Data, Security, And Advanced Persistent Threats with Patrick Hynds and Duane Laflotte

In this riveting episode, we'll be joined by special guests who do

information security work taking us into the deep, dark

realms of high level hacking. We'll explore the pyramid of

threats from those bumbling high school hackers who couldn't hack their way out of a

paper bag to the notorious figures backed by nation states.

But hold on to your keyboards, folks, because this conversation takes

a turn towards Linux and the intricate world of Ozint.

Yes, that's open source intelligence for those scratching their

heads. We'll unravel the mysteries of Ozint, its

uses, its implications, and how it can be a double edged

sword in the wrong hands. With a touch of espionage and a sprinkle of

humor, we'll leave you on the edge of your ergonomic office chair craving

more. And if that's not enough to make your encryption keys quiver,

we'll also touch upon the interconnectedness of the past with stories

of legendary minds crossing paths in unexpected cafes.

All right. Hello and welcome to Data Driven, the podcast where we explore the emerging

fields of data science, artificial intelligence and of course, data engineering,

which actually makes the whole thing possible. But there's another

field that we're going to talk about today, so it's going to be a little

bit different. We kind of did that with the last show or two, kind of

expanding our purview of topics.

And speaking of purview, I said

Purview, hopefully I pronounced it right, but I know, Andy, you've been playing

around with Azure Purview. I have, yeah. And it's

kind of it's speaking of data engineering, there's a lot there

with data lineage and the

secret sauce to it is it does automated scans and if

it can figure out where something new belongs in

the diagrams, it'll just put it in there and that is

almost magic from a data engineering perspective.

There really is a lot of innovation happening in that space. And

today, as we're recording this, my wife we

mentioned this, does cybersecurity at NIST and

my oldest son went with her to Take Your Sons and Daughters to Work

Day. That's cool. And yeah, so it's really cool.

So we have two guys here on the show. It's one of the few times

we've actually have had two guests at the same time. We have Patrick and Dwayne

who are fellow podcasters for a show called Security this

week. We need applause. Where's your effect? I don't have it. Plugged

in the effect. And

they also are the CEO and CTO, respectively of Pulsar

Security. Combined with them, they have 50

plus years of combined experience in cybersecurity and technology

and they provided services for Disney, the military,

bank of America, the NHL and more.

So welcome to the show, Patrick and Dwayne. Thank you. I just want to

clarify, I have 49 and he has one.

Wow. Just kidding. You look great for your age, by the way.

You started when you were like five. Is that what.

So there's actually a funny thing. There was a namespace collision

because you, Patrick, attended West Point, and thank you for

your service. Thanks, sir. There was another Frank Lavinia that apparently

went through West Point. Yes.

And I almost went to West Point, which probably would have confused a lot of

the professors and staff.

Wait a minute. Did you just leave here? What do you want, the eight year

plan? Yeah. You know what

I'm thinking? This is a time travel thing, Frank. It

is? Yeah. Yes. One of the

NCOs I served with sent me a picture of a Life

magazine cover that showed troops in the

landing craft at Normandy. And the guy at the center of the picture

looked exactly the way I did as a second lieutenant. He's like, I didn't know

you were in World War II. So I bought a copy of it. It's exactly

the way I looked when I was 22 years old. That's great. Okay, so

now both of you are time travel. Maybe that's what West Point does. It's

time travel now. We got to delete this.

We'll do it from the future. It'll be fun. The

neuralizer.

That would only work if. We do the video part of this, but that's true.

I want to repeat the name of the website because I was rambling when Frank

mentioned securitythewsweek.com

and you picked up a couple of new listeners, just

the banner in the virtual green room was enough to say, all

right, I got to make some time to listen to this. All right, we appreciate

it. We're trying to educate just like you. Guys,

and it's always fun.

It's a growth field, I think, to put it mildly.

Someone was asking me recently because a lot of big tech layoffs happening and

things like that, someone was asking me lately, someone who's not in data science, and

would go with security. I'd probably go with security if you have

50 50 data or security. But you can't go wrong with either.

And there have been recent events in my life which I

keep alluding to a court case,

but definitely I discovered the wonderful world of

OSINT. My

wife is really good at OSINT, right? Because that's her career. Yeah.

But kind of watching what she's able to dig out and

kind of know me doing it, too, we've been able to kind of Swiss out

more information and get clarity on things, and

it's amazing what is available. I took a course on

pluralsight on kind of using Kali Linux. Andy and

I I now work at Red Hat, so I've kind of went from

promoting Windows and using Windows 100% to, thanks

to Windows Eleven, being driven away from the Windows world and into

the wonderful arms of Linux

and fascinated by kind of

the tooling that's out there and built into something like Kali or

Kali. I'm not sure how to pronounce it. Depends on who you are. Yeah, we

usually call it Kali, but that's our bread and butter. We love Kali, right? Yeah.

That's an awesome operating system. So tell us a little bit about because I know

I don't think our listeners are necessarily up on the

Linux, let alone kind of the hacking world making

that assumption. If I'm wrong, please let me know kindly through

email comments

in angry letter form. It's a siloed kind of world. We live in technology,

right. There's a lot of specialization. There's this notion of full

stack this, full stack that, but

I've noticed in security that poison of the notion of full

stack has not hitting you guys yet. It started to kind of

flirt with the data science world. But I don't think you can be because just

looking at what are the disciplines. Right, so I think that's one of the things

we mentioned, OSINT, which for those that don't know is open source intelligence. And I

don't mean open source like Linux or anything like that. What is open source

intelligence? So open source intelligence is

from my field. It's awesome because what open source intelligence

is there's information about every human out there and you can

go like Cambridge Analytica or whoever, right? There's tons of data out there about

every human being on the planet that you can pull from just publicly

available either databases, websites, some of them say the Dark Web, but

you don't need to go to the Dark Web. It's all out there. And we

have some crazy OSINT stories.

There was one company we were trying to break into, Fortune 500,

they said, hey, listen, we'd love you to do a spear phishing campaign.

I was going to say and to be clear, you were hired to break in,

right? Sure, whatever. Yeah. So if there's any attorneys

listening, there's any federal DA listening. Let's make that clear

publicly what we're. Saying on the podcast. No, we were

hired to break into this Fortune 500 and they said, listen, we'd love you to

do spear phishing. And for those of you who may not know, spear phishing is

where you target one user. It's either like a CEO,

CFO, something along those lines. So you start to gather some really detailed

information. And we said, listen, it's too easy, we don't want to do that. Let

us just focus on the technology. They're like, no, you have to do spear phishing.

We said okay. Cool. And we did a lot of research on and we said,

we're going to take your head of HR. We took the head of HR and

we did a lot of research on her. They said, before you send these emails

out, can you come talk to us about them? Just show us them so we

can approve them. Said, sure. We sat down with them and said, listen, we got

two campaigns we're super excited about. Super excited about. They're like, all right, hit us

with them. What are they? We said, okay, we found out that she just

purchased a Dodge Durango. I have the Vin number of it, and I know where

she bought it from. We've actually purchased a website that's very close to the

same dealership website. We're going to send her an email that there's a recall on

her Durango with her Vin number. She needs to click a link, come to a

website, start typing in some information. We'll take over her computer, access the

systems. They're like, no, you can't do that. No,

that's way too personal. Okay, cool. Awesome. We got the

second campaign, which I think is a real winner. We're just going to kidnap her

kids, right? They're like, okay, so hit us with the second 1.

Second one is probably great. I said, okay, so we found out what her

kids names are, where she lives. We know what school they go to, the

teacher's name for each of the kids. And we found the school nurse name. We've

set up a website that's close to the school's website, and we can

send an email from the nurse with a form that she has to fill out

that's a PDF that's infected with a virus that will take over her computer. Right?

And we'll mention her kids names and the classes they're in, that sort of stuff.

And they're like, what is wrong with you guys? You can't do any of this

stuff. No. Yeah.

Open source intelligence is crazy right now. It's data, the things you can find. It's

all about data. It's the information you give. So what's the lesson here? The big

lesson is your data is out there. And even if you don't think it's

out there, your data is out there. And you need to use secondary

channels of communication to verify things. So if you get a call

from the school, get an email, get a text message, call them up, call up

the office. If you get a message to call a phone number about your credit

card, call the number in the back of your credit card. Try to find a

safe, reliable channel and use that to verify. I get calls

all the time from my staff that says, did you send me an email to

do this? And I invite that because it's like, you should be using

second channel verification, and it's incredibly inconvenient. And

that's how you know the security is working.

If it's convenient, it's probably not as secure as you'd like. Yeah,

well, I mean, that's an interesting point because people like convenience.

There is a tension you could just feel like, between convenience. I

mean, I have to log in

to my account using two factor authentication

for both my work and my personal stuff. And I know

it's annoying, but I know why.

And Roblox apparently must have some really

hairy security stories because

their captions, their two factor authentication,

I mean, it's pretty rigorous. And

my eight year old, he's, like, complaining about I'm like, no,

there's a good reason for this. You got

to protect the kids, but also kind of train them early. Oh,

yeah, I like that. Yeah, it's a great idea. I was on a

panel with a colonel from Disa, and he said he went on vacation

and he got bit by a spider on his hand and came back to work.

Went into the office, started working, and ten minutes later, armed

guard showed up at his desk. And we forced him to identify

himself, improve his identity, because his typing cadence had

changed. Wow. We're

starting to get to the world of the military is doing things we're

not thinking of, and eventually we're going to have to do those things. Right. So

Dwayne smiled when you said two factor authentication, and I want to know

why. Okay. All right. I get the sense

it's like the tooth Fairy, right? Like, you want to believe in it, but it's

not as effective as it is as it's supposed to be. No, actually.

So, interestingly enough, Google and Microsoft both have released

independent research that says two factor auth will

mitigate about 95% to 98% of most common

attacks, but not everything, which is fantastic. We love using it

because we look for the gaps in between systems. So there's

a couple of two factor authentication providers out there that allow us

to verify that you have valid accounts and that sort of stuff, without actually

yeah, there's all sorts of once you start digging into the APIs of two

FAS, some of them are easily bypassed, some of them are easily mimicked. Some of

them allow you to get more information you wouldn't normally get.

So just be careful. There's nothing in security. That's the panacea of security.

Right. It's the same thing with data analytics. There's nothing that's like, oh, my

God, there's this one product, and if you buy it, you know everything and you

can see into the future. No, it doesn't work that way. Right. All

right. I need to ask you about my password vault off the air.

Yes, you do. Let me tell you

password for it. No matter what you heard in the news, you should have one,

but there's one you might not want to have. Yeah,

I may have that pass.

I think we're on the same one. Well, when someone tells you who they are,

believe them, and then when they tell you again, believe them again.

Yes. That's my concern with these

password vaults, is that you are putting all your eggs in one basket,

and you don't have two arguments, really. You

could use hints in your password vault instead of the passwords.

It's less convenient, and therefore it works.

But that means you still have to use long passwords. So you might have

zip codes and phone numbers and favorite words and favorite

songs and you know what you're going to pull out of them. You'd still have

to have that cognitive presence to understand, but you can put hints

in them and then that'll let you get to where you need to be.

A friend of mine would put incorrect information

in it. Right. And he would know that's what it's same principle.

Exactly. Yeah. That is just

intriguing. So, quick question. Scrambled up symbols,

letters and stuff, or.

Better, longer the better complexity. So okay.

At our office, we break in at companies all the time legally. Right.

I'm going to keep adding that, Patrick, just for the

thank you. So when we find a hash so a hash is a representation

of a password or an account on a particular system. It's not the actual

password. We need to crack it. We need to go and figure out, okay, well,

does the word book match to this hash? No. Does the word car match?

This is a brute force technique. We're not able to reverse it, but we can

brute force it. Right. And so in doing that, we have a crack cluster at

the office. So you know the 30, 90 video cards that you might have in

your computer? We have a crack cluster that has like 40 of them all in

one motherboard. So we can guess 3 billion

passwords a second. Wow. Yeah. So if

you take a normal hash, we're

guessing let's say we're only doing

lowercase characters, it's 26 characters. And let's say

at ten character password, it takes us a day. Right? Well,

at eleven characters, it's a day times 26. Now we're at about a

month. At twelve Characters it's a month times

26. Now we're at a little over two years for twelve characters.

Now let's do one thing. So we also have a

dictionary file with 8.4 billion

passwords that have been found on the Internet through over the last breach.

Ten years. Over the last ten years. If your password is in that, we'll get

it in 3 seconds. Right. Because we can get so we also. Have to talk

about that after. Yes, for sure.

And to be clear, passwords are better. And to be clear, you're doing this

offline. Right. It's not like somebody's listening. You're not like hitting the login

page and clicking that a billion times. Let me give you stolen the hash.

Okay. Yeah. So good example, because that's a great question, Frank. So let's say

I'm trying to break into your Wi Fi. Now, there's a couple of ways to

do that. One is to try to break into your Wi Fi

system because you've allowed a remote administration, which you shouldn't

do. And then I have to guess the password, and I might be able to

minute, maybe more, but I'm

still throttled by having to send it, having to receive it. It

processing. And some of those things are going to be slow. But if I can

monitor the airwaves, which I can if I'm local to you and I

get the hash through going through the air to

someone's phone, which we will get, then we can take that home

and we can brute force it in the comfort of our own systems. And that's

offline hacking. So online attacks are harder to do

because you can't get the speed, you can't parallelize them them

parallelize them as easily. But the ones where we can do

offline, we can do those much faster and much more powerfully.

There are cool ways, though, to do online ones. Okay. Really?

Yeah. Okay, real quick, you know how you try and log into a

website and if you log in with the wrong password five times it kind of

locks you out for a period of time? Sure. So what they're doing is they're

saying five times from that one IP address. So what if you could have an

infinite amount of IP addresses, which is what

Azure and AWS will give you. So you can actually route every

password attempt through AWS, for example, and get a new

IP address every single time. You can do thousands, but you're still. Throttled by how

fast it can reply. And it probably can't reply 3 billion. Not as fast as

an offline crack. Exactly. But it can be. I'm just saying won't at some point

AWS or Azure kind of like figure. Out you would think. You

would think. Okay, no, interesting. So it's a game

of cat and mouse. They're dealing with amazing amounts of

traffic. Eventually, maybe there'll be an AI that helps, but then we'll use our

AI to fight it and it'll be and. Then the Robot Wars.

And I would imagine that Microsoft has bigger fish

to fry and AWS has. Bigger fish to fry. Problem is, if you're

not using Amazon, you just use a botnet and then there's

no limitation on that. I got you. Right. And for

the education of our audience, just in case you may have heard it in the

news, what exactly is a botnet? I think I know what it is,

but I want to hear it straight. From the when hackers take over systems,

they can do various things with them. They can ransomware them, they can steal your

personal information and do identity theft and credential theft. But they can

also just turn your computer into one of their slaves and it'll be a

zombie in their army. And they get 100,000 of these systems. They could do

Denial of Service, they can rent them out. Think of

Coin, I think was a thing for a while. Yeah. And honestly, what's interesting,

talking about data trends, you start to see ransomware

attacks on systems go up when bitcoin's

value goes down. So if it's

more advantageous for you to use those systems to mine

coins, that's what they do. But when it's not, then they just switch over to

ransomware and they start making more money that way. So you keep an eye on

that market and, you'll know interesting. Yeah,

interesting. So they make money, whoever they are,

they make money on the way up. One way or

another. Yeah, exactly. Right. You have to admire they're business

savvy. Oh, it's impressive. You shouldn't, but you

can rent a botnet, rent a ransomware framework.

So let's talk about one thing. There's different levels of threats. So the

kid that's walking through the parking lot trying car doors to steal stuff out of

a car is not as much of a threat as the professional who knows how

to break into a vault. And there's

fewer of that latter than there are of the former. So what you're

trying to do is you're trying to build up enough defense that the threats that

are likely to come your way are going to be thwarted. You can't stop

everything if Dwayne comes after you, I can confidently

say we're getting you because that's what we

do. And we're not script kitties. We're not amateurs, and we have a lot

of capabilities, a lot of software. Some of the software packets we use cost

$60,000 a year. Wow. Hackers sitting in their basement

aren't doing that. We're a different level of organization. But you

want to prepare for the highest level you can so that things

bounce off you. Isn't that referred to as

advanced persistent threats? Yeah, we would represent

an advanced persistent threat because we can do things and

spin up resources that aren't available at the lower levels. The lower levels

are like kids in high school that are just

trying to make a name for themselves. And then there's the we

actually have a slide called the Pyramid of Threats that goes through all this. And

the next level would be basically a

stalker, technical stalker, somebody who's a little bit of a techie and is mad at

you and comes after you. That's very personal. Kim Jong

UN is probably not your stalker.

Probably. The next level is the criminal syndicates who are just in it for the

money, and they're going to go after the softest target they can

find. And if you make it hard for them, they're just going to go away

because you're not what they want. They look for another target. And then you get

up to organizations like ours that work with enterprises and

governments and billion dollar entities, and then you get to governments themselves,

which, when we talk about Mitigation, we have levels of what you need

to do to stop the script kitties and everything else. And the top, when we

get to nation states, it's prayer. Yeah. There's not much.

That'S perfect. Yeah. What's fascinating,

though, is I remember reading Bruce Schneier wrote a book on

cryptography, which is probably still a vaunted

tome, but I remember one of the things

was he didn't say exactly what you said, but he

phrased it differently. If you're talking about cryptography. There's cryptography to keep your little

sister out of it, and there's cryptography to keep nation states out of it. And

that's a very wide spectrum.

Even though he wasn't writing about cryptography, it sounds like the same philosophy

holds true. There's also a duration aspect. So if I'm firing

artillery at you, I need the coordinates those are going to land at to be

secret for about two minutes, and then after that, it doesn't matter. Then it doesn't

matter. Right. But if it's nuclear missile silo locations, I need that

for decades. Or mineral depots or things

like that. So there's a time duration that also. Factors

in which actually, I think is a good topic of something else I'm

fascinated with is quantum computing. And I know that

you're laughing, so that I know there's a good story behind this. I have a

podcast on quantum computing called Things, and

it's the only topic that shuts Dwayne up.

I'm going to go do something else now. So that's why I saw the eye

roll and then you were laughing. Okay. So the reason why

people are kind of because in the security space and in the government, there's this

whole thing of how do we get post? Yeah. Shore's law.

So Shore wrote this algorithm that could theoretically

break how we do

cryptography now is largely based on it's hard

to reverse factor prime numbers. It's the discrete log

problem. Right. Which underlies RSA,

diffie hellman and elliptical curve. Oh,

elliptical curve, too. Yeah. I thought that was meant to be post.

Okay, well, they thought so, not so much. Oh, is this the one that

was broken? And don't worry, listeners, we'll unpack

this. That was the NIST psych. It was an

implementation break. So if I can just give a quick

reel. No, please do. There's a lot to unpack here, particularly. For folks that are

I'm not an. Expert, but I've got a podcast for the last two years on

quantum computing called Entangled Things, and it's a great

way to learn a topic really well. I took the MIT courses.

Peter Short was one of the professors, and so he came up with a

way if we had a suitably advanced quantum computer, we could

helman and elliptical curve. Now, those aren't our

primary symmetric encryption

protocols. Those are our primary asymmetric encryption protocols. So those are

the protocols we use to share the key that then does all the

encryption. Because files and large amounts of data can't be

encrypted with an asymmetric key, it has to use symmetric. But

how do you share that key? Well, that's where the asymmetric comes in. And so

it's the key to the key drawer is really what it is. And

so if those all break, then we need replacements.

And NIST, which is one of the reasons I'm a big fan, has come out

with basically, they did a Bake off over the last five,

six years to figure out which algorithms would not be

quantum based, but would be quantum resistant. And

Crystals.org has crystals, kyber crystals,

dilithium. So you got to love the techies, right?

It looks like those kinds

of technologies are in our future as well as when

quantum finally arrives. The problem is no one knows when quantum will actually be

ready. And that's the sticking point. Is it the end of this decade? Is it

three decades? I think it's closer to the end of this decade, but we don't

know because we're in the middle of the infancy of quantum. But

the computers do exist now. But the point you're doing about

time, right? So if you need something to be secure for decades,

right now is the time to at least

try with post quantum cryptography. Because and

supposedly there are stories that there are bad actors

out there storing stuff, storing data

for later. That's what's motivating. Honestly, that's where

a lot of the money is coming from for quantum computing, is

because of this threat, nothing funds like

defense. So this has turned quantum into a defense

spending among the primary powers. But it also solves a lot of

problems, does a lot of other things. So speaking of geeky stuff, there's

a quote from one of the Ferengi characters on Deep Space Nine, and

it's something to the effect quark. Yeah, it

might even be one of the Rules of Acquisition, but it was basically something to

the effect of no one ever went broke selling weapons.

I have that book somewhere on this bookshelf. I have that too. That's an awesome

book. Yeah, not wrong. I highly recommend that book. I don't know if

it's print, but. The other thing I'd say about quantum, and I bring

this up every now and then, we have a podcast called Impact

Quantum as well. We've been doing it about a year and a half, two years.

So it sounds like we started around the same time. Wow. But it's interesting

spinning around in the corner in all of this is as

they run simulations to try and simulate

Quantum every six months or so, they go, oh

man, we can take this problem. That was going to take 100,000 years

on traditional hardware. Now we can do it in a couple of months.

They keep finding these optimizations, I guess.

And so it's like without meaning to be here already,

quantum is kind of sneaking in. It certainly

is. And I think we've just hijacked the podcast here. I

know, right? Yeah, it's all good. All these things are. So one

of my favorite shows of all time, aside from D Space Nine, of

course, is there was this British television series called, I think

was Connections. Yeah. And I think it

was with the guy who's done a bunch of documentaries, or it was

the guy who played a James Bond villain at one point, I forget. But

they would basically try to connect. I'm. Going to get a lot of

hate mail on that one because I'm totally messy.

1978 TV series. This guy, he had a bunch of

James Burke. James Burke. You're right. Yes. But he looks like a

guy that would play he was also in Game of

Thrones, looks like a mad scientist. But

he had a number of shows from the 70s into the don't know if there's

any newer ones, but you basically show how the way

we learn about anything right. Is a very siloed right. You have English class, you

have math class, and then you put your brain

on part of your brain on the shelf. But he kind of shows how one

particular one that stuck out was the connection between perfumes

and the carburetor. And that's awesome.

The spoiler alert was the Atomizer for the

carburetor came from. But there was a whole connection of

people that knew each other, who knew each other, just like today. They didn't have

LinkedIn then, but you would always have these second and third connections that you

would meet at a cocktail party or ballroom dance,

depending on the time period. And it was just interesting how these ideas would intermingle.

Another story I like that kind of illustrates that, is that apparently there's some cafe

in Vienna where Freud would hang out, einstein

would hang out, and so would Vladimir Lenin hang out from time

to they did they have conversations with each

other? I don't know. But just the fact that they were in the same coffee

shop around the same time opens up the thing of

did Einstein say to Freud, like, hey, can you pass the sugar? And

then, you know, that's what your mom said, or something

like stupid stuff like

or or Lenin would have said, is it really your sugar?

But you have to wonder. These little type of chance

encounters, those are the types of things that the thought of which fascinate

me. Yeah. It is impressive how some of the modern

day, you think brilliant inventions, and when you unpack them, you're like,

it was a lot of little steps and a lot of weird connections that happened

that brought this thing about, right? Yeah. And Quantum to me, is still

mind blowing. I'm working on breaking into conventional systems

for now. I'll break into Quantum systems later. Well, yeah, I mean,

eventually anything can be broken,

apparently. You can watch the movie War Games, and War Games

came out at 83. I would have been impressionable young youth,

and I was just fascinated by that movie. And there's a scene

in there where he smugly turns to I guess it would have been Ali. Sheedy

like, anything could be broken.

Like, if nothing has ever been such a

timeless, a just existing is kind of like a

vulnerability. I'm telling you, those movies

all right, how many of you are fans of Sneakers? Oh,

yeah. Well, that wasn't Robert Redford.

Yeah, that was the one where I. Was like, okay, if there's a job in

the real world to do that, that's what I want to do.

Social engineering, right? That was the first time I saw it. Oh, my

gosh, I just love that. Movie because it showed,

like it's not just the obvious, right? Like the thing where the

guy who was blind was playing back with tape

whistler was playing, like, the tape. Okay, well, what did the road sound

like? And he goes, he described he goes, did it sound like this? I was

like, no, a little slower. Oh my God. I was like, So you were on

that highway? It was just like but that was one of those

moments where you're like, wow, holy crap. That sort of thing possible.

Where he's listening to neon signs as they're moving the mic around, and he's like,

no, that's an exit sign. And they're like, Dwayne, do you want. To talk about

the way you hack a database without actually reading any of the

data? So awesome. Based on denials. Have you guys ever heard of blind

injection? No? Okay. Blind injection is the coolest thing ever. So let's

say we go to a website and it's blackmagic, it's like

voodoo stuff. You go to a website and let's say in the website, all you

can do is you have a little drop down and you can change the language

of the website. And that's it. That's all you can do. No login screen? No

none of that stuff. But in that drop down, as a website owner, you

keep adding languages. So you add French and you add Spanish and you add whatever,

right? So that pulls it out of a database. So what

I can do is, even though I don't have

the ability to inject data, I can stack the query for

the language, and then at that point, I have the ability

to gauge how quickly the web page comes

back, so I can say, okay, give me the language

Spanish. And if the first column in

the first database is

an A, then pause for a fraction of a second

and the page will pause for a fraction of a second.

So you can pull all the information out of the back end database just by

how quickly the page comes back to you, whether it's two milliseconds

or five milliseconds or ten milliseconds, just by blindly injecting, which

is awesome. Yeah, that's insidious.

The first time I heard about SQL injection was actually at a Microsoft like,

dev days thing in New York, and they built this

website, I might have been Channel Nine, which for our listeners, they know what

Channel Nine is, but it was basically like a community site where they would post

content they since killed. It rebranded it's been

rebranded to learn. TV or something like that. But

I was on channel nine. You were

half microsoft flew me out to and five other

hackers flew us out to Vegas to break into a casino and

they did a half hour long, like breaking into

casino. So we did injection. It was called the code room. I remember the code

room. I got to see if they've archived that.

We have to check it out. You're like that guy in Oceans Eleven, right?

I'd like to say it's the only time I've ever been walked through a casino

in handcuffs, but whatever. Anyway,

another show. Exactly.

No. So the same team that built Channel Nine, this would have been early

had shown how they did this challenge, like, who can

hack this? And basically somebody had basically said, well, your database sent

the email back saying, know, hey, this is what your database looks like. And everybody

at Microsoft was freaking out. And it turns out it was a SQL

injection. But when I first heard that, my mind was blown like I never thought

of cool. And the wife

did nix the idea of naming our kid Little Bobby Table. Bobby

table, right? Missed

opportunities right there. Right? Little Bobby tables.

Which if you don't know that story, you have to Google it because the

Xkcd cartoon does it. Those are excellent.

Brilliant. One of many.

So this is awesome.

We've talked about OSINT, but there are other disciplines in this. Oh, there's, there's, there's

Red Team, Blue Team, pen testing,

auditing, auditing, CNA

certification, accreditation. Being a good developer. OSCPs.

Oh, yeah. Just not being a bad developer using oh my God. Well,

that's really true.

Oh, Patrick. You froze Patrick. I think we lost him. We lost

him. So while we're hoping his video

comes back, I will tell you a joke that

because when my first child, I think I'm back.

You are back. So think about building a house. And then

afterwards you say, okay, now secure it. You got to replace all the

doors. You got to think about Windows. Now, it's much more expensive when

you build anything, whether it's hardware, software, or anything,

if you start with security in mind, it's much cheaper. And so really, security is

a job for everybody. Data architects, SQL

administrators, network, file systems, Nas

administrators, everyone. And then there's the ones who are just thinking about

security all the time. But we have to make it pervasive. We have to make

everybody think about it. Well, I mean, that's a good point, because there's

an acquaintance of my wife who does I forget what it's called, but it

was basically physical security. He does all kinds of security, but one of the things

that he does is more like the stuff you would see

in movies where they follow people. They kind of

do kind of like the lock picking and the lock picking, stuff

like that. There's actually a video on it might have

been from Defcon where breaking into like 50

places in 50 days or something like that. But

I was talking to this acquaintance of my wife and no

names, but he basically that's one of the jobs that he

does. He's contracted to do that. And

he'll get some interesting things where they

have some really good stories. This guy. This guy's. Stories. So one story

was he's testing out a new data center for

someone, and they want to test the security. And he's

like, okay. Takes a look around outside, he walks in and he goes

and the customer says, well, when do we start to test? And he goes, has

the paperwork been signed? He goes, yeah. So he looks at this

bulletproof door, and then he's got these giant

boots. That's what he always wears, these giant boots. And he just basically looks

around. He goes, and the paperwork signed, right? He talked to the lawyer who was

there. He goes, yes. Paperwork signed. And he turns to the customer

once again, he goes, Are you sure you want to do this? They're like, absolutely.

We're secure. We'll get it. And then he does and he does this, like, karate

kick, and he's a big guy. Basically knocks down the

bulletproof door. Oh, my God. Because the bulletproof door was not on

reinforced hinges. Sure, but it was just kind of.

Like the description that he gives of

whoever was the chief security officer's face just blew color drained from

his face. We've done physical security and seen

bulletproof systems where they were installed backwards

so that people attacking could have taken it out.

Because the hinges you have to think about where the hinges are and where the

nuts so when you disassemble it.

We lost them again. Oh, no. Sadness. I want to know how

it ends.

So while we wait for him, there's this TV show called Burn

Notice, which always has some oh, I love Burn Notice.

It's one of my favorite shows. Yeah, well, the one where the drug

dealer and I love how he does like the voiceover. He

goes, this drug dealer has a bulletproof angel.

Angel. That's right. Sugar. Sugar. Sugar. It was sugar. He lived downstairs

from him. He shot the door. He shot through the door. The wall. The

wall. No, the wall. He's like, yeah, but there's not bulletproof drywall.

The way he says it was funny. Yeah, I highly

recommend I forget what service it's on, but I discovered it because

it was on Pluto. They had a channel that was just burned. Notice.

Twenty four seven. And then like 7 hours later I was like, oh, my God,

7 hours. It's that good of a show.

So you were talking about the before you froze up, you were

talking about the hinges.

Oh, I'm sorry. I don't know what's going on with my Internet connection. I apologize.

No worries. You're probably in the middle of a hack.

Dwayne is actually hacking. Yeah. Let me stop. Hold on.

So my password is 54 characters long because he kept telling me what my password

was in the Smarmiest voice

possible. How many years would that take to break

all of them? More years than we all have. Until

I get quantum computing comes up. To speed, then we're good.

Probabilistically. Yeah, I think I was just saying

that you got to make sure you think about where the hinges are, which

direction they're facing and stuff like that, but it's

mistakes. If you look at the news of the day, it's

misconfigurations. It's social engineering,

and it's getting more and more complex, and so we're having a tough time keeping

up with the education, which is why podcasts like yours and ours are so

important. No, absolutely. And you're right. Security is

everybody's businessweek.com. I've got to

check that out. And you got the.

Oh, my God. You need a we did it. Yeah,

we.

Were talking about you were talking about the physical security part. I did a little

bit of that back in one day. You were in the military, so you

did a lot of the back. Yeah, think about it. At least

the National Guard stuff. But it was interesting because

being in Virginia and working with a little bit

of physical security here, it was amped up a

notch. Same way Frank's in Maryland. Same way in Maryland, if you are in

driving distance of important places, you

know that there's no need to give anybody any more ideas,

but occasionally, somebody would

do something clever. And the gist

of the story, kind of the moral of the story was they didn't beat the

electronics. No. They beat the.

Was. And it's the same thing with social engineering. It's the same thing with

all of this stuff. So hopefully I didn't say too much. Frank, you may have

to take that out. I don't know. I

live now. I was being the tomahawks on its way. Andy.

We have the watch lies come back on, but

no, I live up the road on Route 32 from if you know, you know,

from places. I know from places from places

in and around that county and the next county. There's a lot of

office buildings know, just have no signs on them, have

suspiciously high degrees of security, and they. Don'T like when you

pull up unannounced. Oh, my. No.

So right next to where the Microsoft Reston office used to be,

there is an unmarked building with

a high number of security. And one of my former

bosses who drove down from Pittsburgh, his first trip to the Rest in

office, he missed the turn, and he was trying to turn around inside that

parking lot. Yeah, no. And yeah, he learned

very quickly. He went back up. Severe tire. Not that

parking. No. Well, I mean, law enforcement showed up pretty

quickly with seconds, and they're like, what are you doing here? And he's

like, I'm just trying to get the money. Just turn around. Like, sure you are.

So ten years ago, my daughter was moving out of

a place that she was renting down in Boston, right by the VA hospital.

She was finishing her senior year of college, and I had

a U Haul truck. And I took the U Haul truck

and parked it in the VA parking lot because I'm a veteran, right?

And I moved a barrier to do it because I'm a veteran. And I

parked it. And then I went and walked through the woods to where her apartment

was to talk to her and left my 17 year old nephew in the car.

And the cops came, guns drawn,

like, Open the truck. Open the truck. Oh, my goodness. Okay. And

he opened the truck. It was empty. They're like, what are you doing here? And

he's like, oh, my uncle. And he's like, this better not be here when I

come back. I came back, and he's like, telling me this story. I'm like, I'll

be fine. We're leaving now anyways. And we leave, and the cops coming back, and

I'm like, I wave. That's funny.

Yeah, there's a lot of good stories. My first day at Microsoft

not my first day, but my first speaking gig, because I was doing a developer

evangelism then was at a nondescript office building in and around the

Bethesda area. And I've driven past 100 times, never noticed

it. I still think

to this day it was a hazing thing, right? I was a last minute

replacement for somebody else, so my name wasn't on the big list. So I

show up, and I wasn't on the big list. And then the guard

looks at me and was like, well,

why don't you go over there? I'm like, uhoh

all of a sudden, out of nowhere, this normal suburban looking building

like, armed machine guns meant it was just like, oh, my God.

Like dogs sniffing around the car. It was crazy.

And the guy with the heavy machine gun said to me, you want you to

sit in the car and wait for Ain't getting out?

And so finally, they did manage to get in a hold of somebody, but it

was just kind of like, oh, my God. Yeah.

So I've been drawn on at an air force base. We

went in to do work, and I was working with I won't mention the military

contractor, but military contractor. I wasn't cleared for the particular

intelligence systems, but I was helping them do security

work. So the contractor had to type,

and I had to tell her what to type. And after two days, she's like,

listen, I don't know what you're telling me to type anyways. Doesn't matter, right? Just

sit down and type at the computer. I was like, okay. So I'm sitting there

typing. After a couple of hours, she leaves. A fully uniform guy comes in

like, what's your clearance for that system? Oh, my God. I don't have any clearance.

Pulls his gun, pulls his gun. Is like, don't touch the key.

Step away from that keyboard. And I was just like, I got to get shot.

Yeah. Back up slowly. Yeah. No, that

was probably the scariest cyber incident I've ever been

in. Well, it's interesting because the

cybersecurity world, I think, is really an interesting

space for a lot of reasons, but it does blend the physical and the real,

right. The kinetic and the virtual, as I've heard

said. It's fascinating. Yeah.

You know what, we didn't get to our questions. I

know, I'm okay with that. This was an awesome

conversation to come back. There you go. I love

it. So we will ask this because

you told us in the virtual green room you didn't want to be

advertising your company and that sort of stuff, but we ask everyone,

where can people learn more about you? And feel free

to plug your business. Our website is

Pulsarsecurity.com. We're in a weird situation

because we have very high end cybersecurity talent. We have

several billion dollar customers, and we try to do a lot

for community school systems, things like that, on a budget. So cool.

But we're really not looking for a ton of customers, which is

a good place to be. So we're mostly promoting the podcast

to say, that said, we do try to help people who need

it, but we also have to pay a lot of cost for that high end

software that makes sense.

Securitytheweek.com, podcast.

And entangle things. Okay. Entangle things. Okay. So

before you go, there's one question I think that everybody who's listening to this is

probably asking themselves, if you're not in the security field, how does

one get started? Where does one get started?

You mentioned, like, pluralsight, LinkedIn. There's all sorts

of training out there. If there was this much training when I was a kid,

I would be way smarter than I am now.

You just have to start going and surveying. I tell people they

should start a mile wide and an inch deep. They need to learn

terminology. They need to learn what is SQL? Well.

SQL injection. What'sql? You have to understand what a database is. You have to understand

what a file is. You have to understand what Red Hat is and

what Kali is and what Linux is. You need that basis. And

then you can figure out where your niche will be. Whether you're going to be

an auditor, or a hacker, or a red teamer or blue teamer

or project manager or whatever. Because it's kind of like saying,

I want to be in security or I want to be in technology. That's like

saying, I want to be in medicine. It's a wide range. You need to just

start getting that understanding so that when you listen to a

podcast or read an article, you understand what they mean when they

say deployment or compile. That's where you

start. You start with the vocabulary. And I'd say the other thing is reach out

to companies. I can't tell you how many times I have people reach out to

me and say, hey, listen, I'm interested in cybersecurity. What should I

do? And we'll do things like, I'll have them sign an NDA

and bring them on an engagement. See if this is for you before you actually

go. And just watch and ask questions and use

it as a training event.

So it's things like that. I think you'll find

companies out there who are just there's so little people in the cybersecurity space.

They're just willing to help and educate and see if this is a field you're

interested in. Also, we are summer program

True with interns that come in with

us. We're working with high school in the area

for kids that it's a Stem high school

bringing them on and having them do their required hours just to get

a feel for what it's all. About, what it's like. Yeah,

right? And that mystery voice is Jill.

Just for the listeners that are like. Who was somebody broke into the podcast.

That's hilarious. Nothing's safe.

Okay, Joe. We didn't say your last name. We're good. Yeah.

That's really interesting to know about the intern program. My

daughter is headed to Virginia Tech for computer science,

and she's looking for I don't know if she'll want to do

cybersecurity, but if she does now, I know some people. Yeah, there you go.

Have her reach out. Because, honestly, even if she just wants to sit in and

watch what a Red Team engagement looks like, I've had people my son's 19 years

old, and I got him to intern and look at engagements, and he came to

me after, like, a year, and he was like, hey, dad, you know what? And

I was like, yeah. And he's like, I hate this. This is not yeah,

this is not for me. That's a good thing, though, right? Because it's a

great thing. Did he say this or you

fire targets down. Tell him his 54 character

password. That'll get.

Well. This has been an awesome show. I hate to end it, but all good

things must end. But we'll definitely have you back, because this is a field that

I think and there's topics in my head that we didn't come up with. Right.

The idea of how do you secure data from

the source to the end, right? Because if you're training these AI

models, particularly with something like a

Kafka stream, what if you inject bad data in? How do you detect that?

A friend of mine was talking about there was some talk of using

blockchain technology to kind of

authenticate data transactions. So that way when you're learning

it, you have kind of a trail to it. And obviously that could probably be

another hour episode right there. But in the interest of time,

we'll definitely love to have you back, and. We'D love to join

you. Any parting thoughts? Stay

in school. Yes, stay in school. Use long. Change your

password. Right? And keep listening to this podcast. It's great. That's

right. And the other ones? Awesome. All right. And I'll let the

nice British lady finish the show. And that,

dear listeners, brings us to the end of another riveting episode of

Data Driven. I hope you've all enjoyed delving into

the mysterious world of cybersecurity. I must

admit, the idea of advanced persistent threats and hacking can be a bit

unnerving. But, hey, who needs beauty sleep when you

can have nightmares about hackers instead? As we sign

off, I'd like to extend a big thank you to our guest speakers, who shared

their insights and experiences, including that rogue AI of

theirs. Remember, folks, hacking might be a

dark art, but with great knowledge comes great,

um, well, cybersecurity skills, I suppose.

But wait. Before we biddered you, I'd like to remind you all to

secure those passwords, enable two factor authentication, and

resist the urge to click on suspicious links.

Because, let's face it, no one wants to wake up one morning to

find out their bank account has been drained by a hacker named Dwayne.