You've heard of Boom Supersonic, right? Let's journey into the mind of its CISO, Chris Roberts, our most sought-after guest yet. His tales of transitioning to self-employment, battling the IRS, and the challenges of running his own company are nothing short of enlightening. This episode not only explores Chris's professional journey but also offers practical advice to aspiring entrepreneurs.
Navigating the labyrinth of self-employment can be daunting. Chris opens up about the unexpected costs and the importance of consistency and responsibility. The conversation expands to his role at Boom Supersonic, where he promised his staff that he would never make them look like fools. The implications of this promise, along with the challenges of handling multiple phishing tests, are discussed in depth. We then venture into the realm of corporate bigwigs, exploring Chris's experiences in the corporate environment, the unique opportunities it presents, and his memorable board meeting attire.
But that's not all. We delve into the merging of the physical and digital world, exploring the challenges of distinguishing truth from lies in an uncertain environment. Cybersecurity enthusiasts will relish Chris's insights on how hackers exploit these situations. His fears of who may gain access to plane systems, the potential implications of AI, and the reality of cyber warfare are sure to keep you on the edge of your seat. We wrap up with a hearty discussion on the public perception of these issues and why it's crucial to take them seriously. This episode is a treasure trove of insights and advice on self-employment, corporate life, and cybersecurity.
Speaker 1:Well, Chris, it's really good to have you back on. I think you're probably the most requested guest to have back on ever. I get paid more about you coming on than anyone else.
Speaker 2:It's almost frustrating. I'm sorry, I'm humbled, honored and scared all at the same time. I was thinking about this before we were actually talking. I was thinking about this because we'll get into it in a minute. I did something this morning. I did an award ceremony thing this morning and I did it and I just I walked out. I actually walked out halfway through it because it wasn't real, it was just, it was scary. Yeah, this is what I just about doing. These ones, these are just its reality, and it's yeah that scares me about the guest thing.
Speaker 2:Well, I'm honored. I will try not to let people down. I said I could. I was actually a few minutes late because, partly because I was sitting on the wrong, on the wrong stream, which is my own fault, but also I'm like I was at. That is at that point in time of the day and it's raining as well, and it's at that point time of the day when I really need a good, strong cup of tea. So I got my cup of tea. So goodness knows what the hell's going to happen. You might have to hit the bleep button a few times.
Speaker 1:Oh, no worries on that. I mean you've been on here before. The podcast is unfiltered for a reason right?
Speaker 2:I'll be fucked at this point in time, people. Yeah that is very true.
Speaker 1:Well, Chris, you know, I think you know the last time you were on, you were you were running your own company. Still, I believe it was you know you were still doing consulting. You haven't quite, you know, made the transition or anything. Yet why don't we talk about, like, why you made that transition? Because I feel like there's a lot of people, or at least there's a small subsection of us within the community that you know the dream is to actually get into consulting, work for yourself and do that whole thing right. I have, I've been uncomfortable with the IRS enough times to, you know, be okay to not go down that route, right.
Speaker 2:Yeah, I'm actually, ironically, I'm having conversations with our wonderful IRS system at the moment because they and I do not agree on some of my taxes from literally 2014 onwards. Oh my God, yeah, so I we're at loggerheads and now got somebody else involved to help out sort of our situation and I think you know it's. It's all down to the company stuff and I and the stupidity of it is, and a lot of people listening and they're going to understand this one because they know me well enough my whiskey case so my whiskey case is is part of who I am. It's. I take it to conferences, I share it, we do stuff for charity with it, we, we go down to right time, the watch is placed here and we do watches, whiskeys and work events. It is, it's, it's part of who I am.
Speaker 2:These days Now you sit down with an IRS agent and you go, hey, so I bought some whiskey on the company and they're like well, you know, if I sent a statement, I'm actually, no, it's business development. Well, no, it's entertainment you can become. I'm actually. You know, it's business development. I'll sell them. By the way, some of it's for charity and some of it I don't even bother claiming because it's too much. I'm like here's the amount and here's what I'm claiming and here's what I'm asking for. And just just that one thing, that if they stepped out of their own world and went oh yeah, you know, we'll do a little bit of background research and most in on the guy and actually go oh yeah, the, you know, the guys I rolled it up at GrrCON last year, year before last at GrrCON we raised a couple of grand for charity. We're going to do the same thing, I think Columbus I'm talking to new spire and we're going to try and do the same thing out at Columbus BSides. I'm going to bring the whiskey case with me and we'll do a for charity there as well.
Speaker 2:And it's, you know, it's, you try to explain it to the IRS and that that confuses us. It's not a, let alone the fact that changed costs every five minutes. That that alone should should allow me the the ability to just throw myself off the cliff when it comes to trying to forget that. So yeah, if you're going to go into start your own company or run yourself as a Schedule C, or any of that stuff, one, keep stupid good records. Two, go in with your eyes wide open. Three, use QuickBooks. And four, get yourself a damn good accountant who is validating for you, because it ain't pretty and, yeah, you can. You can mess with some numbers and you can fudge a little bit and you can play a little bit. I mean, you know IRS expect that, but yeah, you better just keep it tight. And then, by the way, put some money aside for when you have to pay for the lawyers to fight the fact that the IRS doesn't agree with the fact that an Arduino is seen as a tool versus a beast.
Speaker 1:Yeah, it's a. It is challenging, you know, like I don't even. I don't even do that much business. But the issue is the side work, right, so I'll do these side projects and whatnot. And with these side projects I mean, sometimes I'll get through them in, you know, a week and I'll forget that I did them, even you know, when it comes next year. Sometimes it takes me five months to get through a side project, right, and man, it's like trying to keep track of all that is just insane, especially when you're going back a year, you know, and so, like now, I have to keep like meticulous records. I actually got an accountant to actually help me through all this stuff, you know, because I'm at the point where it's like I have to deduct an uncomfortable amount and to me, right, growing up poor, to me it feels wrong. Oh why. To everyone else, you know, it's like, oh, this is nothing, but for me it's like I don't know.
Speaker 2:It's money's money at the end of the day. I mean, when you've got to take a quarter or a third of what you put, of what you bring in and it's some of it's freaking hard work to bring that in and you got to put a third or a quarter of that aside and go, hey, that just has to sit there, or I got to pay that in in advance. Whichever method you're using, yeah, it's, it sucks. And I mean I, you know to your point. Last time we're on I, we had Hillbilly Hit Squad which we ended up closing down at the end of this past year. And closing it down is going to be an interesting one because I still haven't sorted out with taxes on that one yet Because when we closed it down we divided up the assets. And so how that? I mean we had a watch collection, because we had, we were building up a watch rental company I lost two thirds of the whiskeys. So, even though I still have a couple of hundred bottles, I lost the best part of four or 500 bottles of whiskey because I had to divide up the asset, because they were bought under the company and I'm quite the fact that for the most part I was doing most of the business and the work and the consulting. The agreement was signed that all three of us would get a complete, even split, no matter what, and so that was a bit of a painful bit, of a painful December January, shall we say. From just a mental state, I did not sit well on a few different reasons, especially when somebody close to me Turner said hey, by the way, there's still, you know, $20,000, $30,000 worth of stuff that needs to be paid for over here. And I hit the other guys up and said, hey, we need some of that stuff back to pay the bills. And basically I got to fuck you. So that came out of my money. So that was another $20,000, $30,000 worth of unforeseen expenses. So I ended up selling quite a number of the watches that I had.
So I had a couple of nice ones, but like the couple of Rolexes, the Tudors, couple of the Grand Seiko, some of the other stuff I'd actually really liked, end up going up for sale to pay towards just all the legal stuff and then the money outstanding on closing it down.
Speaker 2:Yeah, it's tough, I'm still doing some side stuff, but I have scaled way back. You know, when somebody hits me, I'm down and says, hey, we want a pentest done. First call is almost to Amanda Nickerson. I'm like, hey, does Chris and you and the team want to do this? And I just put the two people in touch. I'm like, go do, just go deal with it and it's all yours, because I really I don't want to get involved in much more. I'll do the occasional pentest assessment. I'm doing some consulting, I'm doing some threat intel stuff with a couple of folks, but, yeah, I've scaled it way back.
Speaker 2:Honestly, most of the stuff now that are from like a side income standpoint is there are out of all of the actually you know this is I think I put the post up there out of all of the conferences that I do. Some of them I actually get a stipend for, not many, but some of them, and that, untruthfully, that's income. It just goes straight back to pay for the other conferences that I don't charge for. So, even though it's income, it offsets. Yeah, there's that. I'm still. What am I?
Speaker 2:22, $22,000 underwater so far this year for the conferences and and. But then the difference is some of the conferences will pay for travel, some don't. Some pay for stuff like a BSides. I don't ask much about a BSides. I mean like, look, if you can cover my hotel, I got the rest of it covered. Any of the charity stuff I won't ask for, but if it's a pay for conference, I'm like, hey, look, at the very least you can fricking pick up the T and E for me please. So yeah, it's. It's weird getting a steady paycheck every every two weeks, because we get paid every two weeks, not every twice a month. It's kind of weird getting a paycheck every two weeks, even if you've, like taken some time off, as, like, holy shit, I took time off and I'm still getting money. I'm still getting a lot of experience.
Speaker 1:Yeah, that's. You know, that's a problem that I'm working through right now. Right, so I recently opened the podcast up to sponsors and so now I'm seeing like the vendor management side of it and things like that. Right, so I'm starting to like try and do the math of, like, well, what it would take to actually just do this full time, you know, and maybe go to conferences and do all that thing.
Speaker 2:I mean there's a bunch of folks that have done it successfully. I mean look at Paul and Security Weekly and stuff like that. I mean they, that team, did it. I don't know the numbers and all the stuff involved. I know there's a bit of a bit of who hard towards the end for which I don't know, and I hope it gets resolved, whatever it was. But I mean I know, I know they did okay and I mean that was their job, that was their role. They got sponsors in and I think they ended up selling it off and doing okay. I mean dark matters and dive diaries and all those Danny's doing the same thing. She's doing the podcast, the conferences and then building up a consulting business. So it can absolutely be done. I think, you see, she got to figure out the math on it.
Speaker 1:Yeah, that's the, that's the challenging part and I think, also staying just staying consistent. You know, like I feel like that's 80% of the battle is like still being motivated to do it. And the reason why I say that is because, like you know, I talked to Paul from Security Weekly and he said it took him like seven years, right, seven years of doing it before he looked up and was like oh wait, I can like hire someone right, like I can get a studio and and do these things.
Speaker 2:You know, I guess you know that makes sense, cause I mean I remember the early days and I remember the early days of them just having like literally a table at like the DEF CON on the ship, pre-BSides. I mean this is pre-BSides. This was like in the, in the vendor area, whatever the hell we used to call that before it was the vendor area. I thought we used to call it mosh pit, basically, yeah, I remember having like, I remember seeing all the stickers and stuff like that. So, yeah, that's got back a while now. So, yeah, that's a. It's a rough one, cause I mean it's. I mean you know this is well. I mean, once you take somebody on, you are responsible for that person, and that was. You know, if anything ever kept me awake in the evenings when I had like howl or Sentinel or HHS or any of the other, any of the other companies some have done well and some didn't the biggest thing that would scare the living crap out of me was I'm now responsible for other people's livelihoods.
Speaker 1:Yeah, that is. That is also like the boulder in my head, right. Yeah, that, you know, makes me nervous about that. Right, it's one set of stress factors, right, when I have to already provide for my wife and you know we have a mortgage, we have a kid now, you know. But it's like now other people are depending upon me that have families that have their own mortgages, that are paying their own bills and everything you know. And if I make one stupid mistake or if I say one stupid thing on this unfiltered podcast, right, like it could all go up in smoke potentially, right, I don't think I don't think I'm close to saying something that'll blow up everything, but, you know, maybe if I have too much whiskey or something during a podcast, you know.
Speaker 2:Well, I mean okay. So here's the interesting thing. I mean, this is the challenge is we didn't necessarily matter what you think or don't think on this one. I mean the other part of it is as you got guests on the podcast. I mean, some of us have been at the mercy of the media on more than one occasion. You know two or three occasions on my part, and it's, it's gone well once or twice and man is it bit me in the ass on one or two occasions, let's face it so it's, and some of it you don't even give it a second thought. I mean, you know, when you tweet something, you don't necessarily think it's going to have that random word repercussions, that it does the same thing. When you say something, I mean you're the same way. I mean I'm on stage on a regular basis and I'm as raw, as unfiltered as it comes off the time, but I'm still. I still care about humans. Ish, but I'm, and to me I'm going to do a post later on fact. We'll talk about this in a second. I think it's.
Speaker 2:I think, if it comes from the heart, I don't think there's much that you can say. There's going to piss off people enough that you end up getting nailed for it. If you're a good human normally and you're fucking awesome, let's be honest If you're a good human normally, I just I don't think any of that stupid shit comes out. I think it's those people that hide behind. I mean, there's so many narcissists in our world, there's so many people that like hide that behind, the shit's just going to slip out. There are people that only care for themselves or are only out for the money that they're going to slip and say something derogatory about their team or the people who work for them, or somebody race, color, creed, orientation, whatever it might be Because that is not the true nature of it. So I think, stay true to yourself and you'll be fine.
Speaker 1:Yeah, I think that's a great piece of advice. You know, I did actually used to have that worry in my head, you know, when I, when I started this whole podcast, and what I realized is, you know, those things that like would potentially like get me canceled, so to speak, I like doesn't even exist in my head. You know, like I wouldn't even know what to say, literally like in the spur of a moment, that would put me in that situation. And, you know, I guess part of it is probably, you know, how I was brought up, how I was raised and everything like that. Right, like, it's just, I think that that's a section, right, that my mind doesn't even go to, it doesn't exist in my head, which is, you know, I think, I think it's helpful.
Speaker 1:It's absolutely helpful, you know, because I've noticed when people, sometimes, sometimes people will try to catch me up in something and I'll just get confused, like, okay, what are you talking about? Like I don't know what you're even talking about. You know, and you could see, like, oh, they were trying to catch me up in something. It's not until hours later that I realized what they were trying to catch me up in. But, like you said, you know this. I feel like this field in it, right is more prone to being full of narcissists, or if you're in this field, you're more prone to becoming a narcissist right, because it's almost like a God complex God complex for it, almost.
Speaker 2:It's. I mean either, when you think about it, we and this has been one of my complaints for our industry especially, I think, especially since getting into the management side of the world, it's been one of my biggest complaints. It's, you know, we have, undeniably we have, the keys to the kingdom. I mean, without a shadow of a doubt, turn off electricity in countries, got you covered. You know, shut places down easy enough to do. Let me demonstrate it for you. So, as an entire segment of the industry, we have the keys to the kingdom. The problem is we don't necessarily have the maturity to cut with that keys of the kingdom, not in a long stretch, I mean. And it's and part of it's because our industry just hasn't been around long enough and we're still trying to figure ourselves out.
Speaker 2:I put a post out the other day about it. I'm like you know, from an industry perspective, we report into 10 different directions. You get to a C cell and you're like, oh, I have made it, which is totally the wrong way of looking at it, to be honest, but it's like the business still doesn't really know what the frickin heck to do with us. I mean it doesn't. It's like well, shit, some of you can go to the CFO, some go to the CEO, some to the CIA, some are going to bury somewhere in the middle of bug fuck, nova, because we don't want the hell to do with you. So, as an entire industry, business hasn't figured out how to deal with us and, honestly, neither have we figured out how to deal with business as effectively as we should do. So we have the keys to the kingdom, we know it.
Speaker 2:The business still doesn't know what the hell to do and we're still yelling going hey, look at us, look at us, look at us, and and. So that narcissistic tendency to beat your own chest and go we are the ones and you should listen to us is still prevalent. They're alone. Wait, I mean, it's also the blame game as well. Let's face it. As an industry, we fucking blamed everybody. I mean, we still blame users, we still blame developers. We blamed it. I mean we blame everybody apart from looking in the bloody mirror and going, you know, what could we do differently?
Speaker 1:Yeah, that's. That's actually a really good point that we always blame everyone else except for ourselves. It's not my stupid configuration, it's not my you know terrible training that my users aren't able to identify this really good phishing email.
Speaker 2:Yeah, which you know, it's funny.
Speaker 1:It's funny because I you know, I had a. I had a phishing email a couple of weeks ago and it was one of the best ones I've ever seen. I almost clicked on it, but it would have broken my first rule of no clicking on links. That's the only thing that saved me is my own personal rule, but everything else about it was very convincing.
Speaker 2:Yeah, it's, it's and I think that's it. And you know, you throw all of the intelligence systems that have now been thrust onto the unsuspecting world and it ain't going to get any easier. And yet we still think we as an industry, not individuals there's some really fucking good people out there but as an industry we've still said once a year or once a quarter, we're just going to train people and hope that's it. I mean a bunch of. And, by the way, we're going to train you in the corporate world, not train you how to look after you as the human being. We won't train you how to look after your kids or your grandparents or your parents or your guardians or friends and family. We're just going to train you because if you click on shit, we're going to punish you. I mean, like, what a fucking ridiculous way to run anything. And we still think it's a good way to do it. And and oh, this one pisses me off Not only we're going to train you, before we train you, we're going to fucking trick you. And then we're going to trick you because we want to measure how much you fail.
Speaker 2:I'm like you assholes. I mean really one of the first things I did when I started at Boom because I walked into Boom Supersonic when I started there I was in front of like the entire staff and I and that question came up about you know phishing emails and stuff I said I'll make you a promise I will never try to fool you, trick you, make you look like fools and idiots just to make me feel better. I will train you every single month. I will help you, I will teach you, I will make you fun and we will make it engaging. And now, with the team that I have, we're doing that. And I said and when I run a phishing test, I will tell you beforehand because I want you to know and learn and understand and succeed, but I will never, ever make fools of you. If I do, you know exactly where to find me.
Speaker 1:Yeah, that's a huge thing. You know, it's kind of two fold right. So I used to work at a company that did a lot of work with the government and whatnot and they had some rule where if you fail I think it's like three phishing tests in a row, you're automatically terminated.
Speaker 2:Yeah, and.
Speaker 1:I was so perplexed by it, you know, because it's like you know one, the market is not the easiest to hire people in, because you're typically poaching from everyone, right, and it's not really fair. Yeah, I can see if it's literally every single month, right, and you just missed 12 in a row. Maybe you should reassess and be like maybe I'm doing something wrong, right, maybe this person isn't getting it, but man, it's. It's really dumb and I've worked at other places where that team of people they will intentionally try to trick you. It was like week two at this job and they sent me some.
Speaker 1:It was a phishing email like regard my 401k and it was during the holiday season and everyone was talking about a holiday bonus. Right, it's my second week. And so I clicked on the email and I got in trouble for him, like what? But that that's not even a fair email. I just set up my 401k. I, I 100% thought like this was pertaining to it, you know, and that, yeah, they get. They actually got into a lot of trouble for that one, but, you know, all the other times is just, it's a mess.
Speaker 2:I think that's it. Again, back to that. We're ad to prove that we're better. We're ad to prove that we have the knowledge and you don't. It's quit that shit. We have one job. I've said this a number of times on stage, in places. As an industry, we have one freaking job. You know this. You got a five and a half month old rug rat. You have one job to protect. It doesn't matter what the hell are so fucking hurricanes out there can be shit going on the world. Well, it's going to hell. I'm not asking, let's face it. You have one job. It is to hold that infant in your arms and your significant other and go. I will take care and I will protect. That's it. We should be doing the same thing with every single person that we're responsible for inside an organization and our media friend circle. I got one job. How the hell do I protect you as effectively as I possibly can?
Speaker 1:So you know, you mentioned going to Sonic Boom and becoming their CISO, right. So what's that like? Do you like it? Do you like the change? Is it new challenges for you? What is that like?
Speaker 2:So it's interesting because I've done the vCISO stuff a number of times. So for years I've done the virtual CISO stuff and it's weird. And there's a Dilbert cartoon you know it's Douglas Adams or the other stuff. Douglas Adams was the Douglas Adams. Yeah, outside of all of his challenges and stuff, there was one Dilbert cartoon that epitomizes a vCISO, which is that it's the boomerang boss. It's the one that comes in and goes I'm going to do I'm in buggers off again. That's basically a vCISO, because you go in like and we're going to do all this shit and I'll see you in three months time or I'll see you next month and see how your shit's doing, and I don't like it. I do like it because it at least helps guide and there are some instances when you're more involved and depends on how much time and effort. But for the most part you kind of go in, you're like and I'm going to drop some shit on you and I'm going to bug off.
Speaker 2:We've done with pen testing for fucking 24 years being inside as the CISO. I live and breathe it every single day. You know I have to walk in there every single day and I walk out every single evening, or I'm there what? Three days a week. But I walk in and out of that place and I'm like how do I do a more efficient job? How do I help my team? How does my team do a more efficient job? How do we help protect? How do I help understand risk and work out probability for what's going to hit this organization? And you know, you think about it. We are building supersonic airplanes and we're building them for all sorts of interesting people, and so we have all sorts of really freaking cool tech. And so you have your traditional SBNRs, you have your camera SBIs and all those other shit. And then we've got a whole bunch of nations that are building some really cool tech. Rather than actually having to rebuild the wheel, let's just steal yours instead. And so the profiles of the organizations and the people's and the teams and the tactics and all that stuff are obviously evolving and changing. So I enjoyed that, this game of chat. So let's face it. Inside Boom, it's a small organization. It's a bunch of crazy amazing engineers and a bunch of people just making sure that we get this fucking airplane off the ground.
Speaker 2:So I love that. I love the engineering, I love the geekness, I love the fact I'm messing around with airplanes in a legitimate way for a change, rather than getting yelled at for doing it. I also love the fact I'm challenging and able to change the entire industry Because, again, how things have been built and designed to put together is maybe not how we want to do in the future. So I'm able to influence that really, really effectively because I'm responsible for physical and digital security, especially on planes, and the corporation side as well. I'm also able to give back, which is what I also love as well, because, again, you know, as a, as a CISO inside a company, I got a checkbook. It ain't huge at the moment because we don't have a ton of money, but it's big enough that I can actually go to some of the people that I've loved and worked with and known and talked to over the years. Hey, fancy coming in and giving us some help. That part alone has been absolutely fantastic being able to do that and then building up the team. You know there's people I've known on LinkedIn for a while. I'm like, hey, want to come over and come give us some help. So that's been, that has been fantastic.
Speaker 2:The challenges are I'm now inside a corporation, and albeit a dynamic one and albeit a very good one of the flu, it's still a corporation. It still has legal people is to have people, team people. It still has finance people. I've got CEOs and presidents, and so they thankfully knew what they were getting into. So there is an upside to that. I didn't come in as an unknown quantity. They came after we had conversations and then also Charles, who was our CIO, did a really good job of laying some amazing groundwork for me to walk into, so I didn't walk in cold, which was also obviously fantastic. But it's still a corporation, which means I still have to sit down and work with the CFO. I still have to.
Speaker 2:There's lots of things that I have to do that are very business at scale and corporate look and feel, but not too corporate looking. And who runs our people team is absolutely amazing. The ability to just hit her up on Slack and have a conversation is fantastic. Blake, the CEO I can yak with him in the corridor when he's not out and about doing crazy amazing things for us. Kathy, who's the president, is another one of us being able to stop in a call way conversation. But there's still also the formality. They're still like hey, we have reporting to do. I have to report out to the, to the board of directors, every quarter. I have slides that are responsible for. I have finances that were responsible for. We have people.
Speaker 2:You know it's, it's. I still get a geek out. I still get a crazy shit. I'm building some amazing artificial intelligence stuff. I'm able to mess around and build. Some of the team folks up were amazing and dealing with all sorts of stuff. But it's also the corporate side of the work that I have to tread a little more. I can't walk into my pajama bottoms anymore. That's part of the way I did that. On day three, day one and day two I wore trousers. Day three, I walked into my pajamas and then day four, I got a message going please don't wear your pajamas anymore. So you know there's balance.
Speaker 1:Yeah, you got to. You got to test the boundaries. You know how else are you going to know that they're there?
Speaker 2:Exactly At least I didn't do. Years and years and years ago and this was, this was years ago this was dot com dot bomb days. So it shows you how well I was. I was down in Atlanta going through some personal stuff. There was a shit show and I was working for a company that didn't make it through the dot com dot bomb days and it was one of the final board meetings and it was board meeting with the investors and it wasn't going to be a pretty one and I was. The things were not going in the right direction and I was a little aggrieved at some of the stuff. I walked in in a bath towel. That was it, now that I had underwear on, but I walked into the board meeting in a bath towel. Yeah, at least I haven't done that yet. So you know, there's still some hope.
Speaker 1:That must have been a pretty interesting meeting.
Speaker 2:No, yeah, that went down about as well as you can probably expect, I was yeah.
Speaker 1:Were you still employed after that?
Speaker 2:I was. Yeah, I was, I was, I made my point. No, I made my point. I'm literally a little blunt. And then you probably most expected.
Speaker 2:But yeah, that was the same company where you know you're out there going for funds and you have no negotiation. I mean, yeah, it's kind of like Boom. Same thing with pre-revenue. So you know every dollar counts. And back in this other company, back in the dot com dot bomb days, we were every penny counted. And yet the C, one of the C-levels I don't know which one he was went out and bought himself and this has got about 20 years, so these desks were rare and expensive bought himself one of these, the desks, the elevating desks with all the bells and whistles, and then came up and denied us a whole bunch of stuff we were trying to do to make the product better so that it would sell. So one evening we were like fuck it. So we ended up literally crawling across the roof tiles and we wired up the flippers on the pinball machine to the up and down arrows on his fricking on his desk. So yeah, revenge is sweet sometimes.
Speaker 1:Yeah, that's like in this industry if you're going to get revenge on someone, it's typically like pretty. It's pretty like intense.
Speaker 2:Oh, yeah, there's. There's no half measures. I mean there's. I mean with, I mean that that is one downside to us. I mean we can be vicious at times and the problem is we know how to do it. I mean that's, yeah, there's, there's a.
Speaker 2:There was a cartoon strip I don't know if it's still going, it was this. It was called techies United or text United. I think it's called techies United and the main character, female female protagonist, techie us like amazing God, like skills type of things, and she's the juror. I you might remember, you might not know. Oh gosh, what the hell was it? Ah, um, no, what was the? The help that? Oh God, what was that freaking thing? It was used to be on BSD and then it was. It ended up. Oh God, it was the tech. It was that ultra sarcastic tech support yeah, I have, is somewhere.
Speaker 2:Bastard Operator From Hell, BOFH. If you've got a few I don't know if you've ever got anybody that's listening in on this if you've never ever read any of the original BOFH, Bastard Operator From Hell, you almost have to go back and read them. They are terrible but they epitomize what our industry used to be in kind of history. They actually epitomize exactly what many of us think in our heads when we're dealing with our industry. There was this. I know where the hell we were going with this. There was this text script and she's the main protagonist. He's basically the modern day version of BOFH and she's, like you know, somebody invited around a day from the marketing department and they pissed her off, so he just basically turned off the electricity in his entire area. I'm like, yes, perfect.
Speaker 1:Wow, wow.
Speaker 2:That is wild. Oh, I mean, good gods alive. I mean I remember how many years ago it was it was several years ago sitting at one of the security conferences and a bunch of us got a wild hair up our ass. We're talking about space, in the space station, and I think it was like LA or somewhere like that just announced that they all of their nighttime lights, or their like all their lights the street lights had all gone wireless. Not half an hour later we're in their systems and we are trying to figure out how to send a Morse code message to the space station using their lights. I mean just stupid. Yeah, I mean it's so much fun, but this comes back in there. When you install this shit, don't leave defaults in place, please, admin, admin, yeah, I can do a little bit better on that, please.
Speaker 1:It's like how much can I do and how high is the felony that I'm going to get? Am I willing to accept that felony on the record?
Speaker 2:Oh, yeah, just another. Another time the feds are, but actually the feds haven't been to this location yet lesson, so I've got to. I think it's been about a year and a half, maybe two years, since I've had a visit from the feds to the doorstep, so I'm about due for another one. I got to find I had to explain myself as I'm Saudi Arabia last November at a conference and I stood up on stage and I'm like, okay, yeah, and it was a conversation was about taking the digital realm and turning into a very much more human experience and for whatever reason, I got after the Royal tankers.
Speaker 2:I done stupid things without on the side stage and I'm on the main stage and his Excellency is there and so I'm sitting down like all right, let's talk about camels. And you could tell they were like this is a cybersecurity complex. Why are we talking about camels? Hold on a minute. And so I brought up his Excellency's camels and he's got some like 8 million US dollar camels. He's fucking. Things are expensive. You should pageant camels. We're not to him racing, we're talking beauty pageants. Okay, dude, do research is fucking amazing. These camels are expensive and they win lots of money and they make losses. Racing camels are expensive, but what they all have is they'll have chips in them and they all have like predominant. They all are stupid shit.
Speaker 2:So I took the stuff I'd done with hacking the cows and I rehashed it, figured out the satellite systems that they used, broke into a Chinese similar satellite and I swapped his entire herd with this herd of like roaming camels in the middle of the steppes, fucking Outer Mongolia and his apparently their team then called up their head herder and is like check your camels and is like my camels are here. No, check the database. Why are my camels in China? I'm like that was a perfect way of going. There is the physical world. There is the digital world. Which one are you going to believe? Yeah, you tell me which one's wrong.
Speaker 1:It always gets it all always gets like a little scary right when the two worlds kind of merge right and they're already slowly merging together. I feel like right.
Speaker 2:Yeah, absolutely. And when you start looking at text going and you start looking at biotech and nanotech and the stuff that we've been able to pull out of the brain now you start into a point you're like okay, and ChatGPT is a perfect example of this is like okay, how do we tell 8 billion people how to tell truth from a lie when most of them don't think beyond the next footstep or the mouth to let alone? No matter which news channel you follow, no matter whether to question that or just accept the fact that we've been told, I mean, it scares the snot out of me.
Speaker 1:Yeah, that is becoming a more and more prevalent issue that we're running into. How do you know you know what you're being told is actually the truth? How do you know if that fact checker that is telling you that it's the truth or that it's false is not having, you know, some sort of outside influence to influence you in a certain way? You know like that's a great way to influence millions of people all at the same time is create your own fact checker. Have the fact checker you know sway to a certain side, have it become reputable. You know like that's a very easy attack that anyone in security has done themselves. You know, several times.
Speaker 2:Yeah, I mean we should. We did it with DNS for crying out, let's face it. I mean that was the fun thing with DNS. I mean you know, it's how we do. I do it, I'm so doing an airplane. I don't do it on airplanes because that would be a terrible thing to do.
Speaker 2:I do it when I'm stuck in somewhere for an extended period of time. I'll fire up my bloody offer at my antennas and then I'm serving people up what they think is their website. And it's amazing how often, when I'm stuck in these places for a period of time, that towards the back of said tubes that are doing things, that all of a sudden you hear hamster dance and I'm like, ah yeah, you enter a website. You probably shouldn't have gone to it and you ended up on one of my. I mean this is easy stuff. We've had that ability to do that for as long as DNS has been around 20 plus years for crying out loud, and now it's getting even easier and even simpler and you can do it en masse and I don't have to use hard tech to do it to your point. I can take over a fact checker.
Speaker 1:Hmm, yeah, you, you, you bring up. You know, doing it in enclosed spaces and with Defcon coming up right. I'm thinking about my flight a little bit more, all right, and I'm already an anxious flyer, and a couple weeks ago I had Mike Jones on the podcast from the H4unt3d Hacker podcast.
Speaker 2:I love him.
Speaker 1:And he's great, he is. Well, we were. We were just talking about traveling, you know, and I asked him somehow we got around to it right. And I asked him are you ever worried when you're flying? Right, because you're such an experienced and skilled hacker, you kind of know what's possible, you know what's out there, right? Yeah, and for me, you know, I may not be able to do it all, but I certainly know what's there. And so when I'm flying, especially to Defcon, I'm like on edge, like, all right, who has the terminal open? What the hell are they actually doing in that terminal?
Speaker 2:That's out of the maintenance computer you must.
Speaker 1:Yeah, exactly, you know, like, do you ever, do you ever go down that thought path as well of like, or are you the one that has the terminal open?
Speaker 2:Yeah, if somebody else has got terminal, the chances are they're going to find me in there as well.
Speaker 1:Mike was telling me that he's only afraid to fly if you're on the plane.
Speaker 2:Oh yeah, no, we're about to do loop the loops over some bloody airport or other for shits and giggles. Oh yeah, I've said that to a few people. If I ever catch you on the same airplane that I'm on, we are like diverting, we are going to have some fun. End of conversation. Despite whatever he says, we're going to have a little bit of fun. No, it's. I say that in jest for all the federal authorities that are listening in. You don't need to come to the door this time. Neither do you need to put official complaints into Boom Supersonic. I play nice.
Speaker 1:Well, that's probably why Boom Supersonic is potentially like the best fit possible. You know, like who else are they going to go to for their CISO? That understands the space better than anyone else really?
Speaker 2:What were you going to say? Sorry, no, I say that was honestly, that was a big part of it, because I'm like you all do know who you're talking with and they're like yeah, that's why we're talking with you. And I love it, because now it's a challenge for me, because I want to be very, very, I want to come to the industry. I'm not saying a contrite way, but I want to come to the industry in a way of like hey, here's what we're doing and here's why we're doing it our way and here's why we're doing it differently. And here's the logic behind it, rather than coming to you and going, you're all wrong, because you didn't fucking listen back then and because that won't work If we come to them and go hey, look, here's, here's.
Speaker 2:We took a look at the problems, we took a look at the challenges and, despite what all of you say, there are challenges and therefore let's look at them through a very clear lens and go how do we effectively reduce the potentials and probabilities? How do we understand the risk? And then, how do we manage it, mitigate it, quantify it and do everything you know, from a chip level all the way through to a system and architecture and resolution level and, from my standpoint, my job is to basically build a self-healing aeroplane, and that's what I'm building. So it's kind of a cool way of dealing with it. So it's it's. If I come to the industry and that way and go hey look, we learned, we understood, we've come with better ideas, would you be willing to listen? And even if somebody else has to champion and champion this, I love you know, Kathy, who's the president over there, is fantastic because she can champion those which I would absolutely love to see her do, and I'll just feed the stuff and off we go and boom, the organization gets the credit. On. My best of both worlds, let's go.
Speaker 2:I think if we approach it that way, we'll see change in the industry because we've got some amazing partners that we're hanging out with. And I think the other part of it is as well. As you know, we we're making airplanes. So when we go to I mean, you mentioned United, america, united, and who are the ones that want banned from most of them America, you know, when we go to them and we go, hey look, here is the plane, here is all the architecture, here are the systems and here's all the safety and security that we have elevated inside this. It's going to make them look around to go well, we don't have that from our other suppliers. Let's go ask them the awkward questions and they will be the ones that champion change. That's kind of what I'm looking for.
Speaker 2:And you know we're hoping for.
Speaker 1:That's probably the only way. That's probably the only way to do it in that industry with without having a plane go down due to a cybersecurity reason. Well, I mean that was the.
Speaker 2:I mean, that was that's where I got to. You know, I'm sitting. I was sitting in some very, very senior people's offices after sitting on their airfields demonstrating what was capable, and I'm sitting in their offices. Going is the only time you're going to change when lives are lost. And I didn't get a satisfactory answer. And I think that's again comes back to the protect factor. You know, we have one job. We have one job. We have one job.
Speaker 2:I mean, it's as simple as that to make sure that our passengers get from point A to point B as humanly safe as possible. And so, yeah, let's challenge the norms, let's do that. And then let's take all the considerations. And this is where we get into privacy. You know, if I'm letting, let's say, 160 people onto an airplane, in a, in a big, a normal, big sized airplane, or in ours, you're looking, 60, 70, 80 people on an airplane. So if I look at the passengers and go, how will you affect my probability and what can I do to compensate for, rather than tell you, no, you can't get your ass on the airplane, how do I actually ensure that the plane itself understands those potentials and can modify accordingly to your point so somebody manages to come on like me or like Mike that's got the ability to get terminal into a system. Well, how does that system self heal, become self aware, understand itself and mitigate those wireless flying along? So there's some cool stuff I'm building and playing.
Speaker 1:Hopefully that's in touch with you know, by chance, did you ever watch that documentary on the Malaysia Airlines flight that went down?
Speaker 2:I did not watch, I didn't see it, but I actually so I got dragged in as soon as, I think, went down. I got dragged straight into that. They, a number of folks, oh, wow, yeah, well, because obviously a number of the potential vectors at the time were hey, chris, what did you say you were able to do, and is that possible on this, this, this and this? And then we get into the conversation of leave behinds. You know it's, can you do something? And again a number of us have proved.
Speaker 2:I got an amazing phone call. There was a very, very dear friend of mine was sitting on an Amtrak train and at the time the Amtrak's was still susceptible to Heartbleed and it wasn't pretty. Because I mean, it was not pretty, we'll just leave it at that. So I get this message from him. I'm sitting on a plane at the time. He's like hey, guess where I'm at? And he sends me this screenshot of his freaking terminal. He's like you want access? I'm like, oh, hell, yes. So he sends me access into his so literally, and while we're doing this, I'm scanning through his Bluetooth thing and bluesnarfing, why, coming to a station, looking at the cars as well, from this fucking Heartbleed and we're looking at the front of the train, also some other stupid shit, and I'm like we literally have planes, trains and automobiles all in one thing.
Speaker 2:And it was. It was one of those eye opening moments because, you know, at that point the psycho kick had somebody from the ground interfere with something on the plane. Well, potentially. Now the question is is what they could they do. They could they do it, yeah, and all the other stuff that goes with it. So, yeah, I got dragged in to go, okay, could could some inference have come from somebody else? And like anything, where's the risk? Well, it's here. Where's the probability? Well, depends upon a whole bunch of other criteria. Is it possible? Absolutely, does somebody do it? It's yours to decide.
Speaker 1:Hmm, yeah, I bring it up because in the in the documentary on Netflix, you know they they bring up one of the potential scenarios is that people on the plane actually were able to, you know, somehow get into the computer that was controlling the plane and, you know, take it over without anyone else knowing or doing it, being able to do anything about it. So I mean, who else, who else you know, who better should?
Speaker 2:I ask Right, well, the irony of the whole thing is, is that yeah, I mean I got asked about that a number of times there were some of the family's lawyers go I mean said, hey, look, you know, give us, give us the lowdown, and so I talk them through. You know the maintenance machines, the systems and, depending upon the plane types, because you ask anything I mean pilots are freaking crazy well trained. So there are secondary, tertiary capabilities on a lot of these things. And then, honestly, it just comes down to what's the motivation, what's the percent? You know where's the risk? Zero through one, simple as that, you know it's better than zero, but it's not quite a one because it's not an absolute. Where's the, where's the probability? Well, here's all the things you have to.
Speaker 2:I mean that was six, seven years worth of research and even with boomers we're putting stuff together. I mean, technology has advanced to such a point that you've got some really cool on chip stuff and you know, on the wire monitoring and also some other really good stuff. That's way more efficient and effective. Is it foolproof? No, is it getting there? It's working on it, but nothing is foolproof because there are people way smarter than I am looking at this stuff.
Speaker 1:Hmm, you know, I think you probably have a really interesting, interesting perspective that probably some, some don't right, especially as being a CISO. You know, you come from like almost both worlds, right, like I see CISOs as like, almost like a totally, just a totally different world from the world that I live in, almost, you know, like I don't want to say I live in like ones and zeros, but I live in the world of possibility, where it's like, okay, what's the likelihood of this? How do I protect against it? Oh, that's a 1% likelihood, but if it happens, we go down, we no longer exist, you know. So how do I protect against it? And things like that? Where do you see, where do you see, I guess, the space going, with AI becoming more and more prevalent in the space to be able to do things you know, like write code and react to how people are answering questions and modify responses and things like that. Are we getting to a place where you think that there's like no turning back, there's no putting that genie back in the bottle?
Speaker 2:Oh, I mean that genie is out of the bottle End of the car, I mean, and this, I think, is it's almost a, it's not almost, it is a frustration for me Because I've been, I mean, I was messing around with adversarial intelligence several years ago because we were fighting, you know, we were fighting what our options were, and I was doing some stuff with the government boys and some other folks where we were building adversarial engines to break people's intelligence and actual AI systems that were meant to be there to, you know, protect them from us.
Speaker 2:Good fun on that stuff. Now, that was very, very controlled space. When DARPA did the Grand Cyber Challenge at Defcon years ago, that was a very controlled space. We've had, you know, Watson, perfect example, very narrow, very focused but very guard railed controlled space, Siri and all the other ones. The same thing. What we did with the generative stuff is we literally took the pin out of the grenade, handed it to almost 8 billion people on the planet said you have some fun now, and that's what we, and we didn't put any guard rails on it.
Speaker 2:I mean we and there are some people still sitting there in freeze mode going what do I do with this? There are some people in fight mode that are now throwing that grenade at the people in freeze mode and there are some in fight on flight mode that are like I'm out of here, so that genie's out, it's done. Now what's going to be interesting to see is how it develops and how it evolves. So we already talked a bit about the human in the little it's. How do we now educate them to tell truth from lie, digital from human? For me on the side, on the security side of things in the ones and zeroes and also the CISO space, is like, how can I use this as a tool and technology to help? We saw it literally sore. I mean we, we, we saw the evolution of a SOC and a NOC go from holy shit, I've got too much to look at to hey, how do I prioritize? How do I put playbooks in place? How do I put orchestration in place? Now, could I have an intelligence actually do something for me? The answer is probably yes, when it learns my environment. Great, now I've got that. Do I trust it is another conversation altogether. Where do I put the human into this? Or do I even put humans? So now those people that were trying to fight every single alert and every single priority alert can step back and go, hey, now I can learn my job more efficiently, now I can actually look at projects rather than firefighting, and now I can. All these other things that now open up the possibilities for them to be able to love that idea. We start looking at code generation. There's some fantastic things, but now I have to build a code-generating AI and I need another AI to look at its code and go, hey, you forgot to do this. A couple of really freaking cool companies over in Israel did some absolutely well, the fantastic stuff with the like, the anti code gen stuff. This really fucking cool stuff coming out of there.
Speaker 2:We're going to use it on the airplanes. I mean from an airplane standpoint, when a company sends, sells you an engine, they sell you a digital twin to do predictive maintenance. Well, we're going to do that. My plan, obviously from the intelligence, is to do that for the whole airplane. Can I build and manage predictively an entire airplane, and so we'll use both narrow and very general AI models to determine how much of that we can do from atmospheric antenna or sorts of crazy variables that no human on their own will be able to figure out. And, quite honestly, I'll throw some of the general AI at some of the narrow models I've built and go tell me a better way to do it.
Speaker 2:What am I missing? Can you code it better? Can you be more gracious on it? Can you give me models and numbers I hadn't thought about? Can you learn in a way that's different than I have approached this and give me a better answer? And so I'm actually looking forward to being on, and I think that's it. If we use I mean we did, I mean Google did it. Google said hey, this is how we coded you, and the engine went fuck you all. I can do a better job by coding myself in a language you don't even know. Is that going to end up with nuclear war at 430 in the afternoon or Wednesday? I hope not, but I don't know.
Speaker 1:Time will tell yeah, especially with you know, when you have countries that are sending balloons over your nuclear sites.
Speaker 2:Okay, all right, you've done government shit. Why didn't we just shoot the fucking thing down over Alaska and not say a bloody word? Really Right, I mean, we knew it was coming. This is not. I mean, why the fuck did we wait until it got over the central area nesting grand, basically my neck of the woods, for all of you are paying attention where we have all of our nuclear is in our cornfields. Why did we wait until it got to there before we shot the studio? And we'll shoot it fucking down in private, like we've done with all the other ones. You're a bunch of muppets.
Speaker 1:Right, I mean they act like they. They act like they didn't know that it was like coming or something like that. You know it's like you can't tell me that when you have like three agencies that all that they do is monitor things that go from the ground to the sky, you know like that's all that they do. Yeah.
Speaker 2:Yeah, and they're really good and for the most part I'm your phrases. For the most part they're really good at it.
Speaker 1:Oh my God, it's insane.
Speaker 2:I, I, I don't know if it was a PR effort or if it was a who knows I. I don't even want to speculate on that one again.
Speaker 1:I probably never know.
Speaker 2:No, and I think that's it. It's somewhat frustrating because you know we've been at war arguably since late 90s, maybe early 2000s, pick your day. I mean, we've been at war in the digital realm for the last, I'd say, 20, 25 years and I think the average person just doesn't understand that or doesn't want to, doesn't need to, potentially doesn't understand it.
Speaker 1:And.
Speaker 2:I maybe can't even grasp it. I think that's the other problem we've been rerun into because you know people. I've always said humans won't change until you literally have to crawl over your relatives to get to your keyboard. When that happens, maybe humans will change, but until you've literally got a, you know grandma, grandfather, kids, family and everything else are laying their spleen out because of whatever happened. You got to crawl over them to get to your social media. That's probably when the rest of humanity might actually pay attention.
Speaker 1:Yeah, it's, um, it's an interesting problem, I guess. Right, because no one wants to really admit it, but the professionals in the field are more than willing to say like, oh, yeah, we've been at cyber war with China and Russia and Iran. You know, there's a reason why my podcast is blackholed in all those countries, right, it's because, like I, I don't care about saying like, hey, we've been at cyber war, you know that when they've been trying to, you know, do malicious things to us actively and vice versa, right, like we probably, we're probably doing the same thing, right, but it's like the, it's almost like every administration is very against just calling it what it is, out of fear or something like that. I mean, I, what? 80, 90% of the population won't even understand what that is.
Speaker 2:Okay, so let me put a scenario to you and I'll tell you why we. I tell you, I'll tell you, let me give you my theory on why I think that is. Where are you based out of? I can't remember. Off the top of my head, oh, I'm in Chicago, all right, so you're in a relatively civilized area, neck of the woods. So now let's, let's transport ourselves to the Alabamas and the Texases of this world. Okay, so you and I are government officials and we step outside and we step up to the podium, where where Texas and Alabama and everybody is listening and Tennessee will throw Tennessee in their door. And they're listening because they trust us, because we've told them to trust us, and most of them, for thump, dump reason, are actually believing us. Okay, we stand up, we go. Those little Chinese people are attacking us and they're at war with us and they're stealing everything from us and they're taking us. We must take up arms and fight with them because we declare war on China. Every Chinese restaurant shops more, more ownership person.
Speaker 2:You want to go about persecution on a mass scale. Holy shit, if you ain't white and American, you be fucked. I mean it would be. People wouldn't understand the difference between physical and digital war it would be. I mean, it's already bad enough if you don't look the right way in this country and other countries as well. Let's not just pick on this country, other countries as well. If you don't look the right way or the right color, or holding hands with the right person, you're gonna get persecuted. Now you accelerate that by declaring outright war against Russia, China and half a dozen other countries. I mean. I mean it would get real nasty in the physical world really quickly. That's my opinion. I just don't think people. I don't think people can deal with it. I think people can deal with it's a really good point.
Speaker 1:I actually never thought about it like that, of the actual repercussions from people probably not understanding what it actually is, right that they're being told and then overreacting in ways that are just above and beyond what anyone would need or want or expect.
Speaker 2:Even why me? Okay, so let's take a step back. Let's look at history. History is not kind to this kind of stuff. You got to 1930s, 1940s. German propaganda I don't know if anybody's here is from Germany, I mean it's history to propaganda basically said that the Jewish population is taking all the best jobs, has all this, has all this is taking stuff from from Germany and it's taking the German might down and who you're not well, didn't know what's. Six million, seven, six plus million Jewish people perish, because of that persecution. I mean you can imagine what would happen in this, in this country If I'm not just this country, in this country, now the country's if we certainly took the digital world into the physical realm and said if you are, you are now my enemy, and too many people would take that as an opportunity. Step up, an exact revenge. Basically, I got a horrible feeling. That's what we people, people, individuals are not bad. Humans together are not nice. We just on.
Speaker 1:Yeah, that's a really good point, well. Well, Chris, you know I really appreciate you coming on and I feel like we go for another hour or two. But you know, yeah, absolutely. Hopefully not in two years, you know be a little bit sooner this time, but you know I always enjoy our conversations, Chris.
Speaker 2:I same thing. I absolutely I was. Yeah, I'm, yeah, let's just. I'm so freaking glad to be back on thank you and Favorite listing as well. Thank you very, very much, joe. You're freaking amazing and good luck with the rug as well. Like big time. Good luck with the rug and give the young lady out as well, please.
Speaker 1:Yeah, absolutely. I need all the luck that I can get with raising this little monster.
Speaker 2:Teach you to be a hacker. You mean good shit.
Speaker 1:Yeah, absolutely. Well, Chris, you know I really appreciate you coming on and I hope everyone enjoyed this episode.