Ever pondered what it takes to transform a childhood fascination with computers into a fruitful career in IT and security? Our guest, Chris, provides a captivating narration of his journey, showcasing how he climbed up the ladder from help desk jobs to security roles in banks. He paints an intriguing picture of his experiences with pen testers and how he got his adrenaline rush from manipulating banner information and port numbers.
Have you been seeking ways to unlock your subconscious mind and generate game-changing ideas? Chris and I venture into the realm of subconscious inspiration, discussing how hypnosis, deprivation, and meditation can be powerful tools. We also dig into the rollercoaster of running a business, laying bare the challenges, risks, and the exhilarating journey from startup to success.
As we navigate the intriguing world of cyber mercenaries, we weigh in on the potential for mercenaries to disguise as other government powers and the repercussions of hacking major corporations. We dissect the mindset of a cyber mercenary and discuss the complexities of attributing hacks to other countries. Wrapping up our discussion, we enter into the realm of government lies, conspiracy theories, and share the riveting story of Simon Mann, an ex-SAF soldier turned mercenary. Join us for this enlightening exploration.
LinkedIn: https://www.linkedin.com/in/chris-rock-siemonster/
Company: https://siemonster.com/
Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: Well, chris, you know it's a real pleasure having you
00:00:02
on.
00:00:02
You know, before we dive into the conversation, I got to tell
00:00:06
you right, the first DEF CON I was ever at was the DEF CON that
00:00:12
you spoke at, where you were talking about how to you know,
00:00:16
essentially fraudulently, fraudulently, you know submit
00:00:21
and get someone's death certificate, and that, like I
00:00:25
mean that, that just like opened my mind to this whole world of
00:00:28
like wait a minute, you know the government is still run largely
00:00:32
on paper, right, so how easy is it to do fraudulent things with
00:00:38
, you know, applications, and it just like made me go down a
00:00:42
whole rabbit hole.
00:00:43
So like that was a really fascinating talk that that I
00:00:46
heard you for for my first ever DEF CON.
00:00:50
Speaker 2: I'm glad you got to say it live.
00:00:52
Speaker 1: Yeah, yeah, it was fantastic.
00:00:54
I mean you know from what I remember right, because I was,
00:00:56
you know might have been a few drinks in that day, as one is at
00:01:02
DEF CON and given it was like eight years ago you know at this
00:01:06
point, but you know it was it was fantastic and you know the
00:01:11
humor that you, that you wrap into it is just hilarious with
00:01:16
having Jeff Moss on the death certificate While we're at DEF
00:01:21
CON.
00:01:22
Speaker 2: Yeah, I was like well , I'm at DEF CON and then
00:01:24
everything's up for grabs.
00:01:25
You know it's supposed to be disavowed, so let's put our
00:01:27
money where our mouth is and I'll put the host up to be
00:01:30
killed.
00:01:32
Speaker 1: Yeah, it's fantastic.
00:01:33
Well, chris, you know I start everyone off with telling you
00:01:37
know their story, right, how did you get into security?
00:01:40
How did you, how did you stumble upon it?
00:01:43
You know what piqued your interest, that sorts of things.
00:01:47
Right, Because you know I have an audience that is younger in
00:01:52
their career, that is looking to get into security, or maybe
00:01:56
they just made that jump right and hearing everyone's story
00:02:01
will really add, you know, to their own mentality of thinking
00:02:06
okay, this is possible, this is something that I can potentially
00:02:09
do, you know, and just helps them along the way.
00:02:12
Speaker 2: Yeah.
00:02:13
So for your new listeners, I just let let's let them know
00:02:16
there's no right, this is not one of those I'm gonna get in
00:02:19
testing in the first three years and I'm gonna do forensics or
00:02:22
all of that.
00:02:23
So I've been doing this stuff for 30 something years.
00:02:26
I started essentially as a child.
00:02:28
I was born at the right time, 1973, like probably, you know,
00:02:32
eight years before computers became, I would say, mainstream.
00:02:34
But so I found something before that.
00:02:38
It was, you know I'm obsessed about things like train sets and
00:02:42
you know nerd stuff like that.
00:02:43
And when computers came along, we're shocked when I sold my
00:02:47
train set to get my first computer.
00:02:49
So I was essentially, you put, an obsessive kid whether you
00:02:54
call it autistic or asparagus or anything that's neurodivergent
00:02:57
put somebody in front of a computer and they're at home.
00:02:59
They love spending time in front of the computer.
00:03:01
So I essentially spent my life in front of a computer.
00:03:05
You know we're talking, you know, before the modem days and
00:03:08
the modem days and then the internet.
00:03:10
So in terms of career, I went to university to do comp science,
00:03:14
because that's what you did when it turned 18.
00:03:16
And I found out because it was boring, I hated coding.
00:03:20
And then the following year I thought I'll do it, I'll try
00:03:23
again.
00:03:23
So I went to university college again, like that.
00:03:27
Again I thought, oh shit, I really should buckle down.
00:03:29
But I don't like university.
00:03:31
I thought it was boring.
00:03:32
The stuff that I've been doing pre uni, I'm new all this sort
00:03:35
of stuff about you know CPU, cpu architecture and stuff like
00:03:39
that.
00:03:39
I just hated coding.
00:03:40
I just thought it was boring.
00:03:41
And then I tried again the third time and fail again In
00:03:45
first semester and so, man, this is not for me.
00:03:47
And then I went straight to the workforce.
00:03:49
I got a job at a university just doing it.
00:03:51
I did help desk, help desk for a year and a half.
00:03:53
That was a shit job.
00:03:54
But then I started to learn the systems at the university,
00:03:57
things like those days we're talking about Unix and Vax and
00:04:01
you know sun systems and you know PC and FS and cat five and
00:04:05
coaxon ones and stuff.
00:04:06
And then after that I then got a job at a bank and, just to
00:04:11
make sure your list is like a two board, I spent 10 years
00:04:14
doing IT and then IT security in four different banks.
00:04:18
So then you get to learn how systems really plug and how
00:04:22
things are important.
00:04:23
You know check clearing times and and in England, really good
00:04:27
practices.
00:04:27
Working in a bank.
00:04:28
My dad always said make sure you get a job at a bank because
00:04:32
they sell money.
00:04:32
Don't work at someone that sells like the cells and sorry
00:04:35
for anyone working targets, selling underwear and stuff like
00:04:38
that, because you always have money at a bank.
00:04:40
And then after that I saw some pen testers coming into the bank
00:04:45
.
00:04:45
So this is what I was in my late 20s, coming to the back and
00:04:48
doing a pen test and I noticed that they're relying on tools
00:04:52
such as back then or things like Nessus and stuff like that, and
00:04:55
your listeners will know when you're doing a pen test it
00:04:57
relies on banner information that comes back from a host your
00:05:00
windows hosts then try these exploits, or your Sunhives.
00:05:04
So I used to screw with them and then changed all the host
00:05:06
banner information and all the port numbers so they couldn't
00:05:09
find the ports using standard tools and be able to change the
00:05:12
banner.
00:05:12
So instead of a you know if they're hitting a Sun system I
00:05:15
changed the banner you know the enumeration to a Windows server
00:05:18
and watch them then file and then watching them file and then
00:05:22
having to resort to manual tools, which they didn't have
00:05:24
any skills doing it.
00:05:25
So back then these were the big auditing firms, you know the EYK
00:05:28
, pmg, stuff like that, doing pen tests as a side key for
00:05:34
their key function, which is auditing.
00:05:36
And then I then said, shit, there's a, there's a market here
00:05:38
for pen testing.
00:05:39
So I then went and set up my own company and then started
00:05:42
doing pen testing and then picked up some big clients
00:05:45
really quick because I mean I've been doing this, you know, at
00:05:48
that stage for your 10 plus years and I found it really easy
00:05:51
.
00:05:51
So, you know, pick up clients like American Express and stuff
00:05:54
like that went around the world and spent a long time in the
00:05:56
Middle East.
00:05:57
And then, the latter part of my career, just to speed up 10
00:06:00
years, I had a client of mine who I did a pen test for and
00:06:04
we'd been, we'd been in the environment for maybe a month or
00:06:07
so, and they had no idea where in the environment.
00:06:09
They said, look, what tools are out there to detect hackers once
00:06:13
they're inside?
00:06:13
I said, well, you know, you need things like idiar and same
00:06:15
and all that stuff.
00:06:16
So I've got them in touch with Splunk.
00:06:18
They got a quote for Splunk which was like million bucks
00:06:20
plus and they said, well, we can't afford that.
00:06:22
So what else is there out there ?
00:06:24
And we said, well, you could go the open source route.
00:06:27
And you know, at that time there was elk elastic search.
00:06:30
They said, well, we don't really have the skills that.
00:06:32
Can you build this, an elk platform?
00:06:34
We said, look, look, we don't do it.
00:06:36
We're pen testers.
00:06:36
We don't really do that, but if you sponsor us the word sponsor
00:06:39
as in pay we'll have a look at, you know, putting our elk
00:06:42
solution in for you.
00:06:43
And that was essentially day one of Seam Monster.
00:06:46
And you know, since 2015, I've been working on a company called
00:06:49
Seam Monster, co-teller and CISO, where we build Seam
00:06:52
solutions for companies using open source tech so they can
00:06:55
detect breaches within an end network, using what the
00:06:58
experiment we've had and testing some of that.
00:07:02
Speaker 1: Wow, that is that.
00:07:05
That's really fascinating and there's a lot to unpack there.
00:07:09
So you know, I've spent quite a few years in the financial
00:07:15
industry myself and it seems like it's always just so much
00:07:21
easier to go from one financial company to another, whether it
00:07:25
be a bank or you know even the Federal Reserve, right or other.
00:07:30
You know credit companies, mortgage companies if it deals
00:07:34
with you know money.
00:07:36
In that way, it's very easy to just get that jump.
00:07:39
Is that something that you experienced then as well?
00:07:43
Or is this kind of something that was brand new, where if
00:07:47
more of if you just had the technical skill set, you know,
00:07:50
they would take you?
00:07:52
Speaker 2: So for me, once in the banks, once you work in a
00:07:54
bank, it's easy to move to a bank in terms of employment
00:07:57
history.
00:07:57
You know he worked at the Australia's biggest banks, so
00:08:00
working for Australia's second biggest bank, that's really easy
00:08:02
.
00:08:02
But I found that internally it was pretty much the same stuff.
00:08:05
You know that they might be using different systems,
00:08:07
different architecture, but again they have a you know a lot
00:08:10
of risks and your job is to minimize those risks and you
00:08:14
know so.
00:08:14
You essentially come in as a white knight and, to be honest,
00:08:17
when I go into a company, I like if they've got, say, 70, you
00:08:20
know issues that need to be rectified and I can get that
00:08:23
down to a low number of two or five.
00:08:25
My job is done.
00:08:26
I don't think, hang around, I don't like doing you know, I'm
00:08:29
not gonna say with blue tea I don't like just hanging around
00:08:32
doing status bar.
00:08:33
I prefer to do something new.
00:08:34
At that stage I get bored.
00:08:36
Speaker 1: Hmm, yeah, like a lot of us in this field, like we
00:08:40
get, we easily get bored and, you know, have to find other
00:08:44
things.
00:08:45
Like when Chris gets Chris Roberts gets bored on an
00:08:48
airplane, he starts doing weird things that get some in trouble.
00:08:53
Right, but you know, I how did you get to the point where you
00:08:58
decided that you wanted to become a DEF CON speaker?
00:09:01
Right, because that's not, at least for me, right, like I
00:09:06
don't want to call it a goal, right, but it would be really
00:09:10
cool if it happened.
00:09:11
But I'm also totally fine if it doesn't happen, right, because
00:09:14
I don't really like speaking a whole lot in front of a whole
00:09:18
bunch of people and I also don't think that I have anything or
00:09:22
know anything of enough value to actually, you know, speak about
00:09:27
, right, at a conference.
00:09:28
Like, that's just me, that's my own personal issues that I have
00:09:32
to work through, I guess with the therapist or something,
00:09:35
right.
00:09:35
But you know how did you, I guess one did you come up with
00:09:39
the idea of I want to be a speaker at DEF CON first and
00:09:43
then find something to talk about?
00:09:44
Or did you stumble upon your death certificate, vulnerability
00:09:48
, so to speak?
00:09:49
And then you're like, oh, I should tell people about this at
00:09:52
DEF CON.
00:09:53
Speaker 2: Yeah, so great questions, by the way, so it's
00:09:56
actually the first one.
00:09:57
So I went to DEF CON 22 and thought I actually might have
00:10:01
been 21,.
00:10:02
But this is awesome, def CON, this is finally found my people
00:10:06
and then I, at that stage the thought of talking at that stage
00:10:11
so I can do a talk, didn't have anything to talk about.
00:10:13
So I thought, yeah, I could do a talk.
00:10:16
And then it just went away out of my mind and that's completely
00:10:18
fine.
00:10:19
And coming back to what you said, is the talk then came to
00:10:22
me.
00:10:23
You're, you're like me that you'll probably study a topic to
00:10:26
death and you'll know it in several hours.
00:10:29
I don't like public speaking either, like I.
00:10:30
You know I may be good as a public speaker or averages of
00:10:34
public speaking, but I see I don't like it.
00:10:37
I prefer to do not public speaking.
00:10:38
It don't make sense.
00:10:40
So for me, I just let and I sound as really weird, but I let
00:10:42
my subconscious do the talking for me.
00:10:44
So the ideas come to me.
00:10:47
You know when you have that idea of moment and that's just
00:10:50
subconscious saying, you know that's an idea.
00:10:52
So I stop reading.
00:10:54
If that makes sense, I let myself just relax, get all the
00:10:58
shit out of my brain, get Twitter out of my brain, get
00:11:00
infos, get everything out of my brain and just relax, whether
00:11:03
that the meditation, walking, you know, in the bush or through
00:11:07
a forest or whatever like that, or just shut the hell up for
00:11:09
five minutes and then, and then things will come to you.
00:11:12
You know that your inner, inner voice will come out, great idea
00:11:16
.
00:11:16
And then then you then get your conscious mind around that
00:11:19
topic.
00:11:20
So for me it was just.
00:11:21
I think I was watching some TV and I noticed a news article
00:11:24
that you know, someone had accidentally a Melbourne
00:11:26
hospital had accidentally killed 200 people.
00:11:28
Oh, that's pretty weird.
00:11:30
How the hell did that happen?
00:11:31
Then, you know, you start to, as I said, you let yourself
00:11:35
conscious to the thinking for you and think you know, how does
00:11:38
that possibly happen in this day and age?
00:11:40
And then, and then you apply your conscious thought.
00:11:42
So then you start researching the hell about it, which is what
00:11:44
our skill set is.
00:11:45
We research the hell out of the topic.
00:11:46
I spoke to doctors, funeral directors, you know, probate
00:11:50
people the whole world to study the hell out of it.
00:11:53
And then that became the talk topic and then obviously it's a
00:11:55
bit of a death con and got accepted.
00:11:57
But that's, that's the path.
00:11:58
I just I try to relax, Don't think.
00:12:00
If you try to think I need to do a death con, I need to do a
00:12:03
death con talk, it doesn't well, it may work for some people
00:12:05
because they're only doing research in that, but for me it
00:12:08
doesn't work that way.
00:12:09
And the same thing happened in my second talk, I think my wife
00:12:12
said to me oh, you need to do another death con talk after the
00:12:14
, after the first one.
00:12:15
And I said to her it doesn't work like that.
00:12:17
You can't just come up with a death con talk.
00:12:19
So I was falling asleep you know that love of sleep, just
00:12:21
before you fall asleep, and then I had a great idea and it just
00:12:24
popped into my head this, you know, when you said that
00:12:27
subconscious quiet moment, and I thought that's the topic.
00:12:29
So then went to bed, got up and then conscious thought comes in
00:12:32
your recess.
00:12:33
The hell out of it for a few years.
00:12:40
Speaker 1: That's what you kind of dive into a couple different
00:12:44
areas there, right?
00:12:45
Because what you're describing, to me at least, sounds like
00:12:51
kind of like a mental health practice, almost right, of
00:12:54
shutting off your mind, shutting off distractions and kind of
00:12:59
just letting your mind, I guess, kind of reset.
00:13:03
That's how I view it, that's how I feel that it works for me,
00:13:07
right?
00:13:08
Do you ever, of curiosity, do you ever do like float sessions
00:13:13
or anything like that with sensory deprivation tanks?
00:13:16
I've done that before and it really helps me like reset my
00:13:20
brain, if that makes any sort of sense, which, like, I actually
00:13:26
have to go do it here pretty soon because it just helps you
00:13:31
out so much.
00:13:31
Right, is that something that you've tried?
00:13:35
Speaker 2: I haven't done that deprivation one.
00:13:37
I'm definitely interested in doing that, but for me it's just
00:13:40
that meditation, and I'm talking about the whole under a
00:13:44
tree stuff, but that whole, you know, they take focus on your
00:13:47
breathing, focus on your breathing, but as soon as you're
00:13:49
thinking, focus on your breathing, that's your conscious
00:13:51
thought.
00:13:51
I need to get to that subconscious where you're not
00:13:55
actually, you're not thinking of anything, and that's when stuff
00:13:58
comes to you and to me.
00:13:59
The best ideas have always come from that subconscious.
00:14:02
And just to give you an idea, our conscious.
00:14:04
You know, when you're observing something, you and I are talking
00:14:06
now and we're actually observing information.
00:14:08
You know our conscious thought absorbs.
00:14:11
I'll just give you a number, but let's say you know 1000 bits
00:14:14
per second, but our subconscious thought brings in,
00:14:16
you know, 500 bits per second.
00:14:18
So our subconscious stuff that we're observing outside, that we
00:14:21
consciously don't think about, which we can't, we can't
00:14:24
actually bring up because it's subconscious, we don't know
00:14:27
about it, we can't actually bring up to the front of mind.
00:14:30
That sort of stuff just stays hidden until you tap into it and
00:14:33
then you can draw a prominent information.
00:14:36
And that's why hypnosis is good.
00:14:37
Deprivation, meditation, all that stuff brings all the
00:14:41
awesome stuff to life and that's why you know you've got
00:14:44
songwriters or a writer, a book writer, who have mental blocks,
00:14:48
who just carry around a note pad , and if they're driving a car
00:14:51
doing something boring, and that's when the ideas come to
00:14:54
them in their head, not one they're trying to.
00:14:56
You know research, twitter or read, you know the articles.
00:14:59
It's that whole idea.
00:15:01
Popping the head is where all you know inspiration come from.
00:15:05
Speaker 1: Hmm, yeah, it's like.
00:15:07
It's like when you eliminate, you know, all the other busyness
00:15:13
or all the other noise from your brain, you know you're able
00:15:17
to actually get through some, some breakthroughs and some
00:15:20
great ideas.
00:15:20
You know I've had that you described.
00:15:24
You know, in that twilight area right where you're not quite
00:15:27
asleep but you're almost asleep and having that great idea.
00:15:30
You know I've had in both cases where I've had that and I woke
00:15:35
myself up right and wrote it down real quick and revisited
00:15:39
the next day or two days later, whatever it might be.
00:15:42
And then I've had that where it's like, oh, okay, I'll
00:15:45
remember that when I wake up.
00:15:46
And then I wake up and I don't remember it, no matter how hard
00:15:49
I try.
00:15:49
It's like the most frustrating thing and I'm starting to lean
00:15:55
towards just having a notebook next to my bed when I couldn't
00:15:58
sleep, you know, because you have to.
00:16:00
Yeah, and you know, if I, if I have my cell phone there right,
00:16:04
and I go on my cell phone, in this instance the cell phone
00:16:07
just wakes you up, you know, because it has that, has that
00:16:09
blue light, and so it just wakes you up automatically, a little
00:16:14
bit more than what you would want to be woken up, in my
00:16:17
opinion.
00:16:18
Speaker 2: Yeah.
00:16:18
Speaker 1: And what you're talking about is essentially
00:16:20
mind.
00:16:21
Speaker 2: So having that note behind the bed.
00:16:22
When something clicks to you in a subconscious thought that
00:16:25
hits conscious thought, you write it down.
00:16:26
But of course when you think of something, don't I know why I
00:16:29
can't think about it.
00:16:30
That's part, that's per design.
00:16:32
If you can't bring it back from subconscious subconscious
00:16:35
because you've forgotten about it, it's designed to be in your
00:16:37
brain that you can't bring unless you meditate.
00:16:39
And I don't want this to be hippie-dippy security chat show,
00:16:43
but just that's how you can hack your own brain to get your
00:16:46
ideas in front of people.
00:16:49
Speaker 1: Well, yeah, I mean this, this conversation, you
00:16:52
know, can go anywhere, right, and in my years of getting into
00:16:57
security and spending time in security, right, one of the
00:17:02
things that I have learned is mental health and to take care
00:17:06
of yourself and, you know, exploring different ways of
00:17:10
doing that right.
00:17:10
And I'm even on this podcast, you know I've talked about
00:17:13
mental health previously at length because it's extremely
00:17:17
important and I feel like insecurity almost.
00:17:21
You know people don't think about that, right, they're,
00:17:25
they're like, okay, you know it's nine to five o'clock in
00:17:28
your clock out, you don't have anything to worry about, but
00:17:31
they don't hear about the late nights, right, where you're up
00:17:34
until four am because there's something critical you know
00:17:37
going on at the company and whatnot that you have to resolve
00:17:40
.
00:17:40
And so I I really do enjoy using this platform to talk
00:17:46
about that, because I don't hear anyone else talking about it.
00:17:49
Really, I mean, that's sure there's a few other you know
00:17:52
instances and whatnot, but definitely something to dive
00:17:57
into.
00:17:58
So you were talking about, you know, previously you were
00:18:02
talking about how you kind of stumbled across this opportunity
00:18:06
to do some consulting for a company, do some pen testing,
00:18:11
and out of that grew this idea for SimMonster.
00:18:14
You know what were some of the challenges at the time that you
00:18:20
had with creating, you know, simmonster, or the solution for
00:18:25
SimMonster, because I'm sure, right, let's just say, my
00:18:29
company comes to you to create a Sim that's open source, which
00:18:32
is a.
00:18:32
It's actually a huge deal because Sims are extremely
00:18:36
expensive, they're very cost prohibitive and they take a huge
00:18:39
amount of manpower to run.
00:18:41
You know, just within your organization not not even
00:18:44
including the renewal rates and all that stuff Was there unique
00:18:49
challenges that you faced that maybe there was open source
00:18:52
projects that essentially didn't weren't existing at the time?
00:18:58
Or what year was it when you, you know, went down that path?
00:19:01
Speaker 2: Yeah, so great question.
00:19:02
I mean 2015 was when we started the SimMonster project to give
00:19:07
you a rough year.
00:19:08
And you're right.
00:19:09
I mean Elk by itself.
00:19:10
You know Elasticsearch, kavana, LogSesh, kavana it's
00:19:14
essentially an Elk called Elastic, but that was one that's
00:19:17
a searchable database.
00:19:18
Great, that's not a scene, that's just a searchable
00:19:21
database.
00:19:21
Anybody have all the other modules on top, instant response
00:19:24
.
00:19:24
You know EDR, indiar platforms at the time though Indiar and
00:19:29
you have reporting and ticketing systems and devices and stuff.
00:19:33
So you're going to go through all the open source nonsense out
00:19:35
there.
00:19:35
Is it maintained?
00:19:37
Do you want to maintain it and then bring that into your suite?
00:19:40
So we've always had what we call an open module project.
00:19:43
So if there was something that was that was not being
00:19:46
maintained, it would lose itself in the next build.
00:19:49
We had people like you know I think it was Palo Alto came to
00:19:53
us with a product called MyMail.
00:19:54
That was an open source product .
00:19:55
We had a MISP equivalent that we had in our product suite and
00:19:59
you know that was great for a couple of years and then we
00:20:01
dumped it because there was a better offering on the market.
00:20:03
So having a module that was really good because we hit a
00:20:07
market fit, because customers already had tools out there,
00:20:10
whether it be pen testing tools, they had instant response tools
00:20:12
, they had ticketing systems, whether it be, you know,
00:20:16
helpdesk now or whatever.
00:20:18
Whatever they were using, so we could actually turn our modules
00:20:20
off and let them use their modules and therefore, companies
00:20:23
that didn't have the budget for a scene, we could come in and
00:20:26
fit that slot and a product would scale greater than Alien
00:20:30
Vault and it would scale up to Splunk, but without the price
00:20:33
tag to suit.
00:20:34
So in terms of challenges with any business, yes, paying the
00:20:37
arts like no money, you know.
00:20:38
Paying AWSPs because we, you know we're a cloud stack shitty
00:20:42
tech, shitty open source, everything shit Customers who
00:20:46
don't then want to pay for professional services you know
00:20:49
what it's like running a business some of your listeners
00:20:51
will too.
00:20:51
I heard that conversation you had with Chris Roberts.
00:20:53
Running a business of paying the arts, like you could easily
00:20:57
go and get another, you know, get a job in security and throw
00:20:59
for your new users on the call.
00:21:01
But you can easily get a job earning $100 million a year
00:21:03
without this bullshit and you could just simply clock in at
00:21:06
nine never.
00:21:07
Nine to nine in our industry, but definitely not.
00:21:10
A nine to nine instead of nine to five is probably closer to
00:21:13
the mark.
00:21:13
And then not sleeping at nine times.
00:21:15
But yeah, running a business of paying the arts, you need a
00:21:18
good team.
00:21:18
You're going to have highs and lows.
00:21:21
You're going to have big highs, you're going to lose big highs.
00:21:23
And yeah, look, would I do it again?
00:21:25
Yes, but fuck for those going out there it's a huge risk.
00:21:29
You know, for everything, everything on the line.
00:21:30
You put your house on the line, you've got investors, money on
00:21:32
the line, everything's on the line.
00:21:34
And they talk about the overnight success.
00:21:36
You know, 20 years later, but it's a great journey.
00:21:40
Where else can you do that sort of stuff where you can talk to
00:21:42
investors and do A rounds, b rounds, c, it's, it's.
00:21:45
It's freaking awesome to to learn stuff that you wouldn't
00:21:47
have normally had in.
00:21:48
You know, just getting a paycheck every every week or
00:21:51
every two weeks.
00:21:53
Speaker 1: Yeah, that is.
00:21:55
That is like the.
00:21:57
I guess that's the biggest pro and con to me, in my own opinion
00:22:03
, of you know, trying to do your own thing and navigate those
00:22:08
waters right, because for me, you know, I'm not in a situation
00:22:12
right when where I've overextended myself and, right
00:22:16
like you, put your house up as collateral or anything like that
00:22:19
, right, um, thankfully I haven't done that situation.
00:22:23
But I know someone that has a group of friends where, you know
00:22:27
, these guys have made hundreds of millions of dollars but
00:22:30
they've also lost all of it like two, three, four times.
00:22:34
I don't know if I would even be able to like handle that stress
00:22:39
right Of losing it Once I put in all that work of earning that
00:22:44
, that certain amount of money right, like I don't know if I
00:22:48
could.
00:22:48
Just, I don't know if I could handle that.
00:22:50
You know, like I don't know it's a skill almost to be able
00:22:54
to look at it differently from how other people would.
00:22:58
Speaker 2: So it's essentially you're putting your balls on the
00:23:01
line, and literally your balls, I mean, for me I knew it was a
00:23:04
great idea, like I could.
00:23:05
Actually I was already in the pen testing suite.
00:23:07
I you know there's plenty of money in pen testing and I could
00:23:10
see the market and just whether I could attract the market in
00:23:13
the seams.
00:23:13
But for me it was like all in and I didn't hesitate putting
00:23:17
stuff on credit cards.
00:23:18
I think I'm at, you know, at 140 in credit cards and
00:23:21
maybe a hundred thousand dollars in loans just to get it where I
00:23:25
wanted to be.
00:23:26
Before I even approached investors and stuff like that.
00:23:29
And was it scary?
00:23:30
I wouldn't say scary, but maybe I could probably hit that from
00:23:33
my own mind so I could keep, you know, getting up in the morning
00:23:35
.
00:23:35
But but it was fucking fun.
00:23:40
I knew it was a good idea and I knew I could execute.
00:23:43
It's just a matter of how much capital I could get in before I
00:23:46
could get myself out of the ship , if that makes sense.
00:23:50
I think it took three years before the first out of the ship
00:23:53
.
00:23:53
But then there's bigger numbers .
00:23:55
Then you're not talking about $250 in personal, then
00:23:59
you're talking about $2 million of investor money to go to the
00:24:02
next level.
00:24:04
Then you're in different levels of shit.
00:24:06
Then you're in a legal accounting hell, like Chris
00:24:09
Roberts said, you're in IRS and then ATO Health back in
00:24:12
Australia.
00:24:12
Fuck the pain.
00:24:13
I don't know why.
00:24:14
I just stayed at the bank.
00:24:15
Half million dollars a year.
00:24:17
Sit back on my seat and talk shit on Twitter.
00:24:19
I mean fucking.
00:24:20
So much easier.
00:24:24
Speaker 1: Yeah, it is way easier.
00:24:27
You could almost get a career now just talking shit on Twitter
00:24:31
.
00:24:32
Speaker 2: I'll be one of the influence.
00:24:39
Speaker 1: Yeah, with this podcast, it's like a
00:24:41
double-edged sword with social media.
00:24:43
You have to be out there, you have to be engaging all the time
00:24:47
, but I'm not the type of person to engage all the time If I
00:24:50
don't have quality content to say or input, feedback, whatever
00:24:56
it might be right, if I don't have something that I feel is of
00:24:59
value, I'm not going to post about it.
00:25:02
Right, in this game of podcasting and building an
00:25:06
audience and all that sort of stuff, I admittedly I'm
00:25:11
absolutely horrible at it, because I'll go a week or two of
00:25:15
no posts on Twitter and that's like a huge red flag, that's a
00:25:20
huge no-no.
00:25:21
It's like, oh my God, why are you making that?
00:25:23
You're losing all your momentum .
00:25:25
To me, it's just like man, I have like five other things
00:25:29
going on.
00:25:29
I can't spend 20 minutes I literally cannot spend 20
00:25:33
minutes researching the right hashtags and all this other
00:25:37
stuff just to put together some crafted posts.
00:25:41
Right, that isn't even my own words anymore.
00:25:43
It's frustrating.
00:25:45
I went out on a tangent there.
00:25:48
Speaker 2: No, it's a great tangent.
00:25:50
Queen Eustwood once said in one movie.
00:25:52
He said a man's got to know his own limitations.
00:25:56
If you're not that sort of person, then don't try to be
00:25:59
that person.
00:25:59
I mean, I look at Mel where Jake.
00:26:02
I love Mel where Jake.
00:26:03
He has great content, always great content.
00:26:06
The only thing I can do is just give him shit.
00:26:09
That's my skill set.
00:26:10
I love poking people, say with dark matter or Kintara.
00:26:15
I just give them shit because that's my skill set.
00:26:21
I'm not going to research something that's already public
00:26:23
and then regurgitate it like I know the shit.
00:26:25
Jake can do that.
00:26:26
I've just got no interest in doing that or skill in doing it.
00:26:30
So I just post shit and like you infrequently.
00:26:38
Speaker 1: Yeah, that makes a lot of sense.
00:26:39
So, okay, so we talked about you being a Defcon speaker and
00:26:47
whatnot.
00:26:48
After you researched this death certificate vulnerability,
00:26:53
right After you researched that, did you start going down this
00:26:56
rabbit hole of documentation that the government uses for
00:27:01
different benefits and things like that and how to potentially
00:27:05
exploit the system, or did you stop there or what was that like
00:27:11
?
00:27:11
Because, for me at least, I would start going down that
00:27:14
rabbit hole of seeing like, okay , can I get disability benefits,
00:27:19
can I get this?
00:27:21
It's just it'll snowball and that's probably a bad mentality
00:27:25
in that situation.
00:27:27
But where did you go after that ?
00:27:30
Speaker 2: Yeah, so you noticed that all my talks I always do
00:27:32
any talk and I also do a paper or a book.
00:27:34
So I actually wrote a book to that talk.
00:27:37
So it was published straight after the talk with all my
00:27:39
materials that people could research them and then take that
00:27:42
research further.
00:27:43
After a talk I stopped cold.
00:27:45
I did not go down that rabbit hole and keep going and, like I
00:27:48
said with the bank scenario, like I work in a bank, get born
00:27:51
and then move on.
00:27:52
Same with the talk I'll do a talk, present the talk, provide
00:27:55
my materials so people can go and Chris, that shit, you
00:27:57
domestic step or you miss that.
00:27:59
So people you know, as a scientist.
00:28:01
But as a scientist, people can actually look at my work and go
00:28:04
how did you get from A to B?
00:28:05
And prove it how did you get from A to B?
00:28:07
So the answer to your question is I drop it dead and go to the
00:28:11
next topic or do nothing and then just let the next idea fall
00:28:15
.
00:28:17
Speaker 1: Hmm, and okay, okay.
00:28:20
So then you, you just dropped the entire.
00:28:23
You know government paper method, right?
00:28:27
You just dropped that whole topic and then moved on to the
00:28:30
next one.
00:28:30
Correct, Right, Okay, so you know what was.
00:28:34
What was your next talk about at DEF CON?
00:28:37
I have to admit to you, you know, it's not like I follow
00:28:40
your career or anything like that, you know, but I did see
00:28:44
that first talk.
00:28:45
What was your next talks about?
00:28:47
What areas did you dive into?
00:28:50
Speaker 2: Did you kill Jeff Moss a couple of more times,
00:28:53
different ways, or so the next talk I did, I did with a, with a
00:28:57
mercenary called Simon Mann who did a coup in Africa.
00:29:00
So I did the overthrow of government in DEF CON 24 in 2016
00:29:06
.
00:29:06
So I actually worked with a mercenary on how you would
00:29:08
overthrow government and use Q8 as an example and then hack
00:29:12
their power, their government, their oil, their telco,
00:29:16
everything so you can actually orchestrate your own coup using
00:29:21
digital means.
00:29:21
So that was the sense that's probably most of my popular talk
00:29:25
out there at the moment.
00:29:26
And then I did another talk last year last year, yeah, last
00:29:31
year on how to how to bypass bomb jammers, so using a
00:29:38
specific hardware, how I could actually get frequencies
00:29:41
transmitted under a nine kilohertz and actually generate
00:29:45
an.
00:29:45
ID under jammed environment.
00:29:49
Speaker 1: Wow, okay.
00:29:51
So I mean I feel like we could do a whole other podcast on
00:29:57
cyber mercenaries a lot.
00:29:58
Yeah, you know, when we talk about cyber mercenary, can we
00:30:08
break down what that is right?
00:30:09
Because to me, one I've never heard the term before and two,
00:30:15
when I think about what a mercenary is in the military
00:30:18
sense, I'm thinking you know someone that's a lone wolf
00:30:22
that's going in and impacting, you know, I guess, the power
00:30:26
grid, or impacting social media for a region and directing, you
00:30:32
know, political views and things like that.
00:30:34
Is that what it is, or is there more to it?
00:30:36
Do you ever see like more organized groups of cyber
00:30:41
mercenaries that you know?
00:30:42
It's like, hey, these five people are attacking the power
00:30:45
grid and I don't know name a random country, right, and then
00:30:49
these people are attacking the water supply.
00:30:51
Is that what you've seen?
00:30:53
Let's talk about that a little bit.
00:30:56
Speaker 2: Yeah, so you're partially right.
00:30:58
So think of a mercenary.
00:30:59
You don't think of a mercenary as a single mercenary.
00:31:01
It's always a group of mercenaries and their
00:31:03
ex-soldiers, it's guns for hire.
00:31:05
The cyber mercs is essentially keyboards for hire.
00:31:08
I mean same thing.
00:31:09
They're people like myself, for you or for Chris Roberts, for
00:31:12
example who've got, you know, great technical skills and then
00:31:16
they've been asked to do a job and that job might be for a
00:31:18
private organization and it's illegal.
00:31:20
It might be for a government, which is illegal in some
00:31:23
countries, and then you are essentially keyboard for hire
00:31:27
and you may be doing the job by yourself.
00:31:30
We might be doing a job by yourself.
00:31:32
I'll give you an example.
00:31:33
You know you've had a black water and a HS and all that sort
00:31:35
of stuff.
00:31:36
You know private military contacters.
00:31:37
They're in a big ass company.
00:31:39
There's a cyber division.
00:31:40
It's essentially you have a cyber division that does the
00:31:43
cyber merc class within that company or it's an outside phone
00:31:47
.
00:31:47
So think of it as a big group.
00:31:53
Speaker 1: That's really interesting.
00:31:53
That's almost like organized cyber crimes in the kids or
00:31:58
something like that right.
00:32:00
Speaker 2: That is.
00:32:00
I mean, people can dance around the subject cyber merc, cyber
00:32:03
criminal.
00:32:03
You know, one man freedom fighter is another one's
00:32:06
terrorist.
00:32:07
This is exactly the same.
00:32:07
I mean, you know you look at some man in Africa.
00:32:10
He was asked by the English government to do something over
00:32:13
there.
00:32:14
He did it.
00:32:14
It was private money.
00:32:16
He's a mercenary.
00:32:16
He got caught, he went to jail and then you know it's
00:32:19
essentially it's a criminal activity.
00:32:22
But you know, people put mercenary in part of it and make
00:32:25
it a clean title.
00:32:29
Speaker 1: Is this something that you have seen, like you
00:32:33
know, actually happen in the real world?
00:32:35
Right, Because immediately when we start, you know, talking
00:32:41
about what this actually looks like, of attacking the different
00:32:45
portions of a country, you know , I guess my American brain goes
00:32:49
straight to America, right, and it's like, okay, did our power
00:32:53
grid get attacked recently?
00:32:55
Did our water supply, oil, whatever it might be?
00:32:58
You know, in my head it immediately goes to oh well, you
00:33:01
know, this attack was rushed, or this one was, you know,
00:33:04
attributed to China, or whatever it might be.
00:33:06
Do you see these criminal groups, potentially even
00:33:11
masquerading as these other you know government powers?
00:33:15
And maybe, you know, this is all theoretical, right, I don't
00:33:20
know shit about anything, Like you know, are they potentially
00:33:25
like, masquerading as China?
00:33:27
Maybe they're a faction of cyber mercenaries in China and
00:33:31
they're attacking, let's just say, the US power grid, for an
00:33:34
example?
00:33:35
You know, is that what you've seen or is that how it works?
00:33:38
Potentially?
00:33:39
Yeah, I am a cyber mercenary.
00:33:41
Speaker 2: I'm a cyber merc by trade, so I know exactly what
00:33:44
you're referring to and the answer is yes.
00:33:46
And it's not just, not just country, it might be company
00:33:50
within a country.
00:33:50
So you know, I mean you might be tough with, you know, doing a
00:33:53
job within a company within a country.
00:33:55
It doesn't have to be the power grid, it can be something small
00:33:58
, it can be a country.
00:33:58
I mean you look at your 2016 elections, you know, was there
00:34:02
outside interference?
00:34:03
Yes, someone says yes, someone says no.
00:34:05
Of course, no one's going to say yes, there was, but there's
00:34:08
always going to be.
00:34:09
And that's the whole idea about mercenary.
00:34:10
Did, did?
00:34:11
Did America help Ukraine break away from Russia?
00:34:16
You know in, you know in 2000,.
00:34:18
Speaker 1: The answer is yes, obama admitted that, but it's
00:34:20
never going to be.
00:34:21
No one's ever going to say, yes , that happened though.
00:34:23
Speaker 2: You know, you know America revolved in the 2002 to
00:34:26
two in our like it's.
00:34:28
It's just one of those things where it's not going to be well.
00:34:30
It's going to be tried not to be public because no one wants
00:34:32
that public perception that we did this, or we involved or we
00:34:36
acting to this private company, or we did this or we did that.
00:34:39
So the answer question is, it's all around us.
00:34:41
It's always been all around us.
00:34:42
And you get a tap on the shoulder Can you assist with
00:34:44
this?
00:34:45
Yes, no, if you're a cyber merc .
00:34:46
Anyone existing is cyber merc.
00:34:48
They know exactly how it works.
00:34:49
You get a job across your desk and you decide whether you want
00:34:52
to do it or not, and that's how it works.
00:34:55
Speaker 1: Oh yeah, that's really fascinating that's.
00:34:58
It's almost tempting to go down that, go down that rabbit hole.
00:35:04
You know myself, right, but it's an interesting area that I
00:35:10
mean literally.
00:35:10
I didn't even know that this area kind of even existed before
00:35:16
.
00:35:16
You know you brought it up.
00:35:18
You know, is being in this kind of line of work can it be
00:35:24
frustrating at times to, you know, potentially participate in
00:35:28
a project right Of, I don't know, let's just say, hacking
00:35:32
Microsoft, because Microsoft's been on my brain lately not
00:35:35
saying that you did or anything like that, right, but you know,
00:35:41
let's say that you, you know, go through this project and then
00:35:46
you see it portrayed in a different way in the news.
00:35:49
Does that ever frustrate you or does that ever, you know, get to
00:35:52
you to a certain extent?
00:35:54
And I asked that because, you know, I had Mike Jones on
00:35:57
previously and he said that when he was working for the NSA, you
00:36:02
know he had the insider information and he knew the
00:36:05
actual truth about a hack or about, you know, an operation
00:36:09
that he may have been, you know, had some hands in some way
00:36:13
right, and then he would see it how it was portrayed in the
00:36:16
media.
00:36:17
And it was completely opposite.
00:36:18
It was completely different from the report that he actually
00:36:21
wrote, and that was very frustrating for him.
00:36:23
Do you ever come across that sort of situation as well?
00:36:27
Speaker 2: Yes, but I don't get frustrated by it.
00:36:29
It's one of those things is the media and the average Joe will
00:36:33
interpret it a certain way and then it becomes ego, like if I
00:36:38
do a job and I guess portrayed a certain way that doesn't fit
00:36:42
with the way that I was doing it .
00:36:43
A different position than myself with Mike is that I mean
00:36:46
that was his job and he got paid for his job.
00:36:48
As a mercenary you get paid money, so who gives a shit how
00:36:52
it's portrayed?
00:36:52
I mean if I hack a bank and then find another hacker in that
00:36:56
bank and then format this and then I might take their mark and
00:37:01
throw it on another disk, so when it gets relatively, you
00:37:04
know retrieved, they can see the mark of the other hacker there.
00:37:08
For me that's fucking funny, like I'm not involved.
00:37:11
It's the check at the end.
00:37:12
So obviously if you went to the NSA you actually give a shit
00:37:14
about your country and all that sort of stuff and of course you
00:37:17
have that whole he goes the wrong way.
00:37:20
But you have that confidence, that responsibility.
00:37:23
You have that whole.
00:37:24
I love America mentality if you're gonna work for the NSA
00:37:27
and for me it was just a check I don't give a shit how it gets
00:37:29
portrayed, as long as I get paid .
00:37:33
Speaker 1: Yeah, that makes sense.
00:37:34
Have you ever had that situation where you've hacked
00:37:38
into a company and then you found another hacker?
00:37:40
All?
00:37:40
Speaker 2: the time, all the time.
00:37:43
Speaker 1: You're planting evidence for them to get
00:37:45
discovered and IU and stuff like that All the time.
00:37:48
Speaker 2: That's our common method we use is we're all
00:37:51
hacking and even if they haven't hacked in, we'll throw their
00:37:53
marks from other hacks on the target.
00:37:55
So it's just one of those things like man, what we're
00:37:57
gonna go down for this, let them go down for it, so we'll throw
00:38:00
their mark, their flag, their style, on another server.
00:38:03
Even going back to pen testing, we're hacking to legitimate
00:38:08
porn companies who had hackers in there for five years that
00:38:11
were taking the new I'm gonna use the word fresh models, but
00:38:14
they have a new, young model that they would then take that
00:38:17
data and put on another site and then they would then sell that
00:38:20
porn legitimately after hacking the data, and they had a
00:38:23
constant feed.
00:38:23
So every time there was new models being updated, it would
00:38:26
go to this other site and then they would sell that content,
00:38:29
and they did that for five years .
00:38:30
So no, I was making money off other people's model money.
00:38:34
So we see all, and so when we did the pen test, I said, hey,
00:38:37
you don't realize, you got hackers in there and they didn't
00:38:39
take it to the police.
00:38:40
Obviously, in the porn industry you're not gonna be attracting
00:38:43
police attention.
00:38:43
So they just asked to shut it down, and so it's pretty common.
00:38:48
It's not uncommon for us to hack in and see other people in
00:38:51
there.
00:38:51
Sometimes you're hacking and you just don't.
00:38:53
You don't wanna disrupt each other, so then I point causing
00:38:56
havoc for each other.
00:38:57
You'll just like bypass each other and keep going.
00:39:02
Speaker 1: Wow, that is.
00:39:03
That's really interesting.
00:39:05
That makes me think about the different hacks that have come
00:39:11
out in the past and whatnot, and it makes me wonder if some of
00:39:15
these hacks that like, let's say , america, attributed it like
00:39:21
directly to Russia or something like that or some hacking group
00:39:24
in Russia.
00:39:25
I wonder if it was that situation where it was like,
00:39:30
yeah, you attributed it to Russia because we made you think
00:39:32
it was them, but it was actually someone else or
00:39:36
whatever it might be, which I guess that's a.
00:39:39
I can use Russia as a good example, because this podcast
00:39:42
got blacklisted in Russia ever since they invaded Ukraine, so
00:39:47
it's not like they're gonna hear it.
00:39:49
Speaker 2: And look and don't worry about that sort of stuff
00:39:51
too.
00:39:51
Look, if I did an interview with a journalist, 70% of what I
00:39:54
say will be accurate and 30% will be inaccurate.
00:39:57
Even like a recorded interview, like we're doing now.
00:39:59
They'll fuck it up and they'll do that because they have their
00:40:02
own agenda, like it's got to meet their listening audience.
00:40:05
Now, if you've got a government agenda and whether you want to
00:40:09
attribute this to Russia or China, you may have.
00:40:11
You may get a report from the NSA that we've got a 95% we
00:40:17
believe it's come from this, from this Russian group, and
00:40:21
then others go with it.
00:40:22
You know what I mean?
00:40:22
Because if it meets their agenda, they'll publish that it
00:40:25
came from Russia, but they're not gonna say, oh well, we
00:40:28
didn't get a hundred percent certainly, so we're not gonna
00:40:30
publish.
00:40:30
Is this the right time to bash Russia?
00:40:33
Yeah, let's do it.
00:40:34
Or China, or name your enemy of the day.
00:40:37
It seems like the constant thing with America is you always
00:40:40
got to have an enemy.
00:40:41
It's just kind of quietness.
00:40:45
Speaker 1: Yeah, that is a really interesting, I guess,
00:40:50
mentality right that you bring up Like we always have to have
00:40:56
some sort of adversary, right that we're going up against,
00:41:00
that we're doing things to protect ourselves from, or
00:41:03
whatever it might be, and to a degree that's exhausting, it's
00:41:08
frustrating, at least for me.
00:41:11
It makes me question a whole lot of different things.
00:41:14
Right, it's like well, are we being lied to about this and all
00:41:18
that sort of stuff?
00:41:20
Oh, sorry, I was gonna interrupt you.
00:41:24
Speaker 2: I mean I can't believe that you're still
00:41:26
thinking whether you're being lied to or not.
00:41:27
Like you know the whole weapons of mass destruction thing.
00:41:30
It's like what the fuck we did?
00:41:32
Just skip that a whole lead path.
00:41:34
You know what I mean.
00:41:35
Like it's that whole fucking.
00:41:37
You know what I mean.
00:41:38
Like it's just it's constant being lied to about everything.
00:41:41
And even if something legitimate, let's say I'm not an
00:41:44
anti-COVID, so don't get me, I'm an anti-COVID.
00:41:47
But the government says do this , do that?
00:41:49
We've been lied to so many times.
00:41:50
No, when the fuck are people going?
00:41:51
I'm not fucking interested in your bullshit.
00:41:53
One more fucking time there's always ends in chaos.
00:41:59
Speaker 1: Yeah, no, I 100% agree.
00:42:01
You know, I actually, in college, I actually stopped
00:42:05
watching the news or anything like that, because I found that
00:42:08
the news was just giving me so much anxiety about things that
00:42:12
basically had no impact on my life at all.
00:42:14
There was no point in me listening to anything that they
00:42:17
said.
00:42:18
And then I started going down the rabbit hole of oh they like
00:42:22
legitimately, you know lied about WMD.
00:42:24
Well, if they were gonna lie about that, what else are they
00:42:28
lying about, you know?
00:42:29
And so, like, I tried to sequester that in my brain to
00:42:32
protect me from myself, from going down that rabbit hole,
00:42:35
because you know I'm in the cybersecurity world and I can
00:42:38
only go down so many rabbit holes at once and I don't wanna
00:42:41
waste my time on the government's lies right.
00:42:44
Speaker 2: Yeah.
00:42:45
So what we do is we?
00:42:46
Just when I say we, it's a blanket lie.
00:42:49
So everything's gonna be aligned to approve it otherwise.
00:42:51
And I haven't got time to disprove their nonsense, because
00:42:53
they're creating the narrative.
00:42:55
They're providing the evidence in front of me to say oh, you
00:42:58
know, this is the case.
00:42:58
We're doing a no vote at the moment in Australia about
00:43:01
Aboriginal rights.
00:43:02
Now it could be 100% legitimate and I should be voting no, but
00:43:06
the government are telling me to vote yes.
00:43:07
Now, as soon as the government tell me to vote yes, I'm not
00:43:09
fucking voting yes.
00:43:10
It's as simple as that.
00:43:11
They've fucked us around so many times.
00:43:13
I don't really wanna be one of those people, but it's just
00:43:16
embarrassing.
00:43:16
You know what I mean.
00:43:17
Like you wouldn't put up with this with anybody else.
00:43:18
If somebody, if your company, kept lying to you about when
00:43:21
you're gonna get paid and you're never gonna get paid, I mean
00:43:24
you just straight away.
00:43:25
It's non-trust.
00:43:26
You have no faith.
00:43:29
Speaker 1: Yeah, that would be a very real problem of you know.
00:43:32
Actually, that reminds me my wife, you know.
00:43:35
She's a teacher and earlier on in her career she worked for
00:43:39
like a private school, right, and we didn't know it obviously,
00:43:43
you know beforehand or when she started working there.
00:43:45
But the guy who owned the school you know was like double
00:43:49
dipping across like several different companies and he was
00:43:52
using income from one company to pay for, you know, teachers in
00:43:55
this school and vice versa, right, and it like started to
00:44:00
come to light when her paycheck was late.
00:44:02
It's like, well, wait a minute, paychecks are not normally late
00:44:05
and you're not getting paid in cash, like what the hell, you
00:44:09
know.
00:44:09
And it all came out, you know, and the school you know just
00:44:13
crumbled, like right in front of everyone is insane.
00:44:18
But I really wanna talk about Simon Mann and how you guys got
00:44:23
linked up and you know maybe just a brief intro into his work
00:44:29
in the coup that he created in Africa, because, for one, I know
00:44:33
nothing about it.
00:44:34
And so now, you know, the very first thing that I'm gonna be
00:44:37
doing is looking him up after this podcast and trying to get
00:44:40
him on for sure, because that's a fascinating line of work to be
00:44:46
in.
00:44:47
Speaker 2: He's awesome.
00:44:48
And what happened, though, is I was watching Netflix and I
00:44:52
can't remember what it was, maybe 2014, 15, maybe it wasn't
00:44:54
even Netflix, but anyway, there was a four part episode on
00:44:57
mercenaries, and he was actually on the show and he was talking
00:45:00
about how mercenaries operate Like and he's an ex-SAF.
00:45:04
You know UK soldier, you know beautiful.
00:45:07
You know looked at his resume in terms of you know he was in
00:45:09
Iraq, I know he was in Ireland and all that stuff, so he had a
00:45:13
beautiful resume, and then he just went down this other route,
00:45:16
you know the mercenary route, and he wrote a book called
00:45:20
Cryhavoc.
00:45:20
It's a great book.
00:45:22
There's some things that had to be cut out of that book, but so
00:45:25
I actually contacted him and said, hey, this is what I do, I
00:45:29
know what you do.
00:45:30
Maybe we could work together.
00:45:32
Now, originally, he was supposed to come with me to the
00:45:34
US and present a DEF CON, but he has travel restrictions, so we
00:45:38
had to do we work collaboratively together, and
00:45:41
then I got like a one minute pre-recorded session so I could
00:45:45
show who's on and man was.
00:45:47
And then we worked together for that had an over-strike
00:45:50
government in the 2016 talk.
00:45:53
Speaker 1: Huh, that's really fascinating about the travel
00:45:58
restrictions with America, because he's a British citizen
00:46:04
and he has travel restrictions to America, which I mean that
00:46:09
makes me question a whole lot of other things, right, because
00:46:13
there's some very interesting reasons behind that, I'm sure.
00:46:18
Speaker 2: After all.
00:46:18
I mean, he was in well, he was in Equatorial Guinea.
00:46:21
He was in a prison there, for I think he had a nine year
00:46:25
sentence and he did six or seven years yes, for that failed coup
00:46:30
.
00:46:30
And the story was that he was actually pay he was actually
00:46:35
commissioned to do this work by Margaret Thatcher's son, who we
00:46:40
he actually who loaned him a plane and he had a fleet of
00:46:43
mercenaries who didn't make it off the tarmac in in South
00:46:46
Africa.
00:46:47
So they got caught.
00:46:48
But you know the whole.
00:46:49
It came out after the exercise, but it was one of those they
00:46:54
don't want shit to get out, so you only hear half the story
00:46:56
He'll.
00:46:56
He probably won't tell you the whole story on air, but he'll
00:46:58
tell you after if you get him on the call.
00:47:02
Speaker 1: Yeah, for sure it's.
00:47:04
I guess one of the key rules of a coup is to not fail at the
00:47:08
coup.
00:47:09
Correct, because then you're kind of you're kind of screwed.
00:47:13
Speaker 2: You got your balls on the line and then it's very
00:47:16
yeah, yeah, I couldn't.
00:47:18
Speaker 1: I mean I don't.
00:47:19
I guess I don't know what that mentality is like of going to
00:47:24
prison and actually doing time right, because I mean I've never
00:47:27
done that, I've never gotten more than a speeding ticket, you
00:47:29
know.
00:47:29
And so the whole thought behind going to prison and losing your
00:47:34
freedom and and and your rights , and that perspective is just
00:47:38
it's like almost terrifying to me, and I I bring it up because
00:47:41
I actually have a friend who could be serving time fairly
00:47:46
soon, which it's just like.
00:47:48
I mean it really just messes with your mind, you know, at
00:47:51
least for me it does right, because it's like man, this guy
00:47:54
didn't think he was doing anything wrong.
00:47:56
He was doing something wrong and they're going after him with
00:47:58
the book, right, it's like makes me reassess everything.
00:48:02
Well, what am I doing that could send me to prison?
00:48:05
You know, because I want to, I kind of want to avoid that, you
00:48:08
know.
00:48:10
Speaker 2: Yeah, so so it's.
00:48:11
And you operate out of fear and by keeping you on online.
00:48:16
And that's the normal behavior, that's a human behavior, and
00:48:19
your friend obviously thought he was doing the right thing.
00:48:21
Again, he, you know, we're always, you're always threatened
00:48:24
.
00:48:24
You have to do this.
00:48:25
All this is going to happen.
00:48:26
You're threatened by the RF, threatened by government,
00:48:29
threatened by police, threatened by lawyers.
00:48:31
It's a constant threat.
00:48:32
Now, if you can get the out of your head is like they're just
00:48:34
trying to control me with threats like even our parents,
00:48:37
you know, as kids yeah, fuck it, do this, or you're fucking
00:48:41
gotta go to bed with no TV.
00:48:42
Do this, or there's no dinner.
00:48:43
That constant threat to manipulate behavior.
00:48:46
If you can then circumvent that , you can circumvent your mind
00:48:49
like no fuck off, I'll do what I want, and then, if you can then
00:48:52
just reset that, then you essentially can do whatever you
00:48:54
want to do.
00:48:54
Of course, you've got the repercussions of prison, but
00:49:00
again, your mate is he walking around right now?
00:49:04
Speaker 1: Yeah, he is, for now at least, you know you can jump
00:49:07
on a plush.
00:49:08
Speaker 2: You can go to Canada, go to South America, go to.
00:49:11
You know, ecuador, go to fucking.
00:49:13
I don't know Georgia, you can go anywhere.
00:49:16
You know he's got options, he's not stuck.
00:49:18
I mean, that's that whole fear of government.
00:49:20
Then you can own that like you can do your time, five, eight,
00:49:23
10 years, whatever or you can just fuck off.
00:49:30
Speaker 1: Yeah, that's a very good point.
00:49:33
That's a different mentality that I feel like I have to
00:49:37
digest and actually work through and whatnot.
00:49:40
So, Chris, you know I do apologize.
00:49:43
We just went 50 minutes into our interview.
00:49:45
We barely even talked about seeing monster or anything like
00:49:47
that.
00:49:49
Speaker 2: You don't have to.
00:49:49
You don't have to.
00:49:50
This is not this talks about.
00:49:52
I'm happy to talk about any topic you want.
00:49:53
This is not a business shell.
00:49:54
Everyone knows what I do, but I want to use a product.
00:49:57
They can.
00:49:57
We can just talk socially.
00:49:59
We don't have to talk about business.
00:50:01
Speaker 1: Yeah, of course I mean.
00:50:02
You know I do want to talk about Simmonster, for sure out
00:50:08
of my own curiosities, right, because I have been stuck with
00:50:12
Sims before running Sims.
00:50:14
I don't want to name any names.
00:50:17
But these deployments of you know Sims that you pay millions
00:50:21
of dollars for become extremely complicated very quickly and you
00:50:27
know it leads to one person basically knowing how it's
00:50:30
actually deployed and run in the environment and whatnot.
00:50:35
And whenever, at least from my perspective, right as being a
00:50:39
buyer of a solution, whenever I hear free Sim, my mind
00:50:45
immediately goes to I'm maintaining it myself, I'm
00:50:49
screwed if this open source library, you know, is no longer
00:50:53
maintained and things like that.
00:50:55
And I think that you touched on this a little bit before.
00:51:00
But from what I understand previously, you know you guys
00:51:06
basically go into open source projects or bring them into your
00:51:10
solution that you are willing to maintain yourself and if they
00:51:13
ever go out of you know support , so to speak, you will either,
00:51:19
you know, have the choice of maintaining it yourself for your
00:51:22
own solution or going a different route and going with
00:51:26
some other open source solution, right, is that correct?
00:51:30
Speaker 2: Yes, you know you spot on.
00:51:31
So we have our own coders that will look at code base and go
00:51:34
can this be supported within our product suite and then we will
00:51:37
maintain the code.
00:51:38
We lean heavily on companies like Wazoo.
00:51:41
We have a great XTR solution and they have a fleet of coders
00:51:46
that keep that up to date.
00:51:47
So we'll absorb that into our product because it's well
00:51:50
maintained.
00:51:51
But you're right, anything that gets decapitated or whatever,
00:51:55
we will dump it from our suite so that we always have a stable
00:51:58
product.
00:51:58
If we're not getting any updates or patching, it's gone
00:52:02
and gets replaced by a module that we write or another open
00:52:05
source solution that's out there .
00:52:08
Speaker 1: Hmm, now is the product, I guess, designed in a
00:52:14
way to where you know a broad range of people could actually
00:52:20
come into this thing and run it.
00:52:21
The reason why I ask again and I'm sure you're well aware of it
00:52:24
, you know like for myself, I couldn't just jump in this plunk
00:52:29
and start maintaining that thing.
00:52:31
You know that is a headache in and of itself.
00:52:35
It takes a lot of different training to actually do it, in
00:52:38
my opinion.
00:52:38
You know, do you guys create it in a way and use these
00:52:44
different open source libraries in a way to where you know,
00:52:48
really anyone could dive into this thing and learn it and use
00:52:51
it efficiently?
00:52:52
Speaker 2: Yes, so it's a great question you asked.
00:52:53
So essentially, what we've done is you got to remember that the
00:52:58
customers that we've attracted are customers who don't have a
00:53:00
large budget.
00:53:01
The customers who don't have a large budget don't have a large
00:53:03
SOC team.
00:53:03
They may be, you know, one, two , three operators.
00:53:06
Of course we've attracted some large MISP's that are happy to
00:53:09
white label our solution and then they have the staff support
00:53:11
it.
00:53:12
But we've always had the customer base that we needed
00:53:15
self healing.
00:53:16
So there was ever an issue that the product would self heal
00:53:19
with.
00:53:19
That module would self heal and we've had to make the product
00:53:22
intuitive so that from out of the box and we've learned that
00:53:26
over time, 2015 product 16, 17, 18 was not intuitive, but over
00:53:30
that journey we've turned our product into what we call an
00:53:33
intuitive product.
00:53:34
There's someone like you could jump in front of it.
00:53:35
You could play with a, three or four modules, get the hang of
00:53:38
it and move on to four, five and six and then you know the suite
00:53:41
and if you get into trouble, it will self heal.
00:53:43
So much of the size of our product.
00:53:45
Now we roll the product out on AWS marketplace with our support
00:53:49
.
00:53:49
So the product gets rolled out into your AWS environment when
00:53:53
we can buy support.
00:53:55
But you don't need support.
00:53:56
We don't push support on you.
00:53:57
So you can run our suite, upgrade your own product, and
00:54:00
you don't need a support contract or anything.
00:54:02
So you can have it up and running within, you know, a
00:54:04
couple of minutes, use it and then, if you like it, just keep
00:54:07
using it.
00:54:07
If you want support, you can get it.
00:54:08
If not, there's enough documentation and self healing
00:54:11
in nature that you can use the product, I mean, uninhabited by
00:54:15
salespeople annoying the shit out of you.
00:54:16
Because we're all from the same industry Venus suck, so we're
00:54:20
trying to make an, we're trying to be a non suck vendor.
00:54:25
Speaker 1: Yeah, that is that's always refreshing me here, you
00:54:30
know, just just dealing with vendors right now myself, it's,
00:54:34
it's frustrating, you know, and yeah, it's frustrating, to say
00:54:39
the least.
00:54:40
Everyone in this industry has experienced it, so that's really
00:54:44
interesting.
00:54:44
With the, you know, no support model necessary, right?
00:54:48
Nope, is there a method?
00:54:52
So, like I always have a knack for running into the most random
00:54:55
issues, you know that that basically everyone that I talk
00:55:00
to has no clue of what's going on.
00:55:02
Is there like a forum that I could go to and, you know, post
00:55:06
a question and someone from the team would answer it or whatnot?
00:55:09
Or do I have to like negotiate like a one time fee for a
00:55:13
support?
00:55:14
You know situation.
00:55:16
Speaker 2: We've got multiple options.
00:55:16
We've got a support portal where you can just lodge a
00:55:19
ticket and then you can just pay per request.
00:55:20
But to answer your first question, I made my engineers
00:55:24
take off six months of their job to document everything that
00:55:27
they knew, everything that they've experienced, and put it
00:55:29
on the support portal so that we did not require so you're you
00:55:34
know one in a million or one in that you've come across issue.
00:55:37
It's already been discovered by our customers before and we've
00:55:40
made sure that it's everything that you've ever experienced has
00:55:42
been documented.
00:55:43
And I'm not talking just.
00:55:44
You know 80% of document, 100%, that I could actually find my
00:55:48
whole support team and you can rely on this documentation.
00:55:50
Of course I wouldn't.
00:55:51
We've got new products and blah , blah, blah.
00:55:53
But my point is I made it clear that I didn't want them doing
00:55:56
any other work but documentation , because I'm a critical
00:55:59
believer in you've got a document and everything.
00:56:00
But to answer your question, yes, you've got the full docs on
00:56:03
site.
00:56:04
If you want a support contract, you can get a support contract.
00:56:07
Or if you've just got an alley, you just want to ask a question
00:56:10
for an hour, knock yourself out .
00:56:11
You've got access to our SMEs to answer your questions.
00:56:16
Speaker 1: Wow, that is really refreshing.
00:56:18
It's not very often.
00:56:20
I don't think I've ever encountered another security
00:56:24
company that will actually enforce the documentation
00:56:28
requirement, like that of like, hey, you're doing nothing else
00:56:31
for the next six months, dump all that you know into whatever
00:56:38
solution you had for it.
00:56:40
I remember earlier on in my career I was where I was leaving
00:56:46
a position and I was the security you know SME for this
00:56:50
company.
00:56:51
I was literally the only person at the company that did
00:56:53
anything with security.
00:56:54
And you know, of course we would have random customers that
00:56:58
have SE Linux issues after upgrades and things like that,
00:57:03
and so I created my own you know troubleshooting guide for
00:57:06
everything that I did.
00:57:08
You know you could search, you know in the field and everything
00:57:11
else like that, to look up the different you know information
00:57:15
and the exact command that you would have to run to get it
00:57:18
working.
00:57:19
And after I had left, you know it was common knowledge that you
00:57:24
basically had to distribute it.
00:57:26
But it wasn't a company policy, even it was like, oh, it was a
00:57:30
you know camaraderie type thing within the team is like hey, can
00:57:33
you please like give me your troubleshooting guide because,
00:57:36
like now, I'm going to take over all your customers and you know
00:57:39
I need to know what you've been doing.
00:57:41
It was more of that rather than someone else like actually
00:57:45
forcing you to do it.
00:57:46
So there was people that never maintained a document like that,
00:57:50
never kept any notes on any of our customers, and when they
00:57:55
left the company, you know, it was like starting over.
00:57:57
There were some situations where we actually had to like
00:58:00
redeploy the solution because it was so custom in ways that
00:58:04
didn't need to be custom that you know we just had to start
00:58:08
over.
00:58:08
We couldn't maintain it any longer, and it's just.
00:58:12
You know, I say all that because it's not a common thing,
00:58:16
especially with that you know security or IT overall.
00:58:20
Speaker 2: You're right, and, because you're asking, I founded
00:58:23
the company now the CISO.
00:58:25
So I and I'm a security architect pen tester by trade.
00:58:27
So I know the efficiencies in our own industry and
00:58:30
documentation is always one of them.
00:58:32
So I'm so anal that I'll monitor every ticket that comes
00:58:35
in and wondering why there's a fucking ticket that's come in
00:58:39
because the ticket shouldn't come in, because it should be
00:58:40
documented.
00:58:41
So you know, I'm then on my team and I'm, you know, most of
00:58:44
the time it's there's an article there that they didn't know was
00:58:47
there.
00:58:47
Why didn't they find that?
00:58:48
And then if there's an issue that's come in that we've never
00:58:51
seen before, it's got to be up on that fucking portal.
00:58:54
So that's how I operate, because I'm running a software shop,
00:58:58
not a support shop, if that makes sense.
00:58:59
I want that software as good as possible.
00:59:02
I don't need a team of 100 support staff.
00:59:04
I don't want 100 support staff.
00:59:06
I want a great product, a support if you need it.
00:59:09
But fuck, documentation is the key because you, if you're
00:59:13
working on something, do you really want to contact me and
00:59:16
fucking 10 o'clock at night that there's an issue and go through
00:59:18
that whole bullshit?
00:59:19
Or do you want to fucking see an article that you have.
00:59:21
The fuck do I do this and then you get an answer pop up.
00:59:24
That's what you want.
00:59:25
Speaker 1: Yeah, yeah.
00:59:26
I'd much rather just have the answer and not bother someone in
00:59:29
the middle of the night.
00:59:30
You know well, chris.
00:59:32
You know it's been a fantastic conversation.
00:59:35
I absolutely want to have you back on sometime in the future
00:59:39
and dive more into, you know, cyber mercenary stuff and you
00:59:44
know talk about your, your bomb jammer or whatnot.
00:59:46
But you know I'm a stickler for time myself.
00:59:49
I try to respect everyone's time and even now.
00:59:51
You know we're over a couple of minutes, right, but before I
00:59:54
let you go, how about you tell my audience?
00:59:56
You know where they could find you if they wanted to.
00:59:58
You know reach out to you and you know what your company's
01:00:02
website is if they want to learn more about Seamonster.
01:00:05
Speaker 2: Thanks for that, joe, and I've loved being, on a
01:00:06
matter of fact, talking to someone like myself in the
01:00:08
industry, right in the guts of it, and you know exactly what
01:00:10
I'm talking about, and it's lovely just to hear those ideas.
01:00:13
Look my website, really easy chrisrockhackercom.
01:00:17
All my talks, all my books, all my articles, all my upcoming
01:00:21
talks are on that site.
01:00:22
Chrisrockhackercom and Seamonster it's just
01:00:24
siamonstercom, if you're looking at the same products.
01:00:29
Speaker 1: Awesome.
01:00:29
Well, thanks everyone.
01:00:30
I hope you enjoyed this episode .