In the Mind of a Mercenary: A Dive Into Cyber Warfare

1 00:00:00
Speaker 1: Well, chris, you know it's a real pleasure having you

00:00:02
on.

00:00:02
You know, before we dive into the conversation, I got to tell

00:00:06
you right, the first DEF CON I was ever at was the DEF CON that

00:00:12
you spoke at, where you were talking about how to you know,

00:00:16
essentially fraudulently, fraudulently, you know submit

00:00:21
and get someone's death certificate, and that, like I

00:00:25
mean that, that just like opened my mind to this whole world of

00:00:28
like wait a minute, you know the government is still run largely

00:00:32
on paper, right, so how easy is it to do fraudulent things with

00:00:38
, you know, applications, and it just like made me go down a

00:00:42
whole rabbit hole.

00:00:43
So like that was a really fascinating talk that that I

00:00:46
heard you for for my first ever DEF CON.

00:00:50
Speaker 2: I'm glad you got to say it live.

00:00:52
Speaker 1: Yeah, yeah, it was fantastic.

00:00:54
I mean you know from what I remember right, because I was,

00:00:56
you know might have been a few drinks in that day, as one is at

00:01:02
DEF CON and given it was like eight years ago you know at this

00:01:06
point, but you know it was it was fantastic and you know the

00:01:11
humor that you, that you wrap into it is just hilarious with

00:01:16
having Jeff Moss on the death certificate While we're at DEF

00:01:21
CON.

00:01:22
Speaker 2: Yeah, I was like well , I'm at DEF CON and then

00:01:24
everything's up for grabs.

00:01:25
You know it's supposed to be disavowed, so let's put our

00:01:27
money where our mouth is and I'll put the host up to be

00:01:30
killed.

00:01:32
Speaker 1: Yeah, it's fantastic.

00:01:33
Well, chris, you know I start everyone off with telling you

00:01:37
know their story, right, how did you get into security?

00:01:40
How did you, how did you stumble upon it?

00:01:43
You know what piqued your interest, that sorts of things.

00:01:47
Right, Because you know I have an audience that is younger in

00:01:52
their career, that is looking to get into security, or maybe

00:01:56
they just made that jump right and hearing everyone's story

00:02:01
will really add, you know, to their own mentality of thinking

00:02:06
okay, this is possible, this is something that I can potentially

00:02:09
do, you know, and just helps them along the way.

00:02:12
Speaker 2: Yeah.

00:02:13
So for your new listeners, I just let let's let them know

00:02:16
there's no right, this is not one of those I'm gonna get in

00:02:19
testing in the first three years and I'm gonna do forensics or

00:02:22
all of that.

00:02:23
So I've been doing this stuff for 30 something years.

00:02:26
I started essentially as a child.

00:02:28
I was born at the right time, 1973, like probably, you know,

00:02:32
eight years before computers became, I would say, mainstream.

00:02:34
But so I found something before that.

00:02:38
It was, you know I'm obsessed about things like train sets and

00:02:42
you know nerd stuff like that.

00:02:43
And when computers came along, we're shocked when I sold my

00:02:47
train set to get my first computer.

00:02:49
So I was essentially, you put, an obsessive kid whether you

00:02:54
call it autistic or asparagus or anything that's neurodivergent

00:02:57
put somebody in front of a computer and they're at home.

00:02:59
They love spending time in front of the computer.

00:03:01
So I essentially spent my life in front of a computer.

00:03:05
You know we're talking, you know, before the modem days and

00:03:08
the modem days and then the internet.

00:03:10
So in terms of career, I went to university to do comp science,

00:03:14
because that's what you did when it turned 18.

00:03:16
And I found out because it was boring, I hated coding.

00:03:20
And then the following year I thought I'll do it, I'll try

00:03:23
again.

00:03:23
So I went to university college again, like that.

00:03:27
Again I thought, oh shit, I really should buckle down.

00:03:29
But I don't like university.

00:03:31
I thought it was boring.

00:03:32
The stuff that I've been doing pre uni, I'm new all this sort

00:03:35
of stuff about you know CPU, cpu architecture and stuff like

00:03:39
that.

00:03:39
I just hated coding.

00:03:40
I just thought it was boring.

00:03:41
And then I tried again the third time and fail again In

00:03:45
first semester and so, man, this is not for me.

00:03:47
And then I went straight to the workforce.

00:03:49
I got a job at a university just doing it.

00:03:51
I did help desk, help desk for a year and a half.

00:03:53
That was a shit job.

00:03:54
But then I started to learn the systems at the university,

00:03:57
things like those days we're talking about Unix and Vax and

00:04:01
you know sun systems and you know PC and FS and cat five and

00:04:05
coaxon ones and stuff.

00:04:06
And then after that I then got a job at a bank and, just to

00:04:11
make sure your list is like a two board, I spent 10 years

00:04:14
doing IT and then IT security in four different banks.

00:04:18
So then you get to learn how systems really plug and how

00:04:22
things are important.

00:04:23
You know check clearing times and and in England, really good

00:04:27
practices.

00:04:27
Working in a bank.

00:04:28
My dad always said make sure you get a job at a bank because

00:04:32
they sell money.

00:04:32
Don't work at someone that sells like the cells and sorry

00:04:35
for anyone working targets, selling underwear and stuff like

00:04:38
that, because you always have money at a bank.

00:04:40
And then after that I saw some pen testers coming into the bank

00:04:45
.

00:04:45
So this is what I was in my late 20s, coming to the back and

00:04:48
doing a pen test and I noticed that they're relying on tools

00:04:52
such as back then or things like Nessus and stuff like that, and

00:04:55
your listeners will know when you're doing a pen test it

00:04:57
relies on banner information that comes back from a host your

00:05:00
windows hosts then try these exploits, or your Sunhives.

00:05:04
So I used to screw with them and then changed all the host

00:05:06
banner information and all the port numbers so they couldn't

00:05:09
find the ports using standard tools and be able to change the

00:05:12
banner.

00:05:12
So instead of a you know if they're hitting a Sun system I

00:05:15
changed the banner you know the enumeration to a Windows server

00:05:18
and watch them then file and then watching them file and then

00:05:22
having to resort to manual tools, which they didn't have

00:05:24
any skills doing it.

00:05:25
So back then these were the big auditing firms, you know the EYK

00:05:28
, pmg, stuff like that, doing pen tests as a side key for

00:05:34
their key function, which is auditing.

00:05:36
And then I then said, shit, there's a, there's a market here

00:05:38
for pen testing.

00:05:39
So I then went and set up my own company and then started

00:05:42
doing pen testing and then picked up some big clients

00:05:45
really quick because I mean I've been doing this, you know, at

00:05:48
that stage for your 10 plus years and I found it really easy

00:05:51
.

00:05:51
So, you know, pick up clients like American Express and stuff

00:05:54
like that went around the world and spent a long time in the

00:05:56
Middle East.

00:05:57
And then, the latter part of my career, just to speed up 10

00:06:00
years, I had a client of mine who I did a pen test for and

00:06:04
we'd been, we'd been in the environment for maybe a month or

00:06:07
so, and they had no idea where in the environment.

00:06:09
They said, look, what tools are out there to detect hackers once

00:06:13
they're inside?

00:06:13
I said, well, you know, you need things like idiar and same

00:06:15
and all that stuff.

00:06:16
So I've got them in touch with Splunk.

00:06:18
They got a quote for Splunk which was like million bucks

00:06:20
plus and they said, well, we can't afford that.

00:06:22
So what else is there out there ?

00:06:24
And we said, well, you could go the open source route.

00:06:27
And you know, at that time there was elk elastic search.

00:06:30
They said, well, we don't really have the skills that.

00:06:32
Can you build this, an elk platform?

00:06:34
We said, look, look, we don't do it.

00:06:36
We're pen testers.

00:06:36
We don't really do that, but if you sponsor us the word sponsor

00:06:39
as in pay we'll have a look at, you know, putting our elk

00:06:42
solution in for you.

00:06:43
And that was essentially day one of Seam Monster.

00:06:46
And you know, since 2015, I've been working on a company called

00:06:49
Seam Monster, co-teller and CISO, where we build Seam

00:06:52
solutions for companies using open source tech so they can

00:06:55
detect breaches within an end network, using what the

00:06:58
experiment we've had and testing some of that.

00:07:02
Speaker 1: Wow, that is that.

00:07:05
That's really fascinating and there's a lot to unpack there.

00:07:09
So you know, I've spent quite a few years in the financial

00:07:15
industry myself and it seems like it's always just so much

00:07:21
easier to go from one financial company to another, whether it

00:07:25
be a bank or you know even the Federal Reserve, right or other.

00:07:30
You know credit companies, mortgage companies if it deals

00:07:34
with you know money.

00:07:36
In that way, it's very easy to just get that jump.

00:07:39
Is that something that you experienced then as well?

00:07:43
Or is this kind of something that was brand new, where if

00:07:47
more of if you just had the technical skill set, you know,

00:07:50
they would take you?

00:07:52
Speaker 2: So for me, once in the banks, once you work in a

00:07:54
bank, it's easy to move to a bank in terms of employment

00:07:57
history.

00:07:57
You know he worked at the Australia's biggest banks, so

00:08:00
working for Australia's second biggest bank, that's really easy

00:08:02
.

00:08:02
But I found that internally it was pretty much the same stuff.

00:08:05
You know that they might be using different systems,

00:08:07
different architecture, but again they have a you know a lot

00:08:10
of risks and your job is to minimize those risks and you

00:08:14
know so.

00:08:14
You essentially come in as a white knight and, to be honest,

00:08:17
when I go into a company, I like if they've got, say, 70, you

00:08:20
know issues that need to be rectified and I can get that

00:08:23
down to a low number of two or five.

00:08:25
My job is done.

00:08:26
I don't think, hang around, I don't like doing you know, I'm

00:08:29
not gonna say with blue tea I don't like just hanging around

00:08:32
doing status bar.

00:08:33
I prefer to do something new.

00:08:34
At that stage I get bored.

00:08:36
Speaker 1: Hmm, yeah, like a lot of us in this field, like we

00:08:40
get, we easily get bored and, you know, have to find other

00:08:44
things.

00:08:45
Like when Chris gets Chris Roberts gets bored on an

00:08:48
airplane, he starts doing weird things that get some in trouble.

00:08:53
Right, but you know, I how did you get to the point where you

00:08:58
decided that you wanted to become a DEF CON speaker?

00:09:01
Right, because that's not, at least for me, right, like I

00:09:06
don't want to call it a goal, right, but it would be really

00:09:10
cool if it happened.

00:09:11
But I'm also totally fine if it doesn't happen, right, because

00:09:14
I don't really like speaking a whole lot in front of a whole

00:09:18
bunch of people and I also don't think that I have anything or

00:09:22
know anything of enough value to actually, you know, speak about

00:09:27
, right, at a conference.

00:09:28
Like, that's just me, that's my own personal issues that I have

00:09:32
to work through, I guess with the therapist or something,

00:09:35
right.

00:09:35
But you know how did you, I guess one did you come up with

00:09:39
the idea of I want to be a speaker at DEF CON first and

00:09:43
then find something to talk about?

00:09:44
Or did you stumble upon your death certificate, vulnerability

00:09:48
, so to speak?

00:09:49
And then you're like, oh, I should tell people about this at

00:09:52
DEF CON.

00:09:53
Speaker 2: Yeah, so great questions, by the way, so it's

00:09:56
actually the first one.

00:09:57
So I went to DEF CON 22 and thought I actually might have

00:10:01
been 21,.

00:10:02
But this is awesome, def CON, this is finally found my people

00:10:06
and then I, at that stage the thought of talking at that stage

00:10:11
so I can do a talk, didn't have anything to talk about.

00:10:13
So I thought, yeah, I could do a talk.

00:10:16
And then it just went away out of my mind and that's completely

00:10:18
fine.

00:10:19
And coming back to what you said, is the talk then came to

00:10:22
me.

00:10:23
You're, you're like me that you'll probably study a topic to

00:10:26
death and you'll know it in several hours.

00:10:29
I don't like public speaking either, like I.

00:10:30
You know I may be good as a public speaker or averages of

00:10:34
public speaking, but I see I don't like it.

00:10:37
I prefer to do not public speaking.

00:10:38
It don't make sense.

00:10:40
So for me, I just let and I sound as really weird, but I let

00:10:42
my subconscious do the talking for me.

00:10:44
So the ideas come to me.

00:10:47
You know when you have that idea of moment and that's just

00:10:50
subconscious saying, you know that's an idea.

00:10:52
So I stop reading.

00:10:54
If that makes sense, I let myself just relax, get all the

00:10:58
shit out of my brain, get Twitter out of my brain, get

00:11:00
infos, get everything out of my brain and just relax, whether

00:11:03
that the meditation, walking, you know, in the bush or through

00:11:07
a forest or whatever like that, or just shut the hell up for

00:11:09
five minutes and then, and then things will come to you.

00:11:12
You know that your inner, inner voice will come out, great idea

00:11:16
.

00:11:16
And then then you then get your conscious mind around that

00:11:19
topic.

00:11:20
So for me it was just.

00:11:21
I think I was watching some TV and I noticed a news article

00:11:24
that you know, someone had accidentally a Melbourne

00:11:26
hospital had accidentally killed 200 people.

00:11:28
Oh, that's pretty weird.

00:11:30
How the hell did that happen?

00:11:31
Then, you know, you start to, as I said, you let yourself

00:11:35
conscious to the thinking for you and think you know, how does

00:11:38
that possibly happen in this day and age?

00:11:40
And then, and then you apply your conscious thought.

00:11:42
So then you start researching the hell about it, which is what

00:11:44
our skill set is.

00:11:45
We research the hell out of the topic.

00:11:46
I spoke to doctors, funeral directors, you know, probate

00:11:50
people the whole world to study the hell out of it.

00:11:53
And then that became the talk topic and then obviously it's a

00:11:55
bit of a death con and got accepted.

00:11:57
But that's, that's the path.

00:11:58
I just I try to relax, Don't think.

00:12:00
If you try to think I need to do a death con, I need to do a

00:12:03
death con talk, it doesn't well, it may work for some people

00:12:05
because they're only doing research in that, but for me it

00:12:08
doesn't work that way.

00:12:09
And the same thing happened in my second talk, I think my wife

00:12:12
said to me oh, you need to do another death con talk after the

00:12:14
, after the first one.

00:12:15
And I said to her it doesn't work like that.

00:12:17
You can't just come up with a death con talk.

00:12:19
So I was falling asleep you know that love of sleep, just

00:12:21
before you fall asleep, and then I had a great idea and it just

00:12:24
popped into my head this, you know, when you said that

00:12:27
subconscious quiet moment, and I thought that's the topic.

00:12:29
So then went to bed, got up and then conscious thought comes in

00:12:32
your recess.

00:12:33
The hell out of it for a few years.

00:12:40
Speaker 1: That's what you kind of dive into a couple different

00:12:44
areas there, right?

00:12:45
Because what you're describing, to me at least, sounds like

00:12:51
kind of like a mental health practice, almost right, of

00:12:54
shutting off your mind, shutting off distractions and kind of

00:12:59
just letting your mind, I guess, kind of reset.

00:13:03
That's how I view it, that's how I feel that it works for me,

00:13:07
right?

00:13:08
Do you ever, of curiosity, do you ever do like float sessions

00:13:13
or anything like that with sensory deprivation tanks?

00:13:16
I've done that before and it really helps me like reset my

00:13:20
brain, if that makes any sort of sense, which, like, I actually

00:13:26
have to go do it here pretty soon because it just helps you

00:13:31
out so much.

00:13:31
Right, is that something that you've tried?

00:13:35
Speaker 2: I haven't done that deprivation one.

00:13:37
I'm definitely interested in doing that, but for me it's just

00:13:40
that meditation, and I'm talking about the whole under a

00:13:44
tree stuff, but that whole, you know, they take focus on your

00:13:47
breathing, focus on your breathing, but as soon as you're

00:13:49
thinking, focus on your breathing, that's your conscious

00:13:51
thought.

00:13:51
I need to get to that subconscious where you're not

00:13:55
actually, you're not thinking of anything, and that's when stuff

00:13:58
comes to you and to me.

00:13:59
The best ideas have always come from that subconscious.

00:14:02
And just to give you an idea, our conscious.

00:14:04
You know, when you're observing something, you and I are talking

00:14:06
now and we're actually observing information.

00:14:08
You know our conscious thought absorbs.

00:14:11
I'll just give you a number, but let's say you know 1000 bits

00:14:14
per second, but our subconscious thought brings in,

00:14:16
you know, 500 bits per second.

00:14:18
So our subconscious stuff that we're observing outside, that we

00:14:21
consciously don't think about, which we can't, we can't

00:14:24
actually bring up because it's subconscious, we don't know

00:14:27
about it, we can't actually bring up to the front of mind.

00:14:30
That sort of stuff just stays hidden until you tap into it and

00:14:33
then you can draw a prominent information.

00:14:36
And that's why hypnosis is good.

00:14:37
Deprivation, meditation, all that stuff brings all the

00:14:41
awesome stuff to life and that's why you know you've got

00:14:44
songwriters or a writer, a book writer, who have mental blocks,

00:14:48
who just carry around a note pad , and if they're driving a car

00:14:51
doing something boring, and that's when the ideas come to

00:14:54
them in their head, not one they're trying to.

00:14:56
You know research, twitter or read, you know the articles.

00:14:59
It's that whole idea.

00:15:01
Popping the head is where all you know inspiration come from.

00:15:05
Speaker 1: Hmm, yeah, it's like.

00:15:07
It's like when you eliminate, you know, all the other busyness

00:15:13
or all the other noise from your brain, you know you're able

00:15:17
to actually get through some, some breakthroughs and some

00:15:20
great ideas.

00:15:20
You know I've had that you described.

00:15:24
You know, in that twilight area right where you're not quite

00:15:27
asleep but you're almost asleep and having that great idea.

00:15:30
You know I've had in both cases where I've had that and I woke

00:15:35
myself up right and wrote it down real quick and revisited

00:15:39
the next day or two days later, whatever it might be.

00:15:42
And then I've had that where it's like, oh, okay, I'll

00:15:45
remember that when I wake up.

00:15:46
And then I wake up and I don't remember it, no matter how hard

00:15:49
I try.

00:15:49
It's like the most frustrating thing and I'm starting to lean

00:15:55
towards just having a notebook next to my bed when I couldn't

00:15:58
sleep, you know, because you have to.

00:16:00
Yeah, and you know, if I, if I have my cell phone there right,

00:16:04
and I go on my cell phone, in this instance the cell phone

00:16:07
just wakes you up, you know, because it has that, has that

00:16:09
blue light, and so it just wakes you up automatically, a little

00:16:14
bit more than what you would want to be woken up, in my

00:16:17
opinion.

00:16:18
Speaker 2: Yeah.

00:16:18
Speaker 1: And what you're talking about is essentially

00:16:20
mind.

00:16:21
Speaker 2: So having that note behind the bed.

00:16:22
When something clicks to you in a subconscious thought that

00:16:25
hits conscious thought, you write it down.

00:16:26
But of course when you think of something, don't I know why I

00:16:29
can't think about it.

00:16:30
That's part, that's per design.

00:16:32
If you can't bring it back from subconscious subconscious

00:16:35
because you've forgotten about it, it's designed to be in your

00:16:37
brain that you can't bring unless you meditate.

00:16:39
And I don't want this to be hippie-dippy security chat show,

00:16:43
but just that's how you can hack your own brain to get your

00:16:46
ideas in front of people.

00:16:49
Speaker 1: Well, yeah, I mean this, this conversation, you

00:16:52
know, can go anywhere, right, and in my years of getting into

00:16:57
security and spending time in security, right, one of the

00:17:02
things that I have learned is mental health and to take care

00:17:06
of yourself and, you know, exploring different ways of

00:17:10
doing that right.

00:17:10
And I'm even on this podcast, you know I've talked about

00:17:13
mental health previously at length because it's extremely

00:17:17
important and I feel like insecurity almost.

00:17:21
You know people don't think about that, right, they're,

00:17:25
they're like, okay, you know it's nine to five o'clock in

00:17:28
your clock out, you don't have anything to worry about, but

00:17:31
they don't hear about the late nights, right, where you're up

00:17:34
until four am because there's something critical you know

00:17:37
going on at the company and whatnot that you have to resolve

00:17:40
.

00:17:40
And so I I really do enjoy using this platform to talk

00:17:46
about that, because I don't hear anyone else talking about it.

00:17:49
Really, I mean, that's sure there's a few other you know

00:17:52
instances and whatnot, but definitely something to dive

00:17:57
into.

00:17:58
So you were talking about, you know, previously you were

00:18:02
talking about how you kind of stumbled across this opportunity

00:18:06
to do some consulting for a company, do some pen testing,

00:18:11
and out of that grew this idea for SimMonster.

00:18:14
You know what were some of the challenges at the time that you

00:18:20
had with creating, you know, simmonster, or the solution for

00:18:25
SimMonster, because I'm sure, right, let's just say, my

00:18:29
company comes to you to create a Sim that's open source, which

00:18:32
is a.

00:18:32
It's actually a huge deal because Sims are extremely

00:18:36
expensive, they're very cost prohibitive and they take a huge

00:18:39
amount of manpower to run.

00:18:41
You know, just within your organization not not even

00:18:44
including the renewal rates and all that stuff Was there unique

00:18:49
challenges that you faced that maybe there was open source

00:18:52
projects that essentially didn't weren't existing at the time?

00:18:58
Or what year was it when you, you know, went down that path?

00:19:01
Speaker 2: Yeah, so great question.

00:19:02
I mean 2015 was when we started the SimMonster project to give

00:19:07
you a rough year.

00:19:08
And you're right.

00:19:09
I mean Elk by itself.

00:19:10
You know Elasticsearch, kavana, LogSesh, kavana it's

00:19:14
essentially an Elk called Elastic, but that was one that's

00:19:17
a searchable database.

00:19:18
Great, that's not a scene, that's just a searchable

00:19:21
database.

00:19:21
Anybody have all the other modules on top, instant response

00:19:24
.

00:19:24
You know EDR, indiar platforms at the time though Indiar and

00:19:29
you have reporting and ticketing systems and devices and stuff.

00:19:33
So you're going to go through all the open source nonsense out

00:19:35
there.

00:19:35
Is it maintained?

00:19:37
Do you want to maintain it and then bring that into your suite?

00:19:40
So we've always had what we call an open module project.

00:19:43
So if there was something that was that was not being

00:19:46
maintained, it would lose itself in the next build.

00:19:49
We had people like you know I think it was Palo Alto came to

00:19:53
us with a product called MyMail.

00:19:54
That was an open source product .

00:19:55
We had a MISP equivalent that we had in our product suite and

00:19:59
you know that was great for a couple of years and then we

00:20:01
dumped it because there was a better offering on the market.

00:20:03
So having a module that was really good because we hit a

00:20:07
market fit, because customers already had tools out there,

00:20:10
whether it be pen testing tools, they had instant response tools

00:20:12
, they had ticketing systems, whether it be, you know,

00:20:16
helpdesk now or whatever.

00:20:18
Whatever they were using, so we could actually turn our modules

00:20:20
off and let them use their modules and therefore, companies

00:20:23
that didn't have the budget for a scene, we could come in and

00:20:26
fit that slot and a product would scale greater than Alien

00:20:30
Vault and it would scale up to Splunk, but without the price

00:20:33
tag to suit.

00:20:34
So in terms of challenges with any business, yes, paying the

00:20:37
arts like no money, you know.

00:20:38
Paying AWSPs because we, you know we're a cloud stack shitty

00:20:42
tech, shitty open source, everything shit Customers who

00:20:46
don't then want to pay for professional services you know

00:20:49
what it's like running a business some of your listeners

00:20:51
will too.

00:20:51
I heard that conversation you had with Chris Roberts.

00:20:53
Running a business of paying the arts, like you could easily

00:20:57
go and get another, you know, get a job in security and throw

00:20:59
for your new users on the call.

00:21:01
But you can easily get a job earning $100 million a year

00:21:03
without this bullshit and you could just simply clock in at

00:21:06
nine never.

00:21:07
Nine to nine in our industry, but definitely not.

00:21:10
A nine to nine instead of nine to five is probably closer to

00:21:13
the mark.

00:21:13
And then not sleeping at nine times.

00:21:15
But yeah, running a business of paying the arts, you need a

00:21:18
good team.

00:21:18
You're going to have highs and lows.

00:21:21
You're going to have big highs, you're going to lose big highs.

00:21:23
And yeah, look, would I do it again?

00:21:25
Yes, but fuck for those going out there it's a huge risk.

00:21:29
You know, for everything, everything on the line.

00:21:30
You put your house on the line, you've got investors, money on

00:21:32
the line, everything's on the line.

00:21:34
And they talk about the overnight success.

00:21:36
You know, 20 years later, but it's a great journey.

00:21:40
Where else can you do that sort of stuff where you can talk to

00:21:42
investors and do A rounds, b rounds, c, it's, it's.

00:21:45
It's freaking awesome to to learn stuff that you wouldn't

00:21:47
have normally had in.

00:21:48
You know, just getting a paycheck every every week or

00:21:51
every two weeks.

00:21:53
Speaker 1: Yeah, that is.

00:21:55
That is like the.

00:21:57
I guess that's the biggest pro and con to me, in my own opinion

00:22:03
, of you know, trying to do your own thing and navigate those

00:22:08
waters right, because for me, you know, I'm not in a situation

00:22:12
right when where I've overextended myself and, right

00:22:16
like you, put your house up as collateral or anything like that

00:22:19
, right, um, thankfully I haven't done that situation.

00:22:23
But I know someone that has a group of friends where, you know

00:22:27
, these guys have made hundreds of millions of dollars but

00:22:30
they've also lost all of it like two, three, four times.

00:22:34
I don't know if I would even be able to like handle that stress

00:22:39
right Of losing it Once I put in all that work of earning that

00:22:44
, that certain amount of money right, like I don't know if I

00:22:48
could.

00:22:48
Just, I don't know if I could handle that.

00:22:50
You know, like I don't know it's a skill almost to be able

00:22:54
to look at it differently from how other people would.

00:22:58
Speaker 2: So it's essentially you're putting your balls on the

00:23:01
line, and literally your balls, I mean, for me I knew it was a

00:23:04
great idea, like I could.

00:23:05
Actually I was already in the pen testing suite.

00:23:07
I you know there's plenty of money in pen testing and I could

00:23:10
see the market and just whether I could attract the market in

00:23:13
the seams.

00:23:13
But for me it was like all in and I didn't hesitate putting

00:23:17
stuff on credit cards.

00:23:18
I think I'm at, you know, at 140 in credit cards and

00:23:21
maybe a hundred thousand dollars in loans just to get it where I

00:23:25
wanted to be.

00:23:26
Before I even approached investors and stuff like that.

00:23:29
And was it scary?

00:23:30
I wouldn't say scary, but maybe I could probably hit that from

00:23:33
my own mind so I could keep, you know, getting up in the morning

00:23:35
.

00:23:35
But but it was fucking fun.

00:23:40
I knew it was a good idea and I knew I could execute.

00:23:43
It's just a matter of how much capital I could get in before I

00:23:46
could get myself out of the ship , if that makes sense.

00:23:50
I think it took three years before the first out of the ship

00:23:53
.

00:23:53
But then there's bigger numbers .

00:23:55
Then you're not talking about $250 in personal, then

00:23:59
you're talking about $2 million of investor money to go to the

00:24:02
next level.

00:24:04
Then you're in different levels of shit.

00:24:06
Then you're in a legal accounting hell, like Chris

00:24:09
Roberts said, you're in IRS and then ATO Health back in

00:24:12
Australia.

00:24:12
Fuck the pain.

00:24:13
I don't know why.

00:24:14
I just stayed at the bank.

00:24:15
Half million dollars a year.

00:24:17
Sit back on my seat and talk shit on Twitter.

00:24:19
I mean fucking.

00:24:20
So much easier.

00:24:24
Speaker 1: Yeah, it is way easier.

00:24:27
You could almost get a career now just talking shit on Twitter

00:24:31
.

00:24:32
Speaker 2: I'll be one of the influence.

00:24:39
Speaker 1: Yeah, with this podcast, it's like a

00:24:41
double-edged sword with social media.

00:24:43
You have to be out there, you have to be engaging all the time

00:24:47
, but I'm not the type of person to engage all the time If I

00:24:50
don't have quality content to say or input, feedback, whatever

00:24:56
it might be right, if I don't have something that I feel is of

00:24:59
value, I'm not going to post about it.

00:25:02
Right, in this game of podcasting and building an

00:25:06
audience and all that sort of stuff, I admittedly I'm

00:25:11
absolutely horrible at it, because I'll go a week or two of

00:25:15
no posts on Twitter and that's like a huge red flag, that's a

00:25:20
huge no-no.

00:25:21
It's like, oh my God, why are you making that?

00:25:23
You're losing all your momentum .

00:25:25
To me, it's just like man, I have like five other things

00:25:29
going on.

00:25:29
I can't spend 20 minutes I literally cannot spend 20

00:25:33
minutes researching the right hashtags and all this other

00:25:37
stuff just to put together some crafted posts.

00:25:41
Right, that isn't even my own words anymore.

00:25:43
It's frustrating.

00:25:45
I went out on a tangent there.

00:25:48
Speaker 2: No, it's a great tangent.

00:25:50
Queen Eustwood once said in one movie.

00:25:52
He said a man's got to know his own limitations.

00:25:56
If you're not that sort of person, then don't try to be

00:25:59
that person.

00:25:59
I mean, I look at Mel where Jake.

00:26:02
I love Mel where Jake.

00:26:03
He has great content, always great content.

00:26:06
The only thing I can do is just give him shit.

00:26:09
That's my skill set.

00:26:10
I love poking people, say with dark matter or Kintara.

00:26:15
I just give them shit because that's my skill set.

00:26:21
I'm not going to research something that's already public

00:26:23
and then regurgitate it like I know the shit.

00:26:25
Jake can do that.

00:26:26
I've just got no interest in doing that or skill in doing it.

00:26:30
So I just post shit and like you infrequently.

00:26:38
Speaker 1: Yeah, that makes a lot of sense.

00:26:39
So, okay, so we talked about you being a Defcon speaker and

00:26:47
whatnot.

00:26:48
After you researched this death certificate vulnerability,

00:26:53
right After you researched that, did you start going down this

00:26:56
rabbit hole of documentation that the government uses for

00:27:01
different benefits and things like that and how to potentially

00:27:05
exploit the system, or did you stop there or what was that like

00:27:11
?

00:27:11
Because, for me at least, I would start going down that

00:27:14
rabbit hole of seeing like, okay , can I get disability benefits,

00:27:19
can I get this?

00:27:21
It's just it'll snowball and that's probably a bad mentality

00:27:25
in that situation.

00:27:27
But where did you go after that ?

00:27:30
Speaker 2: Yeah, so you noticed that all my talks I always do

00:27:32
any talk and I also do a paper or a book.

00:27:34
So I actually wrote a book to that talk.

00:27:37
So it was published straight after the talk with all my

00:27:39
materials that people could research them and then take that

00:27:42
research further.

00:27:43
After a talk I stopped cold.

00:27:45
I did not go down that rabbit hole and keep going and, like I

00:27:48
said with the bank scenario, like I work in a bank, get born

00:27:51
and then move on.

00:27:52
Same with the talk I'll do a talk, present the talk, provide

00:27:55
my materials so people can go and Chris, that shit, you

00:27:57
domestic step or you miss that.

00:27:59
So people you know, as a scientist.

00:28:01
But as a scientist, people can actually look at my work and go

00:28:04
how did you get from A to B?

00:28:05
And prove it how did you get from A to B?

00:28:07
So the answer to your question is I drop it dead and go to the

00:28:11
next topic or do nothing and then just let the next idea fall

00:28:15
.

00:28:17
Speaker 1: Hmm, and okay, okay.

00:28:20
So then you, you just dropped the entire.

00:28:23
You know government paper method, right?

00:28:27
You just dropped that whole topic and then moved on to the

00:28:30
next one.

00:28:30
Correct, Right, Okay, so you know what was.

00:28:34
What was your next talk about at DEF CON?

00:28:37
I have to admit to you, you know, it's not like I follow

00:28:40
your career or anything like that, you know, but I did see

00:28:44
that first talk.

00:28:45
What was your next talks about?

00:28:47
What areas did you dive into?

00:28:50
Speaker 2: Did you kill Jeff Moss a couple of more times,

00:28:53
different ways, or so the next talk I did, I did with a, with a

00:28:57
mercenary called Simon Mann who did a coup in Africa.

00:29:00
So I did the overthrow of government in DEF CON 24 in 2016

00:29:06
.

00:29:06
So I actually worked with a mercenary on how you would

00:29:08
overthrow government and use Q8 as an example and then hack

00:29:12
their power, their government, their oil, their telco,

00:29:16
everything so you can actually orchestrate your own coup using

00:29:21
digital means.

00:29:21
So that was the sense that's probably most of my popular talk

00:29:25
out there at the moment.

00:29:26
And then I did another talk last year last year, yeah, last

00:29:31
year on how to how to bypass bomb jammers, so using a

00:29:38
specific hardware, how I could actually get frequencies

00:29:41
transmitted under a nine kilohertz and actually generate

00:29:45
an.

00:29:45
ID under jammed environment.

00:29:49
Speaker 1: Wow, okay.

00:29:51
So I mean I feel like we could do a whole other podcast on

00:29:57
cyber mercenaries a lot.

00:29:58
Yeah, you know, when we talk about cyber mercenary, can we

00:30:08
break down what that is right?

00:30:09
Because to me, one I've never heard the term before and two,

00:30:15
when I think about what a mercenary is in the military

00:30:18
sense, I'm thinking you know someone that's a lone wolf

00:30:22
that's going in and impacting, you know, I guess, the power

00:30:26
grid, or impacting social media for a region and directing, you

00:30:32
know, political views and things like that.

00:30:34
Is that what it is, or is there more to it?

00:30:36
Do you ever see like more organized groups of cyber

00:30:41
mercenaries that you know?

00:30:42
It's like, hey, these five people are attacking the power

00:30:45
grid and I don't know name a random country, right, and then

00:30:49
these people are attacking the water supply.

00:30:51
Is that what you've seen?

00:30:53
Let's talk about that a little bit.

00:30:56
Speaker 2: Yeah, so you're partially right.

00:30:58
So think of a mercenary.

00:30:59
You don't think of a mercenary as a single mercenary.

00:31:01
It's always a group of mercenaries and their

00:31:03
ex-soldiers, it's guns for hire.

00:31:05
The cyber mercs is essentially keyboards for hire.

00:31:08
I mean same thing.

00:31:09
They're people like myself, for you or for Chris Roberts, for

00:31:12
example who've got, you know, great technical skills and then

00:31:16
they've been asked to do a job and that job might be for a

00:31:18
private organization and it's illegal.

00:31:20
It might be for a government, which is illegal in some

00:31:23
countries, and then you are essentially keyboard for hire

00:31:27
and you may be doing the job by yourself.

00:31:30
We might be doing a job by yourself.

00:31:32
I'll give you an example.

00:31:33
You know you've had a black water and a HS and all that sort

00:31:35
of stuff.

00:31:36
You know private military contacters.

00:31:37
They're in a big ass company.

00:31:39
There's a cyber division.

00:31:40
It's essentially you have a cyber division that does the

00:31:43
cyber merc class within that company or it's an outside phone

00:31:47
.

00:31:47
So think of it as a big group.

00:31:53
Speaker 1: That's really interesting.

00:31:53
That's almost like organized cyber crimes in the kids or

00:31:58
something like that right.

00:32:00
Speaker 2: That is.

00:32:00
I mean, people can dance around the subject cyber merc, cyber

00:32:03
criminal.

00:32:03
You know, one man freedom fighter is another one's

00:32:06
terrorist.

00:32:07
This is exactly the same.

00:32:07
I mean, you know you look at some man in Africa.

00:32:10
He was asked by the English government to do something over

00:32:13
there.

00:32:14
He did it.

00:32:14
It was private money.

00:32:16
He's a mercenary.

00:32:16
He got caught, he went to jail and then you know it's

00:32:19
essentially it's a criminal activity.

00:32:22
But you know, people put mercenary in part of it and make

00:32:25
it a clean title.

00:32:29
Speaker 1: Is this something that you have seen, like you

00:32:33
know, actually happen in the real world?

00:32:35
Right, Because immediately when we start, you know, talking

00:32:41
about what this actually looks like, of attacking the different

00:32:45
portions of a country, you know , I guess my American brain goes

00:32:49
straight to America, right, and it's like, okay, did our power

00:32:53
grid get attacked recently?

00:32:55
Did our water supply, oil, whatever it might be?

00:32:58
You know, in my head it immediately goes to oh well, you

00:33:01
know, this attack was rushed, or this one was, you know,

00:33:04
attributed to China, or whatever it might be.

00:33:06
Do you see these criminal groups, potentially even

00:33:11
masquerading as these other you know government powers?

00:33:15
And maybe, you know, this is all theoretical, right, I don't

00:33:20
know shit about anything, Like you know, are they potentially

00:33:25
like, masquerading as China?

00:33:27
Maybe they're a faction of cyber mercenaries in China and

00:33:31
they're attacking, let's just say, the US power grid, for an

00:33:34
example?

00:33:35
You know, is that what you've seen or is that how it works?

00:33:38
Potentially?

00:33:39
Yeah, I am a cyber mercenary.

00:33:41
Speaker 2: I'm a cyber merc by trade, so I know exactly what

00:33:44
you're referring to and the answer is yes.

00:33:46
And it's not just, not just country, it might be company

00:33:50
within a country.

00:33:50
So you know, I mean you might be tough with, you know, doing a

00:33:53
job within a company within a country.

00:33:55
It doesn't have to be the power grid, it can be something small

00:33:58
, it can be a country.

00:33:58
I mean you look at your 2016 elections, you know, was there

00:34:02
outside interference?

00:34:03
Yes, someone says yes, someone says no.

00:34:05
Of course, no one's going to say yes, there was, but there's

00:34:08
always going to be.

00:34:09
And that's the whole idea about mercenary.

00:34:10
Did, did?

00:34:11
Did America help Ukraine break away from Russia?

00:34:16
You know in, you know in 2000,.

00:34:18
Speaker 1: The answer is yes, obama admitted that, but it's

00:34:20
never going to be.

00:34:21
No one's ever going to say, yes , that happened though.

00:34:23
Speaker 2: You know, you know America revolved in the 2002 to

00:34:26
two in our like it's.

00:34:28
It's just one of those things where it's not going to be well.

00:34:30
It's going to be tried not to be public because no one wants

00:34:32
that public perception that we did this, or we involved or we

00:34:36
acting to this private company, or we did this or we did that.

00:34:39
So the answer question is, it's all around us.

00:34:41
It's always been all around us.

00:34:42
And you get a tap on the shoulder Can you assist with

00:34:44
this?

00:34:45
Yes, no, if you're a cyber merc .

00:34:46
Anyone existing is cyber merc.

00:34:48
They know exactly how it works.

00:34:49
You get a job across your desk and you decide whether you want

00:34:52
to do it or not, and that's how it works.

00:34:55
Speaker 1: Oh yeah, that's really fascinating that's.

00:34:58
It's almost tempting to go down that, go down that rabbit hole.

00:35:04
You know myself, right, but it's an interesting area that I

00:35:10
mean literally.

00:35:10
I didn't even know that this area kind of even existed before

00:35:16
.

00:35:16
You know you brought it up.

00:35:18
You know, is being in this kind of line of work can it be

00:35:24
frustrating at times to, you know, potentially participate in

00:35:28
a project right Of, I don't know, let's just say, hacking

00:35:32
Microsoft, because Microsoft's been on my brain lately not

00:35:35
saying that you did or anything like that, right, but you know,

00:35:41
let's say that you, you know, go through this project and then

00:35:46
you see it portrayed in a different way in the news.

00:35:49
Does that ever frustrate you or does that ever, you know, get to

00:35:52
you to a certain extent?

00:35:54
And I asked that because, you know, I had Mike Jones on

00:35:57
previously and he said that when he was working for the NSA, you

00:36:02
know he had the insider information and he knew the

00:36:05
actual truth about a hack or about, you know, an operation

00:36:09
that he may have been, you know, had some hands in some way

00:36:13
right, and then he would see it how it was portrayed in the

00:36:16
media.

00:36:17
And it was completely opposite.

00:36:18
It was completely different from the report that he actually

00:36:21
wrote, and that was very frustrating for him.

00:36:23
Do you ever come across that sort of situation as well?

00:36:27
Speaker 2: Yes, but I don't get frustrated by it.

00:36:29
It's one of those things is the media and the average Joe will

00:36:33
interpret it a certain way and then it becomes ego, like if I

00:36:38
do a job and I guess portrayed a certain way that doesn't fit

00:36:42
with the way that I was doing it .

00:36:43
A different position than myself with Mike is that I mean

00:36:46
that was his job and he got paid for his job.

00:36:48
As a mercenary you get paid money, so who gives a shit how

00:36:52
it's portrayed?

00:36:52
I mean if I hack a bank and then find another hacker in that

00:36:56
bank and then format this and then I might take their mark and

00:37:01
throw it on another disk, so when it gets relatively, you

00:37:04
know retrieved, they can see the mark of the other hacker there.

00:37:08
For me that's fucking funny, like I'm not involved.

00:37:11
It's the check at the end.

00:37:12
So obviously if you went to the NSA you actually give a shit

00:37:14
about your country and all that sort of stuff and of course you

00:37:17
have that whole he goes the wrong way.

00:37:20
But you have that confidence, that responsibility.

00:37:23
You have that whole.

00:37:24
I love America mentality if you're gonna work for the NSA

00:37:27
and for me it was just a check I don't give a shit how it gets

00:37:29
portrayed, as long as I get paid .

00:37:33
Speaker 1: Yeah, that makes sense.

00:37:34
Have you ever had that situation where you've hacked

00:37:38
into a company and then you found another hacker?

00:37:40
All?

00:37:40
Speaker 2: the time, all the time.

00:37:43
Speaker 1: You're planting evidence for them to get

00:37:45
discovered and IU and stuff like that All the time.

00:37:48
Speaker 2: That's our common method we use is we're all

00:37:51
hacking and even if they haven't hacked in, we'll throw their

00:37:53
marks from other hacks on the target.

00:37:55
So it's just one of those things like man, what we're

00:37:57
gonna go down for this, let them go down for it, so we'll throw

00:38:00
their mark, their flag, their style, on another server.

00:38:03
Even going back to pen testing, we're hacking to legitimate

00:38:08
porn companies who had hackers in there for five years that

00:38:11
were taking the new I'm gonna use the word fresh models, but

00:38:14
they have a new, young model that they would then take that

00:38:17
data and put on another site and then they would then sell that

00:38:20
porn legitimately after hacking the data, and they had a

00:38:23
constant feed.

00:38:23
So every time there was new models being updated, it would

00:38:26
go to this other site and then they would sell that content,

00:38:29
and they did that for five years .

00:38:30
So no, I was making money off other people's model money.

00:38:34
So we see all, and so when we did the pen test, I said, hey,

00:38:37
you don't realize, you got hackers in there and they didn't

00:38:39
take it to the police.

00:38:40
Obviously, in the porn industry you're not gonna be attracting

00:38:43
police attention.

00:38:43
So they just asked to shut it down, and so it's pretty common.

00:38:48
It's not uncommon for us to hack in and see other people in

00:38:51
there.

00:38:51
Sometimes you're hacking and you just don't.

00:38:53
You don't wanna disrupt each other, so then I point causing

00:38:56
havoc for each other.

00:38:57
You'll just like bypass each other and keep going.

00:39:02
Speaker 1: Wow, that is.

00:39:03
That's really interesting.

00:39:05
That makes me think about the different hacks that have come

00:39:11
out in the past and whatnot, and it makes me wonder if some of

00:39:15
these hacks that like, let's say , america, attributed it like

00:39:21
directly to Russia or something like that or some hacking group

00:39:24
in Russia.

00:39:25
I wonder if it was that situation where it was like,

00:39:30
yeah, you attributed it to Russia because we made you think

00:39:32
it was them, but it was actually someone else or

00:39:36
whatever it might be, which I guess that's a.

00:39:39
I can use Russia as a good example, because this podcast

00:39:42
got blacklisted in Russia ever since they invaded Ukraine, so

00:39:47
it's not like they're gonna hear it.

00:39:49
Speaker 2: And look and don't worry about that sort of stuff

00:39:51
too.

00:39:51
Look, if I did an interview with a journalist, 70% of what I

00:39:54
say will be accurate and 30% will be inaccurate.

00:39:57
Even like a recorded interview, like we're doing now.

00:39:59
They'll fuck it up and they'll do that because they have their

00:40:02
own agenda, like it's got to meet their listening audience.

00:40:05
Now, if you've got a government agenda and whether you want to

00:40:09
attribute this to Russia or China, you may have.

00:40:11
You may get a report from the NSA that we've got a 95% we

00:40:17
believe it's come from this, from this Russian group, and

00:40:21
then others go with it.

00:40:22
You know what I mean?

00:40:22
Because if it meets their agenda, they'll publish that it

00:40:25
came from Russia, but they're not gonna say, oh well, we

00:40:28
didn't get a hundred percent certainly, so we're not gonna

00:40:30
publish.

00:40:30
Is this the right time to bash Russia?

00:40:33
Yeah, let's do it.

00:40:34
Or China, or name your enemy of the day.

00:40:37
It seems like the constant thing with America is you always

00:40:40
got to have an enemy.

00:40:41
It's just kind of quietness.

00:40:45
Speaker 1: Yeah, that is a really interesting, I guess,

00:40:50
mentality right that you bring up Like we always have to have

00:40:56
some sort of adversary, right that we're going up against,

00:41:00
that we're doing things to protect ourselves from, or

00:41:03
whatever it might be, and to a degree that's exhausting, it's

00:41:08
frustrating, at least for me.

00:41:11
It makes me question a whole lot of different things.

00:41:14
Right, it's like well, are we being lied to about this and all

00:41:18
that sort of stuff?

00:41:20
Oh, sorry, I was gonna interrupt you.

00:41:24
Speaker 2: I mean I can't believe that you're still

00:41:26
thinking whether you're being lied to or not.

00:41:27
Like you know the whole weapons of mass destruction thing.

00:41:30
It's like what the fuck we did?

00:41:32
Just skip that a whole lead path.

00:41:34
You know what I mean.

00:41:35
Like it's that whole fucking.

00:41:37
You know what I mean.

00:41:38
Like it's just it's constant being lied to about everything.

00:41:41
And even if something legitimate, let's say I'm not an

00:41:44
anti-COVID, so don't get me, I'm an anti-COVID.

00:41:47
But the government says do this , do that?

00:41:49
We've been lied to so many times.

00:41:50
No, when the fuck are people going?

00:41:51
I'm not fucking interested in your bullshit.

00:41:53
One more fucking time there's always ends in chaos.

00:41:59
Speaker 1: Yeah, no, I 100% agree.

00:42:01
You know, I actually, in college, I actually stopped

00:42:05
watching the news or anything like that, because I found that

00:42:08
the news was just giving me so much anxiety about things that

00:42:12
basically had no impact on my life at all.

00:42:14
There was no point in me listening to anything that they

00:42:17
said.

00:42:18
And then I started going down the rabbit hole of oh they like

00:42:22
legitimately, you know lied about WMD.

00:42:24
Well, if they were gonna lie about that, what else are they

00:42:28
lying about, you know?

00:42:29
And so, like, I tried to sequester that in my brain to

00:42:32
protect me from myself, from going down that rabbit hole,

00:42:35
because you know I'm in the cybersecurity world and I can

00:42:38
only go down so many rabbit holes at once and I don't wanna

00:42:41
waste my time on the government's lies right.

00:42:44
Speaker 2: Yeah.

00:42:45
So what we do is we?

00:42:46
Just when I say we, it's a blanket lie.

00:42:49
So everything's gonna be aligned to approve it otherwise.

00:42:51
And I haven't got time to disprove their nonsense, because

00:42:53
they're creating the narrative.

00:42:55
They're providing the evidence in front of me to say oh, you

00:42:58
know, this is the case.

00:42:58
We're doing a no vote at the moment in Australia about

00:43:01
Aboriginal rights.

00:43:02
Now it could be 100% legitimate and I should be voting no, but

00:43:06
the government are telling me to vote yes.

00:43:07
Now, as soon as the government tell me to vote yes, I'm not

00:43:09
fucking voting yes.

00:43:10
It's as simple as that.

00:43:11
They've fucked us around so many times.

00:43:13
I don't really wanna be one of those people, but it's just

00:43:16
embarrassing.

00:43:16
You know what I mean.

00:43:17
Like you wouldn't put up with this with anybody else.

00:43:18
If somebody, if your company, kept lying to you about when

00:43:21
you're gonna get paid and you're never gonna get paid, I mean

00:43:24
you just straight away.

00:43:25
It's non-trust.

00:43:26
You have no faith.

00:43:29
Speaker 1: Yeah, that would be a very real problem of you know.

00:43:32
Actually, that reminds me my wife, you know.

00:43:35
She's a teacher and earlier on in her career she worked for

00:43:39
like a private school, right, and we didn't know it obviously,

00:43:43
you know beforehand or when she started working there.

00:43:45
But the guy who owned the school you know was like double

00:43:49
dipping across like several different companies and he was

00:43:52
using income from one company to pay for, you know, teachers in

00:43:55
this school and vice versa, right, and it like started to

00:44:00
come to light when her paycheck was late.

00:44:02
It's like, well, wait a minute, paychecks are not normally late

00:44:05
and you're not getting paid in cash, like what the hell, you

00:44:09
know.

00:44:09
And it all came out, you know, and the school you know just

00:44:13
crumbled, like right in front of everyone is insane.

00:44:18
But I really wanna talk about Simon Mann and how you guys got

00:44:23
linked up and you know maybe just a brief intro into his work

00:44:29
in the coup that he created in Africa, because, for one, I know

00:44:33
nothing about it.

00:44:34
And so now, you know, the very first thing that I'm gonna be

00:44:37
doing is looking him up after this podcast and trying to get

00:44:40
him on for sure, because that's a fascinating line of work to be

00:44:46
in.

00:44:47
Speaker 2: He's awesome.

00:44:48
And what happened, though, is I was watching Netflix and I

00:44:52
can't remember what it was, maybe 2014, 15, maybe it wasn't

00:44:54
even Netflix, but anyway, there was a four part episode on

00:44:57
mercenaries, and he was actually on the show and he was talking

00:45:00
about how mercenaries operate Like and he's an ex-SAF.

00:45:04
You know UK soldier, you know beautiful.

00:45:07
You know looked at his resume in terms of you know he was in

00:45:09
Iraq, I know he was in Ireland and all that stuff, so he had a

00:45:13
beautiful resume, and then he just went down this other route,

00:45:16
you know the mercenary route, and he wrote a book called

00:45:20
Cryhavoc.

00:45:20
It's a great book.

00:45:22
There's some things that had to be cut out of that book, but so

00:45:25
I actually contacted him and said, hey, this is what I do, I

00:45:29
know what you do.

00:45:30
Maybe we could work together.

00:45:32
Now, originally, he was supposed to come with me to the

00:45:34
US and present a DEF CON, but he has travel restrictions, so we

00:45:38
had to do we work collaboratively together, and

00:45:41
then I got like a one minute pre-recorded session so I could

00:45:45
show who's on and man was.

00:45:47
And then we worked together for that had an over-strike

00:45:50
government in the 2016 talk.

00:45:53
Speaker 1: Huh, that's really fascinating about the travel

00:45:58
restrictions with America, because he's a British citizen

00:46:04
and he has travel restrictions to America, which I mean that

00:46:09
makes me question a whole lot of other things, right, because

00:46:13
there's some very interesting reasons behind that, I'm sure.

00:46:18
Speaker 2: After all.

00:46:18
I mean, he was in well, he was in Equatorial Guinea.

00:46:21
He was in a prison there, for I think he had a nine year

00:46:25
sentence and he did six or seven years yes, for that failed coup

00:46:30
.

00:46:30
And the story was that he was actually pay he was actually

00:46:35
commissioned to do this work by Margaret Thatcher's son, who we

00:46:40
he actually who loaned him a plane and he had a fleet of

00:46:43
mercenaries who didn't make it off the tarmac in in South

00:46:46
Africa.

00:46:47
So they got caught.

00:46:48
But you know the whole.

00:46:49
It came out after the exercise, but it was one of those they

00:46:54
don't want shit to get out, so you only hear half the story

00:46:56
He'll.

00:46:56
He probably won't tell you the whole story on air, but he'll

00:46:58
tell you after if you get him on the call.

00:47:02
Speaker 1: Yeah, for sure it's.

00:47:04
I guess one of the key rules of a coup is to not fail at the

00:47:08
coup.

00:47:09
Correct, because then you're kind of you're kind of screwed.

00:47:13
Speaker 2: You got your balls on the line and then it's very

00:47:16
yeah, yeah, I couldn't.

00:47:18
Speaker 1: I mean I don't.

00:47:19
I guess I don't know what that mentality is like of going to

00:47:24
prison and actually doing time right, because I mean I've never

00:47:27
done that, I've never gotten more than a speeding ticket, you

00:47:29
know.

00:47:29
And so the whole thought behind going to prison and losing your

00:47:34
freedom and and and your rights , and that perspective is just

00:47:38
it's like almost terrifying to me, and I I bring it up because

00:47:41
I actually have a friend who could be serving time fairly

00:47:46
soon, which it's just like.

00:47:48
I mean it really just messes with your mind, you know, at

00:47:51
least for me it does right, because it's like man, this guy

00:47:54
didn't think he was doing anything wrong.

00:47:56
He was doing something wrong and they're going after him with

00:47:58
the book, right, it's like makes me reassess everything.

00:48:02
Well, what am I doing that could send me to prison?

00:48:05
You know, because I want to, I kind of want to avoid that, you

00:48:08
know.

00:48:10
Speaker 2: Yeah, so so it's.

00:48:11
And you operate out of fear and by keeping you on online.

00:48:16
And that's the normal behavior, that's a human behavior, and

00:48:19
your friend obviously thought he was doing the right thing.

00:48:21
Again, he, you know, we're always, you're always threatened

00:48:24
.

00:48:24
You have to do this.

00:48:25
All this is going to happen.

00:48:26
You're threatened by the RF, threatened by government,

00:48:29
threatened by police, threatened by lawyers.

00:48:31
It's a constant threat.

00:48:32
Now, if you can get the out of your head is like they're just

00:48:34
trying to control me with threats like even our parents,

00:48:37
you know, as kids yeah, fuck it, do this, or you're fucking

00:48:41
gotta go to bed with no TV.

00:48:42
Do this, or there's no dinner.

00:48:43
That constant threat to manipulate behavior.

00:48:46
If you can then circumvent that , you can circumvent your mind

00:48:49
like no fuck off, I'll do what I want, and then, if you can then

00:48:52
just reset that, then you essentially can do whatever you

00:48:54
want to do.

00:48:54
Of course, you've got the repercussions of prison, but

00:49:00
again, your mate is he walking around right now?

00:49:04
Speaker 1: Yeah, he is, for now at least, you know you can jump

00:49:07
on a plush.

00:49:08
Speaker 2: You can go to Canada, go to South America, go to.

00:49:11
You know, ecuador, go to fucking.

00:49:13
I don't know Georgia, you can go anywhere.

00:49:16
You know he's got options, he's not stuck.

00:49:18
I mean, that's that whole fear of government.

00:49:20
Then you can own that like you can do your time, five, eight,

00:49:23
10 years, whatever or you can just fuck off.

00:49:30
Speaker 1: Yeah, that's a very good point.

00:49:33
That's a different mentality that I feel like I have to

00:49:37
digest and actually work through and whatnot.

00:49:40
So, Chris, you know I do apologize.

00:49:43
We just went 50 minutes into our interview.

00:49:45
We barely even talked about seeing monster or anything like

00:49:47
that.

00:49:49
Speaker 2: You don't have to.

00:49:49
You don't have to.

00:49:50
This is not this talks about.

00:49:52
I'm happy to talk about any topic you want.

00:49:53
This is not a business shell.

00:49:54
Everyone knows what I do, but I want to use a product.

00:49:57
They can.

00:49:57
We can just talk socially.

00:49:59
We don't have to talk about business.

00:50:01
Speaker 1: Yeah, of course I mean.

00:50:02
You know I do want to talk about Simmonster, for sure out

00:50:08
of my own curiosities, right, because I have been stuck with

00:50:12
Sims before running Sims.

00:50:14
I don't want to name any names.

00:50:17
But these deployments of you know Sims that you pay millions

00:50:21
of dollars for become extremely complicated very quickly and you

00:50:27
know it leads to one person basically knowing how it's

00:50:30
actually deployed and run in the environment and whatnot.

00:50:35
And whenever, at least from my perspective, right as being a

00:50:39
buyer of a solution, whenever I hear free Sim, my mind

00:50:45
immediately goes to I'm maintaining it myself, I'm

00:50:49
screwed if this open source library, you know, is no longer

00:50:53
maintained and things like that.

00:50:55
And I think that you touched on this a little bit before.

00:51:00
But from what I understand previously, you know you guys

00:51:06
basically go into open source projects or bring them into your

00:51:10
solution that you are willing to maintain yourself and if they

00:51:13
ever go out of you know support , so to speak, you will either,

00:51:19
you know, have the choice of maintaining it yourself for your

00:51:22
own solution or going a different route and going with

00:51:26
some other open source solution, right, is that correct?

00:51:30
Speaker 2: Yes, you know you spot on.

00:51:31
So we have our own coders that will look at code base and go

00:51:34
can this be supported within our product suite and then we will

00:51:37
maintain the code.

00:51:38
We lean heavily on companies like Wazoo.

00:51:41
We have a great XTR solution and they have a fleet of coders

00:51:46
that keep that up to date.

00:51:47
So we'll absorb that into our product because it's well

00:51:50
maintained.

00:51:51
But you're right, anything that gets decapitated or whatever,

00:51:55
we will dump it from our suite so that we always have a stable

00:51:58
product.

00:51:58
If we're not getting any updates or patching, it's gone

00:52:02
and gets replaced by a module that we write or another open

00:52:05
source solution that's out there .

00:52:08
Speaker 1: Hmm, now is the product, I guess, designed in a

00:52:14
way to where you know a broad range of people could actually

00:52:20
come into this thing and run it.

00:52:21
The reason why I ask again and I'm sure you're well aware of it

00:52:24
, you know like for myself, I couldn't just jump in this plunk

00:52:29
and start maintaining that thing.

00:52:31
You know that is a headache in and of itself.

00:52:35
It takes a lot of different training to actually do it, in

00:52:38
my opinion.

00:52:38
You know, do you guys create it in a way and use these

00:52:44
different open source libraries in a way to where you know,

00:52:48
really anyone could dive into this thing and learn it and use

00:52:51
it efficiently?

00:52:52
Speaker 2: Yes, so it's a great question you asked.

00:52:53
So essentially, what we've done is you got to remember that the

00:52:58
customers that we've attracted are customers who don't have a

00:53:00
large budget.

00:53:01
The customers who don't have a large budget don't have a large

00:53:03
SOC team.

00:53:03
They may be, you know, one, two , three operators.

00:53:06
Of course we've attracted some large MISP's that are happy to

00:53:09
white label our solution and then they have the staff support

00:53:11
it.

00:53:12
But we've always had the customer base that we needed

00:53:15
self healing.

00:53:16
So there was ever an issue that the product would self heal

00:53:19
with.

00:53:19
That module would self heal and we've had to make the product

00:53:22
intuitive so that from out of the box and we've learned that

00:53:26
over time, 2015 product 16, 17, 18 was not intuitive, but over

00:53:30
that journey we've turned our product into what we call an

00:53:33
intuitive product.

00:53:34
There's someone like you could jump in front of it.

00:53:35
You could play with a, three or four modules, get the hang of

00:53:38
it and move on to four, five and six and then you know the suite

00:53:41
and if you get into trouble, it will self heal.

00:53:43
So much of the size of our product.

00:53:45
Now we roll the product out on AWS marketplace with our support

00:53:49
.

00:53:49
So the product gets rolled out into your AWS environment when

00:53:53
we can buy support.

00:53:55
But you don't need support.

00:53:56
We don't push support on you.

00:53:57
So you can run our suite, upgrade your own product, and

00:54:00
you don't need a support contract or anything.

00:54:02
So you can have it up and running within, you know, a

00:54:04
couple of minutes, use it and then, if you like it, just keep

00:54:07
using it.

00:54:07
If you want support, you can get it.

00:54:08
If not, there's enough documentation and self healing

00:54:11
in nature that you can use the product, I mean, uninhabited by

00:54:15
salespeople annoying the shit out of you.

00:54:16
Because we're all from the same industry Venus suck, so we're

00:54:20
trying to make an, we're trying to be a non suck vendor.

00:54:25
Speaker 1: Yeah, that is that's always refreshing me here, you

00:54:30
know, just just dealing with vendors right now myself, it's,

00:54:34
it's frustrating, you know, and yeah, it's frustrating, to say

00:54:39
the least.

00:54:40
Everyone in this industry has experienced it, so that's really

00:54:44
interesting.

00:54:44
With the, you know, no support model necessary, right?

00:54:48
Nope, is there a method?

00:54:52
So, like I always have a knack for running into the most random

00:54:55
issues, you know that that basically everyone that I talk

00:55:00
to has no clue of what's going on.

00:55:02
Is there like a forum that I could go to and, you know, post

00:55:06
a question and someone from the team would answer it or whatnot?

00:55:09
Or do I have to like negotiate like a one time fee for a

00:55:13
support?

00:55:14
You know situation.

00:55:16
Speaker 2: We've got multiple options.

00:55:16
We've got a support portal where you can just lodge a

00:55:19
ticket and then you can just pay per request.

00:55:20
But to answer your first question, I made my engineers

00:55:24
take off six months of their job to document everything that

00:55:27
they knew, everything that they've experienced, and put it

00:55:29
on the support portal so that we did not require so you're you

00:55:34
know one in a million or one in that you've come across issue.

00:55:37
It's already been discovered by our customers before and we've

00:55:40
made sure that it's everything that you've ever experienced has

00:55:42
been documented.

00:55:43
And I'm not talking just.

00:55:44
You know 80% of document, 100%, that I could actually find my

00:55:48
whole support team and you can rely on this documentation.

00:55:50
Of course I wouldn't.

00:55:51
We've got new products and blah , blah, blah.

00:55:53
But my point is I made it clear that I didn't want them doing

00:55:56
any other work but documentation , because I'm a critical

00:55:59
believer in you've got a document and everything.

00:56:00
But to answer your question, yes, you've got the full docs on

00:56:03
site.

00:56:04
If you want a support contract, you can get a support contract.

00:56:07
Or if you've just got an alley, you just want to ask a question

00:56:10
for an hour, knock yourself out .

00:56:11
You've got access to our SMEs to answer your questions.

00:56:16
Speaker 1: Wow, that is really refreshing.

00:56:18
It's not very often.

00:56:20
I don't think I've ever encountered another security

00:56:24
company that will actually enforce the documentation

00:56:28
requirement, like that of like, hey, you're doing nothing else

00:56:31
for the next six months, dump all that you know into whatever

00:56:38
solution you had for it.

00:56:40
I remember earlier on in my career I was where I was leaving

00:56:46
a position and I was the security you know SME for this

00:56:50
company.

00:56:51
I was literally the only person at the company that did

00:56:53
anything with security.

00:56:54
And you know, of course we would have random customers that

00:56:58
have SE Linux issues after upgrades and things like that,

00:57:03
and so I created my own you know troubleshooting guide for

00:57:06
everything that I did.

00:57:08
You know you could search, you know in the field and everything

00:57:11
else like that, to look up the different you know information

00:57:15
and the exact command that you would have to run to get it

00:57:18
working.

00:57:19
And after I had left, you know it was common knowledge that you

00:57:24
basically had to distribute it.

00:57:26
But it wasn't a company policy, even it was like, oh, it was a

00:57:30
you know camaraderie type thing within the team is like hey, can

00:57:33
you please like give me your troubleshooting guide because,

00:57:36
like now, I'm going to take over all your customers and you know

00:57:39
I need to know what you've been doing.

00:57:41
It was more of that rather than someone else like actually

00:57:45
forcing you to do it.

00:57:46
So there was people that never maintained a document like that,

00:57:50
never kept any notes on any of our customers, and when they

00:57:55
left the company, you know, it was like starting over.

00:57:57
There were some situations where we actually had to like

00:58:00
redeploy the solution because it was so custom in ways that

00:58:04
didn't need to be custom that you know we just had to start

00:58:08
over.

00:58:08
We couldn't maintain it any longer, and it's just.

00:58:12
You know, I say all that because it's not a common thing,

00:58:16
especially with that you know security or IT overall.

00:58:20
Speaker 2: You're right, and, because you're asking, I founded

00:58:23
the company now the CISO.

00:58:25
So I and I'm a security architect pen tester by trade.

00:58:27
So I know the efficiencies in our own industry and

00:58:30
documentation is always one of them.

00:58:32
So I'm so anal that I'll monitor every ticket that comes

00:58:35
in and wondering why there's a fucking ticket that's come in

00:58:39
because the ticket shouldn't come in, because it should be

00:58:40
documented.

00:58:41
So you know, I'm then on my team and I'm, you know, most of

00:58:44
the time it's there's an article there that they didn't know was

00:58:47
there.

00:58:47
Why didn't they find that?

00:58:48
And then if there's an issue that's come in that we've never

00:58:51
seen before, it's got to be up on that fucking portal.

00:58:54
So that's how I operate, because I'm running a software shop,

00:58:58
not a support shop, if that makes sense.

00:58:59
I want that software as good as possible.

00:59:02
I don't need a team of 100 support staff.

00:59:04
I don't want 100 support staff.

00:59:06
I want a great product, a support if you need it.

00:59:09
But fuck, documentation is the key because you, if you're

00:59:13
working on something, do you really want to contact me and

00:59:16
fucking 10 o'clock at night that there's an issue and go through

00:59:18
that whole bullshit?

00:59:19
Or do you want to fucking see an article that you have.

00:59:21
The fuck do I do this and then you get an answer pop up.

00:59:24
That's what you want.

00:59:25
Speaker 1: Yeah, yeah.

00:59:26
I'd much rather just have the answer and not bother someone in

00:59:29
the middle of the night.

00:59:30
You know well, chris.

00:59:32
You know it's been a fantastic conversation.

00:59:35
I absolutely want to have you back on sometime in the future

00:59:39
and dive more into, you know, cyber mercenary stuff and you

00:59:44
know talk about your, your bomb jammer or whatnot.

00:59:46
But you know I'm a stickler for time myself.

00:59:49
I try to respect everyone's time and even now.

00:59:51
You know we're over a couple of minutes, right, but before I

00:59:54
let you go, how about you tell my audience?

00:59:56
You know where they could find you if they wanted to.

00:59:58
You know reach out to you and you know what your company's

01:00:02
website is if they want to learn more about Seamonster.

01:00:05
Speaker 2: Thanks for that, joe, and I've loved being, on a

01:00:06
matter of fact, talking to someone like myself in the

01:00:08
industry, right in the guts of it, and you know exactly what

01:00:10
I'm talking about, and it's lovely just to hear those ideas.

01:00:13
Look my website, really easy chrisrockhackercom.

01:00:17
All my talks, all my books, all my articles, all my upcoming

01:00:21
talks are on that site.

01:00:22
Chrisrockhackercom and Seamonster it's just

01:00:24
siamonstercom, if you're looking at the same products.

01:00:29
Speaker 1: Awesome.

01:00:29
Well, thanks everyone.

01:00:30
I hope you enjoyed this episode .