Security Unfiltered

From Cipher Wheels to Modern Data Security with Jeff Man Pt 2.

Joe South Episode 172


Ready to unlock the secrets of cryptography and cybersecurity from a seasoned expert? Join us as we welcome back Jeff Man for the riveting second part of his story, where he navigates a hectic schedule filled with speaking engagements at premier conferences like B-Sides Edmonton and GrrCON. Jeff opens up about his efforts to achieve work-life balance and self-care, sharing plans for a rejuvenating two-week road trip and the enriching experience of spending quality time with his spouse. The episode is a treasure trove of insights into personal growth and the delicate dance of integrating professional and personal lives, especially in the wake of retirement and the COVID-19 lockdown.

Travel back to 1987 and explore the pivotal role Jeff played at the NSA in enhancing military communications security. We delve into his assignment on the manual crypto systems branch, where he utilized classic cryptographic techniques, including the cipher wheel, to improve the US Special Forces' communication methods. With detailed anecdotes, Jeff recounts how he tackled the challenge of creating a practical and secure solution that could be easily memorized by field operatives, shedding light on the evolution of cryptographic practices and their profound impact on military operations.

Our journey through the world of espionage and cybersecurity continues as Jeff shares captivating stories of government espionage, data collection, and the technological advancements that often remain hidden from the public eye. From Cold War tactics to modern data interception techniques, Jeff provides a comprehensive overview of the cyclical nature of intelligence work. Rounding out the episode, Jeff reflects on his transition from the NSA to the private sector, candidly discussing the ethical challenges and evolving landscape of cybersecurity. Don't miss this fascinating exploration of history, personal growth, and the ever-changing world of cybersecurity.


Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today

Speaker 1:

How's it going, Jeff? It's great to have you back on the podcast. You know we're doing a part two today because your story was so expansive right before that. Like I couldn't just leave everyone on a cliffhanger, and mostly for selfish reasons, I couldn't leave myself on a cliffhanger, right. So how's it been going?

Speaker 2:

Yeah, it's been busy. This is the busy season. I forgot when we recorded our first session. I feel like it was like a month or two ago. Yeah, and uh, it might have been June. It was before Vegas.

Speaker 2:

I know that, so you know, hacker summer camp has come and gone. Summer has come and gone. I was talking previously about, uh, in the fall I'd be speaking at B-Sides Edmonton, which is in Canada, Edmonton, Alberta, as well as GrrCON. Got the GrrCON shirt on. That hasn't happened yet. That's the end of September, so I feel like you're getting me back on. We talked a little bit last time about how it had taken a long time to pull the trigger on this, but this seemed to come much more quickly, the second round. That's what happens when you leave people with a cliffhanger.

Speaker 1:

Yeah, yeah, I guess. So I've also taken a very, very aggressive approach to lightening my schedule the back half of the year, because it's just it's too much, you know, trying to juggle four or five different things all at once, you know, and trying and try to right, try to have a family as well, right, like I don't want to be working until 9 pm every night, but yeah, that could be a third episode where we talk about, uh, work, work life, family life, balance, self-care.

Speaker 2:

I've been learning about self-care this year. My wife and I have been on a journey of learning how to relate to each other more closely after 34 years and empty nesters. And what do we do now? We're staring down retirement and ultimately death. But this is supposed to be the prime of our life and I've talked to many people that are in the same situation and they're like, yeah, I don't know what I would do with my wife. I had to hang out with her all day long.

Speaker 2:

But we're, we're trying to be a little bit more proactive and plan some things. Like you know, we're taking a two-week road trip the back half of October, just for fun, just because I've never taken a two-week vacation before because of, you know, the workload. It's like dang, I'm going to, I'm going to do it this time. So we're going to take a road trip. Our ultimate destination is to hang out with a dear friend of mine, pioneer in the industry, especially in terms of Security B-Sides, Mr Jack Daniel. Some people might have heard of him, although he's retired now and, very quickly, people forget about relics from the past. But, yeah, self-care. But that's not the purpose of this call today. We can save that for yet another episode.

Speaker 1:

Yeah, that might even be good for maybe an episode like kick off the new year. You know where we're talking about.

Speaker 2:

You could even do it as a roundtable. I know there's several nonprofits in the industry that are focused on various aspects of that, Mental Health Hackers being one of the primary ones that I run into a lot, and they do lots of cool things just to try to help people. As it turns out, what I'm learning is self-care, take care of yourself. All work and no play makes Jack a dull boy. It also drives you to drinking and, you know, bad habits and all sorts of other things and failed marriages and stuff like that.

Speaker 1:

So anyway, we digress. Yeah, you know it's interesting. You brought up how you know people always say like I don't know what I would do, you know, with my wife after retirement if I had to spend all day with her or whatnot, and like it kind of takes me back to like the very beginning of COVID right, because me and my wife got married two weeks before the lockdown started here in Chicago.

Speaker 1:

Right, so we got married, moved in together for the very first time and now we're locked inside with each other Right, and we're told we can't go outside, we can't go to the gym, we can't go to work, all these things, and that was. That was like like trial by fire for starting a marriage. I mean that was insane.

Speaker 2:

We heard stories. A lot of people didn't make the cut. You know they. They were used to getting along when they were each working and had their own careers and had their own you know, support groups and social groups and whatnot, and all of a sudden being stuck with one another. Yeah, Not a lot of people didn't make it.

Speaker 1:

Yeah, I know quite a few that didn't, and it's I don't know like. I feel like it was definitely difficult, but I'm glad that we, you know, stuck in there or whatnot. Right Like it's. That was a feat in and of itself.

Speaker 2:

I feel. In and of itself, I feel. Right, well, yeah, I mean, my wife is my best friend. It's been an exciting year for me because one of the things we're learning is she needs to have her own things to do. I obviously have my own things to do and a lot of that is being out in the security community, hacker community, like, you know, mentioning I go to a bunch of conferences every year, but I had a chance to her stuff, my stuff and stuff that we can do together. One of the things that we're trying to do is for her to enter my world and for me to enter her world. So I've been able to take her to a couple of the hacker and security conferences this year and that's been a lot of fun because, you know, she likes talking to people, she likes meeting people and I tend to hang out with people.

Speaker 2:

People approach me and it's just been fun watching her engage with other people because, you know, she's got a lot of experience and a lot of wisdom too, about all this stuff that we all talk about and care about, and she's been hearing me talk and bitch about security things for 34 years. So she was always my sounding board over the years when I was trying to figure out how to explain some difficult security concept to a client. I'd run it by her and she's great at making analogies and that's something that I've learned to do, not as well as she does, but over the years, to try to help people understand concepts by putting it into a language and into a context that they can understand. I got that from my wife and she's great at it, so anyway, yeah, she's, yeah, she's pretty awesome.

Speaker 1:

I hope to bring her to many more conferences in the future. Yeah, it's fascinating how, you know, two people can kind of like complement each other that way. Right, like it's, it's really, it's, it's great to have that. I don't quite have that just yet with my wife. She's a special education, like early childhood, teacher, um, and so like me talking about anything with cybersecurity just goes straight over her head. She's like, I don't know, you need to break it down more for me, and I was sitting here like, I don't know.

Speaker 2:

I kind of told you the, the basics there. Yeah, but most of us in the hacker community, especially the white guys, you know, we are just adolescents at best, if not toddlers, on the inside. So she's probably perfect for you. Yeah, yeah, exactly. Not making.

Speaker 1:

Not making any judgments or accusations, it's just trends, guys. Yeah, the only difference is she doesn't have any patience for me. She has way more patience for her students, but none for me.

Speaker 1:

You know, right, right. Interesting. Well, Jeff, you know where we kind of left off in part one. For the audience, if you haven't already listened to or watched part one, please go do so. I'll leave the link in the show description or the show notes, whatever it is. But where we kind of left off was we didn't quite get to your invention while you were at the agency. So why don't we talk about, maybe, the problem that you were faced with, that you were trying to solve for, and then what the invention is and how it's used?

Speaker 2:

Sure, yeah, I started at NSA in late 1986 and spent a couple months taking courses, introductory courses, learning about the basics of cryptography and kind of the things that NSA did, waiting to get my clearance, my top secret clearance. When I was finally assigned to an office it was probably early 1987. It was in what at the time was called InfoSec, the defensive side of the house, and I was reporting to the manual crypto systems branch. So this was back in the days where there wasn't a lot of digital encryption going on. I think public key cryptography had been invented. You know, Diffie-Hellman algorithm, I think that was done early on, but not a whole lot of practical application for it yet. So most of what NSA did from a defensive perspective, InfoSec being defensive, was produce manual, you know, manual crypto systems, what we were doing, but a lot of machine crypto systems. You know, things that you see in movies, army guys talking on radios. The radio itself is on a backpack. Well, there, there's other things besides just a radio that are encrypting the voice signal, converting it to digital, doing encryption, various different methods. You know, dating, that technology kind of dates back to World War II. A lot of people are familiar with the Enigma machine. But in the 70s and 80s at NSA, with the advent of more digital machines and just more machines in general, things like electronic typewriters and copy machines, you know, what we used to call Xerox machines, because Xerox was the company that, you know, made the, you know, they were the first ones or the main ones that made them, everybody assumed that paper systems would go away.

Speaker 2:

NSA was continuing to move towards more machine-based cryptography, building little black boxes where data went in in plain text form and out came cipher, and all the magic and secret stuff happened inside literally little black boxes. So one of the things that I was doing, or I guess my primary assignment working for this organization, was to do sort of a security evaluation of the existing systems that were out there, the manual systems, and one of the first assignments I had was working with US Special Forces, the Green Berets. They had as their primary form of communication something called a one-time pad, and a one-time pad was literally a pad of paper. There were two copies, five, maybe 50 groups of five letters, I don't know how many exactly there were, printed on a paper and you would write your message one letter at a time, above or below the letter that was printed there, and then you would use something called a Vigenère table or a Vigenère square. This is a copy that was the first page of every one-time pad for the US Special Forces. So that's the dimensions of the pad, maybe three inches by six inches thereabouts. This table represents what was called trigraphs, three-letter combinations. Again, trying to get it up there so you can see it. The communications sergeants that were part of the special forces teams.

Speaker 2:

They were responsible for sending and receiving the messages, doing the encryption and the decryption Back in those days. Very often they were sending the messages still in the late 80s by Morse code and they were receiving the signals by radio signal and they'd have a receiver. They'd set it up, turn to the right frequency, listen for the message, write it down letter for letter. And the way it works is you write down the letter, whether it's plain text or the cipher. You've got the key. There's a unique third letter. So you write down plain text. There's the key. The third letter becomes the cipher. The cipher gets sent. The other end has the same key. So he writes down two of the three letters and gets back to that first letter because it's a unique three-letter combination. So that's what they used as their primary form of communication.

Speaker 2:

They also had a backup system in case they were deployed somewhere and had to drop their backpack that had all the one-time pads in it and still wanted to send an encrypted message. They had a memory crypto system and my assignment was to come up with a new memory crypto system because the one that they'd been using, we'd done a security evaluation prior to when I was there and determined that it was vulnerable and it could be broken. So I set out to try to come up with a new memory system for them, and I had just gone through history of cryptography courses and learning about all sorts of classic substitution systems, transposition systems, cipher systems, the Caesar cipher from back in Roman days, cipher wheels and Little Orphan Annie decoder rings and all that kind of stuff, and I was trying to use a lot of those different techniques to see if there was one that could be used, because a memory system, by definition, needs to be something that you can memorize and be fairly easy to use.

Speaker 2:

One of my sort of going-in goals was to take advantage of the guys that were the radio operators. They had these things more or less memorized. They would have this paper every time they cracked open their new one-time pad as a backup, but they would memorize these things so that they could do it in their head much more quickly. As I was visiting them, you know, we set up sort of the work groups for the various communications sergeants from various teams to come together and I would present ideas of, you know, what if you did something like this? What if you did something like this? Here's a couple options, what works, what doesn't work.

Speaker 2:

I think I mentioned on the first episode I was a business major, so I was like applying basic business practices, trying to get, you know, group buy-in and all that kind of stuff. But as I was like in a little classroom or meeting room talking to, you know, eight or 10 guys, turning around writing on the whiteboard and trying to do this and also demonstrate, you know, a couple of different variations of what I was trying to hope, hope, hope them, hope to get them to buy into. At some point I was struggling because I'm like, I'm not going to memorize these things, I'm using this awkward table and it's just time consuming. And at some point I was back in the office and I was thinking, you know, I just learned about cipher wheels. There ought to be a way to make a cipher wheel out of these, these alphabets. And so I talked to the guy that was my mentor, I think I mentioned him on the previous episode, the guy that used to write logic problems for Dell Crossword Puzzle Magazine. I talked to him about it and we figured out, yeah, there is a way to do it. So I drew it out on paper and, you know, cut it out, glued it to cardboard, put it together and made just maybe a five or six inch large wheel, cipher wheel, that had a. This is what the prototype looks like, so we know what we're talking about. The one I did was on cardboard and paper. It was a larger edition, but basically two wheels and there's a little window inside the second wheel or inside the second row that has a third alphabet that's hidden. So you line up your two letters, whatever they are, trying to get it focused here, and in the window is the third letter. So it was magical.

Speaker 2:

I took this cardboard, paper-based wheel with me the next time I visited Special Forces and they loved it so much they stole it from me. I mean, they literally didn't give it back to me. I was like, fine, you can keep it. So the next time I went and visited them, I made like maybe a half dozen more and they just snatched them up, and at some point I was like, you know, we're NSA, we're in the business of supplying you with all your crypto systems and your crypto materials. Would you like us to make these things for you? And they're like, oh, we would love that.

Speaker 2:

So I went and found, uh, a machine shop at NSA that would build prototypes of little black boxes and I gave them some specs and so they came up with this being the prototype of this cipher wheel. And I had two of them made and I took them with me and showed it to them and, like, oh, they loved it. So we found a way to get them produced as cheap as possible. Got the unit cost down to $10. And they wanted 15,000 of them. The sad part about this story is I could not find at NSA a way to only spend $150,000. Everybody I talked to was doing multi-year, multi-million dollar engineering projects, three-year R&D projects, five-year R&D projects, development projects and, for the life of me, and I talked to dozens of people, where do I go to find the petty cash box? All I need is $150,000. Ended up had to call back to the army and say I can't find a way to get this paid for. Will you pay for it? No, I'm not a problem. So I got the money from the army. We made 15,000 of these wheels.

Speaker 2:

So I've been carrying around the two prototypes of these wheels for years, going to conferences and, you know, every once in a while, you know, somebody would say they're in the army. Or I'd meet somebody from special forces and I'd say, oh, do you ever remember using a little cipher wheel with your one-time pads? And at some point somebody said, yeah, I remember that, we call it the whiz wheel or the whizzy wheel. So when I would meet guys that were Green Berets, you know, after that I'd ask about the whiz wheel and, you know, a lot of people remembered it. I met a guy at DEF CON, I think back in 2017 or 2018, you know, prior to COVID. Actually, a friend of mine met this guy that was an ex-Green Beret or former Green Beret and said, hey, do you remember the whiz wheel? The guy said yes, and they said, would you like to meet the guy that invented it? And the guy was like, heck, yeah. So, you know, I met this guy and he was very excited because he had been in special forces back in like the late 90s, early 2000s and he very much remembered using the whiz wheel. He was the communication sergeant. They called him the POMO. That was sort of their nickname for that position on the team.

Speaker 2:

The long story short is I, you know, got to know this guy. We corresponded and somewhere along the line he said you know, I think you'd qualify for membership in our alumni association. So well, I was never in the military, you know on special forces. So he goes. Oh, I know, but we have special status for civilians that made significant contributions. So he was able to get me a lifetime membership in the Special Forces Association. So I've got my membership made of metal. It doesn't get me first on the airplane or anything like that, because that has to be retired military or active duty, but it's still kind of cool to whip out every once in a while and gets me a free drink every once in a while.

Speaker 2:

Last year, 2023, I got to speak at their convention. They have an annual convention. It happened to be in the town where this guy that I had met lived, so he was hosting it, and I gave a talk to the convention about the origin of the whiz wheel and I asked, I sort of put out an appeal, I said, you know, I've never actually seen a production model because by the time they were made and distributed I had moved on from that office. And if anybody's got them and is willing to part with them, my goal was to have it put on display at the National Cryptologic Museum. That's part of the National Security Agency at Fort Meade, Maryland, and also there's a Special Forces Special Operations Museum down in North Carolina, in Fayetteville, at what used to be known as Fort Bragg but is now Fort Liberty, I believe, and that's one of the main special forces bases that I used to visit all the time.

Speaker 2:

So a couple days later, by the end of the conference, the guy, my friend, walked up to me and handed me two actual cipher wheels. So this is one of two actual production model whiz wheels. I mean, it's made out of aluminum, it's nothing fancy. But in talking to these special forces guys, they were very appreciative of the wheel. One guy told me that, while they had the letters memorized, very often when they're deployed they might be up for 24, 48, 72 hours and you don't have recall when you're up that long. So he said, yeah, it was a lifesaver to have that wheel available to use in certain situations. The guy, my friend that had got me into the association in the first place, he's on a Facebook group and he said shortly after he met me, he posted to that group. Hey, I'm at the inventor of the whiz wheel. So there's this.

Speaker 2:

All sorts of chatter about remembering these trigraphs, since people were citing the ones that they still remember. One person said whoever made that thing ought to have a national holiday named after. So apparently it made a difference for him. Long story short. I mean, it's already been a long story, I guess, but that's what you wanted me to do. I was able to get one of the prototypes and the production model I donated to the National Cryptologic Museum. I did that shortly after I received it back in 2023. Put it on display this past April. So the cipher wheel that I invented is currently on display at the National Cryptologic Museum.

Speaker 2:

If you happen to be in Maryland or traveling near Baltimore or DC, it's a pretty short haul up to Fort Meade and the museum's open 10 am to 4 pm, I think, Monday through Saturday. Come and see the cipher wheel on display. They were excited because they don't often put stuff on display and the inventor is still alive. They've got a lot of very relics there. I mean, they've got, I don't know how many Enigma machines they've got on display.

Speaker 2:

One of Hitler's personal Enigma machines. He had his own special set that, you know, one traveled with him and one was in his Eagle's Nest or whatever they called it, where he used to hang out. They got lots of cool stuff. I mean, you know, the cryptologic museum is, is.

Speaker 2:

If you're into this kind of stuff, I guess you have to be a certain kind of geek. It's a real fun place to visit. There's a lot of history there and a lot of stories and a lot of mystery involving, you know, cipher and cryptography, and it's really, I guess, for us aging cryppies and people that, you know, worked at NSA and, you know, I was there for 10 years. I didn't spend my whole career there, but very much unsung heroes, especially World War II. You know, the role of cryptography and being able to break codes and ciphers that were transmitted by the enemy, you know, were very pivotal in changing the outcomes of most of the wars that we've fought in, in fact all the way back to the American Revolution. I mean, there was cryptography and secret writings and codes and ciphers employed. I mean, it's been around for thousands of years, but definitely has been a role in US history.

Speaker 2:

I was at NSA during the first skirmish in the desert, Desert Shield and Desert Storm back in the early 90s, and I hope I don't get in trouble for saying this, but it was impressive for me to be young and at that time I was over in operations, the real side of NSA that people, you know, know and like to think that they know about. But basically it's the code breaking side, the intercepting the messages and trying to were doing it and getting them back to NSA headquarters. However we were doing that, that's probably all the classified stuff that might still be classified, but we were getting stuff back, breaking the encryption, getting back to the messages, getting those messages relayed to troops in the field, commanders in the field, very often before the intended recipient of the message is getting the decrypt from his radio officer, and his cryptic was impressive to me as a young kid, and that was sort of, to me, what the, that was NSA's, that's NSA's mission, that's what NSA was designed to do and that's what NSA is and was in the business of doing. So kind of seeing it in operation, seeing all the planning and all the things involved with getting that kind of stuff out there, that was kind of cool.

Speaker 2:

So, and you know, the cipher wheel, the whiz wheel, played some role in that encounter. Yeah, later on in 2001, after 9-11, when we started fighting battles in Afghanistan, Special Forces, there's a group, a Special Forces team, that fought the first battle in the Afghanistan war, horse soldiers. Because they were deployed so early, they didn't have any, they weren't really ready for the desert and they were attached to a local tribe and went in and attacked a city, and so they were on horseback, so they came to be known as horse soldiers. There's a movie about them called 12 Strong. I had to meet their commo, a communication sergeant, a couple years ago because he and a couple of the members of that unit started a distillery.

Speaker 1:

So there's a— yeah, I love their whiskey. You've heard of it. Yeah, I've got a bottle of it.

Speaker 2:

I've got a bottle of it over there that's autographed by this guy. That was the commo. But I was talking to him when I met him and he remembered using the whiz wheel. He said, you know, we didn't take it with us on that battle because at that point they had the beginnings of encrypted radios and stuff like that. But he said it was definitely with us because, again, it was originally. I mean, what remained in use was the memory system which they still needed to have the trigraphs, because that's what was used with that. So that's the story of the Whiz Wheel and, as I said, I had two prototypes.

Speaker 2:

I had two productions. One set is at the National Cryptologic Museum. These two will end up at the Special Operations Museum in Fayetteville at some point. They're sort of COVID, really screwed up the museums in general. So they're getting reorganized and relocated and refunded and stuff like that. But it'll get there eventually. My goal was simply, you know, I'd been carrying them around for years. My family knew the story, close friends knew the story, but at some point I was like, yeah, this is a piece of history, somebody should take an interest in it, and they did. So that's kind of that's kind of.

Speaker 1:

Yeah, and that museum is open to the public. Yep, absolutely.

Speaker 2:

I do tell people you know Fort Meade is right at the intersection of the Baltimore-Washington Parkway, BW Parkway and Route 32. And there's a very clearly marked exit sign for NSA and there's a sign for National Cryptologic Museum. So you take the exit loop around, go under 32. You'll come up to an intersection. Turn left, you get to the museum, turn right, you get shot at. Fair warning.

Speaker 1:

But it is very clearly.

Speaker 1:

Okay, that's really fascinating. You kind of bring up some of the lengths that the country will go to to intercept communications that are encrypted, that kind of determine and sway the power on the battlefield. Like I remember reading somewhere that before we even went into Iraq, like something like two months beforehand, we had intercepted all communications, we owned all communications in the country. We owned their entire water system, electrical grid, everything you know like that's like a superpower almost. I mean like that's almost like the finger of God coming down and touching you know a country right, like because you're owning the entire infrastructure of that country, right, and I always.

Speaker 1:

I just find it fascinating because then I went and I read an article about how the agencies went and set up a, you know, like their own. They either set up their own encryption company in Germany, I think it was, or they like took over a company in Germany and like basically put a backdoor into this encryption algorithm that like Russia was buying and North Korea and all of our enemies, very conveniently, were buying it. But like that, that's such an extreme length to get to it, so it kind of like it weighs the importance of it, you know, properly in your head, I think. Well, yeah, I'm somewhat familiar with what you're referring to because I was in the last, I think, year or two or three, but it could have been before COVID.

Speaker 2:

I feel like it was in the last couple of years where it came out that the CIA I think you know it set up a storefront and you know it was like a legitimate business that was selling stuff that had embedded little extras in it, type of thing that none of us can confirm nor deny. But it really speaks to I mean it speaks to more of the classical history of espionage and intelligence and counterintelligence. You know I started at the agency during the Cold War. So our enemy undeclared, declared enemy was the Soviet Union. Soviet Union and the US back and forth, you know, from the late 40s on up still today, arguably, although it's Russia, not the Soviet Union have been engaged in sort of this clandestine, you know, cat and mouse type of game where lots of deception, lots of things go into trying to steal data. You know the Soviets were very good back in the day at recruiting people to spy for them.

Speaker 2:

When I was at the agency in the late 80s, early 90s, there was a couple very famous espionage cases exposed Walker Whitworth, two guys that were Navy or one of them was the Navy Gosh, I'm going to forget all the names of them. There was a guy that was basically selling. You know, we had all these super secret keys for all of our crypto systems and this guy was selling them and he'd been doing it for like 15 years. Nobody nobody caught it Walker. I think his name was Walker Walker Whitworth. Anyway, they're in the history books or you can find it on Wikipedia. But the one guy the reason that he got discovered was because he was going through a divorce and his wife ratted him. But you know, he had been basically selling keys and getting money from the Soviets and he didn't have political aspirations, he didn't have a bone to pick with the US government, he just basically entered for the money. And you know there's been a long history of trying to find people's weaknesses and why would you get them to turn? And there's still some application to that these days in terms of social engineering and things like that.

Speaker 2:

In terms of social engineering and things like that, you know there's variations on a theme, but it still goes down to how do you get the information and what are creative ways to get the information. I was having a conversation with some people a couple weeks ago, it was probably in Vegas, where they were talking about, yeah, did you know that you can record sounds just by gauging the, you know, vibrations of various things? And of course I'm like, yeah, I'm not going to say anything about that because someplace might have known about that for a hundred years and have been doing it. But you know, NSA primarily, when I was there, they were picking things out of the air. It was all, it was radio waves, various frequencies, high frequencies, low frequencies, frequency hopping, but it was intercepting communications and signals traffic. They had whole organizations that were doing statistical analysis of the signals that they were collecting to try to determine if it was an actual signal or if it was noise, and lots of math went into that.

Speaker 2:

It's funny because these days, with all the data that's out there on the internet, proliferation and all the traffic, we're sort of back to data analysis in some ways. Not big data, but trying to make sense of more data than you can assume manually. A lot of the techniques are still the same: looking for patterns, you know, trying to compress it down into something that's even visual. I saw a talk, I think it was actually at GURCON a couple years ago, where the speaker was talking about mapping network traffic and, rather than just trying to do a schematic of where things were going, he was plotting it based on something and like, look at the patterns. Wow, yeah, we used to do that a long time ago. What goes around comes around. There's definitely a cyclical nature to all this, it seems, if you've been around long enough. There is a good, yeah, it's.

Speaker 1:

Uh, it's fascinating how, you know, the agencies at times or in some ways, right, will be so far ahead of, like, what's publicly available, right, and someone will come out with it, you know, and people in the government that have that, know, right.

Speaker 1:

They'll be like, we were using that 10, 15 years ago, right. Like I always go back to, uh, you know, the Zero Dark Thirty movie, right, the very first time when people saw, like, the four, the four, uh, night vision goggles, right. Everyone, I mean at least everyone, like, you know, kind of like tangentially in that hobby, right, in America was like, oh, those are the coolest things, right. And then you talk to a Navy SEAL or you, you know, hear an interview of them several years later, they're saying, yeah, we use them because those were like the most trusted things that we had. We had better stuff, like we had a lot better stuff, but that was just the most trusted. We knew that wasn't going to break, right. Like that, that's just like it.

Speaker 1:

Kind of like it blew my mind when I heard that, because it's like, man, we thought that that was like the coolest thing. You know, we never, never seen it before, never thought about something like that before. And here they have it. It's just a casual, you know, Tuesday night, Wednesday night, you know, whatever it is, right. I always took that, you know, that always, like, piqued my intrigue, right, because I'm a very, uh, I'm a very curious person. It's always drawn me to the federal side of it, right.

Speaker 2:

Yeah, there's, uh, I mean, you know, I do another podcast. Paul's a pretty publicly known thing. Now how long NSA might have known about it and who they might have attempted that against, that's probably still classified. But there's other things that people talk about that I'll just play it safe and keep my mouth shut, because I don't want to tip the scales. I mean, I mentioned the Enigma machine. When I started working at the agency in 1986, the fact that the Enigma machine had been broken by the Allies during World War II, that was still a secret, and it wasn't declassified until like 1987 or 88. And the reason it wasn't declassified is because there was some entity somewhere in the world that was still using the Enigma machine and we were still intercepting traffic from it and reading it. So you don't want to say, oh yeah, we already broke that, because you're going to lose your source of information. And that's one of the key elements for the classification of data, at least in that classical sense: it's not the content of the data itself necessarily, back in those days, it's how you're getting it. That's what's top secret and compartmented, your collection methods, what we call methods and sources. That's very often what is the secret that needs to be kept.

Speaker 2:

Another example from World War II is the architect of the Pearl Harbor raid, Admiral Yamamoto, Japanese admiral.

Speaker 2:

We had intercepted and broken the Japanese communications prior to the beginning of World War II. I mean, we had decrypts of the messages that said, you know, close the embassy, close the Japanese embassy, come on back to Tokyo, because we're getting ready to go to war. And there's controversy over whether that message was held and not sent to Pearl Harbor and all that kind of stuff. But the point is, shortly after that there was an intercept where they figured out that Yamamoto was going to be on a plane going from point A to point B, and so they had an opportunity to take him out. They didn't want to immediately send a bunch of fighter planes out and take him down because that, they felt, would have tipped off that, how did they know that he was on that plane? So they ended up sending out a scout plane that just accidentally bumped into this plane and sent somebody to shoot it down, just because, and that helped keep the secret that we knew how to read the communications of the Japanese drama awards. Yeah, that is, that's really fascinating, I.

Speaker 1:

I feel like we could probably go for another hour or two, right, just talking about that sort of stuff, because we could. Yeah, well, once the interest in me is piqued, it just doesn't stop, right. I'm gonna go back and I'm gonna start reading things on that, right. But, you know, Jeff, why don't we, I guess, fast forward a little bit? Right, because before, in part one, you know, we kind of sped past that, we sped past your invention, and then we kind of sped past, you know, the incident, or however much you can tell me about the incident, right, that result, or I guess, ended up, you know, with you leaving the agency, right?

Speaker 1:

Can we talk about that a little bit?

Speaker 2:

Yeah, and you know, for the full, for a more complete version of the story, if you happen to catch my talk, like if anybody's going to GurkCON, I'll be giving this talk at GURCON, B-sides Edmonton. I actually signed up for a conference in Philadelphia called JohnCon and I'll be giving the talk there. I don't tell the whole story, it's just a piece of it. But towards the latter part of my career at NIA, the internet was becoming a thing.

Speaker 2:

I was with a group of guys that was learning how to do ethical hacking, penetration testing, breaking into systems and networks to see how well they were resistant to it, but then to discover the vulnerabilities and the ways that things were being broken into. We were doing that for a couple of years and there were complexities to it. There were political issues, there were bureaucracy issues. This might sound foreign to people because we live in a post-9/11 world, but there was this thing called the NSA charter that basically said NSA doesn't do what NSA does to US citizens, and while the idea of let the good guys break into your network and tell you what's wrong before the bad guy does seems like a great idea, it was technically violating the NSA charter. So we had to, and I was the one doing it, work with the lawyers to get the special permissions and to figure out a methodology that could accelerate the process of getting authorization to perform these pen tests. That was the most painful part. At the very beginning of us doing this and trying to get authorizations, it would take weeks and sometimes months to get permission to just break into an internal network or an internal server at NSA, and one of the problems was everything that we did had to be classified top secret, because that was the classification of the network and the computers and the servers and the mainframes. And because it was top secret, we had to go through a very lengthy process, and we were making that work. We were making headway, I was making headway with the general counsel, that's what we called the lawyers, and we were getting to the point where we were sort of coming up with a good way of doing it, a methodology that was repeatable, not only informing the pen test but also the process of getting the authorizations and permissions and all of our docs in a row.

Speaker 2:

But somewhere along the line, and I don't know the exact details, but word got out that NSA had this capability, and the Internet was new. Everybody was plugging in, new. The World Wide Web, new. But we eventually got an approach through one of our sister agencies, I believe it was DISA, Defense Information Systems and Security Agency, somebody look it up. DISA approached us. They had a contact at the Department of Justice, which was an unclassified civil agency, and they wanted to hire us to do a pen test, or engage us to do a pen test. There was no money exchange.

Speaker 2:

So we had to go through this very lengthy process, and I was working with the lawyers every step of the way, because unclassified networks at those times were the purview of NIST, National Institute of Standards and Technologies, and NSA was responsible for classified networks. It was also fairly common knowledge within that circle that NIST didn't have a lot of capability in those days, so they would very often sort of have a handshake agreement under the table, a gentleman's agreement, to pass the work on to NSA anyway. So we embarked on figuring out, and I was following the lawyer's direction, how do we make this work? So there's a whole litany of stuff that had to be done, which was a several months long process. We got to the point where we had a letter that was written and signed by the director of the National Security Agency and addressed to the attorney general.

Speaker 2:

You know, who was, you know, the oversight above the Department of Justice. It happened to be Janet Reno, if you remember that name. It had been signed and it had been dated for a Thursday of a certain week in August, and the weekend before, somebody popped, defaced the Department of Justice webpage, website, and that was the first time a government website had been publicly defaced and hacked. So it was in the news. It was a big deal. I come into the office on Monday and get a phone call from my point of contact at the Department of Justice and he said, help, we were hacked over the weekend. So I said, well, let me see what I can do. I hung up the phone with him, got on the phone with the lawyers, explained what had happened and I said, you know, I'd really like to get people on the ground by tomorrow to try to help them out with forensics. By the way, there was no forensics capability, there were no forensics guidelines, there was nothing written down in those days. All we had was The Cuckoo's Egg by Cliff Stoll, because he had sort of invented the idea of doing forensics and trying to track back where an attack might have come from and how things might have been done. But we figured we were more capable than most because we had been learning the inner workings of Unix networks and the networking of Unix systems. So the lawyers gave me some guidelines or requirements of, gave me three things I needed to do. He said, one, get the request from the DOJ in writing. So that's not a big deal. I called them back and they sent a memo, inter-office memo or whatever. So that was done. And the second one, second criteria, was don't go alone. I said, okay, that's kind of cool. You know, there was a bunch of us from our team, our team that we called the pit. A bunch of us got, I think there was four of us that went down initially. And the third thing was don't go on your own authority. Have somebody send you, have somebody in your management chain send you. So I did all those things.
So we got a team on the ground on Tuesday.

Speaker 2:

Now, back in those days everything was hardware-based. You know a web server was running on somebody's own server that was in their own machine room, data center and it was hopefully outside of a firewall, if they had a firewall. But you know it was owned and operated by the entity. There was no concept of outsourcing or hosting at that point and, of course, when they discovered the breach, the first thing they did was pull the plug on the server and rebuild it. So whatever forensic evidence might've been there was pretty much wiped out. But there were other systems, there was other servers, and so we spent a couple days looking around for things.

Speaker 2:

So Tuesday goes by, Wednesday goes by, Thursday comes and we go down there and we're there an hour or two and I get a phone call. It had somebody from the home office, from the pit, somebody that stayed behind, and he said, Jeff, the shit's hit the fan. You guys got to drop what you're doing right now and come back to the office. So we did. So we took an hour or so, hour and a half, to get back. So we got back to our office and we were immediately escorted into the conference room for the deputy director of InfoSec. He was not in the meeting, but he was next door. He knew what was going on.

Speaker 2:

Same lawyer that I'd been working with for months and months trying to make this all work. I was teaching him about hacking and pen testing and what it all meant, how it all worked. He was Irish, and I don't know, Irish, soulless, ginger redheads, you know, if they get mad sometimes they get really red. And he was just enraged. He was like Heat Miser in The Year Without a Santa Claus, if you know that story, and he was just yelling at us, and mostly me, since I was the ringleader, about how we had done something to break the law. Weren't we aware of the NSA charter? What we did could get the director fired, if not prosecuted. And, you know, apparently it was a very bad thing that we did, and we were all kind of like, yeah, we were just there to help.

Speaker 2:

The customer asked, and at least that was my attitude. It was like, you know, I went to you and asked you what had to be done to get me there. The manager that I had, that had sent me, that person did kind of throw me out of the bunts. They disavowed giving me permission. They said that I had been deceptive and had not explained to them exactly what the nature of the request was, which was BS. But, you know, whatever. I'm not even saying who the person is, because let bygones be bygones.

Speaker 2:

But what was interesting was the talk that I put together this year, that I'll be giving, is sort of the story of my couple years after I left the NSA, leading up to where I got into PCI, and I started doing PCI in 2004. And when I was putting the talk together I said, oh, I got to tell a little bit about this story, and I've got a lot of the evidence. I've got copies of the letters that went back and forth. I've got a copy of the letter from the director that never got sent, and I saw the date on it and I'm like, you know, it was like August 21st or something like that. And I'm like, that's weird, because I left before the end of September, because, you know, in government the end of the fiscal year is the end of September and I left before the end of the fiscal year. So I'm like, wow, that was like five weeks.

Speaker 2:

And I think about all that transpired in terms of, I was put on double secret probation. I had my clearance pulled. They still let me sit at my desk, but they disabled my access to the network, which was silly because we all had like a half dozen ways to get on the system. But I had to go talk to all sorts of people at internal security and external security and lawyers and this and that and the other. But they also, at the time, because it was coming up to the end of the fiscal year and it was post Cold War, we hadn't had, we didn't basically have an enemy in 1996 that we knew about. So they were doing a buyout, they were letting people, they were paying people to leave, basically, and I finally became eligible for that. So I took advantage of them paying me basically a thousand dollars for every year of government service, and I'd been at NSA for 10 years and two years with the Navy prior to that. So they paid me $12,000, which was basically three months of pay, to go out, and I had gotten the first job offer that came along, and I was leaving on a Friday and starting, I think I maybe took a week off, but starting a week later with like a 30% or 40% pay raise. So, you know, it was like a no-brainer.

Speaker 2:

A bunch of us had been considering going out into the private sector anyway because of the allure of making more money solving the world's problems. But for me, in part at least, it was getting rid of the bureaucracy and the red tape. Because, you know, when I first started doing pen testing in the private sector, we'd get a customer saying that they wanted it done and we'd negotiate a start time and a start date and we'd go do it and write up a report and present it, and that usually took place in about a month, if not quicker, and they were very appreciative of all the findings that we had and we would work with them to fix things, and so this follow-on business was just a lot neater and cleaner and we didn't have to wait weeks for dozens of signatures and initials from all sorts of different levels of management. So that's kind of how I left. Two anecdotes I'll share with you, because I know we're coming up on close to an hour. It wasn't until DEF CON. Again, it was probably 2017. It might have been a little bit before that, 16 or 15.

Speaker 2:

I didn't go to DEF CON until 2014, when I went to work for a vendor in 13. And the next year I got to go to DEF CON for the first time, because I'd been a consultant, a billable resource, for most of those years that wasn't allowed to go out and play and go to conferences unless I did it on my own. But I was at DEF CON and it was, I think I was in that, if you've ever been to DEF CON, I was somewhere between Bally's and Paris in sort of a thoroughfare, when DEF CON was over in that area.

Speaker 2:

And who do I bump into? But it's this lawyer that I had worked with very closely for months and months back in 1996. And I hadn't seen him. It was probably 2015. So it had been almost 20 years since I'd seen the guy, and I'd been kind of pissed off at him for most of those 20 years because I felt like he threw me under the bus, and he turned, because he was so into it and we were very, you know, had a very close working relationship. He was learning a lot and he, you know, to my way of thinking, he turned on me. The first thing he said to me when he saw me was, I forgive you. And I'm like, what are you talking about? You forgive me? I'm the one that's mad at you. And then he proceeded to tell me about how, since he was the one that had sent me, he had gotten in so much more trouble than I did. And he was able to withstand it, of course, because he ended up still working at NSA for probably another 10 or 15 years after that and became known as a cybersecurity expert and so on and so forth. But he also told me that they weren't just trying to fire me, they were trying to find reasons to charge me with treason and they wanted to prosecute me. So I'm like, oh, that's good to know. Many years later, my God. So that's one anecdote.

Speaker 2:

The other anecdote I'll tell you is I went out to Vegas to DEF CON this past, we're in September now, so it was just a month ago. One of the guys that I used to work with at NSA, he actually was a manager that was across the hall from the pit. Really great guy, sharp guy. He's been involved in cyber for many years. He worked at NSA probably another 20 years after I did. Then he went to work for the Center for Internet Security, CIS, got involved in the CIS Top 20. I won't say his name, to protect the guilty. This is not a story about him as much. But he said he was going to be speaking at DEF CON this year, and I had seen him post on LinkedIn a couple of weeks before DEF CON where he was saying, you know, I'm kind of excited to go out to DEF CON and have a chance to speak. And he was reminiscing and thinking, I remember the first time that NSA officially went to NSA, and he said it was in like 2007 or 2008. And I thought, you know, good Lord, we had people from the pit going to like the first or second DEF CON back in 93 or 94.

Speaker 2:

One of my frustrations, one of all of our frustrations, was how long it took for NSA to do things and to change things. And I left in 96, and he's saying that NSA officially went to DEF CON 11 years later, when we were screaming, those of us in the pit were screaming at management, guys, you got to get with the times. Things are moving much more quickly. Internet speed is not three to five year design development projects anymore. You got to speed it the hell up and change your way. And I just thought, holy crap, 11. It took them 11 years after I left for them to get around to get into DEF CON of fish. That's one of the reasons, you know, other than this little incident, that was one of the main reasons why dnsa was just because they were too freaking slow and they were too full of themselves. They had kind of a monopoly, at least on the InfoSec side, because they had no competition, but they also fell behind very quickly. I mean, they used to be the sole provider of cryptography systems, data protections for, obviously, the military and the government, and they just were in a lot of ways not equipped to compete when competition became available. We are a free market system. So I left.

Speaker 2:

It was bittersweet. If things hadn't have blown up I might have stayed there a while longer, although a lot of us were looking to go out into the private sector. But I did the private sector thing for a few years, did pen testing for a few years, got frustrated that nobody was changing anything. We would break in one way, come back six months later and break in the exact same way. Passwords hadn't been changed, permissions, trust relationships hadn't been changed, things hadn't been patched or updated. And at some point I was like, why, you know, why isn't saying we've got root on all your systems, the equivalent today would be domain admin, why isn't that getting the point across? You've got problems that you need to fix something.

Speaker 2:

So I was very frustrated at, not, you know, that wasn't working. There had to be a better way of doing things, and a lot of the clients, they didn't really understand security. They didn't understand any of the technology. They didn't understand any of the concepts of data security or cybersecurity or information security. And along came PCI and I fell into PCI. It's a love-hate relationship, mind you, but one of the reasons why I love it was, all of a sudden, it gave me an audience with clients where they may not have understood things any better, but they had to do stuff. So all of a sudden, okay, how do we make this work? They were listening in a way that they never listened before, so I kind of had a captive audience. But it was where, over, I've been doing it for 20 years, developed a few techniques and honed a few skills.

Speaker 2:

I like to think I got pretty good at trying to explain the concepts of data security in a way that most people will say, yeah, that makes sense, we should be doing that, and then help them to start doing it. But it was a big stick, because just pleading with people and telling people that it's in their best interest to do things differently or to make huge investments in security when they're not understanding why they need it or how they need it or where they need it or what do they even have to protect. Home Depot, the CEO, when they were breached, which was, gosh, over 10 years ago, he's rather famously quoted as saying, why do I care about cybersecurity? We sell hammers. Well, they also deal with lots of, you know, tens of millions and hundreds of millions of credit cards that got stolen, because that was lucrative. Back, the bad guys started monetizing.

Speaker 2:

So the lessons learned, the things that I learned from the past, I think they still largely apply today, although the world's changing, and I'm happy to acknowledge if some of the concepts have become outdated and obsolete, giving way to other things. But I haven't run into a whole lot of, and we're still struggling with getting people to change factory settings and defaults and changing the default passwords and/or coming up with strong passwords or eliminating passwords altogether. And let's move on to some of the other forms of authentication, like biometrics. There's all sorts of clever things, but the bad guys in the hacker community can always think of a hundred ways to bypass and get around it, and human nature wants us to get things done. We want all the data and all the things fast, so the convenience of the internet, but at the same time, we have this concept that we need to secure all this stuff.

Speaker 2:

And you know, frankly, I don't think we're doing a very good job.

Speaker 2:

At the end of the day, I don't know if we can do a good job.

Speaker 2:

Part of me thinks, and this is the curmudgeon in me, thinks that the ship has sailed, Pandora's out of the box. That if I can help one company, one organization, be a little bit better and be able to stay in business, I feel like I'm making a difference, and I've had the opportunity to do that working within the construct of PCI, where I talk to many other people that keep beating their heads against the wall and are frustrated because their organizations and their clients aren't doing the things that they need to be doing, but they don't have this regulatory stick behind them, at least not one that's as powerful as PCI, because PCI is quite simple. You don't have to follow it. You just don't get to engage in commerce and do business and be able to take credit cards, and there's some companies that opt out of that, but most companies want to opt into that, and so money talks.

Speaker 2:

It's been a huge motivator, and companies by and large that are involved in it have gotten more secure, whether they liked it or not or whether they wanted to or not, but they knew they needed to, so they could avoid the fines and avoid the breaches, avoid the public scrutiny if their company is involved in a breach. That's the state of things, and I don't know how, but I've been doing it for 20 years. That's what my career has been, PCI. Wow.

Speaker 1:

So, Jeff, you know, I have one last question before I let you go. So when you were transitioning from the agency to, you know, a company, right, what was that process like? Did you know someone at that company that got you the job, that kind of knew your skill set and whatnot, or, you know, was it literally that easy back then where you got let go on Friday, or you left on Friday, and you started a new place on Monday? I ask because a lot of the people that I talk to with, you know, TS clearances and whatnot, right, they all say that, like, they're basically completely lying to employers to employ them for the first five years, five to seven years after their employment with the government, because they can't tell anyone that they even worked for the government.

Speaker 1:

And especially when it's like the only thing that they've done. They have nothing to lean on, you know. So they're making things up just so that they can get employed. What was that like for you?

Speaker 2:

Well, I think in part it was a unique time in history, because this whole, what we now call cybersecurity, was kind of a new thing and there weren't a lot of people that knew anything about it, knew how to do it. There wasn't the gazillion vendors out there selling all sorts of solutions and having all sorts of use cases like we see at the RSAs and the Black Hats these days. There were like four or five companies that sold firewalls, and most of them, you know, started with building a firewall for the government. There were a couple of freeware vulnerability scanners, one flipped and became closed source and commercial, and one stayed open, and that was about it, technology wise. So what was in demand were people that kind of knew what it was all about.

Speaker 2:

I had been talking to a couple different companies, and many of us had gone on different interviews because we were always kind of looking for that, the grass is always greener on the other side of the fence. None of us had pulled the trigger. Well, one of us had left, one of the original members that had left before all this had happened. Um, but you know, none of us were in a huge rush to leave. But, you know, when I sort of went through what I went through, I started calling people that I might have been speaking to before, and I got in touch with a guy, two guys, that were running a practice that was doing government work. It was a government contractor, but they were just beginning to want to spin up a practice that would start looking at the private sector, and that was kind of new. Back then there wasn't a whole lot of focus on the private sector. So I was hired by these guys, an office chief and his deputy, for a government contractor with the idea that I would come in as sort of a co-director, third in command type of thing, and focus more on building a practice that was focused on the private sector and one that was doing vulnerability assessments and pen testing. As it turned out, the two guys that I had interviewed with a couple of times and went to work for, they both resigned within like a month after I started at this company, because they went off for their own better offer to start a practice and do it more their way, out from under the auspices of a government contractor, which was almost as bad as working with the government. So my immediate job out of the agency only lasted for six months, and two or three months in I'm like, okay, I got to look for a more permanent position. And I kind of was in a rush and I took the first offer because I really wanted to get out the door before the end of September and be eligible for the buyout.
So I went on a bunch of interviews and I think I ended up getting offers from like four or five different companies, and I didn't take the one that offered the most money out of the gate. I went with the company that seemed to be smaller and leaner and was more serious and interested in spinning up a commercial practice that would focus on the private sector and let me build a team of people doing pen testing. We called it pen testing, but it was mostly vulnerability assessment.

Speaker 2:

Back in those days, people wanted to know what all the holes were. They didn't want to know if you could break in. They knew you could break in. They wanted to know all the ways you could break in. That experience was a little bit more deliberate, and I took more time and tried to talk to different types of companies. Half of them were, I guess they were all pretty much still government contractors, because that was pretty much all there was back then, at least in terms of professional services companies, but I went that route.

Speaker 2:

I know a lot of people these days think the way to get into this business is the entrepreneurial route, and I talk to many, many people that are excited about their startup company and they have this vision, and a lot of them, I feel like, think that's the path to success, is the entrepreneurial route. Like, well, there are other ways to do it. You're not going to get rich and retire and buy your own island, necessarily, being a consultant. But if you want to make a difference and feel like you're impacting people's lives and have a sense of accomplishment, which I'm not saying you don't get that by building some sort of product company and becoming a vendor. But I've always had this thing against vendors because they were competing for the same dollars. Many of my clients in the early days, they only had so much to spend and they felt like they needed to buy something rather than buy somebody telling them what they needed to buy, which makes sense at one level. But you know, at the end of the day they still didn't know what they were doing and they were buying the thing from the most convincing sales guy. So I've had, for most of my commercial private sector years, sort of a disdain for vendors and for salespeople from the vendors. Not personally, I know, I have many friends that are salespeople, but they understand where I'm coming from. It's a competition thing, but beyond a competition thing it's...

Speaker 2:

You know, your job is to sell something. My job is to help the client be more secure. You might say that that's what your job is, but you have this conflict of interest because you got a quota to meet, and even if you're a reseller, we've got a hundred widgets on the shelf. We got to move those this quarter. So all of a sudden that widget is the absolute solution that you need, Mr. Client. In fact you need 10 of them. How many can I put you down for?

Speaker 2:

I'm not saying everybody's like that. I used to go around saying that vendors are liars, and then I went to work for a vendor and I found out, no, they're not lying, they just don't know. They don't understand it any better than anybody else does. All they know is to read from the script that sales and marketing people put together for them, and I'm grossly, you know, painting a very wide picture here. There are exceptions to all of this, but generally speaking, people don't know what they're talking about. And I say that having 40 years under my belt. I don't think anybody knows what they're talking about. But I don't know what I'm talking about, frankly. But I have 40 years of having the conversation and I've seen a few things and I think I've learned a few things about how to motivate organizations to do the right thing or help them to rethink how they're doing it.

Speaker 2:

I've given talks over the years.

Speaker 2:

One was called Rethinking Security. What we're doing isn't working, so maybe let's try something different. Let's try something old rather than new, like applying the actual principles of data security, the way that we used to do it in what was arguably the organization that invented the discipline, which was InfoSec at NSA. So I don't know if that's the answer. Yeah, like I said, it's not a... My experience is very much a uniform experience because it was a point in time and a point in history. So I don't know how helpful it is, other than to be diligent.

Speaker 2:

Take your time, I tell people. Look for something that you like to do. Look for something that you feel like you have the aptitude for, or you think you could do well at it. Hopefully they're the same thing. Do that, you'll get paid well, you'll get paid enough to make a living. You may not be able to retire rich and buy an island, but there's a lot of people that make a pretty decent living and, at the end of the day, most of us need to make a living. We've got mortgages to pay and mouths to put food in and college tuition for our children to think about in years to come. You're probably not there yet, but most of us are in that boat.

Speaker 1:

Yeah, I have about 18 years before I have to make that first payment for someone other than myself, right?

Speaker 1:

Well, there's no time like the present to start saying he has, or teach them to be a hacker, and they don't need to go to college, right? They could just, uh, give themselves the degree that they need, right? That's right. Well, Jeff, you know, it's been a fantastic conversation, like it was the last time. I'll absolutely have to have you back on to talk about some mental health stuff and whatnot, what that looks like for you. But yeah, I mean, it was a fantastic conversation. I really enjoyed it. I appreciate the opportunity. Yeah, absolutely. Well, you know, before I let you go, how about you tell my audience, or remind them again, you know, where they could find you if they wanted to reach out and maybe connect, or, you know, uh, you know, learn more about you.

Speaker 2:

Sure, my Twitter X handle is Mr Jeff Man. I'm Jeff Man on LinkedIn. I'm mostly on LinkedIn these days. If you Google me, if you go to YouTube, you can find presentations that I've done at various conferences, and if you go to the end, usually there's a slide that actually has my email and even my cell phone number. I've actually had people call me only like once or twice, but I do try to connect with people as much as possible, giving life advice, mentoring as much as I can, and try to help out and give back as much as I can. So spell my name right. It's only one N, A-N, and type in Jeff Man in security. I'll pop up in most of the browsers out there, search engines.

Speaker 1:

Awesome. Well, thanks everyone. I hope you enjoyed this episode. Go check out part one in the description of this episode if you're interested in hearing more. Thanks a lot, Jeff.
