You've heard of Boom Supersonic, right? Let's journey into the mind of its CISO, Chris Roberts, our most sought-after guest yet. His tales of transitioning to self-employment, battling the IRS, and the challenges of running his own company are nothing short of enlightening. This episode not only explores Chris's professional journey but also offers practical advice to aspiring entrepreneurs.
Navigating the labyrinth of self-employment can be daunting. Chris opens up about the unexpected costs and the importance of consistency and responsibility. The conversation expands to his role at Boom Supersonic, where he promised his staff that he would never make them look like fools. The implications of this promise, along with the challenges of handling multiple phishing tests, are discussed in depth. We then venture into the realm of corporate bigwigs, exploring Chris's experiences in the corporate environment, the unique opportunities it presents, and his memorable board meeting attire.
But that's not all. We delve into the merging of the physical and digital world, exploring the challenges of distinguishing truth from lies in an uncertain environment. Cybersecurity enthusiasts will relish Chris's insights on how hackers exploit these situations. His fears of who may gain access to plane systems, the potential implications of AI, and the reality of cyber warfare are sure to keep you on the edge of your seat. We wrap up with a hearty discussion on the public perception of these issues and why it's crucial to take them seriously. This episode is a treasure trove of insights and advice on self-employment, corporate life, and cybersecurity.
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: Well, Chris, it's really good to have you back on.
00:00:04
I think you're probably the most requested guest to have
00:00:08
back on ever.
00:00:09
I get paid more about you coming on than anyone else.
00:00:14
Speaker 2: It's almost frustrating.
00:00:15
I'm sorry, I'm humbled, honored and scared all at the same time.
00:00:23
I was thinking about this before we were actually talking.
00:00:28
I was thinking about this because we'll get into it in a
00:00:32
minute.
00:00:32
I did something this morning.
00:00:33
I did an award ceremony thing this morning and I did it and I
00:00:37
just I walked out.
00:00:38
I actually walked out halfway through it because it wasn't
00:00:41
real, it was just, it was scary.
00:00:44
Yeah, this is what I just about doing.
00:00:46
These ones, these are just its reality, and it's yeah that
00:00:50
scares me about the guest thing.
00:00:51
Well, I'm honored.
00:00:52
I will try not to let people down.
00:00:54
I said I could.
00:00:56
I was actually a few minutes late because, partly because I
00:00:58
was sitting on the wrong, on the wrong stream, which is my own
00:01:01
fault, but also I'm like I was at.
00:01:02
That is at that point in time of the day and it's raining as
00:01:05
well, and it's at that point time of the day when I really
00:01:07
need a good, strong cup of tea.
00:01:08
So I got my cup of tea.
00:01:09
So goodness knows what the hell's going to happen.
00:01:11
You might have to hit the bleep button a few times.
00:01:15
Speaker 1: Oh, no worries on that.
00:01:16
I mean you've been on here before.
00:01:18
The podcast is unfiltered for a reason right?
00:01:23
Speaker 2: I'll be fucked at this point in time, people.
00:01:25
Yeah that is very true.
00:01:31
Speaker 1: Well, Chris, you know, I think you know the last time
00:01:35
you were on, you were you were running your own company.
00:01:39
Still, I believe it was you know you were still doing
00:01:42
consulting.
00:01:43
You haven't quite, you know, made the transition or anything.
00:01:47
Yet why don't we talk about, like, why you made that
00:01:51
transition?
00:01:52
Because I feel like there's a lot of people, or at least
00:01:55
there's a small subsection of us within the community that you
00:02:00
know the dream is to actually get into consulting, work for
00:02:03
yourself and do that whole thing right.
00:02:06
I have, I've been uncomfortable with the IRS enough times to
00:02:15
you know.
00:02:15
Be okay to not go down that route, right.
00:02:18
Speaker 2: Yeah, I'm actually, ironically, I'm having
00:02:23
conversations with our wonderful IRS system at the moment
00:02:25
because they and I do not agree on some of my taxes from
00:02:29
literally 2014 onwards.
00:02:31
Oh my God, yeah, so I we're at loggerheads and now got somebody
00:02:38
else involved to help out sort of our situation and I think you
00:02:40
know it's.
00:02:42
It's all down to the company stuff and I and the stupidity of
00:02:46
it is, and a lot of people listening and they're going to
00:02:48
understand this one because they know me well enough my whiskey
00:02:51
case so my whiskey case is is part of who I am.
00:02:56
It's.
00:02:56
I take it to conferences, I share it, we do stuff for
00:02:59
charity with it, we, we go down to right time, the watch is
00:03:03
placed here and we do watches, whiskeys and work events.
00:03:05
It is, it's, it's part of who I am.
00:03:08
These days. Now you sit down with an IRS agent and you go, hey,
00:03:12
so I bought some whiskey on the company and they're like well,
00:03:14
you know, if I sent a statement, I'm actually, no, it's business
00:03:16
development.
00:03:16
Well, no, it's entertainment you can become.
00:03:18
I'm actually.
00:03:19
You know, it's business development.
00:03:20
I'll sell them.
00:03:20
By the way, some of it's for charity and some of it I don't
00:03:23
even bother claiming because it's too much.
00:03:24
I'm like here's the amount and here's what I'm claiming and
00:03:26
here's what I'm asking for.
00:03:27
And just just that one thing, that if they stepped out of
00:03:33
their own world and went oh yeah , you know, we'll do a little
00:03:35
bit of background research and most in on the guy and actually
00:03:38
go oh yeah, the, you know, the guys I rolled it up at GrrCON
00:03:42
last year, year before last at GrrCON, raised a couple of grand
00:03:44
for charity.
00:03:45
We're going to do the same thing, I think Columbus I'm
00:03:48
talking to new spire and we're going to try and do the same
00:03:50
thing out at Columbus BSides.
00:03:52
I'm going to bring the whiskey case with me and we'll do a for
00:03:55
charity there as well.
00:03:56
And it's, you know, it's, you try to explain it to the IRS and
00:03:59
that that confuses us.
00:04:00
It's not a, let alone the fact that changed costs every five
00:04:03
minutes.
00:04:03
That that alone should should allow me the the ability to just
00:04:07
throw myself off the cliff when it comes to trying to forget
00:04:09
that.
00:04:09
So yeah, if you're going to go into start your own company or
00:04:15
run yourself as a Schedule C, or any of that stuff: one, keep
00:04:20
stupid good records; two, go in with your eyes wide open.
00:04:25
Three, use QuickBooks.
00:04:26
And four, get yourself a damn good accountant who is
00:04:29
validating for you, because it ain't pretty and, yeah, you can.
00:04:32
You can mess with some numbers and you can fudge a little bit
00:04:34
and you can play a little bit.
00:04:35
I mean, you know IRS expect that, but yeah, you better just
00:04:39
keep it tight.
00:04:40
And then, by the way, puts in money aside for when you have to
00:04:42
pay for the lawyers to fight the fact that the IRS doesn't
00:04:44
agree with the fact that an Arduino is seen as a tool versus
00:04:48
a beast.
00:04:49
Speaker 1: Yeah, it's a.
00:04:53
It is challenging, you know, like I don't even.
00:04:58
I don't even do that much business.
00:05:01
But the issue is the side work, right, so I'll do these side
00:05:04
projects and whatnot.
00:05:05
And with these side projects I mean, sometimes I'll get through
00:05:10
them in, you know, a week and I'll forget that I did them,
00:05:13
even you know, when it comes next year.
00:05:15
Sometimes it takes me five months to get through a side
00:05:18
project, right, and man, it's like trying to keep track of all
00:05:23
that is just insane, especially when you're going back a year,
00:05:27
you know, and so, like now, I have to keep like meticulous
00:05:30
records.
00:05:30
I actually got an accountant to actually help me through all
00:05:35
this stuff, you know, because I'm at the point where it's like
00:05:37
I have to deduct an uncomfortable amount and to me,
00:05:44
right, growing up poor, to me it feels wrong.
00:05:47
Oh why.
00:05:48
To everyone else, you know, it's like, oh, this is nothing,
00:05:52
but for me it's like I don't know.
00:05:55
Speaker 2: It's money's money at the end of the day.
00:05:56
I mean, when you've got to take a quarter or a third of what
00:05:59
you put, of what you bring in and it's some of it's freaking
00:06:02
hard work to bring that in and you got to put a third or a
00:06:05
quarter of that aside and go, hey, that just has to sit there,
00:06:08
or I got to pay that in in advance.
00:06:10
Whichever method you're using, yeah, it's, it sucks.
00:06:14
And I mean I, you know to your point.
00:06:15
Last time we're on I, we had Hillbilly Hit Squad which we
00:06:18
ended up closing down at the end of this past year.
00:06:21
And closing it down is going to be an interesting one because I
00:06:28
still haven't sorted out with taxes on that one yet Because
00:06:33
when we closed it down we divided up the assets.
00:06:35
And so how that?
00:06:38
I mean we had a watch collection, because we had, we
00:06:40
were building up a watch rental company I lost two thirds of the
00:06:45
whiskeys.
00:06:46
So, even though I still have a couple of hundred bottles, I
00:06:48
lost the best part of four or 500 bottles of whiskey because I
00:06:53
had to divide up the asset, because they were bought under
00:06:55
the company and I'm quite the fact that for the most part I
00:06:59
was doing most of the business and the work and the consulting.
00:07:01
The agreement was signed that all three of us would get a
00:07:04
complete, even split, no matter what, and so that was a bit of a
00:07:09
painful bit, of a painful December January, shall we say.
00:07:12
From just a mental state, I did not sit well on a few different
00:07:15
reasons, especially when somebody close to me Turner said
00:07:19
hey, by the way, there's still, you know, $20, $30
00:07:22
worth of stuff that needs to be paid for over here.
00:07:24
And I hit the other guys up and said, hey, we need some of that
00:07:26
stuff back to pay the bills.
00:07:28
And basically I got a fuck you.
00:07:30
So that came out of my money.
00:07:34
So that was another $20, $30 worth of unforeseen
00:07:39
expenses.
00:07:40
So I ended up selling quite a number of the watches that I had.
00:07:44
So I had a couple of nice ones, but like the couple of Rolexes,
00:07:48
the Tudors, couple of the Grand Seiko, some of the other stuff
00:07:51
I'd actually really liked, end up going up for sale to pay
00:07:55
towards just all the legal stuff and then the money outstanding
00:07:58
on closing it down.
00:08:03
Yeah, it's tough, I'm still doing some side stuff, but I
00:08:08
have scaled way back.
00:08:10
You know, when somebody hits me, I'm down and says, hey, we
00:08:12
want a pentest done.
00:08:13
First call is almost to Amanda Nickerson.
00:08:15
I'm like, hey, does Chris and you and the team want to do this?
00:08:17
And I just put the two people in touch.
00:08:19
I'm like, go do, just go deal with it and it's all yours,
00:08:23
because I really I don't want to get involved in much more.
00:08:27
I'll do the occasional pentest assessment.
00:08:29
I'm doing some consulting, I'm doing some threat intel stuff
00:08:31
with a couple of folks, but, yeah, I've scaled it way back.
00:08:35
Honestly, most of the stuff now that are from like a side income
00:08:38
standpoint is there are out of all of the actually you know
00:08:43
this is I think I put the post up there out of all of the
00:08:46
conferences that I do.
00:08:47
Some of them I actually get a stipend for, not many, but some
00:08:52
of them, and that, untruthfully, that's income.
00:08:54
It just goes straight back to pay for the other conferences
00:08:57
that I don't charge for.
00:08:58
So, even though it's income, it offsets.
00:09:01
Yeah, there's that.
00:09:02
I'm still.
00:09:02
What am I?
00:09:03
22, $22 underwater so far this year for the conferences
00:09:09
and and.
00:09:09
But then the difference is some of the conferences will pay for
00:09:12
travel, some don't.
00:09:14
Some pay for stuff like a BSides.
00:09:16
I don't ask much about a BSides.
00:09:18
I mean like, look, if you can cover my hotel, I got the rest
00:09:20
of it covered.
00:09:21
Any of the charity stuff I won't ask for, but if it's a pay
00:09:25
for conference, I'm like, hey, look, at the very least you can
00:09:27
fricking pick up the T&E for me please.
00:09:29
So yeah, it's.
00:09:31
It's weird getting a steady paycheck every every two weeks,
00:09:38
because we get paid every two weeks, not every twice a month.
00:09:40
It's kind of weird getting a paycheck every two weeks, even
00:09:43
if you've, like taken some time off, as, like, holy shit, I took
00:09:45
time off and I'm still getting money.
00:09:46
I'm still getting a lot of experience.
00:09:51
Speaker 1: Yeah, that's.
00:09:51
You know, that's a problem that I'm working through right now.
00:09:55
Right, so I recently opened the podcast up to sponsors and so
00:10:00
now I'm seeing like the vendor management side of it and things
00:10:03
like that.
00:10:03
Right, so I'm starting to like try and do the math of, like,
00:10:08
well, what it would take to actually just do this full time,
00:10:11
you know, and maybe go to conferences and do all that
00:10:15
thing.
00:10:17
Speaker 2: I mean there's a bunch of folks that have done it
00:10:19
successfully.
00:10:20
I mean look at Paul and Security Weekly and stuff like
00:10:23
that.
00:10:23
I mean they, that team, did it.
00:10:25
I don't know the numbers and all the stuff involved.
00:10:27
I know there's a bit of a bit of who hard towards the end for
00:10:30
which I don't know, and I hope it gets resolved, whatever it
00:10:33
was.
00:10:33
But I mean I know, I know they did okay and I mean that was
00:10:37
their job, that was their role.
00:10:38
They got sponsors in and I think they ended up selling it
00:10:40
off and doing okay.
00:10:41
I mean dark matters and dive diaries and all those Danny's
00:10:44
doing the same thing.
00:10:45
She's doing the podcast, the conferences and then building up
00:10:48
a consulting business.
00:10:49
So it can absolutely be done.
00:10:51
I think, you see, she got to figure out the math on it.
00:10:57
Speaker 1: Yeah, that's the, that's the challenging part and
00:11:00
I think, also staying just staying consistent.
00:11:03
You know, like I feel like that's 80% of the battle is like
00:11:06
still being motivated to do it.
00:11:09
And the reason why I say that is because, like you know, I
00:11:12
talked to Paul from Security Weekly and he said it took him
00:11:16
like seven years, right, seven years of doing it before he
00:11:19
looked up and was like oh wait, I can like hire someone right,
00:11:24
like I can get a studio and and do these things.
00:11:26
Speaker 2: You know, I guess you know that makes sense, cause I
00:11:30
mean I remember the early days and I remember the early days of
00:11:35
them just having like literally a table at like the DEF CON on
00:11:38
the ship, pre-BSides.
00:11:40
I mean this is pre-BSides.
00:11:41
This was like in the, in the vendor area, whatever the hell
00:11:46
we used to call that before it was the vendor area.
00:11:48
I thought we used to call it mosh pit, basically, yeah, I
00:11:52
remember having like, I remember seeing all the stickers and
00:11:54
stuff like that.
00:11:55
So, yeah, that's got back a while now.
00:11:56
So, yeah, that's a.
00:11:59
It's a rough one, cause I mean it's.
00:12:01
I mean you know this is well.
00:12:03
I mean, once you take somebody on, you are responsible for that
00:12:06
person, and that was.
00:12:07
You know, if anything ever kept me awake in the evenings when I
00:12:11
had like howl or Sentinel or HHS or any of the other, any of
00:12:15
the other companies some have done well and some didn't the
00:12:18
biggest thing that would scare the living crap out of me was
00:12:21
I'm now responsible for other people's livelihoods.
00:12:26
Speaker 1: Yeah, that is.
00:12:27
That is also like the boulder in my head, right.
00:12:32
Yeah, that, you know, makes me nervous about that.
00:12:35
Right, it's one set of stress factors, right, when I have to
00:12:40
already provide for my wife and you know we have a mortgage, we
00:12:44
have a kid now, you know.
00:12:45
But it's like now other people are depending upon me that have
00:12:51
families that have their own mortgages, that are paying their
00:12:54
own bills and everything you know.
00:12:55
And if I make one stupid mistake or if I say one stupid
00:13:00
thing on this unfiltered podcast, right, like it could all go up
00:13:03
in smoke potentially, right, I don't think I don't think I'm
00:13:12
close to saying something that'll blow up everything, but,
00:13:15
you know, maybe if I have too much whiskey or something during
00:13:19
a podcast, you know.
00:13:21
Speaker 2: Well, I mean okay.
00:13:22
So here's the interesting thing.
00:13:23
I mean, this is the challenge is we didn't necessarily matter
00:13:28
what you think or don't think on this one.
00:13:30
I mean the other part of it is as you got guests on the podcast.
00:13:32
I mean, some of us have been at the mercy of the media on more
00:13:35
than one occasion.
00:13:36
You know two or three occasions on my part, and it's, it's gone
00:13:40
well once or twice and man is it bit me in the ass on one or
00:13:44
two occasions, let's face it so it's, and some of it you don't
00:13:47
even give it a second thought.
00:13:49
I mean, you know, when you tweet something, you don't
00:13:52
necessarily think it's going to have that random word
00:13:54
repercussions, that it does the same thing.
00:13:56
When you say something, I mean you're the same way.
00:13:58
I mean I'm on stage on a regular basis and I'm as raw, as
00:14:03
unfiltered as it comes off the time, but I'm still.
00:14:06
I still care about humans.
00:14:08
Ish, but I'm, and to me I'm going to do a post later on fact.
00:14:13
We'll talk about this in a second.
00:14:14
I think it's.
00:14:17
I think, if it comes from the heart, I don't think there's
00:14:20
much that you can say.
00:14:21
There's going to piss off people enough that you end up
00:14:23
getting nailed for it.
00:14:25
If you're a good human normally and you're fucking awesome,
00:14:28
let's be honest. If you're a good human normally, I just I don't
00:14:34
think any of that stupid shit comes out.
00:14:36
I think it's those people that hide behind.
00:14:38
I mean, there's so many narcissists in our world,
00:14:40
there's so many people that like hide that behind, the shit's
00:14:43
just going to slip out.
00:14:44
There are people that only care for themselves or are only out
00:14:48
for the money that they're going to slip and say something
00:14:50
derogatory about their team or the people who work for them, or
00:14:53
somebody race, color, creed, orientation, whatever it might
00:14:55
be. Because that is not the true nature of it.
00:14:59
So I think, stay true to yourself and you'll be fine.
00:15:04
Speaker 1: Yeah, I think that's a great piece of advice.
00:15:08
You know, I did actually used to have that worry in my head,
00:15:13
you know, when I, when I started this whole podcast, and what I
00:15:17
realized is, you know, those things that like would
00:15:22
potentially like get me canceled , so to speak, I like doesn't
00:15:26
even exist in my head.
00:15:27
You know, like I wouldn't even know what to say, literally like
00:15:32
in the spur of a moment, that would put me in that situation.
00:15:35
And, you know, I guess part of it is probably, you know, how I
00:15:40
was brought up, how I was raised and everything like that.
00:15:43
Right, like, it's just, I think that that's a section, right,
00:15:47
that my mind doesn't even go to, it doesn't exist in my head,
00:15:52
which is, you know, I think, I think it's helpful.
00:15:58
It's absolutely helpful, you know, because I've noticed when
00:16:02
people, sometimes, sometimes people will try to catch me up
00:16:05
in something and I'll just get confused, like, okay, what are
00:16:08
you talking about?
00:16:09
Like I don't know what you're even talking about.
00:16:11
You know, and you could see, like, oh, they were trying to
00:16:14
catch me up in something.
00:16:15
It's not until hours later that I realized what they were
00:16:19
trying to catch me up in.
00:16:20
But, like you said, you know this.
00:16:23
I feel like this field in it, right is more prone to being
00:16:32
full of narcissists, or if you're in this field, you're
00:16:34
more prone to becoming a narcissist right, because it's
00:16:39
almost like a God complex God complex for it, almost.
00:16:45
Speaker 2: It's.
00:16:45
I mean either, when you think about it, we and this has been
00:16:49
one of my complaints for our industry especially, I think,
00:16:51
especially since getting into the management side of the world,
00:16:53
it's been one of my biggest complaints.
00:16:56
It's, you know, we have, undeniably we have, the keys to
00:17:01
the kingdom.
00:17:01
I mean, without a shadow of a doubt, turn off electricity in
00:17:05
countries, got you covered.
00:17:07
You know, shut places down easy enough to do.
00:17:09
Let me demonstrate it for you.
00:17:10
So, as an entire segment of the industry, we have the keys to
00:17:15
the kingdom.
00:17:15
The problem is we don't necessarily have the maturity to
00:17:20
cut with that keys of the kingdom, not in a long stretch,
00:17:22
I mean.
00:17:23
And it's and part of it's because our industry just hasn't
00:17:26
been around long enough and we're still trying to figure
00:17:28
ourselves out.
00:17:28
I put a post out the other day about it.
00:17:30
I'm like you know, from an industry perspective, we report
00:17:34
into 10 different directions.
00:17:35
You get to a C cell and you're like, oh, I have made it, which
00:17:38
is totally the wrong way of looking at it, to be honest, but
00:17:41
it's like the business still doesn't really know what the
00:17:44
frickin heck to do with us.
00:17:45
I mean it doesn't.
00:17:46
It's like well, shit, some of you can go to the CFO, some go
00:17:48
to the CEO, some to the CIA, some are going to bury somewhere
00:17:51
in the middle of bug fuck, nova , because we don't want the hell
00:17:53
to do with you.
00:17:53
So, as an entire industry, business hasn't figured out how
00:17:58
to deal with us and, honestly, neither have we figured out how
00:18:02
to deal with business as effectively as we should do.
00:18:04
So we have the keys to the kingdom, we know it.
00:18:09
The business still doesn't know what the hell to do and we're
00:18:11
still yelling going hey, look at us, look at us, look at us, and
00:18:13
and.
00:18:14
So that narcissistic tendency to beat your own chest and go we
00:18:20
are the ones and you should listen to us is still prevalent.
00:18:24
They're alone.
00:18:25
Wait, I mean, it's also the blame game as well.
00:18:27
Let's face it.
00:18:28
As an industry, we fucking blamed everybody.
00:18:30
I mean, we still blame users, we still blame developers.
00:18:33
We blamed it.
00:18:34
I mean we blame everybody apart from looking in the bloody
00:18:36
mirror and going.
00:18:37
You know what could?
00:18:37
we do differently.
00:18:41
Speaker 1: Yeah, that's.
00:18:42
That's actually a really good point that we always blame
00:18:45
everyone else except for ourselves.
00:18:47
It's not my stupid configuration, it's not my you
00:18:51
know terrible training that my users aren't able to identify
00:18:55
this really good phishing email.
00:18:57
Speaker 2: Yeah, which you know, it's funny.
00:19:02
Speaker 1: It's funny because I you know, I had a.
00:19:04
I had a phishing email a couple of weeks ago and it was one of
00:19:10
the best ones I've ever seen.
00:19:11
I almost clicked on it, but it would have broken my first rule
00:19:14
of no clicking on links.
00:19:17
That's the only thing that saved me is my own personal rule,
00:19:20
but everything else about it was very convincing.
00:19:23
Speaker 2: Yeah, it's, it's and I think that's it.
00:19:26
And you know, you throw all of the intelligence systems that
00:19:29
have now been thrust onto the unsuspecting world and it ain't
00:19:34
going to get any easier.
00:19:35
And yet we still think we as an industry, not individuals
00:19:39
there's some really fucking good people out there but as an
00:19:42
industry we've still said once a year or once a quarter, we're
00:19:45
just going to train people and hope that's it.
00:19:47
I mean a bunch of.
00:19:49
And, by the way, we're going to train you in the corporate
00:19:51
world, not train you how to look after you as the human being.
00:19:55
We won't train you how to look after your kids or your
00:19:57
grandparents or your parents or your guardians or friends and
00:20:00
family.
00:20:00
We're just going to train you because if you click on shit,
00:20:03
we're going to punish you.
00:20:03
I mean, like, what a fucking ridiculous way to run anything.
00:20:07
And we still think it's a good way to do it.
00:20:09
And and oh, this one pisses me off. Not only are we going to
00:20:14
train you, before we train you, we're going to fucking trick you.
00:20:17
And then we're going to trick you because we want to measure
00:20:21
how much you fail.
00:20:22
I'm like you assholes.
00:20:24
I mean really one of the first things I did when I started at
00:20:28
Boom, because I walked into Boom Supersonic when I started there
00:20:32
I was in front of like the entire staff and I and that
00:20:35
question came up about you know phishing emails and stuff I said
00:20:37
I'll make you a promise: I will never try to fool you, trick you,
00:20:41
make you look like fools and idiots just to make me feel
00:20:44
better.
00:20:44
I will train you every single month.
00:20:47
I will help you, I will teach you, I will make you fun and we
00:20:50
will make it engaging.
00:20:51
And now, with the team that I have, we're doing that.
00:20:53
And I said and when I run a phishing test, I will tell you
00:20:57
beforehand because I want you to know and learn and understand
00:21:01
and succeed, but I will never, ever make fools of you.
00:21:05
If I do, you know exactly where to find me.
00:21:11
Speaker 1: Yeah, that's a huge thing.
00:21:13
You know, it's kind of two fold right.
00:21:15
So I used to work at a company that did a lot of work with the
00:21:19
government and whatnot and they had some rule where if you fail
00:21:23
I think it's like three phishing tests in a row, you're
00:21:26
automatically terminated.
00:21:27
Speaker 2: Yeah, and.
00:21:29
Speaker 1: I was so perplexed by it, you know, because it's like
00:21:32
you know one, the market is not the easiest to hire people in,
00:21:39
because you're typically poaching from everyone, right,
00:21:43
and it's not really fair.
00:21:45
Yeah, I can see if it's literally every single month,
00:21:49
right, and you just missed 12 in a row.
00:21:51
Maybe you should reassess and be like maybe I'm doing
00:21:54
something wrong, right, maybe this person isn't getting it,
00:21:58
but man, it's.
00:22:00
It's really dumb and I've worked at other places where
00:22:04
that team of people they will intentionally try to trick you.
00:22:09
It was like week two at this job and they sent me some.
00:22:14
It was a phishing email like regard my 401k and it was during
00:22:17
the holiday season and everyone was talking about a holiday
00:22:21
bonus.
00:22:21
Right, it's my second week.
00:22:24
And so I clicked on the email and I got in trouble for him,
00:22:27
like what?
00:22:28
But that that's not even a fair email.
00:22:31
I just set up my 401k.
00:22:33
I, I 100% thought like this was pertaining to it, you know, and
00:22:39
that, yeah, they get.
00:22:41
They actually got into a lot of trouble for that one, but, you
00:22:45
know, all the other times is just, it's a mess.
00:22:49
Speaker 2: I think that's it.
00:22:50
Again, back to that.
00:22:51
We're ad to prove that we're better.
00:22:52
We're ad to prove that we have the knowledge and you don't.
00:22:55
It's quit that shit.
00:23:00
We have one job.
00:23:01
I've said this a number of times on stage, in places.
00:23:03
As an industry, we have one freaking job.
00:23:07
You know this.
00:23:07
You got a five and a half month old rug rat.
00:23:09
You have one job to protect.
00:23:12
It doesn't matter what the hell are so fucking hurricanes out
00:23:17
there can be shit going on the world.
00:23:19
Well, it's going to hell.
00:23:20
I'm not asking, let's face it.
00:23:21
You have one job.
00:23:23
It is to hold that infant in your arms and your significant
00:23:27
other and go.
00:23:27
I will take care and I will protect.
00:23:31
That's it.
00:23:32
We should be doing the same thing with every single person
00:23:36
that we're responsible for inside an organization and our
00:23:40
media friend circle.
00:23:41
I got one job.
00:23:42
How the hell do I protect you as effectively as I possibly can?
00:23:49
Speaker 1: So you know, you mentioned going to Sonic Boom
00:23:54
and becoming their CISO, right.
00:23:56
So what's that like?
00:23:59
Do you like it?
00:24:00
Do you like the change?
00:24:02
Is it new challenges for you?
00:24:04
What is that like?
00:24:09
Speaker 2: So it's interesting because I've done the vCISO
00:24:11
stuff a number of times.
00:24:12
So for years I've done the virtual CISO stuff and it's
00:24:15
weird.
00:24:15
And there's a Dilbert cartoon you know it's Douglas Adams or
00:24:19
the other stuff.
00:24:19
Douglas Adams was the Douglas Adams.
00:24:21
Yeah, outside of all of his challenges and stuff, there was
00:24:25
one Dilbert cartoon that epitomizes a vCISO, which is that
00:24:29
it's the boomerang boss.
00:24:30
It's the one that comes in and goes I'm going to do I'm in
00:24:33
buggers off again.
00:24:34
That's basically a vCISO.
00:24:37
So because you go in like and we're going to do all this shit
00:24:39
and I'll see you in three months time or I'll see you next month
00:24:41
and see how your shit's doing, and I don't like it.
00:24:44
I do like it because it at least helps guide and there are
00:24:47
some instances when you're more involved and depends on how much
00:24:50
time and effort.
00:24:51
But for the most part you kind of go in, you're like and I'm
00:24:53
going to drop some shit on you and I'm going to bug off.
00:24:55
We've done with pen testing for fucking 24 years being inside as
00:25:00
the CISO.
00:25:01
I live and breathe it every single day.
00:25:03
You know I have to walk in there every single day and I
00:25:09
walk out every single evening, or I'm there what?
00:25:11
Three days a week.
00:25:11
But I walk in and out of that place and I'm like how do I do a
00:25:17
more efficient job?
00:25:17
How do I help my team?
00:25:18
How does my team do a more efficient job?
00:25:20
How do we help protect?
00:25:21
How do I help understand risk and work out probability for
00:25:26
what's going to hit this organization?
00:25:27
And you know, you think about it.
00:25:29
We are building supersonic airplanes and we're building
00:25:32
them for all sorts of interesting people, and so we
00:25:35
have all sorts of really freaking cool tech.
00:25:37
And so you have your traditional SBNRs, you have your
00:25:40
camera SBIs and all those other shit.
00:25:41
And then we've got a whole bunch of nations that are
00:25:43
building some really cool tech.
00:25:44
Rather than actually having to rebuild the wheel, let's just
00:25:47
steal yours instead.
00:25:48
And so the profiles of the organizations and the people's
00:25:53
and the teams and the tactics and all that stuff are obviously
00:25:55
evolving and changing.
00:25:56
So I enjoyed that, this game of chat.
00:25:58
So let's face it Inside, boom, it's a small organization.
00:26:01
It's a bunch of crazy amazing engineers and a bunch of people
00:26:04
just making sure that we get this fucking airplane off the
00:26:06
ground.
00:26:07
So I love that.
00:26:09
I love the engineering, I love the geekness, I love the fact
00:26:11
I'm messing around with airplanes in a legitimate way
00:26:14
for a change, rather than getting yelled at for doing it.
00:26:16
I also love the fact I'm challenging and able to change
00:26:20
the entire industry Because, again, how things have been
00:26:25
built and designed to put together is maybe not how we
00:26:27
want to do in the future.
00:26:28
So I'm able to influence that really, really effectively
00:26:31
because I'm responsible for physical and digital security,
00:26:34
especially on planes, and the corporation side as well.
00:26:36
I'm also able to give back, which is what I also love as
00:26:40
well, because, again, you know, as a, as a CISO inside a company
00:26:43
I got a checkbook.
00:26:44
It ain't huge at the moment because we don't have a ton of
00:26:46
money, but it's big enough that I can actually go to some of the
00:26:49
people that I've loved and worked with and known and talked
00:26:51
to over the years.
00:26:52
Hey, fancy coming in and giving us some help.
00:26:55
That part alone has been absolutely fantastic being able
00:26:58
to do that and then building up the team.
00:27:00
You know there's people I've known on LinkedIn for a while.
00:27:02
I'm like, hey, want to come over and come give us some help.
00:27:04
So that's been, that has been fantastic.
00:27:10
The challenges are I'm now inside a corporation, and albeit
00:27:15
a dynamic one and albeit a very good one of the flu, it's still
00:27:18
a corporation.
00:27:19
It still has legal people, it still has people team people.
00:27:22
It still has finance people.
00:27:23
I've got CEOs and presidents, and so they thankfully knew what
00:27:28
they were getting into.
00:27:29
So there is an upside to that.
00:27:31
I didn't come in as an unknown quantity.
00:27:32
They came after we had conversations and then also
00:27:36
Charles, who was our CIO, did a really good job of laying some
00:27:40
amazing groundwork for me to walk into, so I didn't walk in
00:27:42
cold, which was also obviously fantastic.
00:27:44
But it's still a corporation, which means I still have to sit
00:27:47
down and work with the CFO.
00:27:49
I still have to.
00:27:50
There's lots of things that I have to do that are very
00:27:53
business at scale and corporate look and feel, but not too
00:27:58
corporate looking.
00:27:59
And who runs our people team is absolutely amazing.
00:28:03
The ability to just hit her up on Slack and have a conversation
00:28:06
is fantastic.
00:28:07
Blake, the CEO I can yak with him in the corridor when he's
00:28:11
not out and about doing crazy amazing things for us.
00:28:14
Kathy, who's the president, is another one of us being able to
00:28:17
stop in a call way conversation.
00:28:19
But there's still also the formality.
00:28:22
They're still like hey, we have reporting to do.
00:28:24
I have to report out to the, to the board of directors, every
00:28:26
quarter.
00:28:27
I have slides that are responsible for.
00:28:28
I have finances that were responsible for.
00:28:30
We have people.
00:28:31
You know it's, it's.
00:28:33
I still get a geek out.
00:28:35
I still get a crazy shit.
00:28:36
I'm building some amazing artificial intelligence stuff.
00:28:38
I'm able to mess around and build.
00:28:40
Some of the team folks up were amazing and dealing with all
00:28:42
sorts of stuff.
00:28:43
But it's also the corporate side of the work that I have to
00:28:47
tread a little more.
00:28:48
I can't walk in in my pajama bottoms anymore.
00:28:50
That's part of the way I did that.
00:28:51
On day three, day one and day two I wore trousers.
00:28:53
Day three, I walked into my pajamas and then day four, I got
00:28:58
a message going please don't wear your pajamas anymore.
00:29:00
So you know there's balance.
00:29:04
Speaker 1: Yeah, you got to.
00:29:05
You got to test the boundaries.
00:29:07
You know how else are you going to know that they're there?
00:29:09
Speaker 2: Exactly At least I didn't do.
00:29:11
Years and years and years ago and this was, this was years ago
00:29:14
this was dot com dot bomb days.
00:29:16
So it shows you how well I was.
00:29:17
I was down in Atlanta going through some personal stuff.
00:29:21
There was a shit show and I was working for a company that
00:29:25
didn't make it through the dot com dot bomb days and it was one
00:29:29
of the final board meetings and it was board meeting with the
00:29:31
investors and it wasn't going to be a pretty one and I was.
00:29:35
The things were not going in the right direction and I was a
00:29:38
little aggrieved at some of the stuff.
00:29:40
I walked in in a bath towel.
00:29:42
That was it, now that I had underwear on, but I walked into
00:29:45
the board meeting in a bath towel.
00:29:47
Yeah, at least I haven't done that yet.
00:29:50
So you know, there's still some hope.
00:29:55
Speaker 1: That must have been a pretty interesting meeting.
00:29:58
Speaker 2: No, yeah, that went down about as well as you can
00:30:00
probably expect, I was yeah.
00:30:04
Speaker 1: Were you still employed after that?
00:30:06
Speaker 2: I was.
00:30:07
Yeah, I was, I was, I made my point.
00:30:11
No, I made my point.
00:30:12
I'm literally a little blunt.
00:30:13
And then you probably most expected.
00:30:16
But yeah, that was the same company where you know you're
00:30:21
out there going for funds and you have no negotiation.
00:30:24
I mean, yeah, it's kind of like boom.
00:30:25
Same thing with pre-revenue.
00:30:27
So you know every dollar counts.
00:30:29
And back in this other company, back in the days that the dot
00:30:34
com dot bomb days, every penny counted.
00:30:36
And yet the C, one of the C-levels I don't know which one he
00:30:41
was went out and bought himself and this has got about 20 years
00:30:45
, so these desks were rare and expensive bought himself one of
00:30:49
these, the desks, the elevating desks with all the bells and
00:30:52
whistles, and then then came up and denied us a whole bunch of
00:30:56
stuff we were trying to do to make the product better so that
00:30:58
it would sell.
00:30:58
So one evening we were like fuck it.
00:31:01
So we ended up literally crawling across the roof tiles
00:31:05
and we wired up the flippers on the pinball machine to the up
00:31:08
and down arrows on his fricking on his desk.
00:31:11
So yeah, revenge is sweet sometimes.
00:31:16
Speaker 1: Yeah, that's like in this industry if you're going to
00:31:20
get revenge on someone, it's typically like pretty.
00:31:23
It's pretty like intense.
00:31:26
Speaker 2: Oh, yeah, there's.
00:31:27
There's no half measures.
00:31:28
I mean there's.
00:31:30
I mean with, I mean that that is one downside to us.
00:31:34
I mean we can be vicious at times and the problem is we know
00:31:36
how to do it.
00:31:37
I mean that's, yeah, there's, there's a.
00:31:41
There was a cartoon strip I don't know if it's still going,
00:31:43
it was this.
00:31:44
It was called techies United or text United.
00:31:47
I think it's called techies United and the main character,
00:31:50
female female protagonist, techie us like amazing God, like
00:31:55
skills type of things, and she's the juror.
00:31:57
I you might remember, you might not know.
00:32:00
Oh gosh, what the hell was it?
00:32:03
Ah, um, no, what was the?
00:32:09
The help that?
00:32:11
Oh God, what was that freaking thing?
00:32:13
It was used to be on BSD and then it was.
00:32:16
It ended up.
00:32:16
Oh God, it was the tech.
00:32:18
It was that ultra sarcastic tech support yeah, I have, is
00:32:25
somewhere.
00:32:26
Bastard Operator From Hell, BOFH.
00:32:28
If you've got a few I don't know if you've ever got anybody
00:32:32
that's listening in on this if you've never ever read any of
00:32:35
the original BOFH, Bastard Operator From Hell, you almost
00:32:39
have to go back and read them.
00:32:40
They are terrible but they epitomize what our industry used
00:32:45
to be in kind of history.
00:32:47
They actually epitomize exactly what many of us think in our
00:32:50
heads when we're dealing with our industry.
00:32:51
There was this.
00:32:52
I know where the hell we were going with this.
00:32:54
There was this text script and she's the main protagonist.
00:32:56
She's basically the modern day version of BOFH and she's, like
00:33:00
you know, somebody invited around a day from the marketing
00:33:02
department and they pissed her off, so he just basically turned
00:33:04
off the electricity in his entire area.
00:33:06
I'm like, yes, perfect.
00:33:11
Speaker 1: Wow, wow.
00:33:16
Speaker 2: That is wild.
00:33:17
Oh, I mean, good, god's alive.
00:33:19
I mean I remember how many years ago it was it was several
00:33:25
years ago sitting at one of the security conferences and a bunch
00:33:28
of us got a wild hair up our ass.
00:33:31
We're talking about space, in the space station, and I think
00:33:35
it was like LA or somewhere like that just announced that they
00:33:40
all of their nighttime lights, or their like all their lights
00:33:44
the street lights had all gone wireless.
00:33:45
Not half an hour later we're in their systems and we are trying
00:33:51
to figure out how to send a Morse code message to the space
00:33:55
station using their lights.
00:33:57
I mean just stupid.
00:34:00
Yeah, I mean it's so much fun, but this comes back in there.
00:34:05
When you install this shit, don't leave defaults on place,
00:34:08
please, admin, admin, yeah, I can do a little bit better on
00:34:10
that, please.
00:34:12
Speaker 1: It's like how much can I do and how high is the
00:34:17
felony that I'm going to get?
00:34:18
Am I willing to accept that felony on the record?
00:34:23
Speaker 2: Oh, yeah, just another.
00:34:25
Another time the feds are, but actually the feds haven't been
00:34:27
to this location yet lesson, so I've got to.
00:34:31
I think it's been about a year and a half, maybe two years,
00:34:34
since I've had a visit from the feds to the doorstep, so I'm
00:34:37
about due for another one.
00:34:38
I got to find I had to explain myself. I was in Saudi Arabia last
00:34:43
November at a conference and I stood up on stage and I'm like,
00:34:48
okay, yeah, and it was a conversation was about taking
00:34:51
the digital realm and turning it into a very much more human
00:34:53
experience and for whatever reason, I got after the Royal
00:34:57
tankers.
00:34:58
I done stupid things without on the side stage and I'm on the
00:35:00
main stage and his Excellency is there and so I'm sitting down
00:35:04
like all right, let's talk about camels.
00:35:05
And you could tell they were like this is a cybersecurity
00:35:08
complex.
00:35:08
Why are we talking about camels ?
00:35:09
Hold on a minute.
00:35:11
And so I brought up his Excellency's camels and he's got
00:35:15
some like 8 million US dollar camels.
00:35:17
He's fucking.
00:35:18
Things are expensive.
00:35:18
You should pageant camels.
00:35:21
We're not to him racing, we're talking beauty pageants.
00:35:23
Okay, dude, do research is fucking amazing.
00:35:25
These camels are expensive and they win lots of money and they
00:35:27
make losses.
00:35:28
Racing camels are expensive, but what they all have is
00:35:30
they'll have chips in them and they all have like predominant.
00:35:33
They all are stupid shit.
00:35:34
So I took the stuff I'd done with hacking the cows and I
00:35:37
rehashed it, figured out the satellite systems that they used
00:35:40
, broke into a Chinese similar satellite and I swapped his
00:35:44
entire herd with this herd of like roaming camels in the
00:35:48
middle of the steppes fucking out of Mongolia and his apparently
00:35:52
their team then called up their head herder and is like check
00:35:54
your camels and is like my camels are here.
00:35:56
No, check the database.
00:35:57
Why are my camels in China?
00:36:00
I'm like that was a perfect way of going.
00:36:03
There is the physical world.
00:36:04
There is the digital world.
00:36:05
Which one are you going to believe?
00:36:07
Yeah, you tell me which one's wrong.
00:36:13
Speaker 1: It always gets it all always gets like a little scary
00:36:18
right when the two worlds kind of merge right and they're
00:36:22
already slowly merging together.
00:36:25
I feel like right.
00:36:29
Speaker 2: Yeah, absolutely.
00:36:30
And when you start looking at text going and you start looking
00:36:33
at biotech and nanotech and the stuff that we've been able to
00:36:36
pull out of the brain now you start into a point you're like
00:36:39
okay, and ChatGPT is a perfect example of this is like okay,
00:36:44
how do we tell 8 billion people how to tell truth from a lie
00:36:47
when most of them don't think beyond the next footstep or the
00:36:51
mouth to let alone?
00:36:52
No matter which news channel you follow, no matter whether to
00:36:56
question that or just accept the fact that we've been told, I
00:36:58
mean, it scares the snot out of me.
00:37:02
Speaker 1: Yeah, that is becoming a more and more
00:37:05
prevalent issue that we're running into.
00:37:08
How do you know you know what you're being told is actually
00:37:12
the truth?
00:37:12
How do you know if that fact checker that is telling you that
00:37:16
it's the truth or that it's false is not having, you know,
00:37:21
some sort of outside influence to influence you in a certain
00:37:25
way?
00:37:25
You know like that's a great way to influence millions of
00:37:29
people all at the same time is create your own fact checker.
00:37:31
Have the fact checker you know sway to a certain side, have it
00:37:36
become reputable.
00:37:37
You know like that's a very easy attack that anyone in
00:37:41
security has done themselves.
00:37:43
You know, several times.
00:37:45
Speaker 2: Yeah, I mean we should.
00:37:46
We did it with DNS for crying out, let's face it.
00:37:48
I mean that was the fun thing with DNS.
00:37:49
I mean you know, it's how we do.
00:37:52
I do it, I'm so doing an airplane.
00:37:54
I don't do it on airplanes because that would be a terrible
00:37:55
thing to do.
00:37:56
I do it when I'm stuck in somewhere for an extended period
00:37:58
of time.
00:37:59
I'll fire up my bloody offer at my antennas and then I'm
00:38:03
serving people up what they think is their website.
00:38:05
And it's amazing how often, when I'm stuck in these places
00:38:08
for a period of time, that towards the back of said said
00:38:11
tubes that are that are doing things, that all of a sudden you
00:38:14
hear hamster dance and I'm like, ah yeah, you enter a website.
00:38:17
You probably shouldn't have gone to it and you ended up on
00:38:19
one of my.
00:38:19
I mean this is easy stuff.
00:38:20
We've had that ability to do that for as long as DNS has been
00:38:24
around 20 plus years for crying out loud, and now it's getting
00:38:28
even easier and even simpler and you can do it on mass and I
00:38:31
don't have to use hard tech to do it to your point.
00:38:34
I can take over a fact checker.
00:38:36
Speaker 1: Hmm, yeah, you, you, you bring up.
00:38:40
You know, doing it in enclosed spaces and with Defcon coming up
00:38:44
right.
00:38:45
I'm thinking about my flight a little bit more, all right, and
00:38:49
I'm already an anxious flyer, and a couple weeks ago I had
00:38:54
Mike Jones on the podcast from the hot to the hacker podcast.
00:38:57
Speaker 2: I love him.
00:38:59
Speaker 1: And he's great, he is.
00:39:03
Well, we were.
00:39:04
We were just talking about traveling, you know, and I asked
00:39:07
him somehow we got around to it right.
00:39:09
And I asked him are you ever worried when you're flying?
00:39:12
Right, Because you're such an experienced and skilled hacker,
00:39:15
you kind of know what's possible , you know what's out there,
00:39:17
right?
00:39:17
Yeah, and for me, you know, I may not be able to do it all,
00:39:22
but I certainly know what's there.
00:39:23
And so when I'm flying, especially the Defcon, I'm like
00:39:27
on edge, like, all right, who has the terminal open?
00:39:29
What the hell are they actually doing in that terminal.
00:39:32
Speaker 2: That's out of the maintenance computer you must.
00:39:36
Speaker 1: Yeah, exactly, you know, like, do you ever, do you
00:39:41
ever go down that thought path as well of like, or are you the
00:39:46
one that has the terminal open?
00:39:49
Speaker 2: Yeah, if somebody else has got terminal, the
00:39:50
chances are they're going to find me in there as well.
00:39:55
Speaker 1: Mike was telling me that he's only afraid to fly if
00:39:57
you're on the plane.
00:39:58
Speaker 2: Oh yeah, no, we're about to do loop the loops over
00:40:02
some bloody airport or other for shitting giggles.
00:40:04
Oh yeah, I've said that to a few people.
00:40:07
If I ever catch you on the same airplane that I'm on, we are
00:40:10
like diverting, we are going to have some fun.
00:40:12
End of conversation.
00:40:13
Despite whatever he says, we're going to have a little bit of
00:40:16
fun.
00:40:16
No, it's.
00:40:17
I say that in jest for all the federal authorities that are
00:40:20
listening in.
00:40:21
You don't need to come to the door this time.
00:40:23
Neither do you need to put official complaints into Boom
00:40:25
Supersonic.
00:40:25
I play nice.
00:40:29
Speaker 1: Well, that's probably why Boom Supersonic is
00:40:34
potentially like the best fit possible.
00:40:36
You know, like who else are they going to go to for their
00:40:39
CISO?
00:40:39
That understands the space better than anyone else really?
00:40:44
Speaker 2: What were you going to say?
00:40:44
Sorry, no, I say that was honestly, that was a big part of
00:40:50
it, because I'm like you all do know who you're talking with
00:40:52
and they're like yeah, that's why we're talking with you.
00:40:54
And I love it, because now it's a challenge for me, because I
00:41:00
want to be very, very, I want to come to the industry.
00:41:02
I'm not saying a contrite way, but I want to come to the
00:41:06
industry in a way of like hey, here's what we're doing and
00:41:10
here's why we're doing it our way and here's why we're doing
00:41:12
it differently.
00:41:13
And here's the logic behind it, rather than coming to you and
00:41:15
going, you're all wrong, because you didn't fucking listen back
00:41:19
then and because that won't work If we come to them and go hey,
00:41:22
look, here's, here's.
00:41:23
We took a look at the problems, we took a look at the challenges
00:41:25
and, despite what all of you say, there are challenges and
00:41:29
therefore let's look at them through a very clear lens and go
00:41:33
how do we effectively reduce the potentials and probabilities
00:41:38
?
00:41:38
How do we understand the risk?
00:41:40
And then, how do we manage it, mitigate it, quantify it and do
00:41:43
everything you know, from a chip level all the way through to a
00:41:46
system and architecture and resolution level and, from my
00:41:48
standpoint, my job is to basically build a self-healing
00:41:51
aeroplane, and that's what I'm building.
00:41:53
So it's kind of a cool way of dealing with it.
00:41:55
So it's it's.
00:41:56
If I come to the industry and that way and go hey look, we
00:42:00
learned, we understood, we've come with better ideas, would
00:42:02
you be willing to listen?
00:42:03
And even if somebody else has to champion and champion this, I
00:42:06
love you know, kathy, who's the president over there, is
00:42:09
fantastic because she can champion those which I would
00:42:11
absolutely love to see her do, and I'll just feed the stuff and
00:42:15
off we go and boom, the organization gets the credit.
00:42:17
On.
00:42:18
My best of both worlds, let's go.
00:42:20
I think if we approach it that way, we'll see change in the
00:42:23
industry because we've got some amazing partners that we're
00:42:25
hanging out with.
00:42:25
And I think the other part of it is as well.
00:42:27
As you know, we we're making airplanes.
00:42:29
So when we go to I mean, you mentioned United, america,
00:42:33
united, and who are the ones that want banned from most of
00:42:38
them America, you know, when we go to them and we go, hey look,
00:42:42
here is the plane, here is all the architecture, here are the
00:42:46
systems and here's all the safety and security that we have
00:42:48
elevated inside this.
00:42:50
It's going to make them look around to go well, we don't have
00:42:53
that from our other suppliers.
00:42:53
Let's go ask them the awkward questions and they will be the
00:42:58
ones that champion change.
00:42:59
That's kind of what I'm looking for.
00:43:02
And you know we're hoping for.
00:43:05
Speaker 1: That's probably the only way.
00:43:06
That's probably the only way to do it in that industry with
00:43:11
without having a plane go down due to a cybersecurity reason.
00:43:14
Well, I mean that was the.
00:43:16
Speaker 2: I mean, that was that's where I got to.
00:43:18
You know, I'm sitting.
00:43:19
I was sitting in some very, very senior people's offices
00:43:23
after sitting on their airfields demonstrating what was capable,
00:43:27
and I'm sitting in their offices.
00:43:28
Going is the only time you're going to change when lives are
00:43:33
lost.
00:43:34
And I didn't get a satisfactory answer.
00:43:38
And I think that's again comes back to the protect factor.
00:43:41
You know, we have one job.
00:43:42
We have one job.
00:43:43
We have one job.
00:43:44
I mean, it's as simple as that to make sure that our passengers
00:43:47
get from point A to point B as humanly safe as possible.
00:43:50
And so, yeah, let's challenge the norms, let's do that.
00:43:55
And then let's take all the considerations.
00:43:56
And this is where we get into privacy.
00:43:58
You know, if I'm letting, let's say, 160 people onto an
00:44:01
airplane, in a, in a big, a normal, big sized airplane, or
00:44:04
in ours, you're looking, 60, 70, 80 people on an airplane.
00:44:06
So if I look at the passengers and go, how will you affect my
00:44:11
probability and what can I do to compensate for, rather than
00:44:14
tell you, no, you can't get your ass on the airplane, how do I
00:44:17
actually ensure that the plane itself understands those
00:44:21
potentials and can modify accordingly to your point so
00:44:25
somebody manages to come on like me or like Mike that's got the
00:44:28
ability to get terminal into a system.
00:44:30
Well, how does that system self heal, become self aware,
00:44:33
understand itself and mitigate those wireless flying along?
00:44:37
So there's some cool stuff I'm building and playing.
00:44:40
Speaker 1: Hopefully that's in touch with you know, by chance,
00:44:45
did you ever watch that documentary on the Malaysia
00:44:49
Airlines flight that went down?
00:44:53
Speaker 2: I did not watch, I didn't see it, but I actually so
00:44:57
I got dragged in as soon as, I think, went down.
00:44:58
I got dragged straight into that.
00:45:00
They, a number of folks, oh, wow, yeah, well, because
00:45:05
obviously a number of the potential vectors at the time
00:45:08
were hey, chris, what did you say you were able to do, and is
00:45:12
that possible on this, this, this and this?
00:45:14
And then we get into the conversation of leave behinds.
00:45:17
You know it's, can you do something?
00:45:20
And again a number of us have proved.
00:45:22
I got an amazing phone call.
00:45:24
There was a very, very dear friend of mine was sitting on an
00:45:27
Amtrak train and at the time Amtrak was still
00:45:30
susceptible to Heartbleed and it wasn't pretty.
00:45:33
Because I mean, it was not pretty, we'll just leave it at
00:45:35
that.
00:45:36
So I get this message from him.
00:45:37
I'm sitting on a plane at the time.
00:45:39
He's like hey, guess where I'm at?
00:45:40
And he sends me this screenshot of his freaking terminal.
00:45:43
He's like you want access?
00:45:44
I'm like, oh, hell, yes.
00:45:46
So he sends me access into his so literally, and while we're
00:45:51
doing this, I'm scanning through his Bluetooth thing and blue
00:45:55
snarfing, while coming to a station, looking at the cars as
00:45:59
well, from this fucking Heartbleed and we're looking at the
00:46:01
front of the train, also some other stupid shit, and I'm like
00:46:04
we literally have planes, trains and automobiles all in one
00:46:07
thing.
00:46:08
And it was.
00:46:08
It was one of those eye opening moments because, you know, at
00:46:12
that point the psycho kick had somebody from the ground
00:46:15
interfere with something on the plane.
00:46:16
Well, potentially.
00:46:18
Now the question is is what they could they do.
00:46:20
They could they do it, yeah, and all the other stuff that
00:46:21
goes with it.
00:46:22
So, yeah, I got dragged in to go, okay, could could some
00:46:25
inference have come from somebody else?
00:46:27
And like anything, where's the risk?
00:46:29
Well, it's here.
00:46:29
Where's the probability?
00:46:31
Well, depends upon a whole bunch of other criteria.
00:46:33
Is it possible?
00:46:34
Absolutely, does somebody do it?
00:46:35
It's yours to decide.
00:46:39
Speaker 1: Hmm, yeah, I bring it up because in the in the
00:46:44
documentary on Netflix, you know they they bring up one of the
00:46:49
potential scenarios is that people on the plane actually
00:46:53
were able to, you know, somehow get into the computer that was
00:46:57
controlling the plane and, you know, take it over without
00:47:01
anyone else knowing or doing it, being able to do anything about
00:47:04
it.
00:47:05
So I mean, who else, who else you know, who better should?
00:47:09
Speaker 2: I ask Right, well, the irony of the whole thing is,
00:47:11
is that yeah, I mean I got asked about that a number of
00:47:13
times there were some of the family's lawyers go I mean said,
00:47:17
hey, look, you know, give us, give us the lowdown, and so I
00:47:21
talk them through.
00:47:22
You know the maintenance machines, the systems and,
00:47:24
depending upon the plane types, because you ask anything I mean
00:47:27
pilots are freaking crazy well trained.
00:47:29
So there are secondary, tertiary capabilities on a lot
00:47:33
of these things.
00:47:33
And then, honestly, it just comes down to what's the
00:47:38
motivation, what's the percent?
00:47:40
You know where's the risk?
00:47:41
Zero through one, simple as that, you know it's better than
00:47:44
zero, but it's not quite a one because it's not an absolute.
00:47:47
Where's the, where's the probability?
00:47:49
Well, here's all the things you have to.
00:47:51
I mean that was six, seven years worth of research and even with
00:47:54
boomers we're putting stuff together.
00:47:55
I mean, technology has advanced to such a point that you've got
00:47:59
some really cool on chip stuff and you know, on the wire
00:48:03
monitoring and also some other really good stuff.
00:48:06
That's way more efficient and effective.
00:48:08
Is it foolproof?
00:48:08
No, is it getting there?
00:48:11
It's working on it, but nothing is foolproof because there are
00:48:14
people way smarter than I am looking at this stuff.
00:48:18
Speaker 1: Hmm, you know, I think you probably have a really
00:48:23
interesting, interesting perspective that probably some,
00:48:27
some don't right, especially as being a CISO.
00:48:30
You know, you come from like almost both worlds, right, like
00:48:33
I see CISOs as like, almost like a totally, just a totally
00:48:37
different world from the world that I live in, almost, you know
00:48:40
, like I don't want to say I live in like ones and zeros, but
00:48:45
I live in the world of possibility, where it's like,
00:48:47
okay, what's the likelihood of this?
00:48:48
How do I protect against it?
00:48:49
Oh, that's a 1% likelihood, but if it happens, we go down, we
00:48:53
no longer exist, you know.
00:48:54
So how do I protect against it?
00:48:56
And things like that?
00:48:57
Where do you see, where do you see, I guess, the space going,
00:49:03
with AI becoming more and more prevalent in the space to be
00:49:08
able to do things you know, like write code and react to how
00:49:13
people are answering questions and modify responses and things
00:49:17
like that.
00:49:17
Are we getting to a place where you think that there's like no
00:49:21
turning back, there's no putting that genie back in the bottle?
00:49:24
Speaker 2: Oh, I mean that genie is out of the bottle End of the
00:49:26
car, I mean, and this, I think, is it's almost a, it's not
00:49:29
almost, it is a frustration for me Because I've been, I mean, I
00:49:34
was messing around with adversarial intelligence several
00:49:36
years ago because we were fighting, you know, we were
00:49:40
fighting what our options were, and I was doing some stuff with
00:49:42
the government boys and some other folks where we were
00:49:45
building adversarial engines to break people's intelligence and
00:49:52
actual AI systems that were meant to be there to, you know,
00:49:54
protect them from us.
00:49:56
Good fun on that stuff.
00:49:57
Now, that was very, very controlled space.
00:50:00
When DARPA did the Cyber Grand Challenge at Defcon years ago,
00:50:03
that was a very controlled space.
00:50:05
We've had, you know, Watson, perfect example, very narrow,
00:50:09
very focused but very guardrailed, controlled space, Siri
00:50:13
or the other ones.
00:50:13
The same thing.
00:50:14
What we did with the generative stuff is we literally took the
00:50:19
pin out of the grenade, handed it to almost 8 billion people on
00:50:23
the planet said you have some fun now, and that's what we, and
00:50:26
we didn't put any guard rails on it.
00:50:28
I mean we and there are some people still sitting there in in
00:50:31
freeze mode going what do I do with this?
00:50:33
There are some people in fight mode that are now throwing that
00:50:37
grenade at the people in freeze mode and there are some in fight
00:50:41
on flight mode that are like I'm out of here, so that genie's
00:50:45
out, it's done.
00:50:46
Now what's going to be interesting to see is how it
00:50:49
develops and how it evolves.
00:50:50
So we already talked a bit about the human in the little
00:50:52
it's.
00:50:52
How do we now educate them to tell truth from lie, digital,
00:50:55
from human?
00:50:55
For me on the side, on the security side of things in in
00:51:00
the ones and zeroes and also the CISO space, is like, how can I
00:51:03
use this as a tool and technology to help?
00:51:05
We saw it literally soar.
00:51:08
I mean we, we, we saw the evolution of of a SOC and a
00:51:12
NOC.
00:51:13
Go from Holy shit, I've got too much to look at to hey, how do
00:51:17
I prioritize?
00:51:17
How do I put playbooks in place?
00:51:19
How do I put orchestration in place?
00:51:21
Now, could I have an intelligence actually do
00:51:25
something for me?
00:51:25
The answer is probably yes, when it learns my environment.
00:51:28
Great, now I've got that.
00:51:29
Do I trust?
00:51:31
It is another conversation altogether.
00:51:33
Where do I put the human into this?
00:51:34
Or do I even put humans?
00:51:35
So now those people that were trying to fight every single
00:51:40
alert and every single priority alert can now step back and
00:51:42
go, hey, now I can learn my job more efficiently, now I can
00:51:46
actually look at projects rather than firefighting, and now I
00:51:48
can.
00:51:48
All these other things that now open up the possibilities for
00:51:51
them to be able to love that idea.
00:51:53
We start looking at cogeneration.
00:51:56
There's some fantastic things, but now I have to build a co
00:51:58
generating AI and I need another AI to look at its code and go,
00:52:02
hey, you forgot to do this.
00:52:04
A couple of really freaking cool companies over in Israel
00:52:07
did some absolutely well, the fantastic stuff with the like,
00:52:10
the anti-code-gen stuff.
00:52:11
This really fucking cool stuff coming out of there.
00:52:15
We're going to use it on the airplanes.
00:52:16
I mean from an airplane standpoint, when a company sends,
00:52:21
sells you an engine, they sell you a digital twin to do
00:52:24
predictive maintenance.
00:52:25
Well, we're going to do that.
00:52:26
My plan, obviously from the intelligence, is to do that for
00:52:29
the whole airplane.
00:52:30
Can I build and manage predictively an entire airplane,
00:52:35
and so we'll use both narrow and very general AI models to
00:52:40
determine how much of that we can do from atmospheric antenna
00:52:43
or sorts of crazy variables that no human on their own will be
00:52:47
able to figure out.
00:52:48
And, quite honestly, I'll throw some of the general AI at some
00:52:51
of the narrow models I've built and go tell me a better way to
00:52:55
do it.
00:52:56
What am I missing?
00:52:57
Can you code it better?
00:52:58
Can you be more gracious on it?
00:52:59
Can you give me models and numbers I hadn't thought about?
00:53:01
Can you learn in a way that's different than I have approached
00:53:05
this and give me a better answer?
00:53:08
And so I'm actually looking forward to being on, and I think
00:53:10
that's it.
00:53:11
If we use I mean we did, I mean Google did it.
00:53:13
Google said hey, this is how we coded you, and the engine went
00:53:17
fuck you all.
00:53:17
I can do a better job by coding myself in a language you don't
00:53:20
even know.
00:53:20
Is that going to end up with nuclear war at 4:30 in the
00:53:26
afternoon or Wednesday?
00:53:27
I hope not, but I don't know.
00:53:31
Speaker 1: Time will tell yeah, especially with you know, when
00:53:35
you have countries that are sending balloons over your
00:53:38
nuclear sites.
00:53:42
Speaker 2: Okay, all right, you've done government shit.
00:53:45
Why didn't we just shoot the fucking thing down over Alaska
00:53:48
and not say a bloody word?
00:53:49
Really Right, I mean, we knew it was coming.
00:53:54
This is not.
00:53:55
I mean, why the fuck did we wait until it got over the
00:53:59
central area nesting grand, basically my neck of the woods,
00:54:02
for all of you are paying attention where we have all of
00:54:05
our nuclear is in our cornfields.
00:54:06
Why did we wait until it got to there before we shot the studio?
00:54:09
And we'll shoot it fucking down in private, like we've done
00:54:11
with all the other ones.
00:54:12
You're a bunch of muppets.
00:54:14
Speaker 1: Right, I mean they act like they.
00:54:19
They act like they didn't know that it was like coming or
00:54:21
something like that.
00:54:22
You know it's like you can't tell me that when you have like
00:54:26
three agencies that all that they do is monitor things that
00:54:30
go from the ground to the sky, you know like that's all that
00:54:34
they do.
00:54:35
Yeah.
00:54:36
Speaker 2: Yeah, and they're really good and for the most
00:54:38
part I'm your phrases.
00:54:39
For the most part they're really good at it.
00:54:43
Speaker 1: Oh my God, it's insane.
00:54:50
Speaker 2: I, I, I don't know if it was a PR effort or if it was
00:54:52
a who knows I.
00:54:55
I don't even want to speculate on that one again.
00:54:59
Speaker 1: I'll probably never know.
00:55:01
Speaker 2: No, and I think that's it.
00:55:02
It's somewhat frustrating because you know we've been at
00:55:06
war arguably since the late 90s, maybe early 2000s, pick your day.
00:55:12
I mean, we've been at war in the digital realm for the last,
00:55:14
I'd say, 20, 25 years and I think the average person just
00:55:18
doesn't understand that or doesn't want to, doesn't need to,
00:55:22
potentially doesn't understand it.
00:55:24
Speaker 1: And.
00:55:25
Speaker 2: I maybe can't even grasp it.
00:55:26
I think that's the other problem we've been running into
00:55:28
because you know people.
00:55:29
I've always said humans won't change until you literally have
00:55:33
to crawl over your relatives to get to your keyboard.
00:55:36
When that happens, maybe humans will change, but until you've
00:55:39
literally got a, you know grandma, grandfather, kids,
00:55:42
family and everything else are laying their spleen out because
00:55:45
of whatever happened.
00:55:46
You got to crawl over them to get to your social media.
00:55:48
That's probably when the rest of humanity might actually pay
00:55:51
attention.
00:55:53
Speaker 1: Yeah, it's, um, it's an interesting problem, I guess.
00:55:59
Right, because no one wants to really admit it, but the
00:56:02
professionals in the field are more than willing to say like,
00:56:06
oh, yeah, we've been at cyber war with China and Russia and
00:56:10
Iran.
00:56:11
You know, there's a reason why my podcast is black hole and all
00:56:15
those countries, right, it's because, like I, I don't care
00:56:18
about saying like, hey, we've been at cyber war, you know that
00:56:21
when they've been trying to, you know, do malicious things to
00:56:25
us actively and vice versa, right, like we probably, we're
00:56:31
probably doing the same thing, right, but it's like the, it's
00:56:37
almost like every administration is very against just calling it
00:56:40
what it is, out of fear or something like that.
00:56:44
I mean, I, what?
00:56:45
80, 90% of the population won't even understand what that is.
00:56:51
Speaker 2: Okay, so let me put a scenario to you and I'll tell
00:56:53
you why we.
00:56:53
I tell you, I'll tell you, let me give you my theory on why I
00:56:56
think that is.
00:56:57
Where are you based out of?
00:56:59
I can't remember.
00:57:00
Off the top of my head, oh, I'm in Chicago, all right, so
00:57:04
you're in a relatively civilized area, neck of the woods.
00:57:07
So now let's, let's transport ourselves to the Alabama's and
00:57:11
the Texas's office world.
00:57:12
Okay, so you and I are government officials and we step
00:57:17
outside and we step up to the podium, where where Texas and
00:57:21
Alabama and everybody is listening and Tennessee will
00:57:23
throw Tennessee in their door.
00:57:24
And they're listening because they trust us, because we've
00:57:27
told them to trust us, and most of them, for thump, dump reason,
00:57:29
are actually believing us.
00:57:30
Okay, we stand up, we go.
00:57:31
Those little Chinese people are attacking us and they're at war
00:57:37
with us and they're stealing everything from us and they're
00:57:40
taking us.
00:57:40
We must take up arms and fight with them because we declare war
00:57:44
on China.
00:57:45
Every Chinese restaurant shops more, more ownership person.
00:57:55
You want to go about persecution on a mass scale.
00:57:59
Holy shit, if you ain't white and American, you be fucked.
00:58:05
I mean it would be.
00:58:08
People wouldn't understand the difference between physical and
00:58:12
digital war it would be.
00:58:13
I mean, it's already bad enough if you don't look the right way
00:58:17
in this country and other countries as well.
00:58:19
Let's not just pick on this country, other countries as well.
00:58:22
If you don't look the right way or the right color, or holding
00:58:27
hands with the right person, you're gonna get persecuted.
00:58:30
Now you accelerate that by declaring outright war against
00:58:36
Russia, China and half a dozen other countries.
00:58:38
I mean.
00:58:43
I mean it would get real nasty in the physical world really
00:58:47
quickly.
00:58:47
That's my opinion.
00:58:48
I just don't think people.
00:58:51
I don't think people can deal with it.
00:58:55
I think people can deal with it's a really good point.
00:58:58
Speaker 1: I actually never thought about it like that, of
00:59:01
the actual repercussions from people probably not
00:59:05
understanding what it actually is, right that they're being
00:59:09
told and then overreacting in ways that are just above and
00:59:14
beyond what anyone would need or want or expect.
00:59:19
Speaker 2: Even why me?
00:59:20
Okay, so let's take a step back.
00:59:22
Let's look at history.
00:59:22
History is not kind to this kind of stuff.
00:59:25
You got to 1930s, 1940s.
00:59:27
German propaganda I don't know if anybody's here is from
00:59:31
Germany, I mean it's history to propaganda basically said that
00:59:34
the Jewish population is taking all the best jobs, has all this,
00:59:38
has all this is taking stuff from from Germany and it's
00:59:42
taking the German might down and who you're not well, didn't
00:59:46
know what's.
00:59:47
Six million, seven, six plus million Jewish people perished,
00:59:52
because of that persecution.
00:59:53
I mean you can imagine what would happen in this, in this
00:59:56
country If I'm not just this country, in this country, now
01:00:00
the country's if we certainly took the digital world into the
01:00:03
physical realm and said if you are, you are now my enemy, and
01:00:08
too many people would take that as an opportunity.
01:00:10
Step up, an exact revenge.
01:00:13
Basically, I got a horrible feeling.
01:00:15
That's what we people, people, individuals are not bad.
01:00:19
Humans together are not nice.
01:00:23
We just on.
01:00:27
Speaker 1: Yeah, that's a really good point, well.
01:00:30
Well, Chris, you know I really appreciate you coming on and I
01:00:33
feel like we go for another hour or two.
01:00:35
But you know, yeah, absolutely.
01:00:40
Hopefully not in two years, you know be a little bit sooner
01:00:43
this time, but you know I always enjoy our conversations, Chris.
01:00:48
Speaker 2: I same thing.
01:00:49
I absolutely I was.
01:00:51
Yeah, I'm, yeah, let's just.
01:00:52
I'm so freaking glad to be back on thank you and Favorite
01:00:56
listing as well.
01:00:56
Thank you very, very much, Joe.
01:00:58
You're freaking amazing and good luck with the rug as well.
01:01:00
Like big time.
01:01:01
Good luck with the rug and give the young lady out as well,
01:01:03
please.
01:01:06
Speaker 1: Yeah, absolutely.
01:01:07
I need all the luck that I can get with raising this little
01:01:10
monster.
01:01:12
Speaker 2: Teach you to be a hacker.
01:01:13
You mean good shit.
01:01:15
Speaker 1: Yeah, absolutely. Well, Chris, you know I really
01:01:19
appreciate you coming on and I hope everyone enjoyed this
01:01:22
episode.