00:23:14
What were you thinking?
00:23:16
Maybe what spurred the thought to you know, make that jump.
00:23:21
Speaker 2: I wasn't really I had met a friend, or I had met a
00:23:28
guy through Mutual Friend at you know, a barbecue home, their
00:23:31
barbecue every year.
00:23:32
We got like big data centers based out here in Ashburn DC
00:23:36
area and a friend of ours throws a barbecue.
00:23:39
And so, you know, I got to invite, and you know, and met
00:23:44
this dude who at the time was an expert in software, defined
00:23:48
networking, openflow, and one of the few at the time before you
00:23:53
know, obviously OpenFlow is dead .
00:23:54
And so, you know, I wanted to push the envelope, continue
00:23:58
pushing the envelope at the agency.
00:24:00
And I said, after a couple of weeks of meeting him, I reached
00:24:04
out and said hey, how do you get people to buy into this SDN,
00:24:08
openflow bullshit.
00:24:09
And he goes why don't you just come do it for me at the startup
00:24:12
and I'll double your salary?
00:24:13
And I was like so, so, like there's no, like, no, no
00:24:19
intention.
00:24:19
I wanted to continue pushing at the agency.
00:24:24
And, yeah, working at the agency , living in DC with you know the
00:24:32
hour, commute, blah, blah, blah , all that kind of crap.
00:24:34
I was just like I can tangibly increase the way that I'm living
00:24:38
right now and from you know what I would have sold like
00:24:43
there are no roadblocks, you just do all the things.
00:24:45
And at the beginning, once I transitioned to my first startup
00:24:52
, it certainly was that it was cool and it was the first time
00:24:56
not to sound like an asshole, but it was the first time that I
00:24:59
was surrounded by people where I was like, oh shit, I'm the
00:25:04
dummy in the group, like I'm the idiot, and it was the best
00:25:07
feeling in the world.
00:25:07
I was like, oh, like this is this is fucking awesome.
00:25:10
And so, yeah, it was an amazing .
00:25:14
It was just there for like two years, but that original
00:25:21
infrastructure team that I was on was just a group of absolute
00:25:25
badasses.
00:25:27
Speaker 1: Yeah, that's.
00:25:28
You know what you bring up with the.
00:25:31
You know the money side of it right Now, where I'm at with my
00:25:37
career.
00:25:37
Yeah, I'd probably be a great resource for the agencies or
00:25:41
something like that, right, whatever you want to call it.
00:25:44
But the pay cut would be so substantial that I would
00:25:50
literally never be able to convince my wife to be like,
00:25:53
yeah, we're gonna move across the country.
00:25:55
We're gonna take a 50% pay cut and I'm gonna go do work that I
00:25:58
can't talk to you about for the next four years and then we're
00:26:02
gonna go do something else.
00:26:03
Right, Like that's an insane sell.
00:26:07
Speaker 2: Yeah, yeah, I mean it's a great.
00:26:10
Speaker 1: It's perfect when you're right out of like school,
00:26:12
you know when you're getting started.
00:26:14
It's absolutely perfect, but anything beyond is just unduable
00:26:19
.
00:26:20
Speaker 2: Yeah, and we I say we .
00:26:22
The US government has a really, I think, shitty outlook on this
00:26:25
thing.
00:26:25
Like you get trained whatever two, three, four years, you
00:26:29
become well versed in this thing , doing only certain things
00:26:32
people can, and then they bounce because they can make more
00:26:36
money and there's no resources outside of this.
00:26:38
Where I think, where I think, or a country that I think does
00:26:44
really well with this, is Israel .
00:26:46
Israel has this, you know, obviously this elite cyber force
00:26:48
, blah, blah, blah, and it's specifically built because
00:26:52
they're only conscripted for two years.
00:26:53
It's specifically built to get them as smart as they can
00:26:57
possibly be, and then when they get shit out of the military,
00:27:02
they have all these entrepreneurial resources and
00:27:06
the government helps them fundraise and all these kinds of
00:27:08
things.
00:27:09
And so, as a result, Israel's startup market, especially in
00:27:13
cyber, like it's really the only competitor, at least in the
00:27:17
cyber startup landscape in the world at least I'm concerned
00:27:21
about with like patent infringement, that kind of shit,
00:27:23
but just an amazing, amazing program.
00:27:30
And if the US government had this similar kind of program
00:27:34
with computer science and cyber and all this thing, like it
00:27:39
would drive, I think, innovation in the US even harder than it
00:27:45
already is.
00:27:48
Speaker 1: Yeah, that's a really good point.
00:27:49
You know, I actually I have on quite a few people from you know
00:27:54
Israel that have founded companies and every single one
00:27:57
of them have the same story.
00:27:58
Like I did this really cool thing for Israel's military, the
00:28:03
IDF, whatever it might be right , and now we're starting this
00:28:08
really cool company of doing this legacy thing like I don't
00:28:14
know vulnerability management or application security, whatever
00:28:17
it might be.
00:28:18
We're doing it differently than what everyone else is doing.
00:28:21
They've learned those skills over there.
00:28:24
They've learned those skills you know from their government
00:28:28
teaching them.
00:28:28
That's really interesting.
00:28:30
What you said that they even help them get funding right,
00:28:36
like that's like so abnormal right From anything that you
00:28:40
would hear about in America because, from what I understand,
00:28:44
once you're out you're out it's like you're dead to them.
00:28:48
They don't know you anymore.
00:28:50
You know it's like they don't want to deal with you.
00:28:53
Speaker 2: It depends on how valuable your knowledge is.
00:28:55
Speaker 1: But yeah, in general, yes, that's good, yeah, you
00:28:58
know like you really get cut off and so like that avenue of
00:29:04
still progressing and pushing forward in those areas are, I
00:29:09
guess, that kind of limited?
00:29:10
Was that your experience too, or maybe not so much?
00:29:16
Speaker 2: I mean I never had the.
00:29:18
I mean I kind of like dashed out the door there, right, and I
00:29:21
never looked back, and so I don't really have any.
00:29:25
Now I know, if I call you, know anyone that's still there, or
00:29:29
even those that have contacts to those that are still there,
00:29:32
like I could get through the process again in a heartbeat.
00:29:35
I know that, no doubt, and so I think that there's like, I
00:29:41
think there's again the skill set is really important.
00:29:43
How you left is really important, like I didn't leave
00:29:45
on bad terms, I just left because the opportunity was
00:29:49
greater on the outside, and so, yeah, I think that the
00:29:54
government could do more.
00:30:01
Our government could do more to entice on entrepreneurship and
00:30:05
that kind of stuff, especially in these kinds of programs,
00:30:08
especially coming out of the military right, like there's
00:30:12
stuff that the cyber operators in the armed forces of the US
00:30:15
can do that civilians just can't , based on our laws, and so
00:30:20
there's some really cool shit, and this is exactly what these
00:30:25
really military cyber operators are doing is they're learning
00:30:29
all these really cool tactics and they're taking the ones that
00:30:32
aren't national secrets and applying them to defense
00:30:35
mechanisms in these new vendors, or even I mean, they're all
00:30:39
defense mechanisms right, but taking potentially interesting
00:30:44
attack vectors or attack operations and morphing them
00:30:49
into more of a blue team type of so yeah, I think I like I have
00:30:54
nothing bad to say about my time at the agency other than they
00:30:59
could have paid me more.
00:31:01
But shit, anywhere you go, like that's kind of the sentiment I'd
00:31:04
be, like I don't know anybody that's like, oh yeah, like I'm
00:31:07
cool with this If you don't have to give me more money.
00:31:09
I think everyone would take a pay increase, regardless of what
00:31:12
they make.
00:31:13
Speaker 1: Right, right.
00:31:14
You're never going to, you're never going to turn that down.
00:31:16
I mean, most of us have significant others that'll,
00:31:19
that'll shoot us if we don't, if we don't take that.
00:31:22
Speaker 2: Right there, or or just my, my nagging desire to
00:31:28
buy more wine.
00:31:31
Speaker 1: Yeah, that's a rabbit hole that we could go down for
00:31:33
easily another hour.
00:31:34
You know I fairly recently, in the last couple of years, I
00:31:38
started going down the whiskey rabbit hole, oh yeah, where you
00:31:42
know.
00:31:42
Now I'm at the point where the whiskies that I want you can't
00:31:47
find it, you know, in the States , because it's made.
00:31:51
It's made here but it's sold at other countries to Japan.
00:31:55
So it's like OK, I have to go register for this auction and
00:31:59
get for it, and you know it's a rabbit hole that that I mean.
00:32:05
I guess I'm overall happy I went down.
00:32:08
I'm sure my wife isn't, you're right.
00:32:13
Speaker 2: So you're admitting that you're a tater.
00:32:16
Speaker 1: I mean, I guess.
00:32:22
Speaker 2: Yeah, I couldn't.
00:32:23
I couldn't deal with with the tatering for the, the
00:32:27
listenership that doesn't tater.
00:32:28
Is this, these, those that chase these, these super
00:32:32
sensationalized bottles of whiskey?
00:32:34
But what I found is that if you join there's there's a bunch of
00:32:39
like private barrel programs.
00:32:40
One of my favorites is our, our bourbon on Reddit, and they
00:32:46
have fantastic bottles.
00:32:47
It's run.
00:32:48
Can you remember this dude's name?
00:32:50
But his handle is J8KE.
00:32:52
I assume it's pronounced Jake, that's how I read it every time
00:32:56
I get an email from him.
00:32:57
But it's a fantastic program and I've gotten amazing bottles
00:33:01
from it.
00:33:01
Whistle pig, penelope barrel but yeah, I can talk about
00:33:07
whiskey forever.
00:33:08
Tequila wine.
00:33:09
I'm just, I suppose, like an alcoholic is part of part of the
00:33:14
, the nature of being an IT and cyber, I think.
00:33:18
Speaker 1: Drinking coffee is real.
00:33:19
Yeah, it's.
00:33:21
I mean, at a lot of places it's even like encouraged.
00:33:24
You know, like I remember my first big role.
00:33:29
I was working, you know, at a credit bureau and the director,
00:33:35
you know, once or twice a week, would invite everyone to go to
00:33:39
the bar with him and he would pay for everything.
00:33:42
Whatever you want to get, just go get it.
00:33:44
You know, yeah, and it's like man, this is, I mean, this is a
00:33:47
lot of fun, but what's the lasting impact?
00:33:52
Because, you know, now I'm expected to show up tomorrow on
00:33:55
time, which I always did.
00:33:57
But man, it's a different ball game when you've been out all
00:34:00
night drinking with your director and you know handling
00:34:03
it like that.
00:34:04
Speaker 2: But the other thing is like you're expected to go
00:34:07
right.
00:34:08
If not, then you're seeing, you know, be made a pro and all
00:34:11
this kind of thing.
00:34:11
And so what I?
00:34:11
What I felt, like what we tried to do at Track and what you
00:34:15
know I've granted, our team is small and I think we do that
00:34:17
fairly successfully is, you know , we do, we do team things that
00:34:21
are fairly inclusive, especially for those that don't drink, and
00:34:24
I'm I'm very happy that this kind of mocktail culture has
00:34:30
started to make its way into mainstream.
00:34:33
And I don't think we've been.
00:34:33
You know, I fly the team out to a city every every six months
00:34:39
so we can do in person things because we're completely remote,
00:34:41
but I don't think we've been to a place that doesn't have
00:34:44
mocktails, and so even even we're going to New Orleans in a
00:34:48
couple of weeks for our end of year planning sessions and look
00:34:50
back, and every place we go to, even even in the drinking
00:34:54
culture that is New Orleans, there are mocktails for the team
00:34:58
members that don't drink.
00:34:59
So it's it.
00:35:03
There are plenty of plenty of opportunities.
00:35:05
Where I can, I can see organizations that don't have
00:35:07
these kinds of inclusive events, and so, yeah, we try to be
00:35:16
mindful about that at Track and I, you know, implore everybody
00:35:20
to.
00:35:21
Speaker 1: Yeah, absolutely so, you know, let's let's talk about
00:35:26
what it's like, I guess, founding the startup and going
00:35:30
through that whole process.
00:35:32
You know, I have a friend that I worked for earlier on in my
00:35:35
career.
00:35:36
Now he's a CEO of a company and he said the the biggest
00:35:41
difference between, you know, his last role, that I that I
00:35:44
knew him from in his current role, is that if there's
00:35:47
something wrong with the company , something wrong with the
00:35:49
culture, whatever it might be, he used to be able to just point
00:35:54
the finger, you know, at the CEO, be like hey, it's that
00:35:59
guy's the problem.
00:36:00
You know, he has to do something, I can't do anything.
00:36:03
But now he's like no, the finger, like I can't point it at
00:36:07
my board, it's me, you know, I'm the one where, if I wake up
00:36:11
one day and I make a bad decision, you know I'm the one
00:36:15
that has to correct that.
00:36:16
You know, it's no one else's job to do that.
00:36:18
So can we just talk a little bit about that change, because I
00:36:23
would think that that that change, that switch and
00:36:27
mentality, you know, didn't happen overnight.
00:36:29
But can we talk about how you, you know, went down this path of
00:36:33
being a founder of a startup and you know what you're doing
00:36:36
and whatnot.
00:36:38
Speaker 2: Yeah, I think the mentality of ownership,
00:36:40
regardless of the scenario, happened far before I became a
00:36:45
founder, and I think that if it hadn't, I would have certainly
00:36:47
failed.
00:36:48
I I'm certainly not a natural empath and anyone that knows me,
00:36:55
even for you, know 10 minutes or so.
00:36:57
We'll tell you that this, that they concur, and so I've spent a
00:37:00
lot of time putting a lot of effort into being good at being
00:37:06
human, is what I call it, and and one of the books that that I
00:37:12
read, that change that had the.
00:37:14
It certainly had the largest impact, and I, you know, I read
00:37:16
it at least once a year is called Leadership and Self
00:37:19
Deception by the Arbanger Institute, and it's absolutely
00:37:22
fantastic.
00:37:22
Essentially, the plot is that, or the focus of the book is that
00:37:25
you should be treating people like people that have wants and
00:37:31
feelings just like yours, as opposed to objects and hurdles
00:37:34
that need to be bulldozed in order to achieve your goals.
00:37:38
And, of course, I'm butchering it and I implore you also read
00:37:42
it.
00:37:42
It's only 400 pages, is a very quick read and it's written as
00:37:48
fiction, so it's really interesting.
00:37:49
So so, yeah, I think that your, your friend, is spot on.
00:37:55
There's if anything goes wrong in the company is my fault and I
00:37:58
truly believe that it's not just, you know, just conjecture
00:38:03
and lip service.
00:38:05
I think I believe that my team would, would echo that and and.
00:38:11
But I think you truly have to believe this thing, otherwise it
00:38:14
is just lip service and you, you foster this culture of of
00:38:17
hate and discontent and all these kinds of things.
00:38:22
And so founding founding tract was you know what my last start?
00:38:27
I've got acquired.
00:38:28
A last start I worked at was my startup got acquired by a large
00:38:33
security company.
00:38:34
And because you know this problem, that we're solving a
00:38:36
track, that I've been dealing with it for over a decade and
00:38:39
finally I just like the reason I started track was rage.
00:38:41
I was like this this problem is so inordinately difficult and
00:38:43
frustrating and disruptive that, like I just have to, I just
00:38:49
have to solve it like it's solvable, I just have to solve
00:38:56
it and never look back like that .
00:39:00
This I tell people that this is the best job I've ever had and
00:39:04
the day, if ever, the day, I was in the, the day, if ever the
00:39:12
day comes that I have to, that I'm not tracked anymore and I
00:39:17
have to get a real job.
00:39:18
I call it a real job because then you have like things, like
00:39:21
people that you have to answer to Bullshit, that you like it's
00:39:25
not your baby anymore.
00:39:26
That that's what really keeps me driving forward right.
00:39:31
Like one, I never want a real job again.
00:39:33
And two, like the team that we have is just the absolute best
00:39:38
team I've ever worked with.
00:39:39
And and, yeah, I get to be the dumb guy again, which is, which
00:39:43
is fantastic.
00:39:44
So, yeah, I there are a handful of these, these like CEO
00:39:51
founder Groups that you go to in this, I'll describe a founder
00:39:55
being a founder in one word, and I'll be was a responsibility
00:39:58
and or a couple words right, responsibility and leadership
00:40:03
and all this kind of bullshit.
00:40:04
And when, when it came to me, I was just like it's fucking
00:40:06
awesome, that's job ever like, just fucking awesome.
00:40:11
Speaker 1: Yeah, that's, um, it's, it's a, it's a different
00:40:15
kind of mentality, I guess.
00:40:17
Right, because if it's gonna succeed, it's on you and if it
00:40:21
fails it's on you and you know, for, from my perspective, right
00:40:25
and I've talked about this before Having a family and going
00:40:30
from a nine to five to doing your own thing is Maybe the most
00:40:35
like scary thing I could think of, right and and uh, because,
00:40:42
like you, there's no room for error, there's no room for
00:40:45
messing up or not working hard, not succeeding.
00:40:48
You know all those things Matter and they just don't.
00:40:52
They just don't randomly happen , right, they happen over years
00:40:58
of extremely hard work and dedication, and and always, you
00:41:03
know fine tuning, you know even the smallest things, so that
00:41:06
they, they come together and work correctly, right, so what,
00:41:11
what?
00:41:11
What's the solution, that that you have built currently, and
00:41:15
what's the problem that you're trying to solve with your
00:41:17
company?
00:41:18
Speaker 2: Yeah, great question.
00:41:19
Uh, so so what we found is that most people, when they're going
00:41:23
to fix their software vulnerabilities, are crossing
00:41:25
their fingers, hoping patches won't break their shit.
00:41:27
And so we built the platform that not only unifies
00:41:31
vulnerability management and patch management.
00:41:32
Essentially, this dichotomy that's been this false dichotomy
00:41:36
that's been perpetuated in the workplace, where security is
00:41:38
only does security things and it only does it Things, and they
00:41:41
throw each shit over the wall and under the bus and that's
00:41:43
kind of shit.
00:41:43
In addition to building this unified platform to do both, we
00:41:49
we also let you know how patches have broken other people's shit
00:41:52
before you apply it to yours.
00:41:54
Speaker 1: We do this for outsourcing.
00:41:55
Speaker 2: We're able to collect telemetry on how patches break,
00:41:57
break other systems or how they're, how they're affecting
00:42:00
Other systems as we install them , and then we anonymize and
00:42:02
share it with everybody else in real time.
00:42:03
So, come patch Tuesday or whatever, you can see, oh, four
00:42:07
people have applied this patch.
00:42:07
We haven't detected an issue that no one's reported.
00:42:10
One, oh four hundred, oh four thousand, oh, four million.
00:42:13
Right, we're not there yet, but that's the idea.
00:42:16
Is this, uh, you know, collective defense idea, which
00:42:20
Isn't, isn't?
00:42:21
Uh, obviously it's not new, right, this is a NATO term.
00:42:23
But also the first startup I worked at called ironet cyber
00:42:24
security, which unfortunately just declare bankruptcy, founded
00:42:30
by jennel key, philax, and or was was really this eye opener?
00:42:33
A fantastic idea of like you can't Like.
00:42:35
This is a cliche, cliche thing to say.
00:42:38
Like the, the defenders have to be right every time.
00:42:43
The bad guys only have to be right once and it's it's.
00:42:44
It's not reasonable to expect One company to defend against
00:42:49
all the things and I need to argue like one particular tool
00:42:56
Used by everybody sharing all this intelligence.
00:42:57
Still not reasonable to expect everybody to be right 100% of
00:43:01
the time, but it's as close as we can get to to Perfection, and
00:43:07
that's, you know, crowd sourcing, data working together,
00:43:10
blah, blah, blah.
00:43:14
And and I think the best, best, what's the word I'm looking for?
00:43:22
Example of how this works or or how it's been useful is General
00:43:30
McChrystal's book called team of teams.
00:43:32
What an amazing.
00:43:34
Essentially details how jsoc was created, I believe, for the
00:43:38
the war event war, the war event war in Afghanistan, getting the
00:43:42
intelligence communities to cooperate, so so we could
00:43:45
actually make a progress there.
00:43:47
An absolute killer of a book, really really well written and
00:43:54
just super interesting, both both from a behavioral science
00:43:57
standpoint, but also like if you're interested in how the
00:44:00
agency is the military, these kinds of things work.
00:44:02
It's really, really cool.
00:44:04
Speaker 1: Oh, wow, I'll have to definitely pick up that book.
00:44:06
I've, uh, I took like a few months hiatus from From reading
00:44:12
books and then we're listening to audiobooks, right like the
00:44:16
the first like six months of the year.
00:44:18
I Just like steamrolled through my book list and now I'm just
00:44:23
like burnt out on books.
00:44:24
But yeah, I'm slowly, you know, ramping back up and looking for
00:44:28
that right book.
00:44:29
So I'll definitely check out those that team of teams book
00:44:32
that you mentioned.
00:44:33
Speaker 2: Yeah, I get it, I, um .
00:44:35
So I, I haven't read anything.
00:44:37
Non, I haven't read anything for for work outside of like
00:44:41
real worship, but for books In in a long time.
00:44:45
I, you know, I, you know, I complain.
00:44:47
I fly all the time, I'm on united all the time and I
00:44:49
complain About wi-fi not being available, but every time it
00:44:52
doesn't work, especially when I'm on a, you know,
00:44:55
coast-to-coast flight across the us, I, I silently cheer because
00:44:59
I can actually read.
00:45:00
Uh, and I've, you know, been reading fan fantasy novels.
00:45:03
Is this kind of way for me to want?
00:45:05
I just love fantasy, but it's a great way to just kind of like
00:45:08
decompress and Recharge.
00:45:11
And so, yeah, I haven't, really I haven't read a business book
00:45:14
or like a how to be, like how to be good at being human book,
00:45:17
and in a long time it's all about, you know, shooting
00:45:20
fireballs out of fingers and dragons and all that kind of
00:45:23
shit.
00:45:23
So, yeah, I, but I, but I get it.
00:45:26
It if you, if you don't pace yourself, it's hard, it's hard,
00:45:30
it's a lot of, you know, reading these kinds of books is
00:45:33
draining, but, um, sometimes at the same time, really exciting.
00:45:37
Speaker 1: Yeah, yeah, that's uh , that's a good way of putting
00:45:41
it.
00:45:41
It can be really draining and exciting all at the same time, I
00:45:44
guess.
00:45:45
Um, so, with with what you're doing right now, that's really
00:45:51
interesting.
00:45:51
I wonder if there's a way for you to somehow plug into, you
00:45:57
know, like the, the error feeds of different systems, whether or
00:46:01
not someone's a you know a customer of yours, right, like,
00:46:05
let's say, someone you know deploys a patch on patch Tuesday
00:46:08
for Microsoft, and you just see the error report like, oh,
00:46:11
someone you know had an issue with this thing, right, um, is
00:46:16
there, is there an avenue for that?
00:46:18
Is there a way that you're, you know, potentially exploring,
00:46:23
gaining new intelligence or you know stats around those sorts of
00:46:27
things, or is it?
00:46:29
Is it strictly you know, more open source or through your own
00:46:33
customer base?
00:46:34
I guess?
00:46:35
Speaker 2: Yeah, right now it's just through our customer base,
00:46:36
and we're looking to build this, this open community, uh, to
00:46:40
help operators understand, like, essentially, what we call, what
00:46:43
I call operational risk.
00:46:45
Right, like I, you know, I'll set this, I say this all the
00:46:47
time.
00:46:47
It's like security is not free, and I'm not talking about cash,
00:46:50
right, there's operational risk associated with implementing
00:46:53
security controls and, at at best, the security people are
00:46:57
just ignorant to it.
00:46:57
At worst, they're, they just don't care and and so you know,
00:47:03
today, the way that we, we operators, reason about, like,
00:47:06
is this patch going to break my shit?
00:47:08
As we go on the red day, we go to twitter, we, you know, go
00:47:10
down these websites, um, and and pray, and so what we, what
00:47:17
we've built, attract is is this idea that you can see how many
00:47:21
people have installed this thing , how many, how, what's the
00:47:24
percentage of failure rate globally across our install base
00:47:27
?
00:47:27
Um, we're working on a what I call similarity analytic, which
00:47:31
essentially shows, like, how close to how similar is your
00:47:34
shit to my shit?
00:47:34
And did it break that stuff?
00:47:36
And and over time, we want to, we want to build that and expand
00:47:41
that, uh, and so we have.
00:47:42
You know it, uh, uh, currently, the platform is entirely free,
00:47:47
um, but one of the things that's great about our platform is
00:47:49
that, uh, finding and fixing your vulnerabilities across all
00:47:52
of your operating systems.
00:47:53
We'll always be free, uh, and we support every major operating
00:47:56
system except for mac os.
00:47:57
Mac os will come live and into one of next year, um, but, but
00:48:01
it's.
00:48:01
It's why we've had so much success, I think, in our early
00:48:04
adoption, even though our product is is generally fairly
00:48:07
infantile and it's in its development stage.
00:48:09
We've been in market for about six months with our, with, um,
00:48:13
what we call a private beta, but it's, it's.
00:48:14
It's fairly uh, uh, it's certainly stable, but there's of
00:48:19
course, always improvements, um , but, but yeah, you can.
00:48:23
Anyone can log in, go, you know , trackcom, sign up.
00:48:26
All you need is a business email address and if you want to
00:48:30
use it on your personal lab, just reach out to me like a
00:48:32
trackcom and I can set you up an account.
00:48:34
Uh, uh, that gets past the, the business filter.
00:48:39
Speaker 1: Yeah, that is.
00:48:39
That's really fascinating because, you know, I literally
00:48:44
earlier today I got off a call of someone arguing with me that
00:48:50
all, all of our applications are so extremely unique that we
00:48:54
can't group these things together in configurations.
00:48:57
I'm like guys.
00:48:59
Doesn't make any sense Like that.
00:49:03
We're using open source libraries, right, like we might
00:49:07
be deploying them differently, but but we're not rewriting Java
00:49:11
.
00:49:11
Speaker 2: Yeah, unlikely, like people say this all the time is
00:49:14
like you may have one or two arbitrarily compiled uh
00:49:17
executables on your endpoint, but Over 99 of your, your system
00:49:21
is fucking Linux.
00:49:23
Right, it's rail, or it's maybe in, whatever is running a Linux
00:49:25
kernel, or it's just, or its windows, uh, but it's 99 the
00:49:30
same.
00:49:30
And so the the thing that you're afraid of, like now, if
00:49:35
you're like afraid of Upgrading from, like, java 5 to Java 9.
00:49:38
Okay, that's kind of scary, I'll give you that.
00:49:40
But but keeping up with minor updates, like we've, we've
00:49:44
deployed about 2000 patches now across all of our agent installs
00:49:48
and not a single one has caused a single disruption.
00:49:51
This includes five patch Tuesdays now, um, sorry, april,
00:49:57
may, june, july, august, seven, seven patch Tuesdays, and not a
00:50:03
single one has broken.
00:50:04
Now We've had some failures, um , and we've, you know, been able
00:50:07
to to deal with those, but failures that didn't, they
00:50:09
didn't cause any disruptions, uh , which is a big deal, um, and
00:50:14
so, you know, I, my, my, my mantra is you know, less than
00:50:18
two percent of patches Ever fail , and this is uh fueled by an
00:50:23
independent study, um, our private study, and but but
00:50:28
people aren't really going to play restaurant, let with their
00:50:31
um with their critical infrastructure.
00:50:32
But, um, even when it does cause failures, uh, the the reduction
00:50:39
in cyber risk, even doing so blindly, is far greater than the
00:50:44
operational risk.
00:50:45
But at the end of the day, operators, you're asking them to
00:50:50
risk impacting their lives, right?
00:50:51
Maybe they got a Tinder date or a daughter's recital or a
00:50:54
dinner, you know?
00:50:55
Whatever the hell they have, book club, whatever it is, like
00:50:58
a wine tasting, for example.
00:50:59
Like, if you're going to patch today or patch next week because
00:51:04
your life's potentially going to be impacted, like I'm pushing
00:51:07
, I'm not, I'm not board of directors, I'm not the CEO to
00:51:10
your, to your earlier point, right?
00:51:11
Like I'll get paid to worry about that shit.
00:51:13
I got my life to live and so that's what we're trying to
00:51:17
solve for is, you know, giving people confidence and being able
00:51:20
to quantify what, what their fear actually is in these things
00:51:26
and and declare what safety is in a certain, in a handful of
00:51:31
types of thresholds, so that they can actually auto patch,
00:51:33
but in a way that's safe and compliant with their
00:51:37
organization but, most importantly, the operators'
00:51:38
lives.
00:51:39
Speaker 1: Hmm, yeah, that that definitely really hits home.
00:51:43
When I was working out of another company many years ago,
00:51:48
when I lost all my hair, you know if we, if we, had to deploy
00:51:54
a patch on a certain system, it was like, okay, you know, let
00:52:00
me cancel plans for the weekend.
00:52:02
Yep, you know who's on call, make sure that the right
00:52:05
person's on call Like there was so much worry and that would be
00:52:10
all that I would think about for two or three weeks.
00:52:12
Yep, you know, and it sounds dumb, but these updates would
00:52:17
break our system in so many different, seemingly random ways
00:52:21
and the vendor would never tell us if there was other reports
00:52:25
of this issue.
00:52:25
Yeah, and there was other issues in other customers.
00:52:29
It's like, guys, if I need to deploy a hot fix after I deploy
00:52:32
this update, just tell me.
00:52:34
I'm more than happy to deploy it because I don't want any
00:52:37
issues.
00:52:38
You know, at 2am, 3am, waking me up, that's what I'm going to
00:52:42
be mad, you know.
00:52:43
And of course they would never tell me and of course it would
00:52:47
always happen, like almost every single time.
00:52:49
That was the most, that was the most painful thing you could
00:52:52
ever go through as an engineer, as an operator, you know, going
00:52:55
through this yeah, now, don't get me wrong in the early 2000s
00:52:59
and late 90s, like shiprock all the time.
00:53:02
Speaker 2: And so this is where all that fear is steeped in, and
00:53:04
what's really interesting and this kind of goes into my
00:53:07
interest in human behaviors is that it's non-generational
00:53:12
meaning.
00:53:13
Old folks like you and me have taught Gen Z to be afraid of
00:53:17
patching even though, empirically, the likelihood of
00:53:20
an issue coming up is almost zero, and so it's really really
00:53:24
interesting to understand.
00:53:25
And you know, one of the cool things, one of the things that I
00:53:29
just enjoy doing, is, you know, getting people to change
00:53:34
behavior, which is inordinately difficult, but doing so in a way
00:53:38
that's comfortable enough for them that they're even willing
00:53:40
to try it at all.
00:53:44
Speaker 1: Well, mike, you know, I think we're unfortunately
00:53:48
running out of time here.
00:53:49
I feel like we could go for another hour or two, especially
00:53:52
in the bourbon.
00:53:53
Yeah, absolutely.
00:53:54
Maybe we'll do a part two to this episode.
00:53:57
I think that'll be fun, but we have to have bourbon.
00:53:59
You know something like that.
00:54:01
But you know, before I let you go, how about you tell my
00:54:04
audience, you know where they could find you, where they could
00:54:07
find your company, if they wanted to learn more information
00:54:10
and, you know, maybe sign up, for you know getting their hands
00:54:13
on the solution?
00:54:14
Speaker 2: Yeah, absolutely, you can reach out support at
00:54:16
trackcom and it's spelled T-R-A-C-K-D for your Unix and
00:54:21
Unix nerds it's track D.
00:54:22
For those that are not Unix nerds it's just tracked.
00:54:24
But, mike at trackcom, trackcom slash, sign up whatever you
00:54:29
guys want, linkedin, mike Starr on LinkedIn and the Baldwin that
00:54:33
shows up.
00:54:34
And, yeah, happy to have a conversation either about tract
00:54:38
or anything in general, cyber, computer science, behavioral
00:54:43
things and like how humans behave, wine, whatever it is.
00:54:47
But I'll be warned I can talk at nauseam, so awesome.
00:54:53
Speaker 1: Well, thanks, Mike.
00:54:53
I really appreciate you coming on and I appreciate everyone
00:54:57
listening to this episode.
00:54:58
I hope you enjoyed it.
00:55:00
Speaker 2: Awesome.
00:55:00
Thanks, joe, for having me Appreciate you.
00:55:02
Speaker 1: Absolutely, that was awesome.
00:55:04
Thank you very much.