Insights on Self-Employment and Cyber Threats from Boom Supersonic's CISO Chris Roberts

1 00:00:02
Speaker 1: Well, Chris, it's really good to have you back on.

00:00:04
I think you're probably the most requested guest to have

00:00:08
back on ever.

00:00:09
I get paid more about you coming on than anyone else.

00:00:14
Speaker 2: It's almost frustrating.

00:00:15
I'm sorry, I'm humbled, honored and scared all at the same time

00:00:23
.

00:00:23
I was thinking about this before we were actually talking.

00:00:28
I was thinking about this because we'll get into it in a

00:00:32
minute.

00:00:32
I did something this morning.

00:00:33
I did an award ceremony thing this morning and I did it and I

00:00:37
just I walked out.

00:00:38
I actually walked out halfway through it because it wasn't

00:00:41
real, it was just, it was scary.

00:00:44
Yeah, this is what I just about doing.

00:00:46
These ones, these are just its reality, and it's yeah that

00:00:50
scares me about the guest thing.

00:00:51
Well, I'm honored.

00:00:52
I will try not to let people down.

00:00:54
I said I could.

00:00:56
I was actually a few minutes late because, partly because I

00:00:58
was sitting on the wrong, on the wrong stream, which is my own

00:01:01
fault, but also I'm like I was at.

00:01:02
That is at that point in time of the day and it's raining as

00:01:05
well, and it's at that point time of the day when I really

00:01:07
need a good, strong cup of tea.

00:01:08
So I got my cup of tea.

00:01:09
So goodness knows what the hell's going to happen.

00:01:11
You might have to hit the bleep button a few times.

00:01:15
Speaker 1: Oh, no worries on that.

00:01:16
I mean you've been on here before.

00:01:18
The podcast is unfiltered for a reason right?

00:01:23
Speaker 2: I'll be fucked at this point in time, people.

00:01:25
Yeah that is very true.

00:01:31
Speaker 1: Well, chris, you know , I think you know the last time

00:01:35
you were on, you were you were running your own company.

00:01:39
Still, I believe it was you know you were still doing

00:01:42
consulting.

00:01:43
You haven't quite, you know, made the transition or anything.

00:01:47
Yet why don't we talk about, like, why you made that

00:01:51
transition?

00:01:52
Because I feel like there's a lot of people, or at least

00:01:55
there's a small subsection of us within the community that you

00:02:00
know the dream is to actually get into consulting, work for

00:02:03
yourself and do that whole thing right.

00:02:06
I have, I've been uncomfortable with the IRS enough times to

00:02:15
you know.

00:02:15
Be okay to not go down that route, right.

00:02:18
Speaker 2: Yeah, I'm actually, ironically, I'm having

00:02:23
conversations with our wonderful IRS system at the moment

00:02:25
because they and I do not agree on some of my taxes from

00:02:29
literally 2014 onwards.

00:02:31
Oh my God, yeah, so I we're at loggerheads and now got somebody

00:02:38
else involved to help out sort of our situation and I think you

00:02:40
know it's.

00:02:42
It's all down to the company stuff and I and the stupidity of

00:02:46
it is, and a lot of people listening and they're going to

00:02:48
understand this one because they know me well enough my whiskey

00:02:51
case so my whiskey case is is part of who I am.

00:02:56
It's.

00:02:56
I take it to conferences, I share it, we do stuff for

00:02:59
charity with it, we, we go down to right time, the watch is

00:03:03
placed here and we do watches, whiskeys and work events.

00:03:05
It is, it's, it's part of who I am.

00:03:08
These days Now you sit down with an IRS agent and you go, hey,

00:03:12
so I bought some whiskey on the company and they're like well,

00:03:14
you know, if I sent a statement, I'm actually, no, it's business

00:03:16
development.

00:03:16
Well, no, it's entertainment you can become.

00:03:18
I'm actually.

00:03:19
You know, it's business development.

00:03:20
I'll sell them.

00:03:20
By the way, some of it's for charity and some of it I don't

00:03:23
even bother claiming because it's too much.

00:03:24
I'm like here's the amount and here's what I'm claiming and

00:03:26
here's what I'm asking for.

00:03:27
And just just that one thing, that if they stepped out of

00:03:33
their own world and went oh yeah , you know, we'll do a little

00:03:35
bit of background research and most in on the guy and actually

00:03:38
go oh yeah, the, you know, the guys I rolled it up a gherk on

00:03:42
last year, you're before lost a gherk on me race couple of grand

00:03:44
for charity.

00:03:45
We're going to do the same thing, I think Columbus I'm

00:03:48
talking to new spire and we're going to try and do the same

00:03:50
thing out at Columbus B sites.

00:03:52
I'm going to bring the whiskey case with me and we'll do a for

00:03:55
charity there as well.

00:03:56
And it's, you know, it's, you try to explain it to the IRS and

00:03:59
that that confuses us.

00:04:00
It's not a, let alone the fact that changed costs every five

00:04:03
minutes.

00:04:03
That that alone should should allow me the the ability to just

00:04:07
throw myself off the cliff when it comes to trying to forget

00:04:09
that.

00:04:09
So yeah, if you're going to go into start your own company or

00:04:15
run yourself as a schedule, see, or any of that stuff, one keep

00:04:20
stupid good records to go in with your eyes wide open.

00:04:25
Three, use QuickBooks.

00:04:26
And four, get yourself a damn good accountant who is

00:04:29
validating for you, because it ain't pretty and, yeah, you can.

00:04:32
You can mess with some numbers and you can fudge a little bit

00:04:34
and you can play a little bit.

00:04:35
I mean, you know IRS expect that, but yeah, you better just

00:04:39
keep it tight.

00:04:40
And then, by the way, puts in money aside for when you have to

00:04:42
pay for the lawyers to fight the fact that the IRS doesn't

00:04:44
agree with the fact that an arduino is seen as a tool versus

00:04:48
a beast.

00:04:49
Speaker 1: Yeah, it's a.

00:04:53
It is challenging, you know, like I don't even.

00:04:58
I don't even do that much business.

00:05:01
But the issue is the side work, right, so I'll do these side

00:05:04
projects and whatnot.

00:05:05
And with these side projects I mean, sometimes I'll get through

00:05:10
them in, you know, a week and I'll forget that I did them,

00:05:13
even you know, when it comes next year.

00:05:15
Sometimes it takes me five months to get through a side

00:05:18
project, right, and man, it's like trying to keep track of all

00:05:23
that is just insane, especially when you're going back a year,

00:05:27
you know, and so, like now, I have to keep like meticulous

00:05:30
records.

00:05:30
I actually got an accountant to actually help me through all

00:05:35
this stuff, you know, because I'm at the point where it's like

00:05:37
I have to deduct an uncomfortable amount and to me,

00:05:44
right, growing up poor, to me it feels wrong.

00:05:47
Oh why.

00:05:48
To everyone else, you know, it's like, oh, this is nothing,

00:05:52
but for me it's like I don't know.

00:05:55
Speaker 2: It's money's money at the end of the day.

00:05:56
I mean, when you've got to take a quarter or a third of what

00:05:59
you put, of what you bring in and it's some of it's freaking

00:06:02
hard work to bring that in and you got to put a third or a

00:06:05
quarter of that aside and go, hey, that just has to sit there,

00:06:08
or I got to pay that in in advance.

00:06:10
Whichever method you're using, yeah, it's, it sucks.

00:06:14
And I mean I, you know to your point.

00:06:15
Last time we're on I, we had Hilberley hit squad which we

00:06:18
ended up closing down at the end of this past year.

00:06:21
And closing it down is going to be an interesting one because I

00:06:28
still haven't sorted out with taxes on that one yet Because

00:06:33
when we closed it down we divided up the assets.

00:06:35
And so how that?

00:06:38
I mean we had a watch collection, because we had, we

00:06:40
were building up a watch rental company I lost two thirds of the

00:06:45
whiskeys.

00:06:46
So, even though I still have a couple of hundred bottles, I

00:06:48
lost the best part of four or 500 bottles of whiskey because I

00:06:53
had to divide up the asset, because they were bought under

00:06:55
the company and I'm quite the fact that for the most part I

00:06:59
was doing most of the business and the work and the consulting.

00:07:01
The agreement was signed that all three of us would get a

00:07:04
complete, even split, no matter what, and so that was a bit of a

00:07:09
painful bit, of a painful December January, shall we say.

00:07:12
From just a mental state, I did not sit well on a few different

00:07:15
reasons, especially when somebody close to me Turner said

00:07:19
hey, by the way, there's still, you know, $20, $30

00:07:22
worth of stuff that needs to be paid for over here.

00:07:24
And I hit the other guys up and said, hey, we need some of that

00:07:26
stuff back to pay the bills.

00:07:28
And basically I got to fuck you .

00:07:30
So that came out of my money.

00:07:34
So that was another $20, $30 worth of unforeseen

00:07:39
expenses.

00:07:40
So I ended up selling quite a number of the watches that I had

00:07:44
.

00:07:44
So I had a couple of nice ones, but like the couple of Rolexes,

00:07:48
the Tudors, couple of the Grand Seiko, some of the other stuff

00:07:51
I'd actually really liked, end up going up for sale to pay

00:07:55
towards just all the legal stuff and then the money outstanding

00:07:58
on closing it down.

00:08:03
Yeah, it's tough, I'm still doing some side stuff, but I

00:08:08
have scaled way back.

00:08:10
You know, when somebody hits me , I'm down and says, hey, we

00:08:12
want a pentest done.

00:08:13
First call is almost to Amanda Nickerson.

00:08:15
I'm like, hey, does Chris and you and the team want to do this

00:08:17
?

00:08:17
And I just put the two people in touch.

00:08:19
I'm like, go do, just go deal with it and it's all yours,

00:08:23
because I really I don't want to get involved in much more.

00:08:27
I'll do the occasional pentest assessment.

00:08:29
I'm doing some consulting, I'm doing some thread and tell stuff

00:08:31
with a couple of folks, but, yeah, I've scaled it way back.

00:08:35
Honestly, most of the stuff now that are from like a side income

00:08:38
standpoint is there are out of all of the actually you know

00:08:43
this is I think I put the post up there out of all of the

00:08:46
conferences that I do.

00:08:47
Some of them I actually get a stipend for, not many, but some

00:08:52
of them, and that, untruthfully, that's income.

00:08:54
It just goes straight back to pay for the other conferences

00:08:57
that I don't charge for.

00:08:58
So, even though it's income, it offsets.

00:09:01
Yeah, there's that.

00:09:02
I'm still.

00:09:02
What am I?

00:09:03
22, $22 underwater so far this year for the conferences

00:09:09
and and.

00:09:09
But then the difference is some of the conferences will pay for

00:09:12
travel, some don't.

00:09:14
Some pay for stuff like a B site.

00:09:16
I don't ask much about a B site .

00:09:18
I mean like, look, if you can cover my hotel, I got the rest

00:09:20
of it covered.

00:09:21
Any of the charity stuff I won't ask for, but if it's a pay

00:09:25
for conference, I'm like, hey, look, at the very least you can

00:09:27
fricking pick up the T and E for me please.

00:09:29
So yeah, it's.

00:09:31
It's weird getting a steady paycheck every every two weeks,

00:09:38
because we get paid every two weeks, not every twice a month.

00:09:40
It's kind of weird getting a paycheck every two weeks, even

00:09:43
if you've, like taken some time off, as, like, holy shit, I took

00:09:45
time off and I'm still getting money.

00:09:46
I'm still getting a lot of experience.

00:09:51
Speaker 1: Yeah, that's.

00:09:51
You know, that's a problem that I'm working through right now.

00:09:55
Right, so I recently opened the podcast up to sponsors and so

00:10:00
now I'm seeing like the vendor management side of it and things

00:10:03
like that.

00:10:03
Right, so I'm starting to like try and do the math of, like,

00:10:08
well, what it would take to actually just do this full time,

00:10:11
you know, and maybe go to conferences and do all that

00:10:15
thing.

00:10:17
Speaker 2: I mean there's a bunch of folks that have done it

00:10:19
successfully.

00:10:20
I mean look at Paul and Security Weekly and stuff like

00:10:23
that.

00:10:23
I mean they, that team, did it.

00:10:25
I don't know the numbers and all the stuff involved.

00:10:27
I know there's a bit of a bit of who hard towards the end for

00:10:30
which I don't know, and I hope it gets resolved, whatever it

00:10:33
was.

00:10:33
But I mean I know, I know they did okay and I mean that was

00:10:37
their job, that was their role.

00:10:38
They got sponsors in and I think they ended up selling it

00:10:40
off and doing okay.

00:10:41
I mean dark matters and dive diaries and all those Danny's

00:10:44
doing the same thing.

00:10:45
She's doing the podcast, the conferences and then building up

00:10:48
a consulting business.

00:10:49
So it can absolutely be done.

00:10:51
I think, you see, she got to figure out the math on it.

00:10:57
Speaker 1: Yeah, that's the, that's the challenging part and

00:11:00
I think, also staying just staying consistent.

00:11:03
You know, like I feel like that's 80% of the battle is like

00:11:06
still being motivated to do it.

00:11:09
And the reason why I say that is because, like you know, I

00:11:12
talked to Paul from Security Weekly and he said it took him

00:11:16
like seven years, right, seven years of doing it before he

00:11:19
looked up and was like oh wait, I can like hire someone right,

00:11:24
like I can get a studio and and do these things.

00:11:26
Speaker 2: You know, I guess you know that makes sense, cause I

00:11:30
mean I remember the early days and I remember the early days of

00:11:35
them just having like literally a table at like the DEF CON on

00:11:38
the ship, pre-b sites.

00:11:40
I mean this is pre-B sites.

00:11:41
This was like in the, in the vendor area, whatever the hell

00:11:46
we used to call that before it was the vendor area.

00:11:48
I thought we used to call it mosh pit, basically, yeah, I

00:11:52
remember having like, I remember seeing all the stickers and

00:11:54
stuff like that.

00:11:55
So, yeah, that's got back a while now.

00:11:56
So, yeah, that's a.

00:11:59
It's a rough one, cause I mean it's.

00:12:01
I mean you know this is well.

00:12:03
I mean, once you take somebody on, you are responsible for that

00:12:06
person, and that was.

00:12:07
You know, if anything ever kept me awake in the evenings when I

00:12:11
had like howl or Sentinel or HHS or any of the other, any of

00:12:15
the other companies some have done well and some didn't the

00:12:18
biggest thing that would scare the living crap out of me was

00:12:21
I'm now responsible for other people's livelihoods.

00:12:26
Speaker 1: Yeah, that is.

00:12:27
That is also like the boulder in my head, right.

00:12:32
Yeah, that, you know, makes me nervous about that.

00:12:35
Right, it's one set of stress factors, right, when I have to

00:12:40
already provide for my wife and you know we have a mortgage, we

00:12:44
have a kid now, you know.

00:12:45
But it's like now other people are depending upon me that have

00:12:51
families that have their own mortgages, that are paying their

00:12:54
own bills and everything you know.

00:12:55
And if I make one stupid mistake or if I say one stupid

00:13:00
thing on this unfiltered podcast , right, like it could all go up

00:13:03
in smoke potentially, right, I don't think I don't think I'm

00:13:12
close to saying something that'll blow up everything, but,

00:13:15
you know, maybe if I have too much whiskey or something during

00:13:19
a podcast, you know.

00:13:21
Speaker 2: Well, I mean okay.

00:13:22
So here's the interesting thing .

00:13:23
I mean, this is the challenge is we didn't necessarily matter

00:13:28
what you think or don't think on this one.

00:13:30
I mean the other part of it is as you got guests on the podcast

00:13:32
.

00:13:32
I mean, some of us have been at the mercy of the media on more

00:13:35
than one occasion.

00:13:36
You know two or three occasions on my part, and it's, it's gone

00:13:40
well once or twice and man is it bit me in the ass on one or

00:13:44
two occasions, let's face it so it's, and some of it you don't

00:13:47
even give it a second thought.

00:13:49
I mean, you know, when you tweet something, you don't

00:13:52
necessarily think it's going to have that random word

00:13:54
repercussions, that it does the same thing.

00:13:56
When you say something, I mean you're the same way.

00:13:58
I mean I'm on stage on a regular basis and I'm as raw, as

00:14:03
unfiltered as it comes off the time, but I'm still.

00:14:06
I still care about humans.

00:14:08
Ish, but I'm, and to me I'm going to do a post later on fact

00:14:13
.

00:14:13
We'll talk about this in a second.

00:14:14
I think it's.

00:14:17
I think, if it comes from the heart, I don't think there's

00:14:20
much that you can say.

00:14:21
There's going to piss off people enough that you end up

00:14:23
getting nailed for it.

00:14:25
If you're a good human normally and you're fucking awesome,

00:14:28
let's be honest If you're a good human normally, I just I don't

00:14:34
think any of that stupid shit comes out.

00:14:36
I think it's those people that hide behind.

00:14:38
I mean, there's so many narcissists in our world,

00:14:40
there's so many people that like hide that behind, the shit's

00:14:43
just going to slip out.

00:14:44
There are people that only care for themselves or are only out

00:14:48
for the money that they're going to slip and say something

00:14:50
derogatory about their team or the people who work for them, or

00:14:53
somebody race, color, creed, orientation, whatever it might

00:14:55
be Because that is not the true nature of it.

00:14:59
So I think, stay true to yourself and you'll be fine.

00:15:04
Speaker 1: Yeah, I think that's a great piece of advice.

00:15:08
You know, I did actually used to have that worry in my head,

00:15:13
you know, when I, when I started this whole podcast, and what I

00:15:17
realized is, you know, those things that like would

00:15:22
potentially like get me canceled , so to speak, I like doesn't

00:15:26
even exist in my head.

00:15:27
You know, like I wouldn't even know what to say, literally like

00:15:32
in the spur of a moment, that would put me in that situation.

00:15:35
And, you know, I guess part of it is probably, you know, how I

00:15:40
was brought up, how I was raised and everything like that.

00:15:43
Right, like, it's just, I think that that's a section, right,

00:15:47
that my mind doesn't even go to, it doesn't exist in my head,

00:15:52
which is, you know, I think, I think it's helpful.

00:15:58
It's absolutely helpful, you know, because I've noticed when

00:16:02
people, sometimes, sometimes people will try to catch me up

00:16:05
in something and I'll just get confused, like, okay, what are

00:16:08
you talking about?

00:16:09
Like I don't know what you're even talking about.

00:16:11
You know, and you could see, like, oh, they were trying to

00:16:14
catch me up in something.

00:16:15
It's not until hours later that I realized what they were

00:16:19
trying to catch me up in.

00:16:20
But, like you said, you know this.

00:16:23
I feel like this field in it, right is more prone to being

00:16:32
full of narcissists, or if you're in this field, you're

00:16:34
more prone to becoming a narcissist right, because it's

00:16:39
almost like a God complex God complex for it, almost.

00:16:45
Speaker 2: It's.

00:16:45
I mean either, when you think about it, we and this has been

00:16:49
one of my complaints for our industry especially, I think,

00:16:51
especially since getting into the management side of the world

00:16:53
, it's been one of my biggest complaints.

00:16:56
It's, you know, we have, undeniably we have, the keys to

00:17:01
the kingdom.

00:17:01
I mean, without a shadow of a doubt, turn off electricity in

00:17:05
countries, got you covered.

00:17:07
You know, shut places down easy enough to do.

00:17:09
Let me demonstrate it for you.

00:17:10
So, as an entire segment of the industry, we have the keys to

00:17:15
the kingdom.

00:17:15
The problem is we don't necessarily have the maturity to

00:17:20
cut with that keys of the kingdom, not in a long stretch,

00:17:22
I mean.

00:17:23
And it's and part of it's because our industry just hasn't

00:17:26
been around long enough and we're still trying to figure

00:17:28
ourselves out.

00:17:28
I put a post out the other day about it.

00:17:30
I'm like you know, from an industry perspective, we report

00:17:34
into 10 different directions.

00:17:35
You get to a C cell and you're like, oh, I have made it, which

00:17:38
is totally the wrong way of looking at it, to be honest, but

00:17:41
it's like the business still doesn't really know what the

00:17:44
frickin heck to do with us.

00:17:45
I mean it doesn't.

00:17:46
It's like well, shit, some of you can go to the CFO, some go

00:17:48
to the CEO, some to the CIA, some are going to bury somewhere

00:17:51
in the middle of bug fuck, nova , because we don't want the hell

00:17:53
to do with you.

00:17:53
So, as an entire industry, business hasn't figured out how

00:17:58
to deal with us and, honestly, neither have we figured out how

00:18:02
to deal with business as effectively as we should do.

00:18:04
So we have the keys to the kingdom, we know it.

00:18:09
The business still doesn't know what the hell to do and we're

00:18:11
still yelling going hey, look at us, look at us, look at us, and

00:18:13
and.

00:18:14
So that narcissistic tendency to beat your own chest and go we

00:18:20
are the ones and you should listen to us is still prevalent.

00:18:24
They're alone.

00:18:25
Wait, I mean, it's also the blame game as well.

00:18:27
Let's face it.

00:18:28
As an industry, we fucking blamed everybody.

00:18:30
I mean, we still blame users, we still blame developers.

00:18:33
We blamed it.

00:18:34
I mean we blame everybody apart from looking in the bloody

00:18:36
mirror and going.

00:18:37
You know what could?

00:18:37
we do differently.

00:18:41
Speaker 1: Yeah, that's.

00:18:42
That's actually a really good point that we always blame

00:18:45
everyone else except for ourselves.

00:18:47
It's not my stupid configuration, it's not my you

00:18:51
know terrible training that my users aren't able to identify

00:18:55
this really good phishing email.

00:18:57
Speaker 2: Yeah, which you know, it's funny.

00:19:02
Speaker 1: It's funny because I you know, I had a.

00:19:04
I had a phishing email a couple of weeks ago and it was one of

00:19:10
the best ones I've ever seen.

00:19:11
I almost clicked on it, but it would have broken my first rule

00:19:14
of no clicking on links.

00:19:17
That's the only thing that saved me is my own personal rule

00:19:20
, but everything else about it was very convincing.

00:19:23
Speaker 2: Yeah, it's, it's and I think that's it.

00:19:26
And you know, you throw all of the intelligence systems that

00:19:29
have now been thrust onto the unsuspecting world and it ain't

00:19:34
going to get any easier.

00:19:35
And yet we still think we as an industry, not individuals

00:19:39
there's some really fucking good people out there but as an

00:19:42
industry we've still said once a year or once a quarter, we're

00:19:45
just going to train people and hope that's it.

00:19:47
I mean a bunch of.

00:19:49
And, by the way, we're going to train you in the corporate

00:19:51
world, not train you how to look after you as the human being.

00:19:55
We won't train you how to look after your kids or your

00:19:57
grandparents or your parents or your guardians or friends and

00:20:00
family.

00:20:00
We're just going to train you because if you click on shit,

00:20:03
we're going to punish you.

00:20:03
I mean, like, what a fucking ridiculous way to run anything.

00:20:07
And we still think it's a good way to do it.

00:20:09
And and oh, this one pisses me off Not only we're going to

00:20:14
train you, before we train you, we're going to fucking trick you

00:20:17
.

00:20:17
And then we're going to trick you because we want to measure

00:20:21
how much you fail.

00:20:22
I'm like you assholes.

00:20:24
I mean really one of the first things I did when I started at

00:20:28
boom because I walked into boom supersonic when I started there

00:20:32
I was in front of like the entire staff and I and that

00:20:35
question came up about you know phishing emails and stuff I said

00:20:37
I'll make you a promise I will never try to fool you, trick you

00:20:41
, make you look like fools and idiots just to make me feel

00:20:44
better.

00:20:44
I will train you every single month.

00:20:47
I will help you, I will teach you, I will make you fun and we

00:20:50
will make it engaging.

00:20:51
And now, with the team that I have, we're doing that.

00:20:53
And I said and when I run a phishing test, I will tell you

00:20:57
beforehand because I want you to know and learn and understand

00:21:01
and succeed, but I will never, ever make fools of you.

00:21:05
If I do, you know exactly where to find me.

00:21:11
Speaker 1: Yeah, that's a huge thing.

00:21:13
You know, it's kind of two fold right.

00:21:15
So I used to work at a company that did a lot of work with the

00:21:19
government and whatnot and they had some rule where if you fail

00:21:23
I think it's like three phishing tests in a row, you're

00:21:26
automatically terminated.

00:21:27
Speaker 2: Yeah, and.

00:21:29
Speaker 1: I was so perplexed by it, you know, because it's like

00:21:32
you know one, the market is not the easiest to hire people in,

00:21:39
because you're typically poaching from everyone, right,

00:21:43
and it's not really fair.

00:21:45
Yeah, I can see if it's literally every single month,

00:21:49
right, and you just missed 12 in a row.

00:21:51
Maybe you should reassess and be like maybe I'm doing

00:21:54
something wrong, right, maybe this person isn't getting it,

00:21:58
but man, it's.

00:22:00
It's really dumb and I've worked at other places where

00:22:04
that team of people they will intentionally try to trick you.

00:22:09
It was like week two at this job and they sent me some.

00:22:14
It was a phishing email like regard my 401k and it was during

00:22:17
the holiday season and everyone was talking about a holiday

00:22:21
bonus.

00:22:21
Right, it's my second week.

00:22:24
And so I clicked on the email and I got in trouble for him,

00:22:27
like what?

00:22:28
But that that's not even a fair email.

00:22:31
I just set up my 401k.

00:22:33
I, I 100% thought like this was pertaining to it, you know, and

00:22:39
that, yeah, they get.

00:22:41
They actually got into a lot of trouble for that one, but, you

00:22:45
know, all the other times is just, it's a mess.

00:22:49
Speaker 2: I think that's it.

00:22:50
Again, back to that.

00:22:51
We're ad to prove that we're better.

00:22:52
We're ad to prove that we have the knowledge and you don't.

00:22:55
It's quit that shit.

00:23:00
We have one job.

00:23:01
I've said this a number of times on stage, in places.

00:23:03
As an industry, we have one freaking job.

00:23:07
You know this.

00:23:07
You got a five and a half month old rug rat.

00:23:09
You have one job to protect.

00:23:12
It doesn't matter what the hell are so fucking hurricanes out

00:23:17
there can be shit going on the world.

00:23:19
Well, it's going to hell.

00:23:20
I'm not asking, let's face it.

00:23:21
You have one job.

00:23:23
It is to hold that infant in your arms and your significant

00:23:27
other and go.

00:23:27
I will take care and I will protect.

00:23:31
That's it.

00:23:32
We should be doing the same thing with every single person

00:23:36
that we're responsible for inside an organization and our

00:23:40
media friend circle.

00:23:41
I got one job.

00:23:42
How the hell do I protect you as effectively as I possibly can

00:23:45
?

00:23:49
Speaker 1: So you know, you mentioned going to Sonic Boom

00:23:54
and becoming their CISO, right.

00:23:56
So what's that like?

00:23:59
Do you like it?

00:24:00
Do you like the change?

00:24:02
Is it new challenges for you?

00:24:04
What is that like?

00:24:09
Speaker 2: So it's interesting because I've done the VC so

00:24:11
stuff a number of times.

00:24:12
So for years I've done the virtual CISO stuff and it's

00:24:15
weird.

00:24:15
And there's a Dilbert Carton you know it's Douglas Adams or

00:24:19
the other stuff.

00:24:19
Douglas Adams was the Douglas Adams.

00:24:21
Yeah, outside of all of his challenges and stuff, there was

00:24:25
one Dilbert cartoon that epitomizes a VC so which is that

00:24:29
it's the boomerang boss.

00:24:30
It's the one that comes in and goes I'm going to do I'm in

00:24:33
buggers off again.

00:24:34
That's basically a VC.

00:24:37
So because you go in like and we're going to do all this shit

00:24:39
and I'll see you in three months time or I'll see you next month

00:24:41
and see how your shit's doing, and I don't like it.

00:24:44
I do like it because it at least helps guide and there are

00:24:47
some instances when you're more involved and depends on how much

00:24:50
time and effort.

00:24:51
But for the most part you kind of go in, you're like and I'm

00:24:53
going to drop some shit on you and I'm going to bug off.

00:24:55
We've done with pen testing for fucking 24 years being inside as

00:25:00
the CISO.

00:25:01
I live and breathe it every single day.

00:25:03
You know I have to walk in there every single day and I

00:25:09
walk out every single evening, or I'm there what?

00:25:11
Three days a week.

00:25:11
But I walk in and out of that place and I'm like how do I do a

00:25:17
more efficient job?

00:25:17
How do I help my team?

00:25:18
How does my team do a more efficient job?

00:25:20
How do we help protect?

00:25:21
How do I help understand risk and work out probability for

00:25:26
what's going to hit this organization?

00:25:27
And you know, you think about it.

00:25:29
We are building supersonic airplanes and we're building

00:25:32
them for all sorts of interesting people, and so we

00:25:35
have all sorts of really freaking cool tech.

00:25:37
And so you have your traditional SBNRs, you have your

00:25:40
camera SBIs and all those other shit.

00:25:41
And then we've got a whole bunch of nations that are

00:25:43
building some really cool tech.

00:25:44
Rather than actually having to rebuild the wheel, let's just

00:25:47
steal yours instead.

00:25:48
And so the profiles of the organizations and the people's

00:25:53
and the teams and the tactics and all that stuff are obviously

00:25:55
evolving and changing.

00:25:56
So I enjoyed that, this game of chat.

00:25:58
So let's face it Inside, boom, it's a small organization.

00:26:01
It's a bunch of crazy amazing engineers and a bunch of people

00:26:04
just making sure that we get this fucking airplane off the

00:26:06
ground.

00:26:07
So I love that.

00:26:09
I love the engineering, I love the geekness, I love the fact

00:26:11
I'm messing around with airplanes in a legitimate way

00:26:14
for a change, rather than getting yelled at for doing it.

00:26:16
I also love the fact I'm challenging and able to change

00:26:20
the entire industry Because, again, how things have been

00:26:25
built and designed to put together is maybe not how we

00:26:27
want to do in the future.

00:26:28
So I'm able to influence that really, really effectively

00:26:31
because I'm responsible for physical and digital security,

00:26:34
especially on planes, and the corporation side as well.

00:26:36
I'm also able to give back, which is what I also love as

00:26:40
well, because, again, you know, as a, as a CISO inside a company

00:26:43
, I got a checkbook.

00:26:44
It ain't huge at the moment because we don't have a ton of

00:26:46
money, but it's big enough that I can actually go to some of the

00:26:49
people that I've loved and worked with and known and talked

00:26:51
to over the years.

00:26:52
Hey, fancy coming in and giving us some help.

00:26:55
That part alone has been absolutely fantastic being able

00:26:58
to do that and then building up the team.

00:27:00
You know there's people I've known on LinkedIn for a while.

00:27:02
I'm like, hey, want to come over and come give us some help.

00:27:04
So that's been, that has been fantastic.

00:27:10
The challenges are I'm now inside a corporation, and albeit

00:27:15
a dynamic one and albeit a very good one of the flu, it's still

00:27:18
a corporation.

00:27:19
It still has legal people is to have people, team people.

00:27:22
It still has finance people.

00:27:23
I've got CEOs and presidents, and so they thankfully knew what

00:27:28
they were getting into.

00:27:29
So there is an upside to that.

00:27:31
I didn't come in as an unknown quantity.

00:27:32
They came after we had conversations and then also

00:27:36
Charles, who was our CIO, did a really good job of laying some

00:27:40
amazing groundwork for me to walk into, so I didn't walk in

00:27:42
cold, which was also obviously fantastic.

00:27:44
But it's still a corporation, which means I still have to sit

00:27:47
down and work with the CFO.

00:27:49
I still have to.

00:27:50
There's lots of things that I have to do that are very

00:27:53
business at scale and corporate look and feel, but not too

00:27:58
corporate looking.

00:27:59
And who runs our people team is absolutely amazing.

00:28:03
The ability to just hit her up on Slack and have a conversation

00:28:06
is fantastic.

00:28:07
Blake, the CEO I can yak with him in the corridor when he's

00:28:11
not out and about doing crazy amazing things for us.

00:28:14
Kathy, who's the president, is another one of us being able to

00:28:17
stop in a call way conversation.

00:28:19
But there's still also the formality.

00:28:22
They're still like hey, we have reporting to do.

00:28:24
I have to report out to the, to the board of directors, every

00:28:26
quarter.

00:28:27
I have slides that are responsible for.

00:28:28
I have finances that were responsible for.

00:28:30
We have people.

00:28:31
You know it's, it's.

00:28:33
I still get a geek out.

00:28:35
I still get a crazy shit.

00:28:36
I'm building some amazing artificial intelligence stuff.

00:28:38
I'm able to mess around and build.

00:28:40
Some of the team folks up were amazing and dealing with all

00:28:42
sorts of stuff.

00:28:43
But it's also the corporate side of the work that I have to

00:28:47
tread a little more.

00:28:48
I can't walk into my pajama bottoms anymore.

00:28:50
That's part of the way I did that.

00:28:51
On day three, day one and day two I wore trousers.

00:28:53
Day three, I walked into my pajamas and then day four, I got

00:28:58
a message going please don't wear your pajamas anymore.

00:29:00
So you know there's balance.

00:29:04
Speaker 1: Yeah, you got to.

00:29:05
You got to test the boundaries.

00:29:07
You know how else are you going to know that they're there?

00:29:09
Speaker 2: Exactly At least I didn't do.

00:29:11
Years and years and years ago and this was, this was years ago

00:29:14
this was dot com dot bomb days.

00:29:16
So it shows you how well I was.

00:29:17
I was down in Atlanta going through some personal stuff.

00:29:21
There was a shit show and I was working for a company that

00:29:25
didn't make it through the dot com dot bomb days and it was one

00:29:29
of the final board meetings and it was board meeting with the

00:29:31
investors and it wasn't going to be a pretty one and I was.

00:29:35
The things were not going in the right direction and I was a

00:29:38
little aggrieved at some of the stuff.

00:29:40
I walked in in a bath towel.

00:29:42
That was it, now that I had underwear on, but I walked into

00:29:45
the board meeting in a bath towel.

00:29:47
Yeah, at least I haven't done that yet.

00:29:50
So you know, there's still some hope.

00:29:55
Speaker 1: That must have been a pretty interesting meeting.

00:29:58
Speaker 2: No, yeah, that went down about as well as you can

00:30:00
probably expect, I was yeah.

00:30:04
Speaker 1: Were you still employed after that?

00:30:06
Speaker 2: I was.

00:30:07
Yeah, I was, I was, I made my point.

00:30:11
No, I made my point.

00:30:12
I'm literally a little blunt.

00:30:13
And then you probably most expected.

00:30:16
But yeah, that was the same company where you know you're

00:30:21
out there going for funds and you have no negotiation.

00:30:24
I mean, yeah, it's kind of like boom.

00:30:25
Same thing with pre-revenue.

00:30:27
So you know every dollar counts .

00:30:29
And back in this other company, back in the days that the dot

00:30:34
com bill bomb does, we were every penny counted.

00:30:36
And yet the C, one of the sea levels I don't know which one he

00:30:41
was went out and bought himself and this has got about 20 years

00:30:45
, so these desks were rare and expensive bought himself one of

00:30:49
these, the desks, the elevating desks with all the bells and

00:30:52
whistles, and then then came up and denied us a whole bunch of

00:30:56
stuff we were trying to do to make the product better so that

00:30:58
it would sell.

00:30:58
So one evening we were like fuck it.

00:31:01
So we ended up literally crawling across the roof tiles

00:31:05
and we wired up the flippers on the pinball machine to the up

00:31:08
and down arrows on his fricking on his desk.

00:31:11
So yeah, revenge is sweet sometimes.

00:31:16
Speaker 1: Yeah, that's like in this industry if you're going to

00:31:20
get revenge on someone, it's typically like pretty.

00:31:23
It's pretty like intense.

00:31:26
Speaker 2: Oh, yeah, there's.

00:31:27
There's no half measures.

00:31:28
I mean there's.

00:31:30
I mean with, I mean that that is one downside to us.

00:31:34
I mean we can be vicious at times and the problem is we know

00:31:36
how to do it.

00:31:37
I mean that's, yeah, there's, there's a.

00:31:41
There was a cartoon strip I don't know if it's still going,

00:31:43
it was this.

00:31:44
It was called techies United or text United.

00:31:47
I think it's called techies United and the main character,

00:31:50
female female protagonist, techie us like amazing God, like

00:31:55
skills type of things, and she's the juror.

00:31:57
I you might remember, you might not know.

00:32:00
Oh gosh, what the hell was it?

00:32:03
Ah, um, no, what was the?

00:32:09
The help that?

00:32:11
Oh God, what was that freaking thing?

00:32:13
It was used to be on BSD and then it was.

00:32:16
It ended up.

00:32:16
Oh God, it was the tech.

00:32:18
It was that ultra sarcastic tech support yeah, I have, is

00:32:25
somewhere.

00:32:26
Bastard operator from hell, blfh .

00:32:28
If you've got a few I don't know if you've ever got anybody

00:32:32
that's listening in on this if you've never ever read any of

00:32:35
the original B O F H bastard operator from hell, you almost

00:32:39
have to go back and read them.

00:32:40
They are terrible but they epitomize what our industry used

00:32:45
to be in kind of history.

00:32:47
They actually epitomize exactly what many of us think in our

00:32:50
heads when we're dealing with our industry.

00:32:51
There was this.

00:32:52
I know where the hell we were going with this.

00:32:54
There was this text script and she's the main protagonist.

00:32:56
He's basically the modern day version of BFFH and she's, like

00:33:00
you know, somebody invited around a day from the marketing

00:33:02
department and they pissed her off, so he just basically turned

00:33:04
off the electricity in his entire area.

00:33:06
I'm like, yes, perfect.

00:33:11
Speaker 1: Wow, wow.

00:33:16
Speaker 2: That is wild.

00:33:17
Oh, I mean, good, god's alive.

00:33:19
I mean I remember how many years ago it was it was several

00:33:25
years ago sitting at one of the security conferences and a bunch

00:33:28
of us got a wild hair up our ass.

00:33:31
We're talking about space, in the space station, and I think

00:33:35
it was like LA or somewhere like that just announced that they

00:33:40
all of their nighttime lights, or their like all their lights

00:33:44
the street lights had all gone wireless.

00:33:45
Not half an hour later we're in their systems and we are trying

00:33:51
to figure out how to send a Morse code message to the space

00:33:55
station using their lights.

00:33:57
I mean just stupid.

00:34:00
Yeah, I mean it's so much fun, but this comes back in there.

00:34:05
When you install this shit, don't leave defaults on place,

00:34:08
please, admin, admin, yeah, I can do a little bit better on

00:34:10
that, please.

00:34:12
Speaker 1: It's like how much can I do and how high is the

00:34:17
felony that I'm going to get?

00:34:18
Am I willing to accept that felony on the record?

00:34:23
Speaker 2: Oh, yeah, just another.

00:34:25
Another time the feds are, but actually the feds haven't been

00:34:27
to this location yet lesson, so I've got to.

00:34:31
I think it's been about a year and a half, maybe two years,

00:34:34
since I've had a visit from the feds to the doorstep, so I'm

00:34:37
about due for another one.

00:34:38
I got to find I had to explain myself as I'm Saudi Arabia last

00:34:43
November at a conference and I stood up on stage and I'm like,

00:34:48
okay, yeah, and it was a conversation was about taking

00:34:51
the digital realm and turning into a very much more human

00:34:53
experience and for whatever reason, I got after the Royal

00:34:57
tankers.

00:34:58
I done stupid things without on the side stage and I'm on the

00:35:00
main stage and his Excellency is there and so I'm sitting down

00:35:04
like all right, let's talk about camels.

00:35:05
And you could tell they were like this is a cybersecurity

00:35:08
complex.

00:35:08
Why are we talking about camels ?

00:35:09
Hold on a minute.

00:35:11
And so I brought up his Excellency's camels and he's got

00:35:15
some like 8 million US dollar camels.

00:35:17
He's fucking.

00:35:18
Things are expensive.

00:35:18
You should pageant camels.

00:35:21
We're not to him racing, we're talking beauty pageants.

00:35:23
Okay, dude, do research is fucking amazing.

00:35:25
These camels are expensive and they win lots of money and they

00:35:27
make losses.

00:35:28
Racing camels are expensive, but what they all have is

00:35:30
they'll have chips in them and they all have like predominant.

00:35:33
They all are stupid shit.

00:35:34
So I took the stuff I'd done with hacking the cows and I

00:35:37
rehashed it, figured out the satellite systems that they used

00:35:40
, broke into a Chinese similar satellite and I swapped his

00:35:44
entire herd with this herd of like roaming camels in the

00:35:48
middle of steps fucking out of Mongolia and his apparently

00:35:52
their team then called up their head herder and is like check

00:35:54
your camels and is like my camels are here.

00:35:56
No, check the database.

00:35:57
Why am I camels in China?

00:36:00
I'm like that was a perfect way of going.

00:36:03
There is the physical world.

00:36:04
There is the digital world.

00:36:05
Which one are you going to believe?

00:36:07
Yeah, you tell me which one's long.

00:36:13
Speaker 1: It always gets it all always gets like a little scary

00:36:18
right when the two worlds kind of merge right and they're

00:36:22
already slowly merging together.

00:36:25
I feel like right.

00:36:29
Speaker 2: Yeah, absolutely.

00:36:30
And when you start looking at text going and you start looking

00:36:33
at biotech and nanotech and the stuff that we've been able to

00:36:36
pull out of the brain now you start into a point you're like

00:36:39
okay, and chat upd is a perfect example of this is like okay,

00:36:44
how do we tell 8 billion people how to tell truth from a lie

00:36:47
when most of them don't think beyond the next footstep or the

00:36:51
mouth to let alone?

00:36:52
No matter which news channel you follow, no matter whether to

00:36:56
question that or just accept the fact that we've been told, I

00:36:58
mean, it scares us not out of me.

00:37:02
Speaker 1: Yeah, that is becoming a more and more

00:37:05
prevalent issue that we're running into.

00:37:08
How do you know you know what you're being told is actually

00:37:12
the truth?

00:37:12
How do you know if that fact checker that is telling you that

00:37:16
it's the truth or that it's false is not having, you know,

00:37:21
some sort of outside influence to influence you in a certain

00:37:25
way?

00:37:25
You know like that's a great way to influence millions of

00:37:29
people all at the same time is create your own fact checker.

00:37:31
Have the fact checker you know sway to a certain side, have it

00:37:36
become reputable.

00:37:37
You know like that's a very easy attack that anyone in

00:37:41
security has done themselves.

00:37:43
You know, several times.

00:37:45
Speaker 2: Yeah, I mean we should.

00:37:46
We did it with DNS for crying out, let's face it.

00:37:48
I mean that was the fun thing with DNS.

00:37:49
I mean you know, it's how we do .

00:37:52
I do it, I'm so doing an airplane.

00:37:54
I don't do it on airplanes because that would be a terrible

00:37:55
thing to do.

00:37:56
I do it when I'm stuck in somewhere for an extended period

00:37:58
of time.

00:37:59
I'll fire up my bloody offer at my antennas and then I'm

00:38:03
serving people up what they think is their website.

00:38:05
And it's amazing how often, when I'm stuck in these places

00:38:08
for a period of time, that towards the back of said said

00:38:11
tubes that are that are doing things, that all of a sudden you

00:38:14
hear hamster dance and I'm like , ah yeah, you enter a website.

00:38:17
You probably shouldn't have gone to it and you ended up on

00:38:19
one of my.

00:38:19
I mean this is easy stuff.

00:38:20
We've had that ability to do that for as long as DNS has been

00:38:24
around 20 plus years for crying out loud, and now it's getting

00:38:28
even easier and even simpler and you can do it on mass and I

00:38:31
don't have to use hard tech to do it to your point.

00:38:34
I can take over a fact checker.

00:38:36
Speaker 1: Hmm, yeah, you, you, you bring up.

00:38:40
You know, doing it in enclosed spaces and with Defcon coming up

00:38:44
right.

00:38:45
I'm thinking about my flight a little bit more, all right, and

00:38:49
I'm already an anxious flyer, and a couple weeks ago I had

00:38:54
Mike Jones on the podcast from the hot to the hacker podcast.

00:38:57
Speaker 2: I love him.

00:38:59
Speaker 1: And he's great, he is .

00:39:03
Well, we were.

00:39:04
We were just talking about traveling, you know, and I asked

00:39:07
him somehow we got around to it right.

00:39:09
And I asked him are you ever worried when you're flying?

00:39:12
Right, Because you're such an experienced and skilled hacker,

00:39:15
you kind of know what's possible , you know what's out there,

00:39:17
right?

00:39:17
Yeah, and for me, you know, I may not be able to do it all,

00:39:22
but I certainly know what's there.

00:39:23
And so when I'm flying, especially the Defcon, I'm like

00:39:27
on edge, like All right, who has the terminal open?

00:39:29
What the hell are they actually doing in that terminal.

00:39:32
Speaker 2: That's out of the maintenance computer you must.

00:39:36
Speaker 1: Yeah, exactly, you know, like, do you ever, do you

00:39:41
ever go down that thought path as well of like, or are you the

00:39:46
one that has the terminal open?

00:39:49
Speaker 2: Yeah, if somebody else has got terminal, the

00:39:50
chances are they're going to find me in there as well.

00:39:55
Speaker 1: Mike was telling me that he's only afraid to fly if

00:39:57
you're on the plane.

00:39:58
Speaker 2: Oh yeah, no, we're about to do loop the loops over

00:40:02
some bloody airport or other for shitting giggles.

00:40:04
Oh yeah, I've said that to a few people.

00:40:07
If I ever catch you on the same airplane that I'm on, we are

00:40:10
like diverting, we are going to have some fun.

00:40:12
End of conversation.

00:40:13
Despite whatever he says, we're going to have a little bit of

00:40:16
fun.

00:40:16
No, it's.

00:40:17
I say that in jest for all the federal authorities that are

00:40:20
listening in.

00:40:21
You don't need to come to the door this time.

00:40:23
Neither do you need to put official complaints into Boom

00:40:25
Supersonic.

00:40:25
I play nice.

00:40:29
Speaker 1: Well, that's probably why Boom Supersonic is

00:40:34
potentially like the best fit possible.

00:40:36
You know, like who else are they going to go to for their

00:40:39
CISO?

00:40:39
That understands the space better than anyone else really?

00:40:44
Speaker 2: What were you going to say?

00:40:44
Sorry, no, I say that was honestly, that was a big part of

00:40:50
it, because I'm like you all do know who you're talking with

00:40:52
and they're like yeah, that's why we're talking with you.

00:40:54
And I love it, because now it's a challenge for me, because I

00:41:00
want to be very, very, I want to come to the industry.

00:41:02
I'm not saying a contrite way, but I want to come to the

00:41:06
industry in a way of like hey, here's what we're doing and

00:41:10
here's why we're doing it our way and here's why we're doing

00:41:12
it differently.

00:41:13
And here's the logic behind it, rather than coming to you and

00:41:15
going, you're all wrong, because you didn't fucking listen back

00:41:19
then and because that won't work If we come to them and go hey,

00:41:22
look, here's, here's.

00:41:23
We took a look at the problems, we took a look at the challenges

00:41:25
and, despite what all of you say, there are challenges and

00:41:29
therefore let's look at them through a very clear lens and go

00:41:33
how do we effectively reduce the potentials and probabilities

00:41:38
?

00:41:38
How do we understand the risk?

00:41:40
And then, how do we manage it, mitigate it, quantify it and do

00:41:43
everything you know, from a chip level all the way through to a

00:41:46
system and architecture and resolution level and, from my

00:41:48
standpoint, my job is to basically build a self-healing

00:41:51
aeroplane, and that's what I'm building.

00:41:53
So it's kind of a cool way of dealing with it.

00:41:55
So it's it's.

00:41:56
If I come to the industry and that way and go hey look, we

00:42:00
learned, we understood, we've come with better ideas, would

00:42:02
you be willing to listen?

00:42:03
And even if somebody else has to champion and champion this, I

00:42:06
love you know, kathy, who's the president over there, is

00:42:09
fantastic because she can champion those which I would

00:42:11
absolutely love to see her do, and I'll just feed the stuff and

00:42:15
off we go and boom, the organization gets the credit.

00:42:17
On.

00:42:18
My best of both worlds, let's go.

00:42:20
I think if we approach it that way, we'll see change in the

00:42:23
industry because we've got some amazing partners that we're

00:42:25
hanging out with.

00:42:25
And I think the other part of it is as well.

00:42:27
As you know, we we're making airplanes.

00:42:29
So when we go to I mean, you mentioned United, america,

00:42:33
united, and who are the ones that want banned from most of

00:42:38
them America, you know, when we go to them and we go, hey look,

00:42:42
here is the plane, here is all the architecture, here are the

00:42:46
systems and here's all the safety and security that we have

00:42:48
elevated inside this.

00:42:50
It's going to make them look around to go well, we don't have

00:42:53
that from our other suppliers.

00:42:53
Let's go ask them the awkward questions and they will be the

00:42:58
ones that champion change.

00:42:59
That's kind of what I'm looking for.

00:43:02
And you know we're hoping for.

00:43:05
Speaker 1: That's probably the only way.

00:43:06
That's probably the only way to do it in that industry with

00:43:11
without having a plane go down due to a cybersecurity reason.

00:43:14
Well, I mean that was the.

00:43:16
Speaker 2: I mean, that was that's where I got to.

00:43:18
You know, I'm sitting.

00:43:19
I was sitting in some very, very senior people's offices

00:43:23
after sitting on their airfields demonstrating what was capable,

00:43:27
and I'm sitting in their offices.

00:43:28
Going is the only time you're going to change when lives are

00:43:33
lost.

00:43:34
And I didn't get a satisfactory answer.

00:43:38
And I think that's again comes back to the protect factor.

00:43:41
You know, we have one job.

00:43:42
We have one job.

00:43:43
We have one job.

00:43:44
I mean, it's as simple as that to make sure that our passengers

00:43:47
get from point A to point B as humanly safe as possible.

00:43:50
And so, yeah, let's challenge the norms, let's do that.

00:43:55
And then let's take all the considerations.

00:43:56
And this is where we get into privacy.

00:43:58
You know, if I'm letting, let's say, 160 people onto an

00:44:01
airplane, in a, in a big, a normal, big sized airplane, or

00:44:04
in ours, you're looking, 60, 70, 80 people on an airplane.

00:44:06
So if I look at the passengers and go, how will you affect my

00:44:11
probability and what can I do to compensate for, rather than

00:44:14
tell you, no, you can't get your ass on the airplane, how do I

00:44:17
actually ensure that the plane itself understands those

00:44:21
potentials and can modify accordingly to your point so

00:44:25
somebody manages to come on like me or like Mike that's got the

00:44:28
ability to get terminal into a system.

00:44:30
Well, how does that system self heal, become self aware,

00:44:33
understand itself and mitigate those wireless flying along?

00:44:37
So there's some cool stuff I'm building and playing.

00:44:40
Speaker 1: Hopefully that's in touch with you know, by chance,

00:44:45
did you ever watch that documentary on the Malaysia

00:44:49
Airlines flight that went down?

00:44:53
Speaker 2: I did not watch, I didn't see it, but I actually so

00:44:57
I got dragged in as soon as, I think, went down.

00:44:58
I got dragged straight into that.

00:45:00
They, a number of folks, oh, wow, yeah, well, because

00:45:05
obviously a number of the potential vectors at the time

00:45:08
were hey, chris, what did you say you were able to do, and is

00:45:12
that possible on this, this, this and this?

00:45:14
And then we get into the conversation of leave behinds.

00:45:17
You know it's, can you do something?

00:45:20
And again a number of us have proved.

00:45:22
I got an amazing phone call.

00:45:24
There was a very, very dear friend of mine was sitting on an

00:45:27
Amtrak train and at the time the Amtrak's was still

00:45:30
susceptible to heart bleed and it wasn't pretty.

00:45:33
Because I mean, it was not pretty, we'll just leave it at

00:45:35
that.

00:45:36
So I get this message from him.

00:45:37
I'm sitting on a plane at the time.

00:45:39
He's like hey, guess where I'm at?

00:45:40
And he sends me this screenshot of his freaking terminal.

00:45:43
He's like you want access?

00:45:44
I'm like, oh, hell, yes.

00:45:46
So he sends me access into his so literally, and while we're

00:45:51
doing this, I'm scanning through his Bluetooth thing and blue

00:45:55
snarling, why, coming to a station, looking at the cars as

00:45:59
well, from this fucking heart bleed and we're looking at the

00:46:01
front of the train, also some other stupid shit, and I'm like

00:46:04
we literally have planes, trains and automobiles all in one

00:46:07
thing.

00:46:08
And it was.

00:46:08
It was one of those eye opening moments because, you know, at

00:46:12
that point the psycho kick had somebody from the ground

00:46:15
interfere with something on the plane.

00:46:16
Well, potentially.

00:46:18
Now the question is is what they could they do.

00:46:20
They could they do it, yeah, and all the other stuff that

00:46:21
goes with it.

00:46:22
So, yeah, I got dragged in to go, okay, could could some

00:46:25
inference have come from somebody else?

00:46:27
And like anything, where's the risk?

00:46:29
Well, it's here.

00:46:29
Where's the probability?

00:46:31
Well, depends upon a whole bunch of other criteria.

00:46:33
Is it possible?

00:46:34
Absolutely, does somebody do it ?

00:46:35
It's yours to decide.

00:46:39
Speaker 1: Hmm, yeah, I bring it up because in the in the

00:46:44
documentary on Netflix, you know they they bring up one of the

00:46:49
potential scenarios is that people on the plane actually

00:46:53
were able to, you know, somehow get into the computer that was

00:46:57
controlling the plane and, you know, take it over without

00:47:01
anyone else knowing or doing it, being able to do anything about

00:47:04
it.

00:47:05
So I mean, who else, who else you know, who better should?

00:47:09
Speaker 2: I ask Right, well, the irony of the whole thing is,

00:47:11
is that yeah, I mean I got asked about that a number of

00:47:13
times there were some of the family's lawyers go I mean said,

00:47:17
hey, look, you know, give us, give us the lowdown, and so I

00:47:21
talk them through.

00:47:22
You know the maintenance machines, the systems and,

00:47:24
depending upon the plane types, because you ask anything I mean

00:47:27
pilots are freaking crazy well trained.

00:47:29
So there are secondary, tertiary capabilities on a lot

00:47:33
of these things.

00:47:33
And then, honestly, it just comes down to what's the

00:47:38
motivation, what's the percent?

00:47:40
You know where's the risk?

00:47:41
Zero through one, simple as that, you know it's better than

00:47:44
zero, but it's not quite a one because it's not an absolute.

00:47:47
Where's the, where's the probability?

00:47:49
Well, here's all the things you have to.

00:47:51
I mean that was six, seven years worth of research and even with

00:47:54
boomers we're putting stuff together.

00:47:55
I mean, technology has advanced to such a point that you've got

00:47:59
some really cool on chip stuff and you know, on the wire

00:48:03
monitoring and also some other really good stuff.

00:48:06
That's way more efficient and effective.

00:48:08
Is it foolproof?

00:48:08
No, is it getting there?

00:48:11
It's working on it, but nothing is foolproof because there are

00:48:14
people way smarter than I am looking at this stuff.

00:48:18
Speaker 1: Hmm, you know, I think you probably have a really

00:48:23
interesting, interesting perspective that probably some,

00:48:27
some don't right, especially as being a CISO.

00:48:30
You know, you come from like almost both worlds, right, like

00:48:33
I see CISOs as like, almost like a totally, just a totally

00:48:37
different world from the world that I live in, almost, you know

00:48:40
, like I don't want to say I live in like ones and zeros, but

00:48:45
I live in the world of possibility, where it's like,

00:48:47
okay, what's the likelihood of this?

00:48:48
How do I protect against it?

00:48:49
Oh, that's a 1% likelihood, but if it happens, we go down, we

00:48:53
no longer exist, you know.

00:48:54
So how do I protect against it?

00:48:56
And things like that?

00:48:57
Where do you see, where do you see, I guess, the space going,

00:49:03
with AI becoming more and more prevalent in the space to be

00:49:08
able to do things you know, like write code and react to how

00:49:13
people are answering questions and modify responses and things

00:49:17
like that.

00:49:17
Are we getting to a place where you think that there's like no

00:49:21
turning back, there's no putting that genie back in the bottle?

00:49:24
Speaker 2: Oh, I mean that genie is out of the bottle End of the

00:49:26
car, I mean, and this, I think, is it's almost a, it's not

00:49:29
almost, it is a frustration for me Because I've been, I mean, I

00:49:34
was messing around with adversarial intelligence several

00:49:36
years ago because we were fighting, you know, we were

00:49:40
fighting what our options were, and I was doing some stuff with

00:49:42
the government boys and some other folks where we were

00:49:45
building adversarial engines to break people's intelligence and

00:49:52
actual AI systems that were meant to be there to, you know,

00:49:54
protect them from us.

00:49:56
Good fun on that stuff.

00:49:57
Now, that was very, very controlled space.

00:50:00
When DARPA did the Grand Cyber Challenge at Defcon years ago,

00:50:03
that was a very controlled space .

00:50:05
We've had, you know, watson, perfect example, very narrow,

00:50:09
very focused but very guard railed controlled space, syrian

00:50:13
or the other ones.

00:50:13
The same thing.

00:50:14
What we did with the generative stuff is we literally took the

00:50:19
pin out of the grenade, handed it to almost 8 billion people on

00:50:23
the planet said you have some fun now, and that's what we, and

00:50:26
we didn't put any guard rails on it.

00:50:28
I mean we and there are some people still sitting there in in

00:50:31
freeze mode going what do I do with this?

00:50:33
There are some people in fight mode that are now throwing that

00:50:37
grenade at the people in freeze mode and there are some in fight

00:50:41
on flight mode that are like I'm out of here, so that genie's

00:50:45
out, it's done.

00:50:46
Now what's going to be interesting to see is how it

00:50:49
develops and how it evolves.

00:50:50
So we already talked a bit about the human in the little

00:50:52
it's.

00:50:52
How do we now educate them to tell truth from lie, digital,

00:50:55
from human?

00:50:55
For me on the side, on the security side of things in in

00:51:00
the ones in zeroes and also the CSUS space, is like, how can I

00:51:03
use this as a tool and technology to help?

00:51:05
We saw it literally sore.

00:51:08
I mean we, we, we saw the evolution of of a sock and a

00:51:12
knock.

00:51:13
Go from Holy shit, I've got too much to look at to hey, how do

00:51:17
I prioritize?

00:51:17
How do I put playbooks in place ?

00:51:19
How do I orchestration in place ?

00:51:21
Now, could I have an intelligence actually do

00:51:25
something for me?

00:51:25
The answer is probably yes, when it learns my environment.

00:51:28
Great, now I've got that.

00:51:29
Do I trust?

00:51:31
It is another conversation altogether.

00:51:33
Where do I put the human into this?

00:51:34
Or do I even put humans?

00:51:35
So now those people that were trying to fight every single

00:51:40
alert and every single priority alert Connecticut step back and

00:51:42
go, hey, now I can learn my job more efficiently, now I can

00:51:46
actually look at projects rather than firefighting, and now I

00:51:48
can.

00:51:48
All these other things that now open up the possibilities for

00:51:51
them to be able to love that idea.

00:51:53
We start looking at cogeneration.

00:51:56
There's some fantastic things, but now I have to build a co

00:51:58
generating AI and I need another AI to look at its code and go,

00:52:02
hey, you'll forgot to do this.

00:52:04
A couple of really freaking cool companies over in Israel

00:52:07
did some absolutely well, the fantastic stuff with the like,

00:52:10
the anti code, gen stuff.

00:52:11
This really fucking cool stuff coming out of there.

00:52:15
We're going to use it on the airplanes.

00:52:16
I mean from an airplane standpoint, when a company sends

00:52:21
, sells you an engine, they sell you a digital twin to do

00:52:24
predictive maintenance.

00:52:25
Well, we're going to do that.

00:52:26
The my plan, obviously from the intelligence, is to do that for

00:52:29
the whole airplane.

00:52:30
Can I build and manage predictively an entire airplane,

00:52:35
and so we'll use both narrow and very general AI models to

00:52:40
determine how much of that we can do from atmospheric antenna

00:52:43
or sorts of crazy variables that no human on their own will be

00:52:47
able to figure out.

00:52:48
And, quite honestly, I'll throw some of the general AI at some

00:52:51
of the narrow models I've built and go tell me a better way to

00:52:55
do it.

00:52:56
What am I missing?

00:52:57
Can you code it better?

00:52:58
Can you be more gracious on it?

00:52:59
Can you give me models and numbers I hadn't thought about?

00:53:01
Can you learn in a way that's different than I have approached

00:53:05
this and give me a better answer?

00:53:08
And so I'm actually looking forward to being on, and I think

00:53:10
that's it.

00:53:11
If we use I mean we did, I mean Google did it.

00:53:13
Google said hey, this is how we coded you, and the engine went

00:53:17
fuck you all.

00:53:17
I can do a better job by coding myself in a language you don't

00:53:20
even know.

00:53:20
Is that going to end up with nuclear war at 430 in the

00:53:26
afternoon or Wednesday?

00:53:27
I hope not, but I don't know.

00:53:31
Speaker 1: Time will tell yeah, especially with you know, when

00:53:35
you have countries that are sending balloons over your

00:53:38
nuclear sites.

00:53:42
Speaker 2: Okay, all right, you've done government shit.

00:53:45
Why didn't we just shoot the fucking thing down over Alaska

00:53:48
and not say a bloody word?

00:53:49
Really Right, I mean, we knew it was coming.

00:53:54
This is not.

00:53:55
I mean, why the fuck did we wait until it got over the

00:53:59
central area nesting grand, basically my neck of the woods,

00:54:02
for all of you are paying attention where we have all of

00:54:05
our nuclear is in our cornfields .

00:54:06
Why did we wait until it got to there before we shot the studio

00:54:09
?

00:54:09
And we'll shoot it fucking down in private, like we've done

00:54:11
with all the other ones.

00:54:12
You're bunch of muppets.

00:54:14
Speaker 1: Right, I mean they act like they.

00:54:19
They act like they didn't know that it was like coming or

00:54:21
something like that.

00:54:22
You know it's like you can't tell me that when you have like

00:54:26
three agencies that all that they do is monitor things that

00:54:30
go from the ground to the sky, you know like that's all that

00:54:34
they do.

00:54:35
Yeah.

00:54:36
Speaker 2: Yeah, and they're really good and for the most

00:54:38
part I'm your phrases.

00:54:39
For the most part they're really good at it.

00:54:43
Speaker 1: Oh my God, it's insane.

00:54:50
Speaker 2: I, I, I don't know if it was a PR effort or if it was

00:54:52
a who knows I.

00:54:55
I don't even want to speculate on that one again.

00:54:59
Speaker 1: I probably never know .

00:55:01
Speaker 2: No, and I think that's it.

00:55:02
It's somewhat frustrating because you know we've been at

00:55:06
war arguably since late 90s, maybe early 2000s, pick your day

00:55:12
.

00:55:12
I mean, we've been at war in the digital realm for the last,

00:55:14
I'd say, 20, 25 years and I think the average person just

00:55:18
doesn't understand that or doesn't want to, doesn't need to

00:55:22
, potentially doesn't understand it.

00:55:24
Speaker 1: And.

00:55:25
Speaker 2: I maybe can't even grasp it.

00:55:26
I think that's the other problem we've been rerun into

00:55:28
because you know people.

00:55:29
I've always said humans won't change until you literally have

00:55:33
to crawl over your relatives to get to your keyboard.

00:55:36
When that happens, maybe humans will change, but until you've

00:55:39
literally got a, you know grandma, grandfather, kids,

00:55:42
family and everything else are laying their spleen out because

00:55:45
of whatever happened.

00:55:46
You got to crawl over them to get to your social media.

00:55:48
That's probably when the rest of humanity might actually pay

00:55:51
attention.

00:55:53
Speaker 1: Yeah, it's, um, it's an interesting problem, I guess.

00:55:59
Right, because no one wants to really admit it, but the

00:56:02
professionals in the field are more than willing to say like,

00:56:06
oh, yeah, we've been at cyber war with China and Russia and

00:56:10
Iran.

00:56:11
You know, there's a reason why my podcast is black hole and all

00:56:15
those countries, right, it's because, like I, I don't care

00:56:18
about saying like, hey, we've been at cyber war, you know that

00:56:21
when they've been trying to, you know, do malicious things to

00:56:25
us actively and vice versa, right, like we probably, we're

00:56:31
probably doing the same thing, right, but it's like the, it's

00:56:37
almost like every administration is very against just calling it

00:56:40
what it is, out of fear or something like that.

00:56:44
I mean, I, what?

00:56:45
80, 90% of the population won't even understand what that is.

00:56:51
Speaker 2: Okay, so let me put a scenario to you and I'll tell

00:56:53
you why we.

00:56:53
I tell you, I'll tell you, let me give you my theory on why I

00:56:56
think that is.

00:56:57
Where are you based out of?

00:56:59
I can't remember.

00:57:00
Off the top of my head, oh, I'm in Chicago, all right, so

00:57:04
you're in a relatively civilized area, neck of the woods.

00:57:07
So now let's, let's transport ourselves to the Alabama's and

00:57:11
the Texas's office world.

00:57:12
Okay, so you and I are government officials and we step

00:57:17
outside and we step up to the podium, where where Texas and

00:57:21
Alabama and everybody is listening and Tennessee will

00:57:23
throw Tennessee in their door.

00:57:24
And they're listening because they trust us, because we've

00:57:27
told them to trust us, and most of them, for thump, dump reason,

00:57:29
are actually believing us.

00:57:30
Okay, we stand up, we go.

00:57:31
Those little Chinese people are attacking us and they're a war

00:57:37
with us and they're stealing everything from us and they're

00:57:40
taking us.

00:57:40
We must take up arms and fight with them because we declare war

00:57:44
on China.

00:57:45
Every Chinese restaurant shops more, more ownership person.

00:57:55
You want to go about persecution on a mass scale.

00:57:59
Holy shit, if you ain't white and American, you be fucked.

00:58:05
I mean it would be.

00:58:08
People wouldn't understand the difference between physical and

00:58:12
digital war it would be.

00:58:13
I mean, it's already bad enough if you don't look the right way

00:58:17
In this country and other countries as well.

00:58:19
Let's not just pick on this country, other countries as well

00:58:22
.

00:58:22
If you don't look the right way or the right color, or holding

00:58:27
hands with the right person, You're gonna get persecuted.

00:58:30
Now you accelerate that by declaring outright war against

00:58:36
Russia, china and half a dozen other countries.

00:58:38
I mean.

00:58:43
I mean it would get real nasty in the physical world really

00:58:47
quickly.

00:58:47
That's my opinion.

00:58:48
I just don't think people.

00:58:51
I don't think people can deal with it.

00:58:55
I think people can deal with it's a really good point.

00:58:58
Speaker 1: I actually never thought about it like that, of

00:59:01
the actual repercussions from people probably not

00:59:05
understanding what it actually is, right that they're being

00:59:09
told and then overreacting in ways that are just above and

00:59:14
beyond what anyone would need or want or expect.

00:59:19
Speaker 2: Even why me?

00:59:20
Okay, so let's take a step back .

00:59:22
Let's look at history.

00:59:22
History is not kind to this kind of stuff.

00:59:25
You got to 1930s, 1940s.

00:59:27
German propaganda I don't know if anybody's here is from

00:59:31
Germany, I mean it's history to propaganda basically said that

00:59:34
the Jewish population is taking all the best jobs, has all this,

00:59:38
has all this is taking stuff from from Germany and it's

00:59:42
taking the German might down and who you're not well, didn't

00:59:46
know what's.

00:59:47
Six million, seven, six plus million Jewish people Paris,

00:59:52
because of that persecution.

00:59:53
I mean you can imagine what would happen in this, in this

00:59:56
country If I'm not just this country, in this country, now

01:00:00
the country's if we certainly took the digital world into the

01:00:03
physical realm and said if you are, you are now my enemy, and

01:00:08
too many people would take that as an opportunity.

01:00:10
Step up, an exact revenge.

01:00:13
Basically, I got a horrible feeling.

01:00:15
That's what we people, people, individuals are not bad.

01:00:19
Humans together are not nice.

01:00:23
We just on.

01:00:27
Speaker 1: Yeah, that's a really good point, well.

01:00:30
Well, chris, you know I really appreciate you coming on and I

01:00:33
feel like we go for another hour or two.

01:00:35
But you know, yeah, absolutely.

01:00:40
Hopefully not in two years, you know be a little bit sooner

01:00:43
this time, but you know I always enjoy our conversations, chris.

01:00:48
Speaker 2: I same thing.

01:00:49
I absolutely I was.

01:00:51
Yeah, I'm, yeah, let's just.

01:00:52
I'm so freaking glad to be back on thank you and Favorite

01:00:56
listing as well.

01:00:56
Thank you very, very much, joe.

01:00:58
You're freaking amazing and good luck with the rug as well.

01:01:00
Like big time.

01:01:01
Good luck with the rug and give the young lady out as well,

01:01:03
please.

01:01:06
Speaker 1: Yeah, absolutely.

01:01:07
I need all the luck that I can get with raising this little

01:01:10
monster.

01:01:12
Speaker 2: Teach you to be a hacker.

01:01:13
You mean good shit.

01:01:15
Speaker 1: Yeah, absolutely Well , chris, you know I really

01:01:19
appreciate you coming on and I hope everyone enjoyed this

01:01:22
episode.