Security Unfiltered

Cyber Security can be a difficult field to not only understand but to also navigate. Joe South is here to help with over a decade of experience across several domains of security. With this podcast I hope to help more people get into IT and Cyber Security as well as discussing modern day Cyber Security topics you may find in the daily news. Come join us as we learn and grow together!

All Episodes

Security Unfiltered

NSA Red Team Founder - Jeff Man

August 05, 2024 • Joe South • Episode 163

Send us a text

In this insightful interview, Joe sits down with cybersecurity expert Mr. Jeff Man to delve into his extensive background in security and his impactful tenure at the National Security Agency (NSA). They explore how Jeff embarked on his security career, the critical mission of the NSA, and the agency's compartmentalized structure. Jeff recounts his experiences working on significant projects at the NSA and underscores the importance of compartmentalization for security. The discussion also highlights the challenges of government work and the stringent entry requirements for agencies like the NSA.

The conversation spans various topics, including the complexities of handling different telecom and operating systems, the advanced technology at the NSA, the pioneering days of hacking and network security, and the formation of the first red team. Jeff shares his motivations for staying at the NSA and the circumstances that led to his departure. Additionally, he talks about his current work in PCI compliance and his active participation in the security community through conferences and podcasts. Don't miss this deep dive into the world of cybersecurity from a seasoned expert.

00:00 Introduction and Podcasting
03:47 Getting into Security
10:47 Jeff's Background and Entry into the NSA
15:58 The Mission of the NSA
22:27 Challenges of Working in the Government
29:07 Overlapping Projects and Duplication of Efforts
31:02 Technological Advancement at the Agency
36:47 The Early Days of Hacking and Network Security
51:42 Reasons for Staying at the Agency
54:20 Leaving the Agency and the Significant Incident
57:06 Current Work in PCI Compliance and Involvement in the Security Community

Support the show

Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today

Speaker 1: 0:53

How's it going, Jeff? It's great to get you on the podcast. I'm actually really excited for our conversation.

Speaker 2: 1:00

I'm happy to be here. It took a while to make this arrangement, but I've heard other guests say that, so you must have a way of doing things.

Speaker 1: 1:11

Yeah, it's a lot of demand. Let's say it's all demand right let's say it's all demand, right, yeah, yeah, of course, yeah, everyone wants to get on this thing right. But you know, it's uh, it's interesting when you're, when you're running your own podcast and you're, you know, working a nine to five, right, because it's like you have to fit it in where you can fit it in, and I used to kind of just open up my entire week for recordings and I realized that I got burnt out very quickly doing that and so now I dial it into you know one or two days a week, like that's my recording period, and then you know which, which I guess kind of creates a backlog right.

Speaker 1: 1:49

It creates a backlog of one recordings and it creates a backlog of people trying to get on, alleviates, I guess, a lot of the stress that I had in year one of doing this right, like we're three years in and year one was just like the worst time trying to find guests. Last minute there were so many episodes where it was just me talking. You know it's like, and I'm sitting here like no one wants to hear me, just talk you know, that's what those LinkedIn shorts are for.

Speaker 1: 2:17

Yeah, I guess I hate social media. Now, you know, I didn't. I didn't hate it that much before podcasting, but now that my my growth right is kind of determined based on my engagement that I get on social media, I hate it so much more and I wish, I wish I was making the money to just hire like a social media manager, just like here, just figure all this out, you know.

Speaker 2: 2:43

Yeah, Uh, like many things, uh, a necessary evil that uh aren't going away anytime soon. You know me, I'm focused on how soon can I retire and just walk away from everything, Right, Uh, so a few few years away, I am having fun at a lot of levels doing what I'm doing these days, but definitely there's days I would love to just, you know, walk away from all of it. I mean, I could be being blackballed on on social media and doxed and dosed and I wouldn't even know it because I just don't get on that much. But yeah, it is what it is.

Speaker 1: 3:22

Yeah, yeah, absolutely. Well, I'm sure we will get there in our conversation, but you know, to start, you know why don't you talk about how you got into security, right? The reason why I ask everyone this question is because there is a portion of my viewership that, or listeners, you know, whatever platform they're on, that are trying to make that jump into IT or security, right, and they probably don't know if it's possible for them, right, they might be coming from various backgrounds and I feel like it's always helpful for everyone to hear someone else's background, right, Because I remember when I was trying to get into, specifically, the federal government, right, it was extremely helpful for me to hear someone that came from even my same area, right, same background even, and he made it, and so I was like, well, if he made it, then why can't I make it?

Speaker 1: 4:17

Right and so getting that mentality switch, I think is key for everyone. So how did you get into it?

Speaker 2: 4:23

Well, uh, I got into this in the early mid 1980s, you know. So, back in the 1900s, before the internet was a thing, before cell phones and mobile phones were a thing, people barely had computers, what were called desktop or personal computers back in those days. I've actually told this story in one of the talks I've given at conferences, and I think there's recordings of it out on YouTube somewhere. The name of the talk is Hackers Are Neither Created Nor Destroyed, given that nothing existed back then. There was no training courses, no certifications. The real question is well, the short answer to your question is I worked for some time for the National Security Agency and I started out as a cryptologist. But the real answer to the question is how did I get to NSA? And I chuckle because when I was putting this talk together and sort of thinking back about my origin story, I think you know the NSA that exists today. They probably would never hire me, just for all sorts of different reasons, mostly because they're always looking for very specific skills, and even when I was applying to NSA back in the mid-80s, they didn't call it STEM back then, they just called it critical skills. They were looking primarily for engineers, mathematicians and computer scientists and I won't tell the whole story, but I went through the traditional route. I sent in an application the government SF-71-171 form by mail US Postal Service-type mail Got a response and was invited to Fort Meade, to NSA headquarters actually to one of their satellite offices to go through a couple days worth of sort of aptitude skills testing. And I forget exactly how many tests. There were 10 or 12 or 14 tests. Long story short is I scored well enough on all these aptitude tests that they hired me without any kind of position in mind, which was they were hiring a lot of people back then. They were doing a lot of recruiting at universities, again hiring these critical skills, trying to entice people out of college as they graduated college to come work for NSA. And back in those days nobody knew what NSA was. By the way, they didn't advertise. We weren't allowed to say that we worked at NSA. We could only say we worked for the Department of Defense back in those days.

Speaker 2: 7:06

But I ended up going to work, for my first assignment was in a manual crypto systems branch in what at the time was called communication security, which was sort of the defensive side of the house. Later it had become known as information security director or InfoSec, thus my start in information security. How I knew I was in the right place was I grew up in a family that loved to do puzzles and one of my favorite pastimes was doing the Dell Crossword Puzzle book, which had logic problems in it, and I loved doing the logic problems. My first assignment in this manual crypto system branch. I had a mentor who was a cryptanalyst on loan from the operations side of the house. One day at lunchtime he was doing some stuff with graph paper and colored pencils and I kind of asked him what are you doing? He says I'm writing logic problems as a side job. I write logic problems for Dell Crossword Puzzle Magazine, and that was just one of these karma.

Speaker 2: 8:08

Oh, I would say and I say this a lot to people that ask this question you know, don't get hung up on the technology things, the STEM things. While that's important and while we need people with those skills, there's a lot of other skills out there that people are looking for. You know, I liked logic problems, so I had sort of a logical mindset which kind of made me good at math, but I'm not a mathematician. Critical thinking, abstract thinking, people that are involved in music and are good at music. It's really what makes you a hacker and how I decided at some point oh, I am a hacker. What are the attributes? Not accepting answers, thinking there's a better answer or a better way, liking to tinker, take things apart, find out how things work, curiosity being organized. During COVID we talked to some people I talked to some people somewhere along the line, people that were getting laid off from restaurants, that were like chefs and short order cooks have to be really skilled and organized and they were getting into cybersecurity and finding out they were really good at things related to cybersecurity because they had such good organizational skills, leadership skills, able to sort things out and do things, multitasking and so on and so forth. So there's lots of different things that might make you good in this field.

Speaker 2: 9:46

I'm not really a good textbook example because I just kind of stumbled upon it. Frankly, I got into it and it was the you know I got into hacking and computer hacking at the beginning, of sort of everybody doing it Again. No training courses, no certifications or degrees. So you know, I've always kind of scoffed at certifications and I've kind of scoffed at degrees, but I realize that they're necessary for people. But you know, my pedigree is I lived it, I grew up in it, which not everybody can say. So, acknowledging that, I try to do as much as I can to just impart knowledge and experience that I've had over the years on the next generation and try to encourage people to don't give up. Try new things, try different things, find your niche, find out what you, what you like to do, find out what you're good good at and do that, uh, that type of thing. Long-winded answer, but that's sort of my background story no, but I think it's.

Speaker 1: 10:48

I think it's really interesting, you know, because you didn't we always think of I mean, even I do, to this day, right, when I'm thinking of someone that goes in the nsa. I mean, these guys are, you know, mathematicians and cryptologists and some of the absolute smartest of the smart right like I, I've applied to the to the nsa previously, you know, years ago, right, and even when I was applying, I was thinking like why the hell are they going to choose me? What I'm not? I'm not a mathematician.

Speaker 1: 11:20

Yeah, I like math, but that doesn't make me anything special in math. You know what? What value would they get out of me? Right, right, and you, you came into it in a period where you know they were more open right to skill sets and potential skill sets, rather than, you know, I guess, the accreditations on paper that they're looking forward to right now. More right, they're looking for those people that have the degrees in math, right, and the degrees in, you know, cryptology, the experience you know from a company like RSA, for instance that has been doing crypto for 10 years.

Speaker 1: 12:04

That's what they're looking for. Now. The bar is much higher.

Speaker 2: 12:07

Right. Well, I also came into NSA at a time when we were still fighting the Cold War with the Soviet Union. It was during the Reagan administrations, and one of the big strategies there was basically to try to bankrupt the Soviet Union, which is effectively what happened. So there's a lot of money being poured into the Defense Department. They were literally hiring 100 people a week at NSA. They were casting a pretty wide net and they were growing through attrition, because, you know, I don't know the exact numbers, but let's say, you know, 80 out of the 100 people that they were hiring were people coming straight out of college or people with these critical skills degrees, and they would immediately put them into what they called the 2020 program. So you could go get your graduate degree and have the government pay for it and only work half-time 20 hours of work, 20 hours of school. So people were coming in with these advanced skills. By the way, they were paying them extra. There was an accelerated pay scale immediately sending them to school and paying for their degree, immediately sending them to school and paying for their degree and the vast majority of these people would get their degrees, fulfill their requirement to the government for having gotten all this stuff which at the time it was time of service, but the clock was running while they were there. You know, somebody figured it out. But you could basically get your graduate degree and leave like two or three months later and go out into the private sector and make more money, never look back, and a lot of people did that.

Speaker 2: 13:45

So NSA was I don't know if it was their strategy or not, but they were growing incrementally by bringing in a lot of people and, you know, saving the ones that survived or didn't leave, which you would think would be like second-class citizens, and you know, the ones that weren't the cream of the crop, that couldn't go out and get the job in the private sector. I don't know, because that kind of puts me into that category. I like to think I'm different, but you know, I graduated from college with a human resource management degree, so it was a business major, and I had a whopping 2.6.5 grade point average and somehow I but I was good at some stuff and I scored well on aptitude tests and I just had happened to be at the right place at the right time and had the mindset of a hacker where, when I was asked to do things and, you know, could we do something differently? Could we do something that hasn't been done before? I was naive enough to say I don't see why not, so let's do it.

Speaker 2: 14:46

So I had some early successes at NSA doing some, as it turns out, innovative things and, you know, sort of rounded out my career at NSA, effectively architecting the first red team at NSA, getting into ethical hacking and penetration testing. Because a lot of us that worked in this one little group saw the movie Sneakers, had the mission of doing evaluations of fielded systems, including network systems we called them distributed systems at the time and somebody in our team said why don't we just start learning how to be hackers? That movie came out and we all remember the classic movie War Games. It's like we should be doing that instead of just sort of the controlled, scientific, engineering-oriented analyses that we had been doing, the right place at the right time and the right mindset or persona. That I happened to be able to and was naive enough to think that we can do things differently, which is hard to do at very large government bureaucratic organizations, which is one of the reasons why I left there, but that's another story for another day.

Speaker 1: 15:59

So what's the overall mission statement of the NSA? And it leads into my next question. So I know that's pretty basic, but what is it, at least when you were there.

Speaker 2: 16:13

Well, I don't know that we had a mission statement per se, but the way I used to describe it was we were sort of the nation's ear. We were the ones that were listening to what people were saying, and of course we were doing that globally and we were listening to all sorts of different things, which were primarily, in those days, radio signals of one frequency or another, maybe a little bit of telephone traffic, a whole lot of radio traffic and other creative ways that we could intercept communications. But the mission was more or less we were an information gathering agency, sort of adjacent to things like the CIA, which were the actual spies, you know, hiring people to commit espionage and stuff like that, whereas NSA was just sort of the big ear where we were listening to everything and any kind of data or signal that we could collect in any number of classified ways. You know if it happened to be encrypted in some way. Of course, you know NSA was known for being code breakers, cryptanalysts, and so that was a large part of the mission. But that was what we called operations, which was probably about 80% of the mission at the time that I was there, and the exact number is probably classified, but it's been a long time. It's been a long time. The other side of the house, what was called what came to be known as InfoSec, was responsible for producing all the secure communications cryptographic systems that were being used by US special forces, anybody in the military, anybody who had a classified mission, state department embassies and so on and so forth forth. So we were making all the little black boxes.

Speaker 2: 17:58

At those times it was very much an engineering organization and there was very much a mentality that I I mean very just, just succinctly distinctly remember a chief scientist saying you know, there's really no such thing as software. Everything we do is hardware, or let's say firmware based in in the modern dialect. But the idea of doing something in software, which is something I did early on, was very kind of crypto would happen and out would come the code or the cipher that would be transmitted and somebody had the box on the other end. That would reverse the process and get back to whatever it was that the message traffic was Primarily communications traffic.

Speaker 2: 18:59

Back then it wasn't as much storing secrets and protecting secrets that were what we call these days data at rest. It very much had to do with. I mean, the organization was called Communications Security when I first started there, because we were intercepting the secrets that were being transmitted past from one end to another. That's actually an important distinction, because I think that's one of the huge changes that came about with the dawn of the internet age and the digital age is we started sharing a lot of information but wanted to have some way to put the data online and make it freely available to everybody but only certain people.

Speaker 2: 19:37

So we had to come up with all sorts of different ways of trying to protect data and started thinking about different levels of the classification of the data, the different sensitivities. Rest was necessarily all printed on paper and locked in safes and locked rooms and locked buildings with guards and guns and machine gun nests and barbed wire fences and so on and so forth. Very much the mission back then was communication security and everything involved in communications, whether it was listening and decoding what everybody else was saying and then reporting that to the decision makers, the military leaders, the Congress, the president and so on and so forth, so they could have information to make better informed decisions about. Are we going to go to war with somebody or whatever the question was at the time.

Speaker 1: 20:36

Yeah, that's really fascinating. You know, back then was the NSA very siloed? It doesn't sound like it was very siloed. You know, now, right 10 years ago, at this point 10 years ago, I did a little bit of work with some agencies and I mean, it is so siloed, is siloed within silos, right, and it is, um, it's crazy how, it's kind of crazy how they get anything done. You know, to be completely honest with you, because it's like you know I was, I was working with one guy on the left side of this aisle right, massive aisle right takes you 10 minutes to walk from one end to the other in a building.

Speaker 1: 21:18

And I'm working with the guy on the left and you know, he gave me some, he gave me what he could tell me that he works on Right, and I was like, well, what, what's he work on right across the aisle Right, like they've known each other for 30 years, they've worked together for 30 years at different agencies and things like that, Right, and I was like, no, but you know, do you, do you actually know or do you actually not know he goes? No, I've known him for 30 years. I have no clue what he works on. All I know is he works on the same product family as I do, and that's it.

Speaker 1: 21:59

And I was like what? And then you know, you could go all the way down the aisle and everyone will give you the same answer. And you know, maybe, maybe that is a part of the veal right when, where they're not going to tell you because you're not, you're not cleared or whatever. It is Right. But I feel like when you go to 30, 40, 50 people, you know and I mean, you know, I wasn't a podcaster at the time, right, but I'm able to talk to people, I'm able to typically, you know, get information out of people in different ways. Right, when they give you the same answer of no, I don't know what they work on. I've known them for years, right.

Speaker 1: 22:41

Was that the case back then? Or was it a little bit more open for you to you know? Maybe talk to the guys right that created the black box and now you're creating the software that goes into that black box and because now I don't think that someone in your position creating that software, I don't even think that you would know that there's a black box right, they're. They're just saying create a software that does this right.

Speaker 2: 23:11

No, there were certainly silos and a lot of the concept was actually very deliberate. We didn't call it silos, we called it compartments, compartmentalization and it had to do from an information security or data security perspective. I mean, we still have the concept these days need to know, we talk about it in terms of escalation of privileges and access to different areas in the technology and our data storage and databases and things like that. But the concept is simply the fewer people that know about something that's very sensitive, the better, because then you have fewer people that are going to have loose lips. You know loose lips sink ships. No World War I security poster. The fewer people that if it is discovered that some information is leaked, the fewer people to investigate. You know, there's just all sorts of different reasons why you add compartmentalization. I had the top secret, secret compartmented information, tssei clearance, as most people pretty much everybody at NSA did. But even beyond that, if you're working on a different problem and problems, let's say, were loosely geography-related, geopolitically-related very much different compartments, different security clearances that you would have to get read into signed papers promising that you're not going to reveal secrets about it, and so on and so forth, and very much dependent on what the target was, what the object of interest was, and it could be very literally right next door to one another and you really wouldn't know what the other people are doing. And that was primarily on the operations side of the house. On the defensive side of the house, the information security side of the house, it wasn worked in.

Speaker 2: 25:15

One of the things that I ended up starting to develop was I-wheeler trucks to comprise this mobile, supposedly mobile communications base station. One of the trucks was primarily the power plant, the other one was filled up with all sorts of equipment. They were trying to modernize and make use of things like laptop computers, and so a contractor had come up with a design for doing a lot of what this thing was doing, but do it in software in a laptop laptop, and so what took two semi-trucks to create a base station was being reduced to I'm looking at the picture of it now 15 transit cases that were two feet by two feet by two feet. I'll just grab the picture and show it to you. A picture is worth a thousand words. So this is what was being designed as the replacement for two trucks, much more transportable, much more meeting the original goal of mobile, because the truck ones basically weren't mobile.

Speaker 2: 26:56

The key element to that was the encrypted communications that they were doing, which was with what was called a one-time pad. It was called a one-time pad, the one-time pad key, which was printed on paper pads and was used by the troops in the field, the Green Berets, the A-teams At the base station. The same key was being printed on the old-fashioned paper tapes that you used in the early days of computers and they came to us and said is there any way we can get the key, instead of on paper tape, on a floppy disk, Because then we can feed it in the laptop, do the encryption, decryption? I had conveniently already done that for another customer and so we were able to do it for these guys and so help them in the project. So that's something I was working on for quite a while.

Speaker 2: 27:46

I was having lunch one day with a guy that literally worked the office next door to me and we're like so what have you been working on? What have you been working on? Like firmware in something that looked kind of like kind of sort of some of today's modern phones, that kind of flip open with a key pad. But it was something back then that was called a kale 43. You can Google that.

Speaker 2: 28:17

And as he was describing his his client that he was doing it for, I'm like, well, it sure sounds a lot like my client. So we started comparing notes and, lo and behold, we were working on two very different things but going after the same problem, and it turned out that the customer had two different offices let's say that approached two different offices at NSA, so we could point fingers as to where the replication was going on. We could point fingers as to where the replication was going on, but literally we were right next door to each other, both involved in multi-million dollar, multi-year design projects, research and development projects to satisfy the same base requirement from one customer. So yeah, it happened, even on the InfoSec side of the house.

Speaker 1: 29:07

Huh, that is really interesting. Customer. Uh, so yeah, it happened even on the infosec side of the house. Huh, that is, that's really interesting. That also isn't like completely out of the realm after working with the government that they would spend, you know, double the money on the same exact project. Basically right, just you know there's a reason why toilets cost like fifty thousand dollars or whatever it is right, like a pentagon, like that's always the joke.

Speaker 2: 29:32

Yeah, the. The epilogue to this and I'll share this just because it matters to me is after I left that office, which was before the completion of this project, and you know it bubbled up to management. Hey, we've got two, you know, different efforts going on that are basically going after the same thing. Somebody from that office sent me an internal memo some months later. That came from the top levels of the Army, because that's who the customer was saying that my system was what they were going to go with and they were going to cancel the other one. So I won, at least in the short term. Awesome.

Speaker 1: 30:11

It mattered to me at the time, trust me, yeah, absolutely, I mean, that's a, that's a huge thing, you know, because I I always felt like, especially at the facility that I was at, right it was broken up into four major modules and each module would have a different you know, telecom system would have a different OS, would have completely different things and each module was competing against the other. So, you know, if X phone system ever went down, they would just, you know, promote Y, and Y is a totally different product and they're all competing against each other. So it's not like it's not completely out of the realm and they're all competing against each other. So it's not like it's not completely out of the realm. You know, like when, I guess, when companies, maybe the best way to think about it, you know, and that's what that's like. It's a, it's a environment like none other.

Speaker 1: 31:15

And you know, one of the things that I kind of got a glimpse at was the technology that they were using. You know, the technology seemed to be I mean, it seemed to be, from what I saw, right, and I'm not even seeing the cutting edge, the top tier stuff, right, but even that stuff seemed to be five to 10 years ahead of whatever was on the market, right, whatever you could purchase right now as a private citizen, it's probably five to 10 years ahead. Does that remain true? Back when you were at the agency, did you, you know, work on stuff that you were saying like this, this will come out in you know 2000 or whatever it might be Right, and you're you're looking at advertisements for you know the newest stuff, right, when you go home or whatever, and you're saying, man, we were like, that's nothing at work, you know, like, is that the case, or maybe not so much?

Speaker 2: 32:14

Well, you know my opinion only, I should say, and certainly I didn't have a complete view into everything, but my experience was rather sort of the exact opposite. You know, what you're describing is is sort of the of one of the fundamental principles of the free enterprise system is the idea of competition, and the idea that there's competition is going to drive innovation and the best products to come out at the best price. This might go back to, you know, sort of the military mindset that NSA was built around, because I can remember I worked with a lot of people that were enlisted and officers Third to half of the workforce were military people at any given time and I'm making that number up because the exact number is probably classified, but I can remember one of them, one time they were passing out a list of aphorisms. You know true statements that were true for the military, and one that always stood out to me was you know, remember when you're in a firefight that your rifle was built by the low bidder. You know, but even I think you know the InfoSec side of the house being more or less an engineering organization that did notillion-dollar contract with one of the branches of the military and that branch was coming back to NSA saying why are we spending millions of dollars on you to develop something everywhere called pretty good privacy tgp? Google it, you younger people.

Speaker 2: 34:09

The guy that wrote it was in trouble with the government before they were trying to prosecute him for a long time, because he basically came up with a free encryption software that was as good, if not better, than some of the stuff that nsa was producing and it was, but crypto at the time was classified as materiel, it was like munitions, and so it couldn't be exported. And how do you control the export or import of something that's on the Internet? Phil Zimmerman, this guy that wrote PGP. They tried to prosecute him for a long time, but there was a day and I was in the InfoSec side of the house where a mandate was put out from the deputy director saying you know, our contract and our livelihood is being threatened by this freeware package called PGP.

Speaker 2: 34:58

Everybody, stop what they're doing and try to come up with an attack against it. To try to. You know, sully its name and prove that it's not as secure as our stuff. Sully its name and prove that it's not as secure as our stuff. I won't tell you what the outcome was, but I'll tell you that PGP is still around today in some forms and some people still use it, and of course, public key cryptography and so on and so forth has won the day. I mean, nobody's getting their cryptographic keys in search from NSA anymore, because it's all out there in the wild. So you can imagine where that went. I'll leave it there, a, because I forgot what my second story was going to be, and B, that's probably more poignant anyway.

Speaker 1: 35:41

What was that like? Starting the first red team at the agency? Well A, we didn't call ourselves a red team at the agency.

Speaker 2: 35:49

Well, one you know well we didn't call ourselves a red team. That was a term that was assigned to us much later on. But we were, you know, we're some, a small group of guys, or four of us initially that were just kind of, you know, interested in this new thing called computer hacking and network hacking, internet hacking, internet security, and we were charged with the mission of evaluating the security of network systems anyway. So somebody said, why don't we just learn how to hack? And so we all just started learning how to hack and I had hair back then. I grew it long. We were trying to live kind of the hacker lifestyle. You know, while we were doing this was when the movie hackers came out Uh, you know.

Speaker 2: 36:35

So you know things were happening out, out in the public. You know, like 2600 was around back in the early days. You had the anarchist cookbook that was available on the internet. I mean, everything was new and the internet was new, and you know, having information at your fingertips through a browser. You know, worldwide web is what we called it at the beginning. It was all new and everything that was written up into that point, everything that was designed up in that way, was trying to facilitate and foster fast, easy communication and data sharing. So the idea of protecting it in any kind of way, shape or form was really kind of foreign. So, needless to say, it was sometimes very easy for us to break into things because most of the time what we were doing was just taking advantage of what we would have called features. You know, it wasn't a bug in the operating system, it was the way the thing was designed.

Speaker 2: 37:34

And, uh, you know, back in the early days, you know, there there used to be talk about, you know, when you would buy something new, like a, buy a new computer or buy a new server, you never wanted to plug it in out of the box because it had everything turned on by default, because they wanted you to be able to use it and have it work. So it was up to you, the consumer, to lock things down, to harden things. So to this day there's hardening guides, there's configuration guides and requirements to follow things like that, guides and requirements to follow things like that, although you know, the big players like microsoft have, you know, gone leaps and bounds into doing much more security out of the box for new systems and new servers and applications and operating systems and so forth. But it was the wild west in the early days, so we were just sponges and just learning as much as we could, and we tried on our own systems and networks and like, look at that, you know it works. But we were learning from the same sources that everybody else was. You know what? You know hacker websites, there were bug track. You know people that are reporting vulnerabilities or having problems fixing things, various news groups and RSS feeds and so on and so forth 2600. I think we all subscribe to it Anything we could get our hands on.

Speaker 2: 38:56

What made it tricky, though, for us was because our targets were classified systems. The lawyers that tried to provide some ground rules for us to do what we wanted to do. They made the declaration that anything we do has to be classified at the same level as our target. So if we're targeting mostly top secret systems, literally everything we did had to be classified top secret because of the sort of the traditional way of classifying things and the touch rule and the association, and you know, if you have a way of breaking into a top secret network, it makes sense at some level. You want to keep that a secret too, so that needs to be protected according to the same rules that any top secret information. So there, I mean there was a reason for it. It became very impractical when we're pulling most of the things that we were doing, which was more techniques than exploits, back in those days Although there were some exploits too, but we were getting them off the internet. It was freeware, it was open source, and yet as soon as we touched it it became classified, top secret.

Speaker 2: 40:14

I gave a talk years ago about sort of the origins of the red team and I have to caveat in this talk I can't tell you what we did because it's still classified. I can't tell you what we did, were doing, but use some common sense. And then at some point I say, okay, I'll tell you one top secret tradecraft that was a very common tool that we use, and I proceed to tell them about the Ping Committee. So ping command, because we used it literally, was classified top secret and we couldn't tell people that we used the ping command and worse than that, to get all the management approvals and authorizations to do these pen tests and this ethical hacking, trying to break into something we were supposed to describe our attack scenario and our methodology ahead of time and have everybody pre-approve it. So before we could even issue a ping command, we had to go through a weeks-long process of getting authorizations, in theory, to be able to ping a target, ping a ping scan, a network segment, ping a box to see what it was, do any.

Speaker 2: 41:46

And this is long before the days of any kind of commercial vulnerability scanner, like most people know Nessus these days. Um, ironically, the, the guy that founded the company that produced Nessus, was one of the guys on our team. Um, so there, you know there is a connection there. But, uh, back in those days we had two freeware versions of vulnerability scanners. One was called iss and one was called satan. Uh, and you know, you can imagine at a government or top secret organization it's very politically minded how well using satan went, went over as a tool, but it had to be classified top secret.

Speaker 1: 42:28

If in fact, we used it, I might have revealed a secret yeah, you know, maybe a couple years ago at this point I talked to someone that was a cyber warfare officer for for the military right and he talked about how he would be handed target packages and he would be tasked with creating essentially, you know, the payload, the exploit, whatever it was the entire thing, and putting it all into essentially a command and never hitting enter. You know he's not allowed to hit enter. That goes to someone else where they hit enter on their keyboard after it gets approved and everything else like that. And you know the.

Speaker 1: 43:13

The amount of times that he said that you know things would change right in between the time that he created it and the time that it was approved and then it was actually executed was was significant and it was very frustrating because that process is so long and arduous to go through. Just for basic things, basic things, you have to change permissions on a file or whatever it might be Simple terminal tasks. It's really fascinating to me. Were you ever handed a target package that you couldn't get into, that you couldn't find you know anything against, I would think back then that it would be a whole lot easier than it is today, because now today, everyone's kind of hyper aware of security, and so even I feel like even the just regular average desktop is a little bit more difficult to get in, and maybe that's my naivety, right Is? It's a little bit more difficult to get in today than it would have been 20, 30 years ago, right? Because everyone is so hyper aware, I need to deploy these patches.

Speaker 2: 44:26

Well, the short answer is no. I was never handed a package because we, for the time that I was involved, we were so new that we didn't have really a formalized methodology for delivery of services, so we weren't well known. I mean, we I talked to an old manager from that time last summer, caught up with him, found him on Facebook several years ago, and then COVID happened. We finally got together for lunch and we were talking about things like the TAO and I was like you know, did the TAO come spring from what we were doing? He goes no, not really. That was. I know where it came from. It was from a different area of NSA. But he kind of scratched his head and thought a little bit. He says no, what you guys were doing. And we call ourselves the pit by the way, that was our nickname for our office, but in the folklore the pit was the first red team at NSA. But he said you know, you guys were kind of the beginning of what's now US Cyber Command. So you know, that's how far back we go.

Speaker 2: 45:37

I mean, I started doing this, as near as I can remember, back in 1992. So over 30 years ago I was breaking into what was mostly Unix systems and mainframes back in those days. But in as much as we were kind of new, we didn't have a very formalized methodology and a formalized way of approaching us, and engaging us then was teaching people about Unix file permissions and directory settings and things called set UID permissions, which basically any application or service that was running on Unix many of the early ones that were written had to be executed as root in order to perform. So even you know. So there was a bit that was set in the permission that when it executed anybody could run it. But when it was running it was basically running it as root and if you could get it to crash and hiccup, very often it would dump out into a shell but retain its status, so it would be a root shell.

Speaker 2: 46:47

Very common back then and you know probably 80 or 90 percent of the services and applications that were available on any unix system out of the box had these set uig bits set to execute as root. Um, that's the type of thing we were doing and it was much more teaching people sort of you know, basic hygiene and and we weren of thing we were doing and it was much more teaching people sort of you know basic hygiene, and we weren't only. We were figuring it out as we went along, what's good and bad, and you know we used to joke all the time. Well, this is a feature, this isn't a bug. A lot of people were doing that and that's why we started to have hardening guides and hardening standards and things that you need to do if you're going to install or turn on a Unix server or a Unix workstation or, later on, a Windows workstation or server.

Speaker 1: 47:48

Here's all the 10 million things that you need to do to lock it down before you let it loose on your network. What's the? What's the tal?

Speaker 2: 47:52

group. Gosh, what is tao? Everybody's listening. It's going to shout it out technical access organization. That's not right. I could google it real quick. Tailored access or tailored access, thank you.

Speaker 2: 48:06

It was a group that was exposed by wLeaks several years ago, back when the whole Edward Snowden things and Julian Assange kind of stuff was going on. It was basically a super secret group at NSA that would do a lot with, I think, what you were describing as being handed a package and then go do stuff and very surreptitiously so it was a very super secret organization that a lot of people got outed as it. Very few people knew it existed, especially not in the public realm, and so it kind of got blown up and a lot of their exploits were exposed publicly and so on and so forth. So a lot of people know about tao, kind of from the whole Edward Snowden, wikileaks type of thing. So that's why I brought up TAO. I was not responsible for the predecessor. I'm not an ancestor of TAO. I'm apparently an ancestor of US Cybersecurity, which was much more mission-focused sort of upfront about defense really still, as opposed to offense.

Speaker 2: 49:14

And again we started doing this ethical hacking, breaking into networks in the early days to test the security and let's see how secure you are and find the holes and the vulnerabilities by attempting to break in, which, by the way the way, is pretty much the movie plot to the movie Sneakers, which I happen to be wearing a t-shirt that is a reference to the movie Sneakers, but that was kind of our inspiration and, ironically, to this day most red teaming companies, pen testing companies, kind of follow a very similar methodology, especially if they're doing physical access. So if you've not seen the movie Sneakers and you're trying to break into the industry, there is sort of a canon of movies that you should watch and some of them are old. But War Games is the classic. It came out in 1983. Matthew Broderick, sneakers, which came out in 1992. Robert Redford and Ben Kingsley a huge cast of really famous names at the time were in that movie.

Speaker 2: 50:16

1995, hackers, angelina Jolie. Same year, a movie called the Net, which hardly ever gets any attention, although I met somebody at a conference a couple weeks ago and they said that the Net was their favorite hacker movie. Sandra Bullock, also 1995.

Speaker 1: 50:36

Other movies since then, but those are sort of the classics of the original kind of hackers being pimply-faced high school kids that lived in their parents' basement and never saw the light of day and had the black hoodie and knew everything about computers and breaking in, so anyway, yeah, so you know, jeff, I want to ask you what made you stay in the agency for so long, because you said in the beginning, right, there was there's a significant amount of turnover and someone you know figured out how they could essentially leave, and you know, under a year or so, right. So I'm sure, I'm sure, you probably knew about that method and whatnot at that time and I'm sure you probably even, you know, thought about it, right, like, is that something I want to do? Maybe I want to stay here. Even, you know, thought about it, right, like, is that something I want to do? Maybe I want to stay here. What was, you know, the things that you weighed, um to stay at the agency for so long?

Speaker 2: 51:37

And then why did you end up, you know, leaving when, when you did, uh, there's a whole story to why I left and I'll try to make it short for you. But, um, I mean, when I came to the agency because I wasn't critical skill, I was not given I didn't. I was on the regular pay scale, didn't have the accelerated pay scale, so I got paid less than everybody else, didn't qualify for a lot of the extra programs because they were just for the critical skill people. There's intern programs that existed for all the different skills, skill groups and disciplines within the agency and you had to go through the intern program to get all the different qualifications, to be what was called being professionalized, which was a threshold to if you ever wanted to be promoted on the GS scale from a 12 to a 13,. You had to have professionalization, which is sort of a you know, modern equivalent of certification. You're like everybody in this industry has to have a CIS, sp type of thing. Um, so I mean part of my motivation for staying and I was there for 10 years was I was doing cool stuff. A, uh, I had kind of had and have kind of a chip on my shoulder that I wasn't given all this special opportunity and the people that were, they weren't really doing anything in particular whereas I was doing stuff, and very, very quickly.

Speaker 2: 53:00

The reason I left and I tell this story more in depth with the talk that I'm giving this year. I've given it several times and I've got a couple more to give. The next one would be am I giving this talk at DEF CON? I'm not. I'm keynoting B-Sides, edmonton, alberta, in September and I'll be giving this talk in GRR CON, which is Grand Rapids, end of September.

Speaker 2: 53:27

So if you want to hear the story, full story there. But essentially we were doing this pen testing exercise and we were asked to do it for a civil agency, so a non-classified network. We ran into some political issues in terms of things that are similar to what Snowden was bringing to light. But when that was exposed and we got in trouble, and because I was the team leader, I was the one that was really in trouble when there was a particular incident that happened in late August or mid-August of 1996, I was gone from NSA before the end of September 1996. So there was a significant incident that happened, that was life-changing, that changed the course of my career, and within six weeks I was gone from NSA. I'll have to leave it at that, because this is only an hour podcast and it's a pretty lengthy story.

Speaker 2: 54:30

Yeah, that means I definitely need to bring you back go see me at gurkhan or besides edmonton or look for I don't know if I've seen this talk, even though I've given the talk a lot this year. I don't know that it's been recorded much, but uh, you know, as as a teaser, I I've given three sets of talks over the years that tell my NSA story. The first one was Tales from the Crypt Analyst, which was when I was actually a crypt analyst, and then the sequel I have stickers too to promote it More Tales from the Crypt Analyst, which is where I tell more of the in-depth story of the origins of the first red team and the pit. And then this year it's Tales from the Crypt the afterlife.

Speaker 2: 55:10

What did I do after I left NSA abruptly at the end of 1996, up until roughly 2004, where I started doing PCI? It started out as a how did I get into a PCI talk? Somebody that's a former NSA cryptographer. So I'm considering resurrecting all three of these stickers. So if you do go to Gurkhan, I'm hoping to have the box set of the stickers available, as it were. I mean free for giveaway.

Speaker 1: 55:38

Yeah, that'd be pretty awesome. You know, jeff, I really want to go longer, but I guess that just means you know that I have to bring you back on.

Speaker 2: 55:48

You have to bring me back to the last podcast that interviewed me. They let me talk for three hours, so I'll say which podcast was that? Uh, it's called the team house.

Speaker 1: 55:59

I think I heard like the first hour of that.

Speaker 2: 56:01

Yep, well, I think it went viral, cause, uh, I don't know what constitutes viral, but it's at 115,000 views the last time I checked. Oh, wow, I don't know what. Their audience is Very diverse, because they talk about special operations and warfare. I think they've got a lot of military-minded people, not just cybersecurity people. I'm happy to come back anytime, because all we've done is the intro, uh. But yeah, uh, I'm happy to come back anytime because, you know, all we've done is the intro, yeah.

Speaker 1: 56:33

Right.

Speaker 2: 56:33

We've we've touched lightly on the first 10 years of what's more than 40 years in the business. So, uh, I'm happy to come back, uh, as time allows.

Speaker 1: 56:43

Yeah, yeah, absolutely, I'm, I'm definitely, uh, going to get you back on the schedule to come back on, let's do a part two. Sure, that'll be awesome. Well, jeff, you know, before I let you go, why don't you tell my audience? You know where they can find you if they wanted to reach out, and maybe even you know the link to. You know whatever company you're working for, if you want to put that out to put that out.

Speaker 2: 57:13

Sure, I work for a company called Online Business Systems the website is wwwobsglobalcom and I do primarily consulting and advising from a security perspective, primarily for PCI, the payment card industry. I just finished my first version four report on compliance earlier today. It's going through final review and then it'll be signed and delivered to the client. But I've literally been doing PCI for the last 20 years, which is disturbing on some levels. But there's a reason why I do it. It's kind of a love-hate relationship. We can have a story about that. I also, on the side, I'm a co-host of a podcast called Paul's Security Weekly, which you can find at securityweeklycom.

Speaker 2: 58:02

I do quite a bit of conference speaking. I've been out there a bunch. This year I'll be speaking at defcon at the crypto and privacy village, and there's apparently something new at defcon this year called creator stage, where all the villages submitted like their top two or three talks to this creator stage. So I think I'm doing that and I assume that means it's a separate talk. I'm not sure they're also resurrecting Sky Talks, but instead of it being affiliated with DEF CON this year it's affiliated with B-Sides Las Vegas. So I'm going to be doing a Sky Talk, sort of adjacent to B-Sides Las Vegas I think it's actually at the hotel next door, I forget the name from the Tuscany, so I'll be speaking at DEF CON and B-Sides Las Vegas, what we call Hacker Summer Camp, and then B-Sides Edmonton. If you happen to be Canadian A you want to come up to Edmonton, alberta. It's beautiful in September. It's not minus 30 yet, but I'm keynoting B-Sides Edmonton up there. And then the last weekend of September so it's like the 27th, 28th or 29th, somewhere in that range is GURCON and that's in Grand Rapids, michigan. Highly recommend going to GURCON if you want to go to a hacker conference. Some of the hacker conferences aren't with us anymore, some are fast going away, but it's holding its own and it's a pretty decently sized but not too big hacker conference. It's not too big, where you can't have conversations with people and have pretty good networking sessions without the crush of humanity like some people experience at things like defcon.

Speaker 2: 59:51

Yeah, so that's it for the pitches. Uh, I'm on linkedin, you know. Type my name in, spell it right. Uh, google me again. Spell my name right. Uh, you'll find me in different places. I, I'm sort of on twitter, but I'm not, you know, just like everybody else. Yeah, um, I'm on facebook, but I'm not. You know, just like everybody else, um, I'm on Facebook, but I'm not. I don't do social media. We started the conversation, yeah absolutely Well, you know.

Speaker 1: 1:00:17

Thanks, jeff, for for coming on. Um, I'm probably gonna. I'm probably gonna go to one of the conferences that you mentioned, so I'll definitely, uh, be in touch and maybe we'll meet up for a drink or so over there Sounds good, All right yeah absolutely Well. Thanks everyone. I hope you enjoyed this episode. Thank you.

People on this episode

Joe South

Host