Security Happy Hour

An Odyssey Through the Cybersecurity Universe with Crypto Knight

September 01, 2023 The Cyber Warrior Episode 142

An enthralling odyssey through the cybersecurity landscape awaits you in this episode, as we're joined by our esteemed guest, Crypto Knight. With a rich tapestry of experience, from his tenure on the board of (ISC)² to implementing the first real-world SAML deployment, our exchange with Crypto Knight offers a journey that is both insightful and enlightening. He walks us through the intriguing labyrinth of his professional life while shedding light on a foundational idea: finding the sweet spot at the intersection of passion, skill, and mission.

As we traverse the depths of the cybersecurity universe, we encounter subjects that are central to this field. Brace yourselves as we navigate the ethical framework that guides security professionals, the potential hazards that come with the territory, and the unique role CISOs play as truth tellers. We also shed light on what happens when companies fail to act on disclosed vulnerabilities, a situation that brings with it a host of risks and responsibilities.

Moreover, we plunge into the heart of ethical disclosure, responsibility, and the pivotal role the professional community can play in sharing knowledge and experience. Crypto Knight also imparts his wisdom on the path to breaking into cybersecurity, the weight of certifications, and the necessity of continuous learning in this perpetually evolving area. So, whether you're a seasoned professional or just stepping into the field, this episode promises to be a captivating odyssey.


Speaker 1:

And it is me, the Cyber Warrior. This is Cyber Warrior Studios and I know you were all here for another amazing episode of Security Happy Hour, and yes, this guest was last minute, but you knew the show was gonna go on, so if you weren't here that's your fault, because I do this live every Friday at 7 pm Eastern time. But either way, look, I'm here, we're gonna have an amazing show, a lot of great topics, so I'll be back in just a second. And we're back, and that's right, it is me, the Cyber Warrior, and hold on real quick. There it is, the official kickoff of Security Happy Hour, and with me this evening I have Crypto Knight, who goes by some other names. I will let him give those names if he so chooses. Otherwise, thank you for joining us this evening.

Speaker 2:

No worries, happy to be here, you know, chilling in the backyard in the glorious sunshine in central Ohio, and happy to contribute to the community, as always, because it's all about giving back and that's the biggest thing and that's why I do this show.

Speaker 1:

It's all about giving back to the community and making sure, you know, new people get to understand and kind of get their voice heard, especially for newer people that are trying to break in. So it is very vital that a lot of the information that we give out on this show benefits that. So, first and foremost, why don't you give a little bit of introduction about yourself, because you have been in the field for a while, so you'll be able to give them kind of life experience and people can actually understand why you know your shit. Yeah, yeah, well, the gray in my beard is not a mask that I'm wearing, it is legitimately earned.

Speaker 2:

I've been doing security full time since 2000, mostly Fortune 500 stuff, a whole lot of architecture, security and identity, journey-to-cloud kind of stuff. And before that I was a developer doing a whole lot of client-server stuff, and I said, hey, we got client slash server. Nobody does the slash, which is networking, so I'm going to focus on data center operations, et cetera. So I did a lot of networking, server installs, a whole lot of screwdriver work, fantastic stuff, and I just played the field a lot across security.

Speaker 2:

And now it's awesome because I get to do full-time security and identity strategy. It's mostly what I do, although I do play in tangential spaces like BYOD and making that happen, and like I said, journey to cloud, helping some companies get there. So it's a lot of fun. And along the way I started acquiring some certifications, and I actually was on a project with a guy who was on the board of directors of (ISC)², and I had seen the letter that came out when they first launched. I was like, oh, that's so cool. But at that point there were like two exams a year and I can't afford to fly to California and blah, blah, blah.

Speaker 2:

And he said, well, why don't you come help us develop our certification? So I did. Long story short, a couple years later, through a whole lot of volunteering and whatnot, I found myself on the board of directors of (ISC)². I started there to add some governance, to add to the ethics program they already had and take it further, et cetera, and to establish term limits. And then I termed out because I added term limits, and I came back later and now I'm on the board of directors. (ISC)² just voted to do what I originally planned. Yes, good for the organization, good for the industry, bad for me, which is a hard stop term limit. Six years, done for life. And so a year and a half from now I'm out, having successfully pulled the ripcord to say, yeah, term limits are a healthy thing. Let's do that.

Speaker 2:

And it's been a really cool trip and I've seen a lot of cool stuff. Probably my biggest, coolest thing that I ever got to do: I was the security architect and technologist that did SAML for the first time in the real world. That was in late 2001. We went live, I think, January 6th of 2002-ish, like right around there. So yeah, 21 years ago, first SAML in the real world ever, and that was really freaking cool. Got to do a lot of fun stuff with federation and helping organizations solve this whole security challenge around identity, and it led to a pretty cool trip from that on. So yeah, I've had a lot of fun and I found a profession that I would totally do for free. But don't tell my employer, because I want to get paid. Don't tell them how much fun I'm having because, oh my gosh, I would do this for free. But I got two kids in college. I didn't make tuition payments.

Speaker 1:

And that's the big thing, right? You never work a day in your life if you love what you do.

Speaker 2:

That's it. That is it. I actually talked with one of my profs when I was in school. We were like locked out of a room having a chit chat and he said kind of the same thing. He said, don't tell the university how much fun I'm having, because they'll stop paying me, and if they stop paying me, I'd still show up and do what I'm doing today. And when you can find the intersection of what you love, what they will pay you to do, what you're good at, and, I didn't figure out the fourth one until I was 32, what is aligned with your mission.

Speaker 2:

And that is, oh my gosh, it's so good. So good. Because I woke up and I was working at BMW Financial Services, great company, but, and I'm not slandering them, because they don't sue me, they kind of exist to be able to help people afford BMWs they normally couldn't afford, so their neighbors can look and see the BMW in their driveway, and that is so far from feeding starving children. And I was like, oh, I need to switch industries, because this is not missional. Yeah, that's huge, it is. It is alignment with whatever your mission is. I can't tell you what your mission is, but whatever your mission is, that's enormous. And the position that cybersecurity occupies is a position of trust, to be able to protect economies and people, the innocent, the disadvantaged, and be able to enable missions to be successful.

Speaker 1:

It's pretty rewarding work, it is, especially if you get into the right area, and so this leads us into the future state, though. This is one of the things I want to discuss, because we see a lot now of consulting firms, MSPs, MSSPs, all these different things that provide security for a lot of different organizations. Their whole premise is to secure as many companies as possible, which is great on the outside, but from the inside, if you don't agree with, say, one of the corporations that you're dealing with, because you have to secure them, that's your job, that is your mission, that is what you're supposed to do while you're there. How can you come to terms with the two in the future state? Because I see a lot of organizations dropping their security people, and so the only jobs left are going to be these consulting and MSSP firms.

Speaker 2:

It was really interesting. I don't know if I have permission to mention my current employer. Anyway, I won't go there, because Google works, so you can figure it out. So when I interviewed to work for them, and my two-year anniversary was like two weeks ago, so yeah, a lot of the questions I asked them were on values and ethics, and they were a little surprised at that, but I really loved the conversations I had and found out about, you know, what their values were, and I said like, hey, what companies won't you work for? Nobody really asked us that question before.

Speaker 2:

Not that they don't have ethics, but it's like they hadn't had instruction in that way, and if somebody came along like, hey, we're Hezbollah, help us secure our stuff, they'd probably say no, but they hadn't really thought about it at that level. Other folks had. They reached out to them. Oh yeah, we actually have a list. I mean, I'm not saying this is the right list, but you could list out gambling, liquor, pornography. I mean, at what level are you going to say, not for us?

Speaker 2:

A buddy of mine was with Cryptography Research, with Paul Kocher, and, like you know, side channel analysis, really cool shit, and they decided as a company, CRI, and what an influencer in the business, holy crap. In the early days they said, hey, what are we not going to do? And there was a lot of money to be had in the late 90s, early 2000s with protecting pornography. Right, yeah. But they said, no, not for us. We'll have a discussion if something else comes up, but we're just going to stand, and I applaud them for that. They just said like, that's just not who we want to be, and the notion of being able to express your ethics in a way of being able to state yin and yang, super important.

Speaker 2:

So a discussion of values, and I found this, I started doing this a couple years back and I encourage those of you listening in to have that discussion. And when you're interviewing, let's talk about your values and your culture and what you hold dear, and what's that bright white line you're not going to cross. And what do you say yes to, all in, done, done, done. Let me know that, because if you are in a corporation that's not aligned to your values, every day is going to suck. That's an interesting concept, because a lot of people, especially for those just breaking in, are just trying to get hired.

Speaker 1:

They're not thinking of the values of the organization. They are thinking of what's going to pay my bills, what's going to get me into the field, what's going to do what I need to do, and so, from a standpoint of ethics, I think that is something we lack, is holding true to our ethics. Yes, do you have a compass? So with that, why don't you let people know kind of what are your ethics when you're looking at things, or kind of how do you view ethics here within cybersecurity?

Speaker 2:

Yeah, yeah, so kind of the backstory here is I have been serving on the (ISC)² board of ethics, or the ethics committee as it's formally called (it actually has a different name, professional practices, but essentially it's the ethics committee), for I think 11 of the last 16 years in one way or another. And how this works out is one of two ways. Either a member will formally raise an ethical allegation against another for an ethics violation, which, thankfully, as it may always be so, is rare, or, which happens a lot more, there's a questionnaire when you sign up to (ISC)² to go off and take one of the many certifications, of course the flagship being the CISSP, and when you sign up for that, it asks you if you've ever been convicted of a crime, amongst the many other questions it asks, or if you have, and forgive me, I should have this memorized but I don't, it's something like, basically, if you have had a dishonorable discharge, if you've lost your license to practice as an attorney, been disbarred, that kind of thing, and disclose that. And because of the popularity of (ISC)², which has just skyrocketed in the last two years, you know, there are quite a few of those cases where somebody comes forward and they made an unfortunate decision years past, and it's everything from got caught with a joint 27 years ago to almost anything you can think of that somebody would serve time for, like drive-bys, child rape, arson, I mean the whole nine yards.

Speaker 2:

Because you're talking about, you know, hundreds and hundreds of thousands of people that would like to have this certification signing up for it, and any time you take a population of hundreds and hundreds of thousands around the world, you're going to have a population of felonies that get brought into it, and go like, not for you, no, get me out. And a lot of what they do is, that aside, is this something that would bar you from holding the certification or being in the community, or would not? Forgive me for the backstory, kind of like I had to go there and get through this, but that is one of the big things that frames my moral compass. Right, it is a duty to society, a duty to my principal, who pays me, right, a duty to the profession, right, and that code of canons, every word being very carefully chosen. I encourage you to go out, look for yourself at the.

Speaker 2:

Is where the code of ethics. Anybody can look it up and see it. It is pretty well considered and it's a pretty good compass. What it doesn't specifically call out, it's alluded to. I go a little more formally there. It is, at least when I last looked, in the ISSA code of ethics and it's in a couple others, the public certifications I hold. It specifically calls out not raising false alarm or false comfort, and it's buried within the ISSA's word code of ethics but not called out explicitly.

Speaker 2:

And those are two really important concepts, that you're not saying the sky is falling, this will take us down, or everything's just fine here, this is not the joys you're looking for, go away. Either of which are completely deplorable, because we as cybersecurity professionals hold a particular trust. Just as you trust an attorney to interpret law, you trust an accountant to interpret tax code and help you keep out of trouble with your finances, organizations trust us. And I literally have quit three jobs over ethics, which is probably, I'm way out there, six sigma on that, you know, like that's pretty far out in the bell curve. But I have a few times been asked to either provide false comfort or false alarm, and I've raised the issue and, unfortunately, keep being dissatisfied with the answers I get from the office of ethics, et cetera.

Speaker 2:

And Bill Murray was one of the founders of (ISC)², not the actor, he just happens to have the same name as the famous Bill Murray, but he's the guy who basically drove the program to deliver RACF on the mainframe and came up with a practice. I suppose you could call him the father of IT audit, which is like, I mean, think of that. The father of IT audit. How big are practices? That's millions and millions of people. And he has a number of sayings I quote from time to time, because Bill Murray is very, very wise, but, you know, he talks about the fact that we as a profession, we're quick to rush to judgment. We smell smoke, we think fire, not barbecue. Right, but he also talks about how integrity is the only coin in our realm, and I have adopted that. Without integrity, we are nothing. Now so.

Speaker 1:

So, with that, though, right. So we talk about ethics and you talk about all the things that potentially, and I think about this from a military standpoint, being a veteran myself, you know, I despise security clearances, not because of what they are, but because of what they're not. When I look at people that can and will be the best for cybersecurity, I look at hackers, or not hackers, correction, I look at malicious attackers, right, those people that don't have a certification, don't have a degree, don't have anything to their name. They just made one mistake and got caught.

Speaker 1:

I look at the people that will never make a name for themselves because they live in the shadows and eventually get caught by the FBI, the CIA, NSA, any of those three-letter agencies, right.

Speaker 1:

So, with that being the case, though, they eventually get caught. They now have felony charges, they now have things that are going to hold them back for the rest of their lives, sometimes can't even touch a computer, but these are the people that have been the best at breaking into things. I'm talking people that have broken into every three-letter agency out there and eventually overstayed their welcome and got caught, because they got greedy or whatever the case may be. Eventually they got caught, so they can no longer get a security clearance, right, they got a felony. Those clearances are no longer going to be allowed or allotted to them, right? So when I look at ethics, I look at what these people have done and I think of it in terms of, they're the best for what you're trying to do, though you pay them well, you sort of what they're deserved, sort of, because they are the best at what they do.

Speaker 2:

Yeah, and, you know, this is a question, you know, there's a saying, how many angels can dance on the head of a pin, the kind of discussions, and, you know, Mr. Mitnick was unrepentant, apparently, to his dying day. I'm saddened that we have lost [no transcript] Corporation for security training, which was awesome. So I don't want to cast aspersions at the recently departed, but, as far as I know, Mr. Mitnick was unrepentant to his dying day, and, but he was a very good person, and, but he was the poster child for, should he be a CISSP, right? Or, you know, and all of that, that kind of over and over and over and over and over again, right? To my knowledge, he never applied, but I don't have complete knowledge.

Speaker 2:

Why? Why would he? Well, you know, and actually, whom, I point out, I've had the opportunity to meet a few times, so fortunate, Ron Rivest, yes, the R that put the R in RSA, that dude, so awesome for so many reasons. Why would he apply? He doesn't need it, right, dude? The guy wrote RC2, RC4. I mean, he is rock star famous. Why do you see this? CISSP doesn't, right? But Mr. Mitnick and occasionally Dr. Rivest were poster children for conversations about that, and I can tell you it's not that the ethics committee says, oh, you did this, you're dead, you're done, you're done, you're like, you're dead to me, I don't care, whatever. No, no, no. I mean, we, you know, for us to not believe in rehabilitation, for us to not believe in redemption and changed lives, that is a bleak existence. And so I think it goes beyond that, though?

Speaker 1:

Oh, of course it does, because you can only be redeemed, you can only find this repentance in cybersecurity if you're paid. Let's keep in mind, in this industry, unless you're well known, unless you reach executive levels, illegal shit will always pay more than legal shit. Always. Of course, of course it does. So if you want to risk reward people, exactly, if you want to keep these people that have been able to make ends meet and go above and beyond everybody else, you need to pay them. You don't have to worry about redemption if you're paying them at, we three a half to three quarters what they would make for doing it, right.

Speaker 2:

So, I would hope that you have a good financial plan for your future, as should we all. Yes, I would trust that from time to time you may have somebody you ask for financial advice. Could that person make more through criminality? Probably, but some of those things come with silver bracelets and that.

Speaker 1:

I've never done anything illegal. I got caught and I got a wife, right? Is, I can't, exactly.

Speaker 2:

Rule for living number two for me is I never want to use the phrase, you know, my cellmate said. I've had that rule since 1990 and it has served me very well. That's rule number two. That is a very, very important rule. Yeah, so, you know, I live my life so I never have to use the phrase, you know, my cellmate said. Now, I ride a Harley. I do enjoy like the twisties. Do I occasionally, sometimes accidentally, go over the speed limit, sometimes? Yes. I would point out, those are misdemeanors. And I do definitely try to avoid criminality, and from time to time it comes up. Right, I've been asked to lie to auditors.

Speaker 2:

It's like.

Speaker 1:

Hills.

Speaker 2:

No, I'm not lying to an auditor. I could... let me tell you what you just asked me to do, because I don't think I heard you correctly. Like, let's have a conversation.

Speaker 1:

I'll let you, boy, let's figure this out real quick. Did you really just say that? I

Speaker 2:

couldn't have heard what I thought I just heard. There must have been like some air currents moving, like, uh, repeat. Yes, and I've been asked a lot of regular, like, and you say it, they go like, oh, no, no, wait, you do this? Like, no.

Speaker 1:

No, if you don't get your PCI certification, that's on you, homie, that's on you. You didn't front the cash for what we needed.

Speaker 2:

That's your fault. Yeah, look, you signed the contract. You could have not signed the contract. You could have negotiated the contract. You didn't, so it's on you. Yeah, but, you know, joking aside, we are being a little facetious. This is a real important area where our profession gets to shine, and we're gonna be like, okay, you ignored the rest of the advice. You went skating near the edge of the cliff. Now you find yourself like Bugs Bunny or, you know, the Road Runner, yeah, actually it would be Wile E. Coyote, over the air, right, no longer on the ground.

Speaker 2:

Now what, you know? Hey, I'm in deep, deep trouble. What are we gonna do? And I've been there a few times with incident response. You know, large chicken-shaped nations are hacking in and, you know, things are getting punked left and right. What do we do? Where do we go? What's up? You know, where is our moral compass? What should we do? What now? You know? And leadership in crisis is one of the areas in which our profession gets to shine. It's not necessarily a fun place to be, but, okay, secretly chasing bad guys is actually fun, if you're chasing them and if the company allows you to chase them.

Speaker 2:

Well, yeah, and that's actually really, it was a discussion I've had to have a few times. It's like, you know, you actually have an incident. Okay, now we're talking about preservation of evidence, because we need evidence to reach chain, blah, blah, blah, blah, so go to court. They're going like, how are we going to sue large chicken-shaped nation near Taiwan? And it's like, no, no, no, no, no, I'm trying to keep you out of court. You could get sued. There are two parties we're talking about. One of them, we're not going to be able to sue. You? Oh, yes, you can be sued.

Speaker 2:

And how are you going to demonstrate you did the right thing at the right hour, making, with the information you had, the best decision you could? How are you going to demonstrate that if you don't have a chain of evidence doing the right thing, blah, blah, blah? And, you know, when things are on fire, those are tough decisions. Man, like, hey, I can't do that, I need to save first. Or I can't do that on the environment, because our environment is compromised. Send an email to blah, blah, blah. Can't, they've compromised the email server. I need to go outside. Yeah, that's a real interesting time to build a resume. But yeah, and I'm not glorifying, I'm just sharing, right, like being briefed by a three-letter agency and being told, like, that's fun.

Speaker 1:

What are you talking about? That's yeah.

Speaker 2:

You know, like, you should trust any of them. Right, you should come armed to work, and we are in Ohio, a free-loving state, so we're going to put that aside, but I was going to ask you before this show.

Speaker 1:

I thought so I got one over there, but that's the point.

Speaker 2:

Yeah, but yeah, I've been told. Like, I'm carrying, I pack a .45 to work every day. My room got rolled three times, presumably by the PLA, but chicken-shaped country, won't say who it was. Right. And a parable, a parable, we're going to get a parable, Crypto. All right, because this is free, because we're going to get into that, but okay, Elena.

Speaker 1:

Elena, actually Alana. I've had her on this show. She has done a super chat. I want to bring her question up as soon as possible, please. Thank you, Alana, for the $10. Speaking of criminality, is it worth the potential criminal prosecution for being a CISO? No, seems like that's a trend we might be seeing. That's too much accountability, in my opinion.

Speaker 2:

Well, if done wrong, there could be prosecution; if done right, there is not. You know, one of our jobs is to be the prognosticator of truth, even if it's not a comfortable truth, even if it's not a popular truth. We have to be speakers of truth, see earlier discussion. Integrity is our only coin in our realm. We have to be like, and I'm sorry if this catches you at a bad time, I've had cancer four times, survivor. Thank you very much to my doctors.

Speaker 2:

Yeah, I found out there's a stage zero. If you want to pick a stage, that's the one to pick. But do you want your doctor to say, it's probably a cold, you're probably fine, it's nothing, cloudy X-ray? Or do you want them to take you by the hand and say, look, you have cancer. We're going to get through this together. I'm here for you. And that's the role of a CISO doing leadership, to be able to look them in the eye and say what is unpopular in a tactful way, difficult communication challenges, and be able to have earned the respect of your peers by not being Chicken Little, bringing everything to them, to be rational and presenting things not in cybersecurity geeky terms, but in financial terms and business resiliency terms, and you've earned the capital to be invited to the C-suite in a moment of crisis and say, we have a problem.

Speaker 1:

Yeah.

Speaker 2:

I'm here for you. Let's do the right thing. That is really hard, but, oh my gosh rewarding.

Speaker 1:

As we're talking about everything going on, and I got a few more questions saved: do you find that the CISO, as a majority, is more the fall person versus someone that can actually secure an organization? Sadly, even though we should be switching that to where they have more of a voice, is it still they're the fall person versus the one of reason that's going to secure an award?

Speaker 2:

Let me see if I can get through this without shedding a tear. Howard Schmidt was the first cyber security czar. Friend of mine, we rode together on motorcycles, loved the guy. I got to serve with him for (ISC)², but before all of that he was CISO for Microsoft. Now, for those of you that aren't aware, before 2002, Microsoft's reputation for security was crap. Right, okay, the company I work for is 20% by Microsoft, but I speak the truth. So just so you know, I finish up a conflict of interest. But they'll tell you, before 2002, their reputation for security was horrible.

Speaker 1:

Yeah.

Speaker 2:

And I got to be in the room when they made the announcement that created the entire program. They announced it at RSA 2021 in San Jose, and they announced the program. Writing Secure Code was the manual that they released. They told everybody that put anything on the Windows disk, for the next 90 days you're not doing anything but security training. Think of what that costs. We're not like people that do fonts and pictures, right, let alone code. Huge cost, and that's crazy, because crazy secure coding.

Speaker 1:

When you're looking at something like Microsoft Word, Excel, Access, you name it, any program they're designing. You were talking about people that I've met. So I had some instructors in high school that had legitimately met the programmers for these applications. Yeah, and these programmers cannot speak to you. They have, because of how intelligent they are, because of what they know and how they do things, they legitimately, their minds don't work that way. They have zero, close to zero, social skills in talking.

Speaker 2:

I wouldn't go that far, but wicked sharp geniuses, and they completely changed their culture around security in 90 days.

Speaker 1:

How did they go from make this shit work yeah, to make this shit secure and work.

Speaker 2:

Tone at the top. Bill Gates, at the helm of Microsoft, wrote three memos that changed the course of Microsoft, and I wish I could remember number three. I can't, but the first was, he said this Internet thing is a flash in the pan, it means nothing to us. And he wrote a memo saying, I was wrong. We're all in on Internet. And the second memo was, I was wrong about security. From this moment on, we are about security. There was a third memo. That was, you can look it up. Tone at the top, dude. I mean, if you don't have the C-suite on your side, it is a tough pull.

Speaker 1:

That is the biggest thing with anything in security.

Speaker 2:

It's not to have the CEO went down.

Speaker 2:

It is. I will tell you. I was at JPMorgan Chase when they got breached and I had just been brought in as the global auth architect. I owned the architecture for authentication, authorization for it all, like ATMs, logins, blah, blah, blah, all that stuff. And it's a vast estate. I mean, I had come from a Fortune 20 firm with $120 billion, and JPMorgan Chase had more employees doing security coding than my old company had databases or employees, yeah, and they got crushed. They got crushed. They were spending more than a billion dollars a year on security. Think about that. How many of you listening have a billion dollar security budget? But they

Speaker 1:

made a few mistakes.

Speaker 2:

They made a few mistakes and they got a hell of a lot better. But I was there when it happened, right, and, you know, it was a few days, but what was really cool, please don't sue me, JPMorgan Chase, as you can sue me into the Stone Age and I'd like to retire. I'm telling a story that is really cool. Right, vast estate. Right, they have 38,000 developers, 38,000 developers, and they're a bank. Right, they transfer $3 trillion a day in funds.

Speaker 1:

They got the highest. They probably got one of the highest PCI DSS fricking audits ever and and still. This is why I hate PCI DSS Right.

Speaker 2:

Let me, let me think if there's a story Hang on, because what was really cool was I was getting like like calls from the CISO, our team. It wasn't just me, I was like, you know, one of the guys in the team what should we do? And I'm pulling out the list of everything I said was broke, we got to fix, blah, blah, blah. I'm not saying I was like super smart, I was like, hey, here's something we got to fix, but you know, there's a lot of priorities in the bank.

Speaker 2:

And suddenly this became like, oh, this is why we get hacked. And it was published while they got hacked. So it's a known thing. It was a password out on the website that HR had set up wasn't federated. I shared earlier SAML, it's a thing and and somebody had manually synchronized their password and then allowed somebody to that side, got punked by the Russians. They took it through, sold the information off. Somebody came in and said, hey, let's try all these passwords against all the SSH interfaces and they got in elevation of privilege later, boom done. You're into the stuff that talks to everything. That's so. The cool thing was it came down from senior management. I might get the number wrong. We'll pretend this is right, but I'm going to say it's like within 90 days, if you can't do federated identity as a vendor, you're no longer a vendor, and they did it. Do you have any idea how many skyscrapers of lawyers that takes? I mean, good Lord, have mercy. How many vendors does a bank across six continents have? A lot?

Speaker 1:

Holy crap. I deal with banks now a lot.

Speaker 2:

A lot. Yes, and they did it. They did it. Dude, tone at the top is everything. But Senior Exec says it's dirty has to be top down. Well, at that moment they were shedding. I mean stock price tumbling. I'm dealing from memory, I have been drinking, but I think it was like a $2.2 billion hit. I mean that was big and they couldn't afford to play around. Man, this is job one, because they got to save their ass.

Speaker 1:

That's it. They have to save their look at all right.

Speaker 2:

And they have. They have a pivotal place in the economy of dozens of countries, like dozens of countries said like oh, we can't do this chase. Can you do our treasury for us?

Speaker 1:

Sure we can and crush it. They do.

Speaker 2:

They do a great job, but they can I mean dude if chase goes down and it really ain't top five bank, if chase, if chase, or a lot of these.

Speaker 1:

I'd say three to five banks go down the global. It isn't just the U S economy, global.

Speaker 2:

It's a reset. It's not quite you know zombie movie level of reset.

Speaker 1:

They're near, but near bad day. Yeah.

Speaker 2:

Yeah, so it's crazy. They did the right thing, though. Tone at the top what and I can tell you being there when, when the fit hit the shan, if you're picking them up and throwing down twice, I literally had like the lights come down. I almost drove down like the lights came down to a little pinpoint, like I'm almost ready to die, and they came back. Keep working, cause, oh my gosh, the stress was insane. In four hours we need the plan, 45 minutes. They call back what's the plan? Do the thing. Okay, what are we going to do the thing? Let's do it right now.

Speaker 2:

And if you haven't, I didn't name it. If you haven't found it, Google this stuff. How shit happens. Right, and it's a hilarious thing from like the 70s or 80s from the internet and I got to read it to like the global CISO of JP Morgan Chase and you, and it's like the workers see it and this is shit and it stinks. And the next level up says you know, this is, this is made of excrement, it's very strong. The level above that says this is made of things that help plants grow and it promotes growth and by the whole things at the top is this is good for our company. And that's how shit happens Right.

Speaker 2:

And I, I got to read it because he's like how could this possibly happen? Like dude, you are like eight, nine, 10 levels removed from truth and by the time it gets to you, all the filters have taken all the truth out.

Speaker 2:

And he's like, okay, I don't know if any of you have ever got the opportunity to literally read something which curses to a CISO of a you know fortune 100. That was an interesting day. But, yeah, you have to be able to speak truth. How could this have possibly happened and be reliant to you with with they're well, they're well meaning I've, I've.

Speaker 2:

There's something really important to consider as you drive change. Senior execs, get it. We have to do security. We have to do the right thing. Boom, Make us secure. The worker bees in the trenches will do whatever they're told. Middle management has a real big problem because two, three, four years ago they said this is where we should go, this is what we should do. This will solve our problem. And you're telling them what they said before was wrong. That creates a huge problem with driving security change. And it's not that they were wrong, it's that what was good enough before is no longer good enough. When I was there in 99, running the local, you know it was like a, a, a small liberal arts Catholic university's network, having a firewall ding, ding, you're secure, and that was enough. Two years later, you have to have a DMZ. So years later, let's talk about a DMZ is right, Right and it's not. It's not that it was wrong, it's that what before was a ceiling is now the floor and it's now table stakes for execution.

Speaker 1:

So so I want to touch on that. And then we got two questions and then I want to get into ISC squared because there's some big things happening there. There are a bunch on. So yeah, first, first and foremost, what you were talking about is you know, the reason why things are the way they are is because computers and networks were initially built for blink the lights, to blink, right. So it was made without security in mind. People never thought of the fact that people can break into this shit. They thought, oh, let's just get computers to talk, let's make networks talk. Security was an afterthought, because they never thought of the fact that when you look at DARPANET and ARPANET and all the things that brought the internet to us go, back and read never on.

Speaker 2:

Read the initial spec for telnet and FTP, and they say in the initial spec this will not work on a network because of security.

Speaker 1:

They said it If you if the original RFC that's. That's crazy, because in my master's class it's not going to work on a network. I never finished my master's but in the courses that I went through and a lot of the other things that I've researched, when I look at ARPANET and DARPANET and all these other things that I've looked into, and when you look at the internet and network connectivity, it was security was an afterthought. We just wanted to blink, the lights to blink. So the fact that you know the RFC and have now informed me of that makes it amazing, because it means, yeah, go read it, you can listen. Yeah, which blows my mind.

Speaker 2:

But anyway, they did. So I digress yeah, we have things far longer than we ever thought we'd have them Right.

Speaker 1:

So we have networks that are now designed with security as an afterthought. So you're basically putting band-aids on fricking wounds that require staples and stitches and everything else.

Speaker 2:

Do you know what the SLA is on SMTP for email delivery?

Speaker 1:

The SLA SLA for delivery of an email until you're out of compliance with the spec.

Speaker 2:

30 seconds. Seven days, Are you serious? Serious Seven days? Because back long ago, like my, my, I ran a BBS. My modem would dial Chicago every night to transfer the packets and those would get transferred from there to there, to there, to the Think of dial-up modems. Dial-up modems. And and long distance rates and all the rest of that shit. Right, we built this entire infrastructure on on seven days and like, how often did you say like Antiquated technology.

Speaker 1:

Yeah, no longer exists and they have an update.

Speaker 2:

And we have these very, very old protocols. We've said it far longer than everybody, anybody ever thought they'd be around.

Speaker 1:

Yeah, yeah, absolutely correct. And again this this gets back, though, to when you're looking at what we do. We are constantly evolving, for new people getting into the field, and this is what I always tell people you have to be willing to constantly learn, because if you're not and again there are certain aspects of IT and security that I've fallen out of I have not done the research on because of what I do now and trying to do Can't know it all. Do what I do. It is very hard to keep up on everything. So you find your niche and what you're good at and you go from there Hone your craft. I love blue team. Yeah, I will. I will look into logs, I will look into firewalls, I will look into SIEMs and things of that nature, but if you like something, research it, become a specialist and go for it. Now, saying that, I do have two questions here for you Crypto Knight. First one I mean we have different info. I did the flex.

Speaker 1:

I love the flex, so Knight has his name on a bottle of Maker's Mark whiskey. How many bottles got put out with that name on it? Seven, that is awesome. I need one of those. I need one Just to keep and just to say.

Speaker 2:

I have my brother Got all whiskey. Your sour drive, come on, hook it up.

Speaker 1:

All right, we got like speaking of ethics, what is your take on Mr Mitnick's adventures, and should he be an example of not allowed due to their past? You know?

Speaker 2:

Mr Mitnick.

Speaker 2:

I'll just fuck shit on the dad because, no, no, and he is the second most notorious person I've ever shaken shaken hands with, shaking hands with him twice and, you know, once like in an elevator. Mr Mitnick, hello, yes, and you know he did some really good work over his last few years with, with, with security training, really, really good. He was never really repentant of what he did. And for us to have a criminal justice system which believes that it's appropriate to lock people up, to have sanctions against them so they can learn from their mistakes and get better, we have to believe in redemption and I encourage you to do a little research. You know your Google-fu can can perhaps find it.

Speaker 2:

His unpublished first chapter in his in his autobiography, which his editor says dude, we can't publish this because it was so self-serving it was, it was a little crazy. Read it and you'll see that he never really repented. He was sorry he got caught, not sorry he did it, and I'm not mean to throw rocks at the man who found his niche later in life to deliver good to the community and delivered some really fabulous, fabulous technology that I love. However, Mr Mitnick, he never repented of his acts. So, yeah, the whole gray hat question. Should I hire gray hats? Oh, we're going to go to that one. Well, that's the question that was asked of of Griffin InfoSec.

Speaker 1:

It essentially is Right, so we're going to hide that one. We're going to go to James. What is your opinion of gray hacking, where you don't disclose to the company but sell hacks to vuln brokers such as Zerodium instead of bounty programs? Ethical or not?

Speaker 2:

Well, you know, cockroaches serve a, a, a, a society right. You know, without it we'd not have that catchy Mexican tune. But so hit eight Dude. If you find a vulnerability and don't take it to the organization and say I found a problem, make it better. You're on the wrong side. You are not on the side of justice and freedom and light, you're on the other side and you're on the Sith Lord side and you need to change your, change your tune. You know there are all sorts of things I can sell. I choose not to because I love my family, God, I love my country and I love my freedom and and freedom is good.

Speaker 1:

Freedom is good.

Speaker 2:

I should have worked on sort order there. I won't talk about that, but but uh, you know the Sith Lord has really cool toys.

Speaker 1:

You know, he really does you.

Speaker 2:

I'm telling you, you know, Mark Twain had some really good quotes. You know, too much whiskey is nearly enough. One of them, uh, but, but also, um always do the right thing. You'll, you'll, um you'll satisfy a number of people and bewilder the rest, and um always tell the truth, because it's too hard to remember as a liar or something like that right, um, especially when you start stacking them. Just tell the truth, man.

Speaker 1:

Never happen again.

Speaker 2:

Yeah, and I've had to be there where I'm, I'm, I'm like the doctor you got cancer. I'm here to deliver the truth, and it's a hard truth. I need your attention, I need your focus when I talk through this, and you might want to have an attorney present, but here's the hard truth. Right, was that fun?

Speaker 1:

No, no, it was not.

Speaker 2:

But afterwards I could look myself in the mirror right.

Speaker 1:

I look at gray hat differently than what um they they put in the comments, though. To me, I look at gray hat as someone who, who finds the vulnerabilities without a bug bounty, without a contract or, with anything else. I look at someone um, the Robin Hood hacker, uh, Kevin Mitnick. Um interviewed him. I can't remember exactly, uh, his name, but basically he would find vulnerabilities on the internet and then reach out and say, hey, I'll come in and tell you how to fix it or I'll bounce. Those are up to you, but this is what I found. He'd go through a third party, but basically illegally. Right, he would find these connections, he would make sure it was legit, he would do all these things. So it was technically illegal. He wasn't doing anything malicious, he was just finding ways into a network.

Speaker 2:

Yeah.

Speaker 1:

It wasn't until the New York Times that somebody pressed charges against him. But his initial, his initial breach, where he got his first story was there was an unmanned, unpatched, unmaintained proxy server. He found it just by surfing the internet and being curious and being like, hey, what the fuck's out there. And he reached out through a third party. Third party got in touch. They said, yeah, show them, bring them in, tell us how to fix it. He literally sat there, took a knife, cut the cable to the proxy server because they no longer needed it. It wasn't used but it was a way into the network. Right, the New York Times had come out and said we cannot be breached. Well, their words were we cannot be hacked. And he went in and said, all right, bet, here's the real thing.

Speaker 2:

So the answer does not justify the means.

Speaker 1:

No.

Speaker 2:

Right and if the company doesn't want to take responsibility. And I've had that. I have found two. I have found two zero days in my life and and there there are two CPEs I've earned by watching videos where I wept because it touched me so deeply. One, oddly enough, by Violet Blue. When she says not safe for work, believe her, okay.

Speaker 1:

Oh my gosh.

Speaker 2:

But she talked about harm prevention. Right, and I do support her via Patreon because she's doing a really good thing for your security, bridging the gap. She's I like what, what she and I'm like oh, what's that? Support all she does? But we talked about harm prevention is very important and Richard Thieme talked about Richard Thieme, T-H-I-E-M-E, who got beaten up for 15 years for talking about UFOs. Turns out he was right.

Speaker 1:

I mean, the government just admitted there's aliens, yeah, and he got beaten up for 15, 20 years.

Speaker 2:

But he talks about the harm of keeping secrets and our profession has a high suicide rate and it's something worth talking about. You have to have your center, you have to have ethics, you have to have a community of trust, and I'm going to talk about that.

Speaker 2:

And I'm going to talk about the harm prevention of the harm prevention, yes, and what he talked about was the harm of keeping secrets. I experienced that personal harm from finding that a major vendor had published documentation that was complete BS on how to protect secrets in their, in their, in their infrastructure.

Speaker 1:

And I got here. James actually came up with a comment about that same topic, but I want to touch on this, because somebody asked what is gray hat? Gray hat is not waking up, deciding whether you're going to be black or white, what a gray hat hacker is. Or, yeah, gray hat hacker, because there's black, white and gray. There's also other colors. Some people put other colors on it, but basically you work as a white hat, but we'll do illegal shit in your off time. That doesn't necessarily align, because you're doing things outside of contract, so yeah.

Speaker 1:

You may not be doing bug bounties, but you're finding things and I do feel like the Robin Hood hacker was more gray hat and that he was presenting this to the client.

Speaker 2:

But to me that's like I sell drugs. But don't worry, I give half of it to feed starving children, Right, I'm?

Speaker 1:

just saying look at Children you're feeding, starving children, yeah. But you are selling drugs at the playground, right.

Speaker 2:

So I think gray hat Not that I believe there's a black and white in, in in perspectives and and maybe this is the way to end this was full circle.

Speaker 1:

This community has one here. Can you please put Crypto Knight on a revolving appointment once every one to three months or so, because storytime is impeccable Done, done and done yeah.

Speaker 1:

Before you get into that, we do have one more question. I know you want to touch on gray hat, but James has us another one. What about how they treat good guys delivering vulns to the companies not taking vulns seriously or punishing the hacker for ethical disclosure? This is where I get into gray hat. Well, two questions. He disclosed it ethically Even though it was not under contract.

Speaker 2:

Yeah, so so I think, two questions. First of all, I have disclosed, and if they do nothing, this is the same thing as a consultant, right, and this is a consultant. Employee Consultant says I have this thing you should do. I think I was like, yeah, whatever, and I can sort of like let me make sure you heard me, let me be a little more articulate, let me provide some documentation. Here's they go yeah, whatever, yeah, and employee gets to come back. A third and regular like, oh, hell's, no, we're going to talk right. Consultant goes like okay, right, and that's where you are. If, if, if you have provided copious documentation on exactly what, make sure you're talking to the right entity, make sure they're authorized to act, make sure you provided clear and copious documentation, not just like I found the thing, but I did this. Here's what I think, here's what I know, here what I believe are the implications, and here are my recommendations. And if they walk away, you've done the right thing.

Speaker 2:

Walk away next, do you have the right of that point to go like well, they're not doing the thing, can I? Can I tell you? Oh, but you know, and this is, this is a quandary, because not doing the right thing, people might be harmed by your silence.

Speaker 1:

But that is, that is not on you.

Speaker 2:

Right. If you see somebody being beaten up in a parking lot, being there's a crap beating out them, are you obligated to intervene? No, does it hurt you to not intervene? Possibly, yes, been there, done that. But Do you have an obligation to go home to your family and to value the things that you value With your, with your compass, your ethical, moral compass, and you have an obligation to report? I can't answer that question for you. The, the, the right thing to do. You will have to decide for yourself, and and, and that's why the, the ISC squared code of ethics, which I think is probably one of the better ones out there. I am a little biased. You look, you're.

Speaker 1:

You're not a checklist, you're as biased about ISC squared as I am about this being the best damn cybersecurity show. Let's just be honest.

Speaker 2:

Yeah, yeah. But you know, does that have its flaws? Well, yeah, it says every system, everything does, but. But it leaves the judgment up to you. You have to do the right thing at the end of the day so you can evaluate and look yourself in the mirror and say did I do the right thing? You know, people for the PLA Breaking into the merit, into America because they've been told to do it as as an officer in the army. They're doing the right thing for their country. Am I happy about it? No, oh stop. But are they doing the right thing? You know, the only difference between you know attacker and patriot is is you know who's right in the history you're doing it from yeah.

Speaker 1:

Yeah, so. So I got this thing on it, though, and then I want to get into ISC squared. It's only gonna be a minute because we're at the top of the hour, but you know, for me on this is companies not taking into consideration the fact that somebody has been willingly able to release this information to them without releasing it to the public? We have seen people whether it's Uber and other organizations that, when vulnerabilities have been disclosed, have pressed charges versus saying, hey, thank you, I'm not gonna head you, I'm not gonna do all this, but thank you for the information.

Speaker 2:

I large right sharing the company about that, like, oh, that was her. Yeah, yeah, yeah that was me.

Speaker 1:

That is why we are seeing a lot of ethical hackers, ethical Pentesters, ethical cybersecurity people. Now go to the dark side, because if you're going to press charges against me for releasing information to you, for finding a vulnerability, I'm not asking for money, I'm not asking for kudos. I am literally pointing out hey, I found this flaw, here you go, this is how you fix it, and you're gonna now press charges against me. Now I'm gonna go to the dark side and I'm gonna sit there and I'm gonna burn every single bridge you have and I am going to Release at all.

Speaker 2:

Yeah, but you know, yeah, that that is a problem and the answer don't justify the means. An organization not doing the right thing doesn't, doesn't obviate your responsibilities to do the right thing on your own and, and you know, I can't tell you the right decision there. That's all on you. I believe in, I believe in ethical disclosure. If the company doesn't do ethical disclosure there, disclose it to there are some other means, not done anything.

Speaker 1:

Right, then guess what? I'm gonna sell that shit for every penny it's worth.

Speaker 2:

Yeah, I think there are probably other avenues. I can't say I can describe the one right avenue, because Because I've now sat there.

Speaker 1:

I put out a PoC on Twitter. I've told the company. I've done all this shit. I told the company two, three months ago.

Speaker 2:

You could have a conversation.

Speaker 1:

I put something on Twitter. It's still there.

Speaker 2:

You could have a conversation. One of their top 10 customers, there there's.

Speaker 1:

I mean there, there are other venues saying, but the problem comes down to and I do, I love this conversation, I love ethics. I think it's the ball is gonna do it, it is man. I love it. But when I look at this, when I look at this great, you put this out and ethical disclosure is what? 60 days, I think, for most companies, 60 or 90 around there. So I've done this. Now usually, usually, you have a done shit.

Speaker 2:

Usually you're in. I mean, I've seen some. Yeah, I've seen some catastrophic stuff. How long can we go? We're at 803.

Speaker 1:

I'm telling you I could Do what the fuck I want.

Speaker 2:

So it doesn't boom, dynamite, so One of the coolest shows I ever saw at RSA. Full disclosure I am on the program committee so I am biased. Um Is Cryptography Research, which I already mentioned. They came forward and they had discovered that um a number of devices when in airplane mode with no network connection were leaking keys, such as you could pick it up with a sled or a DirecTV satellite dish that had been sent to the junkyard you get for like five bucks. You could take that into a digital signal processor and you could pull keys off of it when you could get symmetric keys within a few packets you could get asymmetric. We're talking RSA stuff, man. Hold up, hold up, hold up, hold up within a few packets airplane mode.

Speaker 2:

Okay.

Speaker 1:

So you could not send anything Technically? Okay, technically Could not send any data, all right off the air at all.

Speaker 2:

What are the three most important things to do as a mobile producer of electronics? Cheap, powerful, light. Those three forces work you out of secure. Can I, can I?

Speaker 1:

can I tell you why? And this is why and I'm gonna stop you for a sole purpose yes, this is why non-removable batteries have been a problem. Yes, because the best way to secure your device Was really power off, remove the battery and let the bios and the motherboard battery. Wait for story two, my friend, wait, we're gonna hold up, we got no, no, you are saving your stories Because we got people that want you back on for stories.

Speaker 2:

Oh, dude, I have. I have a dude who worked For a very, very large software firm who had his phone rolled two different ways While off so oh off, no battery removed.

Speaker 1:

No battery removed, just off off iPhone or Android.

Speaker 2:

Will not disclose saving that for another day.

Speaker 1:

All right, I gotta see a sequel, my brother, yes, I'm up for it so yeah, real story back on. We're gonna do a sequel. We're at 805, so this is what I want to do. I'm sorry, space taco ISC squared as a board on the board of directors? Yeah, have, they are doing huge things and I am going to put they are this link in chat. But I want to discuss, and in one story, one paragraph, however you want to do it how is ISC squared helping newcomers come?

Speaker 2:

in this field.

Speaker 2:

This is a great story. We started many, many, many years ago, in fact, when I was first on the board I want to say 2011, but I am old, I drink, I forget um and and we worked on on DEI at that point, recognizing that that we needed the space for minorities and women in our profession, that we were out of, out of rounds, needed correct blah blah started that journey more than a decade ago now and we started the workforce study that we've done to help us understand the movements of the organization, and I can share with you that the under 30 crowd we've achieved gender parity in cybersecurity. Boom, love it, love it. Now we're saying like but man, we got this big gap. What are you about the gap? We got the cybersecurity skills gap. Everybody's saying gap, gap, gap. So what I really love is we have started the 1 Million in CC program. Are you sharing the link, my brother? Can you share that?

Speaker 1:

I will put it All right, you just put it there. So let's Control-V hold up one thing, okay.

Speaker 2:

There is a commitment that ISC squared has made when we are giving away 1 million certifications, a million specifically targeting disadvantaged communities, and giving away the education, the training and the certification to, to disadvantaged communities, to close the gap and, oh my gosh, is it growing explosively. Uh, I, I can't tell you, like I, I literally can't tell you. You know, NDA, but the numbers are huge, like um, beyond our wildest expectations. We are starting to close that skills gap with people getting their, their CC. I myself sat for the CC, didn't study for it. It's not going to go cold.

Speaker 2:

Again, that is the, uh, the, the Certified in Cybersecurity.

Speaker 1:

Oh, okay, so is right ISC squared's equivalent basically of Google's course I wouldn't say that it's an entry level. That's not necessarily equivalent, but it's it's. It's a basic cybersecurity certification.

Speaker 2:

It is truly at entry level, but it is not easy. I mean they were like, oh man, they're asking about that like okay.

Speaker 1:

Bring it on. What's the cost of that, of that certification Um?

Speaker 2:

free, first million, first million in for free because we we're putting skin in the game.

Speaker 2:

Skin in the game, my brother. We're saying like, okay, this is going to hurt a little bit, but we have to pump this up for the future generation. We have to get the next generation in cybersecurity. There was a barrier that's been created and and we have to break down that barrier for the next generation. So the one million in CC um, we created the CC. It has all the rigor that you would expect of a professional level certification with all the rigor of the ISC squared. Um, we're, we're top of the game as far as that goes. We I could talk for hours about that, can't.

Speaker 1:

Andrea, did you get the CC? I see it. It's not easy for the CC. I had to study for it. It is how many you it is. I believe I've seen a lot of her posts, Andrea on here. Andrea Mylar, one of the the most prominent warriors I have right now, um, has been doing amazing things as well as Space Tacos, um. Please tell me you you got the CC and can tell people about it because Absolutely amazing there you go.

Speaker 2:

Cheers to you. Uh, I, I also went and sat for the CC pointed out I didn't use the free one, you know, because I and I would encourage you if you have the means. Um, I don't call myself rich, but compared to many nations of the world, I am, oh, me and you both, yeah. So I said, dude, I'll pay the money, right, because I don't want to take a seat, that that needs to be kept by somebody.

Speaker 1:

All right, all right. Time out dude. Does the CC require CEUs?

Speaker 2:

You know, I should know that as a as as a board member, but uh, I don't know that question, the.

Speaker 1:

The reason I asked that question is because that is the hardest problem with me and so that is awesome. Okay, the reason that's a hard problem I have a CISSP. As a CISSP, I have to find, just like SANS. I have to find where does this match, where does this go? You?

Speaker 2:

you have come to the spring. Well of joy, my friend. Because I heard this when I was on the board before of like, oh, I have to travel, it takes money, blah blah. So I started out on Twitter, now X, hashtag CPE for free. Now I stopped after posting about 25 to 30.

Speaker 1:

But that requires me to watch videos.

Speaker 2:

And you want it for free? Come on, dude, free, free, free, free, free, free. I posted like 30,000 CPEs and stopped. Almost all the links are still good, dude, irongeek.com. irongeek.com still has like hey, can we get my show to be on the CPE thing? Dude, I just earned a CPE Done. The biggest thing with CPEs is track it every month. If you have a weekly center support, monthly center support, whatever it is you do that you track your CPEs. Boom Done, join your local. I'm just saying ISC squared chapter.

Speaker 1:

It's just here every week, so if people are watching or whatever, they should get confused from it.

Speaker 2:

That's 52 CPEs. My brother, ISC squared chapter, ISSA chapter, ISACA chapter, ASIS. OWASP too, you could act. Okay, the funnest way you can earn CPEs not free Firearms training- no, you know how I got you know what I'm saying. The best way I got CPEs for the longest time was at the box.

Speaker 1:

I literally.

Speaker 2:

Okay, that's a great conference.

Speaker 1:

I literally did all the boxes and got all my CPEs. I never made it there.

Speaker 2:

That summer camp never been but the particular joy of being an NRA pistol instructor.

Speaker 1:

Wait, using the CPEs from going to a range?

Speaker 2:

Oh hell. Well, not going to a range. Taking a course. So I took a course, I'll do it. I took a course in knife fighting. That's why I carry, you know, the Delica.

Speaker 1:

Oh yeah.

Speaker 2:

And that was eight hours of CPEs.

Speaker 1:

But all right. Physical security.

Speaker 2:

Go to weapons ranges of all types and you get CPEs. Not of all types, of reputable types. Train us. Weapons training.

Speaker 1:

Yes, my friend Greg Ella is awesome.

Speaker 2:

Yes, and you know, it's the fun. I'm not saying it's the best winner in CPEs, but it's the most fun.

Speaker 1:

Who cares about the best? We just care about fun.

Speaker 2:

Well, you should try to align it to your career and what you need and close your gaps, et cetera.

Speaker 1:

Right.

Speaker 2:

Oh, your gap. I know, but I'm telling you, my local ISC squared chapter is 20 bucks a year and includes two beers a month. Dude, you're trying to find any of these? What, for a million digits?

Speaker 1:

Who does that count?

Speaker 2:

Oh, you do. I'm telling you, I get 24 CPEs a year for going to drink beers and talking security and sharing stuff, and sharing this works. This does it.

Speaker 1:

And it's awesome. All right, we are well over the top of the hour. Crypto Knight, I did share the link for ISC squared. I want any and all information that you can give to newcomers in cybersecurity. Please drop that knowledge right now.

Speaker 2:

All right. So there is always the challenge of I can't get hired until I get experience, I can't get experience unless I get hired. Right? How to break in? All right, there are lots of paths in. If you are exceedingly young, not that you started, uh, having a mortgage and those obligations, there is no better training than military training. Okay, dude, straight up. I wish I could. I am medically unqualified, being flat-footed, colorblind and nearsighted. Trifecta, can't do it. But if you can qualify, no better training, and you will emerge from the military not only with discipline, self-discipline, sense of worth and actual skills to apply, but you're going to have at least a secret, if not top secret, clearance, which is super, super valuable. Not all of us can do that. So how to break in otherwise? First of all, the CC program. You can go to www.isc2.org/1MCC. Free training, free certification. Go, go, go. Free, free, free.

Speaker 2:

Other than that, tons of nonprofit organizations need help. Local library, local Boy Scout, Girl Scout troop needs to be able to talk to them about how to keep safe on the internet. See also the Center for Cybersecurity and Education that ISC squared runs, for protecting children online, seniors online, training offered there. Valuable training. You can become an instructor and get that training and experience. Go to your local university, go to your local nonprofit: I want to help you with cybersecurity. But before, it's actually pretty cool: they got breached, I helped them out, talked to the FBI, got the thing going back up again, boom, done. That is super valuable training.

Speaker 2:

It doesn't have to be for pay. Should it be for pay? Well, sorry, yeah, it should. That's a great way. Hey, go work for an organization. Look very carefully. It will pay for your education. If you don't have the education, if that's the barrier, work for, usually, 400, 400, 1,000. Usually, pay for your college education. Go to work for them flipping tacos, whatever you have to do, but get your Bachelor's, get your Master's. So I got my MBA. Didn't cost me hardly anything because my company paid for it. So take those paths, and beyond anything, we heard it from the Cyber Warrior: you have to be committed and study up. Dude, just an hour a day, an hour a day. Plug away. What's happening, what's next? Sharpen the saw.

Speaker 2:

Amazon, Google and Microsoft Azure all have free training. Tons of really good training. Certificates usually cost something. Training is for free. First 30 days, usually get a free environment to make your own pop servers, everything else. Do everything else you want, going with the plan. Do that. 90, 90, 90, right? Boom, done. You now have training on Google platform, Azure platform, AWS platform and you have the essentials of cybersecurity, free training. Do that. That will help you find a mentor, find your compass, and I wish you the best.

Speaker 1:

Definitely. Crypto Knight, thank you for all of that wisdom and knowledge. Everybody loves you and they want you back on, so we are definitely gonna get you back on the show here in the coming months. But, as you know and everybody here in chat knows, look, you need to invite more people on. It's all for the newcomers that need their voice heard. So we're gonna get them heard. But Crypto Knight, thank you for being here. Before I go. My pleasure. They finally came in, so I got it. I gotta show it. Hold up, hold up. Where's that? Right here. So, so I did order, so y'all could see. Wait, wait. Merch.

Speaker 2:

You got the... Hold on. Oh, I got, you got.

Speaker 1:

Thursday, I got Thursday. I got this one.

Speaker 2:

I drink and hack things. Nice, nice.

Speaker 1:

Yes, we got Security Happy Hour. Hold up. We gotta get the back. Came for the conversation, stayed for the beer.

Speaker 2:

You know alcohol.

Speaker 1:

I forget what he said. Come back, you got, you got 60 seconds for me.

Speaker 2:

I got 60 seconds. Go. We're in year 21 of the local organization, which is now the ISC squared chapter. Started with two of us in a bar that had an MBA program, Masters of Beer Appreciation. Came in every month, got their pint, got a certificate, got a mug, blah, blah, blah. We said we should do this more often, invite a friend. Before we knew it, a year out we had like 12 people. Next year we had a hundred people. We had a charity event, boom, done. Professional association, all about community and sharing. You can do it. I did it. Anybody can do it. Reach out, find a friend, create a community and find more friends and share. Yep, that's the secret, man.

Speaker 1:

Chatham House rule is the secret. Networking and sharing, it is. Cybersecurity, it is. But saying that, I love everybody that's been here in chat. Look, if you want to come back, tip after. If you want to do Super Chat, you can do it right now while I'm running the end screen. Otherwise, thank you, Crypto Knight. Thank you, everybody who's been here. I love you all and you are all my warriors, you're all my family, and I'll see you all next week for another amazing episode of Security Happy Hour. Thank you, Derek.

Cybersecurity and Identity Strategy Discussion
Ethics and Values in Cybersecurity
Ethics and Certifications in Cybersecurity
Risk Navigation for CISOs
CISO's Role in Truth and Security
Security and Ethical Considerations in IT
Discussion on Ethical Disclosure and Responsibility
Breaking Into Cybersecurity
Professional Association and Community Sharing