In the Mind of a Mercenary: A Dive Into Cyber Warfare
Security Unfiltered, October 03, 2023
124
01:01:26 | 42.25 MB


Ever pondered what it takes to transform a childhood fascination with computers into a fruitful career in IT and security? Our guest, Chris, provides a captivating narration of his journey, showcasing how he climbed up the ladder from help desk jobs to security roles in banks. He paints an intriguing picture of his experiences with pen testers and how he got his adrenaline rush from manipulating banner information and port numbers.

Have you been seeking ways to unlock your subconscious mind and generate game-changing ideas? Chris and I venture into the realm of subconscious inspiration, discussing how hypnosis, deprivation, and meditation can be powerful tools. We also dig into the rollercoaster of running a business, laying bare the challenges, risks, and the exhilarating journey from startup to success. 

As we navigate the intriguing world of cyber mercenaries, we weigh in on the potential for mercenaries to disguise themselves as other government powers and the repercussions of hacking major corporations. We dissect the mindset of a cyber mercenary and discuss the complexities of attributing hacks to other countries. Wrapping up our discussion, we enter the realm of government lies and conspiracy theories, and share the riveting story of Simon Mann, an ex-SAF soldier turned mercenary. Join us for this enlightening exploration.

LinkedIn: https://www.linkedin.com/in/chris-rock-siemonster/

Company: https://siemonster.com/


Speaker 1:

Well, Chris, you know it's a real pleasure having you on. You know, before we dive into the conversation, I got to tell you right, the first DEF CON I was ever at was the DEF CON that you spoke at, where you were talking about how to you know, essentially fraudulently, fraudulently, you know submit and get someone's death certificate, and that, like I mean that, that just like opened my mind to this whole world of like wait a minute, you know the government is still run largely on paper, right, so how easy is it to do fraudulent things with, you know, applications, and it just like made me go down a whole rabbit hole. So like that was a really fascinating talk that that I heard you for for my first ever DEF CON.

Speaker 2:

I'm glad you got to see it live.

Speaker 1:

Yeah, yeah, it was fantastic. I mean you know from what I remember right, because I was, you know might have been a few drinks in that day, as one is at DEF CON and given it was like eight years ago you know at this point, but you know it was it was fantastic and you know the humor that you, that you wrap into it is just hilarious with having Jeff Moss on the death certificate while we're at DEF CON.

Speaker 2:

Yeah, I was like well, I'm at DEF CON and then everything's up for grabs. You know it's supposed to be disavowed, so let's put our money where our mouth is and I'll put the host up to be killed.

Speaker 1:

Yeah, it's fantastic. Well, Chris, you know I start everyone off with telling you know their story, right, how did you get into security? How did you, how did you stumble upon it? You know what piqued your interest, that sort of thing, right? Because you know I have an audience that is younger in their career, that is looking to get into security, or maybe they just made that jump right and hearing everyone's story will really add, you know, to their own mentality of thinking okay, this is possible, this is something that I can potentially do, you know, and just helps them along the way.

Speaker 2:

Yeah. So for your new listeners, I just let let's let them know there's no right, this is not one of those I'm gonna get in testing in the first three years and I'm gonna do forensics or all of that. So I've been doing this stuff for 30 something years. I started essentially as a child. I was born at the right time, 1973, like probably, you know, eight years before computers became, I would say, mainstream. But so I found something before that. It was, you know I'm obsessed about things like train sets and you know nerd stuff like that. And when computers came along, we're shocked when I sold my train set to get my first computer. So I was essentially, you put, an obsessive kid whether you call it autistic or Asperger's or anything that's neurodivergent put somebody in front of a computer and they're at home. They love spending time in front of the computer. So I essentially spent my life in front of a computer. You know we're talking, you know, before the modem days and the modem days and then the internet.

Speaker 2:

So in terms of career, I went to university to do comp science, because that's what you did when you turned 18. And I found out because it was boring, I hated coding. And then the following year I thought I'll do it, I'll try again. So I went to university college again, like that. Again I thought, oh shit, I really should buckle down. But I don't like university. I thought it was boring. The stuff that I've been doing pre uni, I knew all this sort of stuff about you know CPU, CPU architecture and stuff like that. I just hated coding. I just thought it was boring. And then I tried again the third time and failed again in first semester and said, man, this is not for me.

Speaker 2:

And then I went straight to the workforce. I got a job at a university just doing IT. I did help desk, help desk for a year and a half. That was a shit job. But then I started to learn the systems at the university, things like those days we're talking about Unix and VAX and you know Sun systems and you know PC and FS and Cat 5 and coaxon ones and stuff. And then after that I then got a job at a bank and, just to make sure your list is like a two board, I spent 10 years doing IT and then IT security in four different banks. So then you get to learn how systems really plug and how things are important. You know check clearing times and and in England, really good practices.

Speaker 2:

Working in a bank. My dad always said make sure you get a job at a bank because they sell money. Don't work at someone that sells like the cells and sorry for anyone working targets, selling underwear and stuff like that, because you always have money at a bank. And then after that I saw some pen testers coming into the bank. So this is what I was in my late 20s, coming to the bank and doing a pen test and I noticed that they're relying on tools such as back then or things like Nessus and stuff like that, and your listeners will know when you're doing a pen test it relies on banner information that comes back from a host your Windows hosts then try these exploits, or your Sunhives.

Speaker 2:

So I used to screw with them and then changed all the host banner information and all the port numbers so they couldn't find the ports using standard tools and be able to change the banner.

Speaker 2:

So instead of a you know if they're hitting a Sun system I changed the banner you know the enumeration to a Windows server and watch them then fail and then watching them fail and then having to resort to manual tools, which they didn't have any skills doing it.

Speaker 2:

So back then these were the big auditing firms, you know the EY, KPMG, stuff like that, doing pen tests as a side key for their key function, which is auditing. And then I then said, shit, there's a, there's a market here for pen testing. So I then went and set up my own company and then started doing pen testing and then picked up some big clients really quick because I mean I've been doing this, you know, at that stage for your 10 plus years and I found it really easy. So, you know, pick up clients like American Express and stuff like that went around the world and spent a long time in the Middle East. And then, the latter part of my career, just to speed up 10 years, I had a client of mine who I did a pen test for and we'd been, we'd been in the environment for maybe a month or so, and they had no idea we were in the environment.

Speaker 2:

They said, look, what tools are out there to detect hackers once they're inside? I said, well, you know, you need things like idiar and SIEM and all that stuff. So I've got them in touch with Splunk. They got a quote for Splunk which was like million bucks plus and they said, well, we can't afford that. So what else is there out there? And we said, well, you could go the open source route.

Speaker 2:

And you know, at that time there was ELK, Elasticsearch. They said, well, we don't really have the skills that. Can you build this, an ELK platform? We said, look, look, we don't do it. We're pen testers. We don't really do that, but if you sponsor us the word sponsor as in pay we'll have a look at, you know, putting our ELK solution in for you. And that was essentially day one of SIEMonster. And you know, since 2015, I've been working on a company called SIEMonster, co-teller and CISO, where we build SIEM solutions for companies using open source tech so they can detect breaches within an end network, using what the experiment we've had and testing some of that.

Speaker 1:

Wow, that is that. That's really fascinating and there's a lot to unpack there. So you know, I've spent quite a few years in the financial industry myself and it seems like it's always just so much easier to go from one financial company to another, whether it be a bank or you know even the Federal Reserve, right or other. You know credit companies, mortgage companies if it deals with you know money. In that way, it's very easy to just get that jump. Is that something that you experienced then as well? Or is this kind of something that was brand new, where if more of if you just had the technical skill set, you know, they would take you?

Speaker 2:

So for me, once in the banks, once you work in a bank, it's easy to move to a bank in terms of employment history. You know he worked at the Australia's biggest banks, so working for Australia's second biggest bank, that's really easy. But I found that internally it was pretty much the same stuff. You know that they might be using different systems, different architecture, but again they have a you know a lot of risks and your job is to minimize those risks and you know so. You essentially come in as a white knight and, to be honest, when I go into a company, I like if they've got, say, 70, you know issues that need to be rectified and I can get that down to a low number of two or five. My job is done. I don't think, hang around, I don't like doing you know, I'm not gonna say with blue team I don't like just hanging around doing status bar. I prefer to do something new. At that stage I get bored.

Speaker 1:

Hmm, yeah, like a lot of us in this field, like we get, we easily get bored and, you know, have to find other things.

Speaker 1:

Like when Chris gets Chris Roberts gets bored on an airplane, he starts doing weird things that get some in trouble.

Speaker 1:

Right, but you know, I how did you get to the point where you decided that you wanted to become a DEF CON speaker? Right, because that's not, at least for me, right, like I don't want to call it a goal, right, but it would be really cool if it happened. But I'm also totally fine if it doesn't happen, right, because I don't really like speaking a whole lot in front of a whole bunch of people and I also don't think that I have anything or know anything of enough value to actually, you know, speak about, right, at a conference. Like, that's just me, that's my own personal issues that I have to work through, I guess with the therapist or something, right. But you know how did you, I guess one did you come up with the idea of I want to be a speaker at DEF CON first and then find something to talk about? Or did you stumble upon your death certificate, vulnerability, so to speak? And then you're like, oh, I should tell people about this at DEF CON.

Speaker 2:

Yeah, so great questions, by the way, so it's actually the first one. So I went to DEF CON 22 and thought, I actually might have been 21, but this is awesome, DEF CON, this is finally found my people and then I, at that stage the thought of talking at that stage so I can do a talk, didn't have anything to talk about. So I thought, yeah, I could do a talk. And then it just went away out of my mind and that's completely fine. And coming back to what you said, is the talk then came to me. You're, you're like me that you'll probably study a topic to death and you'll know it in several hours.

Speaker 2:

I don't like public speaking either, like I. You know I may be good as a public speaker or averages of public speaking, but I see I don't like it. I prefer to do not public speaking. It don't make sense. So for me, I just let and I sound as really weird, but I let my subconscious do the talking for me. So the ideas come to me. You know when you have that idea of moment and that's just subconscious saying, you know that's an idea. So I stop reading. If that makes sense, I let myself just relax, get all the shit out of my brain, get Twitter out of my brain, get infos, get everything out of my brain and just relax, whether that the meditation, walking, you know, in the bush or through a forest or whatever like that, or just shut the hell up for five minutes and then, and then things will come to you. You know that your inner, inner voice will come out, great idea. And then then you then get your conscious mind around that topic. So for me it was just.

Speaker 2:

I think I was watching some TV and I noticed a news article that you know, someone had accidentally a Melbourne hospital had accidentally killed 200 people. Oh, that's pretty weird. How the hell did that happen? Then, you know, you start to, as I said, you let your subconscious do the thinking for you and think you know, how does that possibly happen in this day and age? And then, and then you apply your conscious thought. So then you start researching the hell about it, which is what our skill set is. We research the hell out of the topic. I spoke to doctors, funeral directors, you know, probate people the whole world to study the hell out of it.

Speaker 2:

And then that became the talk topic and then obviously it's a bit of a DEF CON and got accepted. But that's, that's the path. I just I try to relax, Don't think. If you try to think I need to do a DEF CON, I need to do a DEF CON talk, it doesn't well, it may work for some people because they're only doing research in that, but for me it doesn't work that way. And the same thing happened in my second talk, I think my wife said to me oh, you need to do another DEF CON talk after the, after the first one. And I said to her it doesn't work like that. You can't just come up with a DEF CON talk. So I was falling asleep you know that love of sleep, just before you fall asleep, and then I had a great idea and it just popped into my head this, you know, when you said that subconscious quiet moment, and I thought that's the topic. So then went to bed, got up and then conscious thought comes in, you research the hell out of it for a few years.

Speaker 1:

That's what you kind of dive into a couple different areas there, right? Because what you're describing, to me at least, sounds like kind of like a mental health practice, almost right, of shutting off your mind, shutting off distractions and kind of just letting your mind, I guess, kind of reset. That's how I view it, that's how I feel that it works for me, right? Do you ever, out of curiosity, do you ever do like float sessions or anything like that with sensory deprivation tanks? I've done that before and it really helps me like reset my brain, if that makes any sort of sense, which, like, I actually have to go do it here pretty soon because it just helps you out so much. Right, is that something that you've tried?

Speaker 2:

I haven't done that deprivation one. I'm definitely interested in doing that, but for me it's just that meditation, and I'm talking about the whole under a tree stuff, but that whole, you know, they take focus on your breathing, focus on your breathing, but as soon as you're thinking, focus on your breathing, that's your conscious thought. I need to get to that subconscious where you're not actually, you're not thinking of anything, and that's when stuff comes to you and to me. The best ideas have always come from that subconscious. And just to give you an idea, our conscious.

Speaker 2:

You know, when you're observing something, you and I are talking now and we're actually observing information. You know our conscious thought absorbs. I'll just give you a number, but let's say you know 1000 bits per second, but our subconscious thought brings in, you know, 500,000 bits per second. So our subconscious stuff that we're observing outside, that we consciously don't think about, which we can't, we can't actually bring up because it's subconscious, we don't know about it, we can't actually bring up to the front of mind. That sort of stuff just stays hidden until you tap into it and then you can draw a prominent information.

Speaker 2:

And that's why hypnosis is good. Deprivation, meditation, all that stuff brings all the awesome stuff to life and that's why you know you've got songwriters or a writer, a book writer, who have mental blocks, who just carry around a note pad, and if they're driving a car doing something boring, and that's when the ideas come to them in their head, not when they're trying to, you know, research Twitter or read, you know, the articles. It's that whole idea. Popping the head is where all you know inspiration comes from.

Speaker 1:

Hmm, yeah, it's like. It's like when you eliminate, you know, all the other busyness or all the other noise from your brain, you know you're able to actually get through some, some breakthroughs and some great ideas. You know I've had that you described. You know, in that twilight area right where you're not quite asleep but you're almost asleep and having that great idea. You know I've had in both cases where I've had that and I woke myself up right and wrote it down real quick and revisited the next day or two days later, whatever it might be. And then I've had that where it's like, oh, okay, I'll remember that when I wake up. And then I wake up and I don't remember it, no matter how hard I try. It's like the most frustrating thing and I'm starting to lean towards just having a notebook next to my bed when I couldn't sleep, you know, because you have to.

Speaker 1:

Yeah, and you know, if I, if I have my cell phone there right, and I go on my cell phone, in this instance the cell phone just wakes you up, you know, because it has that, has that blue light, and so it just wakes you up automatically, a little bit more than what you would want to be woken up, in my opinion.

Speaker 2:

Yeah.

Speaker 1:

And what you're talking about is essentially mind.

Speaker 2:

So having that note behind the bed. When something clicks to you in a subconscious thought that hits conscious thought, you write it down. But of course when you think of something, don't I know why I can't think about it. That's part, that's per design. If you can't bring it back from subconscious subconscious because you've forgotten about it, it's designed to be in your brain that you can't bring unless you meditate. And I don't want this to be hippie-dippy security chat show, but just that's how you can hack your own brain to get your ideas in front of people.

Speaker 1:

Well, yeah, I mean this, this conversation, you know, can go anywhere, right, and in my years of getting into security and spending time in security, right, one of the things that I have learned is mental health and to take care of yourself and, you know, exploring different ways of doing that right. And I'm even on this podcast, you know I've talked about mental health previously at length because it's extremely important and I feel like in security almost, you know people don't think about that, right, they're, they're like, okay, you know it's nine to five, you clock in, you clock out, you don't have anything to worry about, but they don't hear about the late nights, right, where you're up until four am because there's something critical you know going on at the company and whatnot that you have to resolve. And so I I really do enjoy using this platform to talk about that, because I don't hear anyone else talking about it. Really, I mean, that's sure there's a few other you know instances and whatnot, but definitely something to dive into.

Speaker 1:

So you were talking about, you know, previously you were talking about how you kind of stumbled across this opportunity to do some consulting for a company, do some pen testing, and out of that grew this idea for SIEMonster. You know what were some of the challenges at the time that you had with creating, you know, SIEMonster, or the solution for SIEMonster, because I'm sure, right, let's just say, my company comes to you to create a SIEM that's open source, which is a. It's actually a huge deal because SIEMs are extremely expensive, they're very cost prohibitive and they take a huge amount of manpower to run. You know, just within your organization not not even including the renewal rates and all that stuff. Were there unique challenges that you faced that maybe there was open source projects that essentially didn't weren't existing at the time? Or what year was it when you, you know, went down that path?

Speaker 2:

Yeah, so great question. I mean 2015 was when we started the SIEMonster project to give you a rough year. And you're right. I mean ELK by itself. You know Elasticsearch, Kibana, Logstash, Kibana it's essentially an ELK called Elastic, but that was one that's a searchable database. Great, that's not a SIEM, that's just a searchable database. Anybody have all the other modules on top, incident response. You know EDR, indiar platforms at the time though Indiar and you have reporting and ticketing systems and devices and stuff.

Speaker 2:

So you're going to go through all the open source nonsense out there. Is it maintained? Do you want to maintain it and then bring that into your suite? So we've always had what we call an open module project. So if there was something that was that was not being maintained, it would lose itself in the next build.

Speaker 2:

We had people like you know I think it was Palo Alto came to us with a product called MineMeld. That was an open source product. We had a MISP equivalent that we had in our product suite and you know that was great for a couple of years and then we dumped it because there was a better offering on the market. So having a module that was really good because we hit a market fit, because customers already had tools out there, whether it be pen testing tools, they had incident response tools, they had ticketing systems, whether it be, you know, helpdesk now or whatever. Whatever they were using, so we could actually turn our modules off and let them use their modules and therefore, companies that didn't have the budget for a SIEM, we could come in and fit that slot and a product would scale greater than AlienVault and it would scale up to Splunk, but without the price tag to suit.

Speaker 2:

So in terms of challenges with any business, yes, pain in the arse, like no money, you know. Paying AWSPs because we, you know we're a cloud stack shitty tech, shitty open source, everything shit Customers who don't then want to pay for professional services you know what it's like running a business some of your listeners will too. I heard that conversation you had with Chris Roberts. Running a business is a pain in the arse, like you could easily go and get another, you know, get a job in security and throw for your new users on the call. But you can easily get a job earning $100 million a year without this bullshit and you could just simply clock in at nine never.

Speaker 2:

Nine to nine in our industry, but definitely not. A nine to nine instead of nine to five is probably closer to the mark. And then not sleeping at nine times. But yeah, running a business is a pain in the arse, you need a good team. You're going to have highs and lows. You're going to have big highs, you're going to lose big highs. And yeah, look, would I do it again? Yes, but fuck for those going out there it's a huge risk. You know, for everything, everything on the line. You put your house on the line, you've got investors' money on the line, everything's on the line. And they talk about the overnight success. You know, 20 years later, but it's a great journey. Where else can you do that sort of stuff where you can talk to investors and do A rounds, B rounds, C, it's, it's. It's freaking awesome to to learn stuff that you wouldn't have normally had in. You know, just getting a paycheck every every week or every two weeks.

Speaker 1:

Yeah, that is. That is like the. I guess that's the biggest pro and con to me, in my own opinion, of you know, trying to do your own thing and navigate those waters right, because for me, you know, I'm not in a situation right when where I've overextended myself and, right like you, put your house up as collateral or anything like that, right, um, thankfully I haven't done that situation. But I know someone that has a group of friends where, you know, these guys have made hundreds of millions of dollars but they've also lost all of it like two, three, four times. I don't know if I would even be able to like handle that stress right Of losing it Once I put in all that work of earning that, that certain amount of money right, like I don't know if I could. Just, I don't know if I could handle that. You know, like I don't know it's a skill almost to be able to look at it differently from how other people would.

Speaker 2:

So it's essentially you're putting your balls on the line, and literally your balls, I mean, for me I knew it was a great idea, like I could. Actually I was already in the pen testing suite. I you know there's plenty of money in pen testing and I could see the market and just whether I could attract the market in the SIEMs. But for me it was like all in and I didn't hesitate putting stuff on credit cards. I think I'm at, you know, at 140,000 in credit cards and maybe a hundred thousand dollars in loans just to get it where I wanted to be. Before I even approached investors and stuff like that. And was it scary? I wouldn't say scary, but maybe I could probably hid that from my own mind so I could keep, you know, getting up in the morning. But but it was fucking fun. I knew it was a good idea and I knew I could execute. It's just a matter of how much capital I could get in before I could get myself out of the shit, if that makes sense.

Speaker 2:

I think it took three years before the first out of the ship. But then there's bigger numbers. Then you're not talking about $250,000 in personal, then you're talking about $2 million of investor money to go to the next level. Then you're in different levels of shit. Then you're in a legal accounting hell, like Chris Roberts said, you're in IRS and then ATO Health back in Australia. Fuck the pain. I don't know why. I just stayed at the bank. Half million dollars a year. Sit back on my seat and talk shit on Twitter. I mean fucking. So much easier.

Speaker 1:

Yeah, it is way easier. You could almost get a career now just talking shit on Twitter.

Speaker 2:

I'll be one of the influence.

Speaker 1:

Yeah, with this podcast, it's like a double-edged sword with social media. You have to be out there, you have to be engaging all the time, but I'm not the type of person to engage all the time If I don't have quality content to say or input, feedback, whatever it might be right, if I don't have something that I feel is of value, I'm not going to post about it. Right, in this game of podcasting and building an audience and all that sort of stuff, I admittedly I'm absolutely horrible at it, because I'll go a week or two of no posts on Twitter and that's like a huge red flag, that's a huge no-no. It's like, oh my God, why are you making that? You're losing all your momentum. To me, it's just like man, I have like five other things going on. I can't spend 20 minutes I literally cannot spend 20 minutes researching the right hashtags and all this other stuff just to put together some crafted posts. Right, that isn't even my own words anymore. It's frustrating. I went out on a tangent there.

Speaker 2:

No, it's a great tangent. Clint Eastwood once said in one movie. He said a man's got to know his own limitations. If you're not that sort of person, then don't try to be that person. I mean, I look at MalwareJake. I love MalwareJake. He has great content, always great content. The only thing I can do is just give him shit. That's my skill set. I love poking people, say with dark matter or Kintara. I just give them shit because that's my skill set. I'm not going to research something that's already public and then regurgitate it like I know the shit. Jake can do that. I've just got no interest in doing that or skill in doing it. So I just post shit and like you infrequently.

Speaker 1:

Yeah, that makes a lot of sense. So, okay, so we talked about you being a DEF CON speaker and whatnot. After you researched this death certificate vulnerability, right After you researched that, did you start going down this rabbit hole of documentation that the government uses for different benefits and things like that and how to potentially exploit the system, or did you stop there or what was that like? Because, for me at least, I would start going down that rabbit hole of seeing like, okay, can I get disability benefits, can I get this? It's just it'll snowball and that's probably a bad mentality in that situation. But where did you go after that?

Speaker 2:

Yeah, so you noticed that all my talks I always do any talk and I also do a paper or a book. So I actually wrote a book to that talk. So it was published straight after the talk with all my materials that people could research them and then take that research further. After a talk I stopped cold. I did not go down that rabbit hole and keep going and, like I said with the bank scenario, like I work in a bank, get bored and then move on. Same with the talk I'll do a talk, present the talk, provide my materials so people can go and Chris, that shit, you domestic step or you miss that. So people you know, as a scientist.

Speaker 2:

But as a scientist, people can actually look at my work and go how did you get from A to B? And prove it how did you get from A to B? So the answer to your question is I drop it dead and go to the next topic or do nothing and then just let the next idea fall.

Speaker 1:

Hmm, and okay, okay. So then you, you just dropped the entire. You know government paper method, right? You just dropped that whole topic and then moved on to the next one. Correct, Right, Okay, so you know what was. What was your next talk about at DEF CON? I have to admit to you, you know, it's not like I follow your career or anything like that, you know, but I did see that first talk. What was your next talks about? What areas did you dive into? Did you kill Jeff Moss a couple of more times, different ways, or...

Speaker 2:

So the next talk I did, I did with a, with a mercenary called Simon Mann who did a coup in Africa. So I did the overthrow of government in DEF CON 24 in 2016. So I actually worked with a mercenary on how you would overthrow government and use Kuwait as an example and then hack their power, their government, their oil, their telco, everything so you can actually orchestrate your own coup using digital means. So that was the sense that's probably most of my popular talk out there at the moment. And then I did another talk last year last year, yeah, last year on how to how to bypass bomb jammers, so using a specific hardware, how I could actually get frequencies transmitted under a nine kilohertz and actually generate an.

Speaker 2:

ID under jammed environment.

Speaker 1:

Wow, okay. So I mean I feel like we could do a whole other podcast on cyber mercenaries a lot. Yeah, you know, when we talk about cyber mercenary, can we break down what that is right? Because to me, one I've never heard the term before and two, when I think about what a mercenary is in the military sense, I'm thinking you know someone that's a lone wolf that's going in and impacting, you know, I guess, the power grid, or impacting social media for a region and directing, you know, political views and things like that. Is that what it is, or is there more to it? Do you ever see like more organized groups of cyber mercenaries that you know? It's like, hey, these five people are attacking the power grid and I don't know name a random country, right, and then these people are attacking the water supply. Is that what you've seen? Let's talk about that a little bit.

Speaker 2:

Yeah, so you're partially right. So think of a mercenary. You don't think of a mercenary as a single mercenary. It's always a group of mercenaries and they're ex-soldiers, it's guns for hire. The cyber mercs is essentially keyboards for hire. I mean same thing. They're people like myself, for you or for Chris Roberts, for example who've got, you know, great technical skills and then they've been asked to do a job and that job might be for a private organization and it's illegal. It might be for a government, which is illegal in some countries, and then you are essentially keyboard for hire and you may be doing the job by yourself. We might be doing a job by yourself. I'll give you an example. You know you've had a Blackwater and a HS and all that sort of stuff. You know private military contractors. They're in a big ass company. There's a cyber division. It's essentially you have a cyber division that does the cyber merc class within that company or it's an outside phone. So think of it as a big group.

Speaker 1:

That's really interesting. That's almost like organized cyber crimes in the kids or something like that right.

Speaker 2:

That is. I mean, people can dance around the subject cyber merc, cyber criminal. You know, one man's freedom fighter is another one's terrorist. This is exactly the same. I mean, you know you look at Simon Mann in Africa. He was asked by the English government to do something over there. He did it. It was private money. He's a mercenary. He got caught, he went to jail and then you know it's essentially it's a criminal activity. But you know, people put mercenary in part of it and make it a clean title.

Speaker 1:

Is this something that you have seen, like you know, actually happen in the real world? Right, Because immediately when we start, you know, talking about what this actually looks like, of attacking the different portions of a country, you know, I guess my American brain goes straight to America, right, and it's like, okay, did our power grid get attacked recently? Did our water supply, oil, whatever it might be? You know, in my head it immediately goes to oh well, you know, this attack was rushed, or this one was, you know, attributed to China, or whatever it might be. Do you see these criminal groups, potentially even masquerading as these other you know government powers? And maybe, you know, this is all theoretical, right, I don't know shit about anything, Like you know, are they potentially like, masquerading as China? Maybe they're a faction of cyber mercenaries in China and they're attacking, let's just say, the US power grid, for an example? You know, is that what you've seen or is that how it works? Potentially?

Speaker 2:

Yeah, I am a cyber mercenary. I'm a cyber merc by trade, so I know exactly what you're referring to and the answer is yes. And it's not just, not just country, it might be company within a country. So you know, I mean you might be tough with, you know, doing a job within a company within a country. It doesn't have to be the power grid, it can be something small, it can be a country. I mean you look at your 2016 elections, you know, was there outside interference? Yes, someone says yes, someone says no. Of course, no one's going to say yes, there was, but there's always going to be. And that's the whole idea about mercenary. Did, did? Did America help Ukraine break away from Russia? You know in, you know in 2000,.

Speaker 1:

The answer is yes, Obama admitted that, but it's never going to be. No one's ever going to say, yes, that happened though.

Speaker 2:

You know, you know America revolved in the 2002 to two in our like it's. It's just one of those things where it's not going to be well. It's going to be tried not to be public because no one wants that public perception that we did this, or we involved or we acting to this private company, or we did this or we did that. So the answer question is, it's all around us.

Speaker 2:

It's always been all around us. And you get a tap on the shoulder Can you assist with this? Yes, no, if you're a cyber merc. Anyone existing is cyber merc. They know exactly how it works. You get a job across your desk and you decide whether you want to do it or not, and that's how it works.

Speaker 1:

Oh yeah, that's really fascinating that's. It's almost tempting to go down that, go down that rabbit hole. You know myself, right, but it's an interesting area that I mean literally. I didn't even know that this area kind of even existed before. You know you brought it up.

Speaker 1:

You know, is being in this kind of line of work can it be frustrating at times to, you know, potentially participate in a project right Of, I don't know, let's just say, hacking Microsoft, because Microsoft's been on my brain lately not saying that you did or anything like that, right, but you know, let's say that you, you know, go through this project and then you see it portrayed in a different way in the news.

Speaker 1:

Does that ever frustrate you or does that ever, you know, get to you to a certain extent? And I asked that because, you know, I had Mike Jones on previously and he said that when he was working for the NSA, you know he had the insider information and he knew the actual truth about a hack or about, you know, an operation that he may have been, you know, had some hands in some way right, and then he would see it how it was portrayed in the media. And it was completely opposite. It was completely different from the report that he actually wrote, and that was very frustrating for him. Do you ever come across that sort of situation as well?

Speaker 2:

Yes, but I don't get frustrated by it. It's one of those things is the media and the average Joe will interpret it a certain way and then it becomes ego, like if I do a job and I guess portrayed a certain way that doesn't fit with the way that I was doing it. A different position than myself with Mike is that I mean that was his job and he got paid for his job. As a mercenary you get paid money, so who gives a shit how it's portrayed? I mean if I hack a bank and then find another hacker in that bank and then format this and then I might take their mark and throw it on another disk, so when it gets relatively, you know retrieved, they can see the mark of the other hacker there.

Speaker 2:

For me that's fucking funny, like I'm not involved. It's the check at the end. So obviously if you went to the NSA you actually give a shit about your country and all that sort of stuff and of course you have that whole he goes the wrong way. But you have that confidence, that responsibility. You have that whole. I love America mentality if you're gonna work for the NSA and for me it was just a check I don't give a shit how it gets portrayed, as long as I get paid.

Speaker 1:

Yeah, that makes sense. Have you ever had that situation where you've hacked into a company and then you found another hacker?

Speaker 2:

All the time, all the time.

Speaker 1:

You're planting evidence for them to get discovered and IU and stuff like that

Speaker 2:

All the time. That's our common method we use is we're all hacking and even if they haven't hacked in, we'll throw their marks from other hacks on the target. So it's just one of those things like man, what we're gonna go down for this, let them go down for it, so we'll throw their mark, their flag, their style, on another server. Even going back to pen testing, we're hacking to legitimate porn companies who had hackers in there for five years that were taking the new I'm gonna use the word fresh models, but they have a new, young model that they would then take that data and put on another site and then they would then sell that porn legitimately after hacking the data, and they had a constant feed. So every time there was new models being updated, it would go to this other site and then they would sell that content, and they did that for five years. So no, I was making money off other people's model money.

Speaker 2:

So we see all, and so when we did the pen test, I said, hey, you don't realize, you got hackers in there and they didn't take it to the police. Obviously, in the porn industry you're not gonna be attracting police attention. So they just asked to shut it down, and so it's pretty common. It's not uncommon for us to hack in and see other people in there. Sometimes you're hacking and you just don't. You don't wanna disrupt each other, so then I point causing havoc for each other. You'll just like bypass each other and keep going.

Speaker 1:

Wow, that is. That's really interesting. That makes me think about the different hacks that have come out in the past and whatnot, and it makes me wonder if some of these hacks that like, let's say, America, attributed it like directly to Russia or something like that or some hacking group in Russia. I wonder if it was that situation where it was like, yeah, you attributed it to Russia because we made you think it was them, but it was actually someone else or whatever it might be, which I guess that's a. I can use Russia as a good example, because this podcast got blacklisted in Russia ever since they invaded Ukraine, so it's not like they're gonna hear it.

Speaker 2:

And look and don't worry about that sort of stuff too. Look, if I did an interview with a journalist, 70% of what I say will be accurate and 30% will be inaccurate. Even like a recorded interview, like we're doing now. They'll fuck it up and they'll do that because they have their own agenda, like it's got to meet their listening audience. Now, if you've got a government agenda and whether you want to attribute this to Russia or China, you may have. You may get a report from the NSA that we've got a 95% we believe it's come from this, from this Russian group, and then others go with it. You know what I mean? Because if it meets their agenda, they'll publish that it came from Russia, but they're not gonna say, oh well, we didn't get a hundred percent certainty, so we're not gonna publish. Is this the right time to bash Russia? Yeah, let's do it. Or China, or name your enemy of the day. It seems like the constant thing with America is you always got to have an enemy. It's just kind of quietness.

Speaker 1:

Yeah, that is a really interesting, I guess, mentality right that you bring up Like we always have to have some sort of adversary, right that we're going up against, that we're doing things to protect ourselves from, or whatever it might be, and to a degree that's exhausting, it's frustrating, at least for me. It makes me question a whole lot of different things. Right, it's like well, are we being lied to about this and all that sort of stuff? Oh, sorry, I was gonna interrupt you.

Speaker 2:

I mean I can't believe that you're still thinking whether you're being lied to or not. Like you know the whole weapons of mass destruction thing. It's like what the fuck we did? Just skip that a whole lead path. You know what I mean. Like it's that whole fucking. You know what I mean. Like it's just it's constant being lied to about everything. And even if something legitimate, let's say I'm not an anti-COVID, so don't get me, I'm an anti-COVID. But the government says do this, do that? We've been lied to so many times. No, when the fuck are people going? I'm not fucking interested in your bullshit. One more fucking time there's always ends in chaos.

Speaker 1:

Yeah, no, I 100% agree. You know, I actually, in college, I actually stopped watching the news or anything like that, because I found that the news was just giving me so much anxiety about things that basically had no impact on my life at all. There was no point in me listening to anything that they said. And then I started going down the rabbit hole of oh they like legitimately, you know lied about WMD. Well, if they were gonna lie about that, what else are they lying about, you know? And so, like, I tried to sequester that in my brain to protect me from myself, from going down that rabbit hole, because you know I'm in the cybersecurity world and I can only go down so many rabbit holes at once and I don't wanna waste my time on the government's lies right.

Speaker 2:

Yeah. So what we do is we? Just when I say we, it's a blanket lie. So everything's gonna be aligned to approve it otherwise. And I haven't got time to disprove their nonsense, because they're creating the narrative. They're providing the evidence in front of me to say oh, you know, this is the case. We're doing a no vote at the moment in Australia about Aboriginal rights. Now it could be 100% legitimate and I should be voting no, but the government are telling me to vote yes. Now, as soon as the government tell me to vote yes, I'm not fucking voting yes. It's as simple as that. They've fucked us around so many times. I don't really wanna be one of those people, but it's just embarrassing. You know what I mean. Like you wouldn't put up with this with anybody else. If somebody, if your company, kept lying to you about when you're gonna get paid and you're never gonna get paid, I mean you just straight away. It's non-trust. You have no faith.

Speaker 1:

Yeah, that would be a very real problem of you know. Actually, that reminds me my wife, you know. She's a teacher and earlier on in her career she worked for like a private school, right, and we didn't know it obviously, you know beforehand or when she started working there. But the guy who owned the school you know was like double dipping across like several different companies and he was using income from one company to pay for, you know, teachers in this school and vice versa, right, and it like started to come to light when her paycheck was late. It's like, well, wait a minute, paychecks are not normally late and you're not getting paid in cash, like what the hell, you know. And it all came out, you know, and the school you know just crumbled, like right in front of everyone is insane.

Speaker 1:

But I really wanna talk about Simon Mann and how you guys got linked up and you know maybe just a brief intro into his work in the coup that he created in Africa, because, for one, I know nothing about it. And so now, you know, the very first thing that I'm gonna be doing is looking him up after this podcast and trying to get him on for sure, because that's a fascinating line of work to be in.

Speaker 2:

He's awesome. And what happened, though, is I was watching Netflix and I can't remember what it was, maybe 2014, 15, maybe it wasn't even Netflix, but anyway, there was a four part episode on mercenaries, and he was actually on the show and he was talking about how mercenaries operate Like and he's an ex-SAF. You know UK soldier, you know beautiful. You know looked at his resume in terms of you know he was in Iraq, I know he was in Ireland and all that stuff, so he had a beautiful resume, and then he just went down this other route, you know the mercenary route, and he wrote a book called Cry Havoc. It's a great book.

Speaker 2:

There's some things that had to be cut out of that book, but so I actually contacted him and said, hey, this is what I do, I know what you do. Maybe we could work together. Now, originally, he was supposed to come with me to the US and present at DEF CON, but he has travel restrictions, so we had to do we work collaboratively together, and then I got like a one minute pre-recorded session so I could show who Simon Mann was.

Speaker 2:

And then we worked together for that, how to overthrow a government, in the 2016 talk.

Speaker 1:

Huh, that's really fascinating about the travel restrictions with America, because he's a British citizen and he has travel restrictions to America, which I mean that makes me question a whole lot of other things, right, because there's some very interesting reasons behind that, I'm sure.

Speaker 2:

After all. I mean, he was in well, he was in Equatorial Guinea. He was in a prison there, for I think he had a nine year sentence and he did six or seven years yes, for that failed coup. And the story was that he was actually pay he was actually commissioned to do this work by Margaret Thatcher's son, who we he actually who loaned him a plane and he had a fleet of mercenaries who didn't make it off the tarmac in South Africa. So they got caught. But you know the whole. It came out after the exercise, but it was one of those they don't want shit to get out, so you only hear half the story He'll. He probably won't tell you the whole story on air, but he'll tell you after if you get him on the call.

Speaker 1:

Yeah, for sure it's. I guess one of the key rules of a coup is to not fail at the coup. Correct, because then you're kind of you're kind of screwed.

Speaker 2:

You got your balls on the line and then it's very yeah, yeah, I couldn't.

Speaker 1:

I mean I don't. I guess I don't know what that mentality is like of going to prison and actually doing time right, because I mean I've never done that, I've never gotten more than a speeding ticket, you know. And so the whole thought behind going to prison and losing your freedom and and and your rights, and that perspective is just it's like almost terrifying to me, and I I bring it up because I actually have a friend who could be serving time fairly soon, which it's just like. I mean it really just messes with your mind, you know, at least for me it does right, because it's like man, this guy didn't think he was doing anything wrong. He was doing something wrong and they're going after him with the book, right, it's like makes me reassess everything. Well, what am I doing that could send me to prison? You know, because I want to, I kind of want to avoid that, you know.

Speaker 2:

Yeah, so so it's. And you operate out of fear and by keeping you on online. And that's the normal behavior, that's a human behavior, and your friend obviously thought he was doing the right thing. Again, he, you know, we're always, you're always threatened. You have to do this. All this is going to happen. You're threatened by the RF, threatened by government, threatened by police, threatened by lawyers. It's a constant threat. Now, if you can get the out of your head is like they're just trying to control me with threats like even our parents, you know, as kids yeah, fuck it, do this, or you're fucking gotta go to bed with no TV. Do this, or there's no dinner. That constant threat to manipulate behavior. If you can then circumvent that, you can circumvent your mind like no fuck off, I'll do what I want, and then, if you can then just reset that, then you essentially can do whatever you want to do. Of course, you've got the repercussions of prison, but again, your mate is he walking around right now?

Speaker 1:

Yeah, he is, for now at least, you know you can jump on a plush.

Speaker 2:

You can go to Canada, go to South America, go to. You know, Ecuador, go to fucking. I don't know Georgia, you can go anywhere. You know he's got options, he's not stuck. I mean, that's that whole fear of government. Then you can own that like you can do your time, five, eight, 10 years, whatever or you can just fuck off.

Speaker 1:

Yeah, that's a very good point. That's a different mentality that I feel like I have to digest and actually work through and whatnot. So, Chris, you know I do apologize. We just went 50 minutes into our interview. We barely even talked about SIEMonster or anything like that.

Speaker 2:

You don't have to. You don't have to. This is not this talks about. I'm happy to talk about any topic you want. This is not a business shell. Everyone knows what I do, but I want to use a product. They can. We can just talk socially. We don't have to talk about business.

Speaker 1:

Yeah, of course I mean. You know I do want to talk about SIEMonster, for sure out of my own curiosities, right, because I have been stuck with SIEMs before running SIEMs. I don't want to name any names. But these deployments of you know SIEMs that you pay millions of dollars for become extremely complicated very quickly and you know it leads to one person basically knowing how it's actually deployed and run in the environment and whatnot.

Speaker 1:

And whenever, at least from my perspective, right as being a buyer of a solution, whenever I hear free SIEM, my mind immediately goes to I'm maintaining it myself, I'm screwed if this open source library, you know, is no longer maintained and things like that. And I think that you touched on this a little bit before. But from what I understand previously, you know you guys basically go into open source projects or bring them into your solution that you are willing to maintain yourself and if they ever go out of you know support, so to speak, you will either, you know, have the choice of maintaining it yourself for your own solution or going a different route and going with some other open source solution, right, is that correct?

Speaker 2:

Yes, you know you spot on. So we have our own coders that will look at code base and go can this be supported within our product suite and then we will maintain the code. We lean heavily on companies like Wazuh. We have a great XDR solution and they have a fleet of coders that keep that up to date. So we'll absorb that into our product because it's well maintained. But you're right, anything that gets decapitated or whatever, we will dump it from our suite so that we always have a stable product. If we're not getting any updates or patching, it's gone and gets replaced by a module that we write or another open source solution that's out there.

Speaker 1:

Hmm, now is the product, I guess, designed in a way to where you know a broad range of people could actually come into this thing and run it. The reason why I ask again and I'm sure you're well aware of it, you know like for myself, I couldn't just jump in Splunk and start maintaining that thing. You know that is a headache in and of itself. It takes a lot of different training to actually do it, in my opinion. You know, do you guys create it in a way and use these different open source libraries in a way to where you know, really anyone could dive into this thing and learn it and use it efficiently?

Speaker 2:

Yes, so it's a great question you asked. So essentially, what we've done is you got to remember that the customers that we've attracted are customers who don't have a large budget. The customers who don't have a large budget don't have a large SOC team. They may be, you know, one, two, three operators. Of course we've attracted some large MSSPs that are happy to white label our solution and then they have the staff support it.

Speaker 2:

But we've always had the customer base that we needed self healing. So there was ever an issue that the product would self heal with. That module would self heal and we've had to make the product intuitive so that from out of the box and we've learned that over time, 2015 product 16, 17, 18 was not intuitive, but over that journey we've turned our product into what we call an intuitive product. There's someone like you could jump in front of it. You could play with a, three or four modules, get the hang of it and move on to four, five and six and then you know the suite and if you get into trouble, it will self heal. So much of the size of our product.

Speaker 2:

Now we roll the product out on AWS marketplace with our support. So the product gets rolled out into your AWS environment when we can buy support. But you don't need support. We don't push support on you. So you can run our suite, upgrade your own product, and you don't need a support contract or anything. So you can have it up and running within, you know, a couple of minutes, use it and then, if you like it, just keep using it. If you want support, you can get it. If not, there's enough documentation and self healing in nature that you can use the product, I mean, uninhabited by salespeople annoying the shit out of you. Because we're all from the same industry. Vendors suck, so we're trying to make an, we're trying to be a non suck vendor.

Speaker 1:

Yeah, that is that's always refreshing to hear, you know, just just dealing with vendors right now myself, it's, it's frustrating, you know, and yeah, it's frustrating, to say the least. Everyone in this industry has experienced it, so that's really interesting. With the, you know, no support model necessary, right? Nope, is there a method? So, like I always have a knack for running into the most random issues, you know that that basically everyone that I talk to has no clue of what's going on. Is there like a forum that I could go to and, you know, post a question and someone from the team would answer it or whatnot? Or do I have to like negotiate like a one time fee for a support? You know situation.

Speaker 2:

We've got multiple options. We've got a support portal where you can just lodge a ticket and then you can just pay per request. But to answer your first question, I made my engineers take off six months of their job to document everything that they knew, everything that they've experienced, and put it on the support portal so that we did not require so you're you know one in a million or one in that you've come across issue. It's already been discovered by our customers before and we've made sure that it's everything that you've ever experienced has been documented. And I'm not talking just. You know 80% of document, 100%, that I could actually find my whole support team and you can rely on this documentation.

Speaker 2:

Of course I wouldn't. We've got new products and blah, blah, blah. But my point is I made it clear that I didn't want them doing any other work but documentation, because I'm a critical believer in you've got a document and everything. But to answer your question, yes, you've got the full docs on site. If you want a support contract, you can get a support contract. Or if you've just got an alley, you just want to ask a question for an hour, knock yourself out. You've got access to our SMEs to answer your questions.

Speaker 1:

Wow, that is really refreshing. It's not very often. I don't think I've ever encountered another security company that will actually enforce the documentation requirement, like that of like, hey, you're doing nothing else for the next six months, dump all that you know into whatever solution you had for it. I remember earlier on in my career I was where I was leaving a position and I was the security you know SME for this company. I was literally the only person at the company that did anything with security. And you know, of course we would have random customers that have SELinux issues after upgrades and things like that, and so I created my own you know troubleshooting guide for everything that I did. You know you could search, you know in the field and everything else like that, to look up the different you know information and the exact command that you would have to run to get it working.

Speaker 1:

And after I had left, you know it was common knowledge that you basically had to distribute it. But it wasn't a company policy, even it was like, oh, it was a you know camaraderie type thing within the team is like hey, can you please like give me your troubleshooting guide because, like now, I'm going to take over all your customers and you know I need to know what you've been doing. It was more of that rather than someone else like actually forcing you to do it. So there was people that never maintained a document like that, never kept any notes on any of our customers, and when they left the company, you know, it was like starting over. There were some situations where we actually had to like redeploy the solution because it was so custom in ways that didn't need to be custom that you know we just had to start over. We couldn't maintain it any longer, and it's just. You know, I say all that because it's not a common thing, especially with that you know security or IT overall.

Speaker 2:

You're right, and, because you're asking, I founded the company now the CISO. So I and I'm a security architect pen tester by trade. So I know the efficiencies in our own industry and documentation is always one of them. So I'm so anal that I'll monitor every ticket that comes in and wondering why there's a fucking ticket that's come in because the ticket shouldn't come in, because it should be documented. So you know, I'm then on my team and I'm, you know, most of the time it's there's an article there that they didn't know was there. Why didn't they find that? And then if there's an issue that's come in that we've never seen before, it's got to be up on that fucking portal.

Speaker 2:

So that's how I operate, because I'm running a software shop, not a support shop, if that makes sense. I want that software as good as possible. I don't need a team of 100 support staff. I don't want 100 support staff. I want a great product, a support if you need it. But fuck, documentation is the key because you, if you're working on something, do you really want to contact me and fucking 10 o'clock at night that there's an issue and go through that whole bullshit? Or do you want to fucking see an article that you have. The fuck do I do this and then you get an answer pop up. That's what you want.

Speaker 1:

Yeah, yeah. I'd much rather just have the answer and not bother someone in the middle of the night. You know. Well, Chris, you know it's been a fantastic conversation. I absolutely want to have you back on sometime in the future and dive more into, you know, cyber mercenary stuff and you know talk about your, your bomb jammer or whatnot. But you know I'm a stickler for time myself. I try to respect everyone's time and even now. You know we're over a couple of minutes, right, but before I let you go, how about you tell my audience? You know where they could find you if they wanted to. You know reach out to you and you know what your company's website is if they want to learn more about SIEMonster.

Speaker 2:

Thanks for that, Joe, and I've loved being, on a matter of fact, talking to someone like myself in the industry, right in the guts of it, and you know exactly what I'm talking about, and it's lovely just to hear those ideas. Look my website, really easy chrisrockhacker.com. All my talks, all my books, all my articles, all my upcoming talks are on that site. Chrisrockhacker.com and SIEMonster it's just siemonster.com, if you're looking at the SIEM products.

Speaker 1:

Awesome. Well, thanks everyone. I hope you enjoyed this episode.
