Breaking the Sky: How Vulnerable Are Our Satellites? Artwork

Security Unfiltered

Cyber Security can be a difficult field to not only understand but to also navigate. Joe South is here to help with over a decade of experience across several domains of security. With this podcast I hope to help more people get into IT and Cyber Security as well as discussing modern day Cyber Security topics you may find in the daily news. Come join us as we learn and grow together!

All Episodes

Security Unfiltered

Breaking the Sky: How Vulnerable Are Our Satellites?

September 01, 2025 • Joe South • Episode 201

Send us a text

Grant McCracken shares his groundbreaking PhD research on satellite security, revealing how vulnerable our orbital infrastructure is to cyberattacks and the urgent need for better security measures before quantum computing renders current encryption obsolete.

• Satellites face unique security challenges with limited patching windows of only 15 minutes during orbit
• Most satellites run on outdated technology with numerous vulnerabilities that can allow complete takeover
• A real-world attack in 2022 showed how Russia could penetrate ground stations and control entire satellite constellations
• Post-quantum encryption will be essential within 5-10 years according to global experts
• CubeSats (small satellites) can be purchased and tested by anyone, creating both research opportunities and security risks
• Bug bounty programs provide unique opportunities for security researchers to specialize and potentially earn substantial rewards
• Zero trust principles must be applied to satellite security before launch since patching in orbit is extremely difficult
• The infrastructure dependent on satellites includes GPS, cellular communications, and financial transactions

You can find Grant on LinkedIn by searching "Grant McCracken Dark Horse" or contact him directly at grant@darkhorsesh.com. His company Dark Horse Security helps organizations at all budget levels improve their security posture, including pro bono work for those who cannot afford security services.

Support the show

Follow the Podcast on Social Media!

Tesla Referral Code: https://ts.la/joseph675128

YouTube: https://www.youtube.com/@securityunfilteredpodcast

Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast

Speaker 1: 0:53

How's it going? Grant, it's great to get you on the podcast. You know I can't remember when we started talking about this thing, probably because of the four-month-old. Just ruining my schedule and my PhD at the end of the semester is just insane. So you said ruined. What does ruined mean?

Speaker 2: 1:18

Like you like, it just made everything complicated. Or, like they like, spat up on it and the dissertation was ruined.

Speaker 1: 1:25

Or yeah, I mean the issue is like the scheduling, the workload. You know, like going into the PhD, it's really hard to understand what the workload is because like there's no, there's no like syllabus, there's no outline or anything like that. You know, I mean like they give you an outline of like a sample dissertation, but like there's, you know, two primary methods you can go about going to get your PhD and then there's a whole like there's like a thousand different templates out there for dissertations and so your entire academic career. You know you are told like hey, at week eight you have a test, this is what's going to be on the test. You need to know all of this stuff right.

Speaker 1: 2:06

Week four you need to have this paper done. The paper should be on this topic. You know you decided the topic a long time ago and everything In the PhD. There's none of that. It's okay, go figure out what you want to research and then tell us and if we approve it, then go read about it and then come back and tell us how you're going to like test your theories, what your theories are, and then you go do it and a couple of years later you come back with your findings and hopefully we give you your PhD.

Speaker 2: 2:34

So that's and I apologize for being an idiot, you'll learn that's a recurring theme here. What so? That's? That's how PhD. So like there's no, like there's no like course load for PhDs, like I, I honest I had no idea.

Speaker 1: 2:46

No, it is literally so. You have a, you have an end goal at the end of each course, but you set that end goal. So I and I didn't know this for the first year, I literally didn't know this. That that's how it worked, you know, and I was trying to like, figure this all out. And then I finally got a chair that was like competent and whatnot, and he was like no, you need to be setting like a goal for each semester and then work towards that goal, and me and you form a plan on how you're going to achieve it. I let you know if it's realistic or not. So, like it's, it is completely out there. Like you know, at the beginning of the summer semester, my chair just asked me what do you want to complete this semester? And I was like well, I got to complete these three things, and those three things encompass like 70 pages of work, wow.

Speaker 2: 3:29

So so you have completed your PhD or it's still in progress, or, yeah, I'm working on it. Or it's still in progress or no, yeah, I'm working on it. Okay, if you don't want me asking so what's the? What's the? I assume it has something to do with security and you can tell me to you're. You're like, nah, it's, it's rocks man, I'm geologist, but I mean what? So? What? What are you studying? What are you trying to like? What's your hypothesis, sirs?

Speaker 1: 3:54

I don't, I don't know my yeah, yeah yeah, so I guess I'll start with like the problem statement. Right? The problem statement is that we have, you know, an astronomical amount of satellites in space that are legacy satellites, that are no longer running on you know modern technology, that are potentially not even functioning. And the ones that are functioning are vulnerable to a whole host of thousands of attacks where an attacker could literally just take it over and take over that satellite.

Speaker 2: 4:22

I want to learn about this. I want to learn about satellite hacking. I know nothing about this, and so you're making it sound very Wild, westy, which sounds like fun. Yeah, no, it is, it is.

Speaker 1: 4:31

Okay, I didn't think it was. And then my chair was actually an Air Force employee, moved to a Space Force employee and he literally said all that he did every day was satellite security stuff. And he literally told me he's like there's no standards, like we're literally just trying our best to deploy like security standards on these satellites because once they're launched, like there's no patching them, like if you patch it, it takes days to patch it. Right, because you have to, you have to, you know, really compile all of those updates, send it to the satellite at a very specific point in time. You have a very limited window, maybe five or 15 minutes, maybe, if you're lucky, and then hopefully, if it downloads at all at a very slow rate, then it's able to install and pray to God that you don't get any, any issues, because when it goes around the globe, you know in the next 12 hours or six hours, whatever it might be, that's your time to troubleshoot. For 15 more minutes, wow.

Speaker 2: 5:28

And you can't, you can't brick the thing. Yeah, yeah, no, no crowd strike updates.

Speaker 1: 5:35

Yeah, oh, yeah, yeah. So I'm I'm researching how to apply zero trust principles to make the satellites more natively secure out of the box before we launch them in an effort to prepare for post-quantum encryption. So technically, yeah, we can throw satellites up there and you'll be able to have post-quantum encryption on it. You know, have like post quantum encryption on it, but the post quantum encryption doesn't mean much if everything else is vulnerable to you know various attacks, right?

Speaker 2: 6:03

When we say vulnerable, I mean cause you, you so like, if we're talking about like a normal machine, right, it's got like services running on ports and and you've got you know so like potentially running like vulnerable software, or I mean, in some cases I imagine maybe it's not even encrypted, what like? What's the like as an attacker you're potentially posed with like the same, like you've got like five minutes to kind of try to throw an attack at it. It doesn't seem like it. I don't know. I so like what are? Are the vulnerabilities just things like rce or I don't know, sequel injection or whatever? Just what? Yeah?

Speaker 1: 6:39

I would say for the most part, like, there's standard vulnerabilities, the main issue is the patching process and there's no really good way of handling like that problem. Right, Because, like, you have to get them, you know so many, you have to get it. You know so many gigs within such a short amount of time over that distance. And if it gets, you know if there's a man in the middle of attack, for instance. Now you just uploaded a piece of malware, right.

Speaker 1: 7:06

And like the problem when, like what we saw with the Viasat attack in 2022, with Russia, right when they penetrated, this company on the ground took over their ground station, started communicating directly with their satellites and took them all down, right, they only had to infect one satellite and that one satellite was then used to propagate throughout the entire constellation from there, right. So Russia now says, okay, well, I have my own ground station. If I got root on their constellation, I could just use my ground station to communicate to it and just point it directly at it and we're going to follow this constellation around the globe. Okay, wow, so it like turns into a more, almost like a more advanced, persistent threat.

Speaker 1: 7:46

You know it's like once they're up there, it's like okay, now it's very difficult to get them out.

Speaker 2: 7:53

Yeah, that's wild. You mentioned another thing in there that I'm curious about, and again, it seems like you've actually got the intellectual capacity to kind of understand and talk about these things. But post quantum encryption so like. So I'm not so like I understand in principle what sort of quantum computing is and the opportunities provided there Is. It are, we, are we, are we that close to a state where, like you know it's, it's going to be usable? And then what are the implications downstream? Obviously, for encryption it's pretty significant. So can you go into that just a little?

Speaker 1: 8:29

bit. Yeah, so you know, post-quantum encryption is built off of, like, what we call classical, you know computing classical encryption, right, where you're doing a key exchange and off of that key exchange you're building that secure tunnel. Post-quantum encryption, or PQC, is essentially, you know, backing off of that same theory. They're trying to solve right now the reliability of long distances through various like weather and other anomalies that happen between you know, us on the ground and the satellites in space, right, so the farthest they've gone is, I think it's, 1200 kilometers above the earth, and then it also they also tested it out. So they got a link, they got a quantum link from one ground station to the satellite and then, as the satellite moved, it transferred that link to the other ground station without dropping connection or anything like that, which is a huge milestone. That was something that was thought to be just completely impossible because essentially, the equipment that is on the actual satellite that is talking to the ground station, it needs to be so precisely calculated that people just thought like okay, like this is never going to happen because the satellite can move when it's in orbit, like if it goes, you know, if it's one centimeter off, like it's, it's never going to hit its target, right? So, you know, china actually figured out how to do it At least they wrote a paper about it and there is some debates about whether it's, you know, completely, 100% authentic, based on what they're telling us in the paper, or maybe they actually did it and they're way ahead of everyone else.

Speaker 1: 10:08

So, you know, I've talked to experts throughout the globe at this point a whole host of different countries and companies and all of them give me the exact same answer when I ask them for, like, a timeline of when this is going to be relevant for the rest of the world, right?

Speaker 1: 10:23

And they said everyone has told me for sure, 100%, within 10 years. A lot of them are leaning more towards five years, if it's not already there and we don't know it. And the big problem is companies not adopting it fast enough, right? So, like that's a huge, you know, risk that I'm actually pointing out in my research is like, hey, we have the time now, like theoretically, we have the time now. We should be using this time to invest in the capabilities, because a whole lot of our infrastructure runs off of satellites, but companies are still slow to do it because they're saying, well, it was 10 years away, 10 years ago, right, like we should already be there technically because everyone's been telling us. But it's when you start looking at the research, it's like they're they're proposing that they spoke to their satellite or communicate with their satellite over quantum already, and if they're doing that at that level, there's no reason why they can't bump it out infinitely, you know, for distance, like there's literally no reason. Okay, yeah, it's an interesting way to start the podcast.

Speaker 2: 11:25

Yeah, I mean cause you're just talking about things that like I. I mean it's not every day that I get to talk to someone that's doing PhD research on satellites and quantum encryption or whatnot. So I say not every day, I mean there's been exactly zero days in my life that, prior to this one, we're talking about this kind of stuff. So no, that's fascinating. Thank you for sharing. That's really interesting. If you have papers or articles where people kind of dumb it down for the proletariat might be happy to try to digest some of that, or I don't know, I'll let you know.

Speaker 1: 12:05

If I find any. Because, you know, I was literally I think it was last week I was thinking to myself, you know, okay, I feel like I have a good understanding of like the small amount of quantum encryption that I understand, right, and I was trying good understanding of like the small amount of quantum encryption that I understand right, and I was trying to think of like what's the total knowledge base out there, because I'm talking to way smarter people than me, people that specialize in quantum. My PhD actually doesn't specialize in quantum. It's taking the quantum requirements of what it needs to actually work and then saying, okay, we can throw zero trust on it in these ways, and this is proven via this method that I worked through, right.

Speaker 1: 12:43

So, while I was, I was thinking about, like my level of knowledge with it and I I feel comfortable in my level of knowledge, but my level of knowledge is like 1% of what's out there at best, probably me being generous, right, and I'm sure someone that's, you know, a quantum expert is going to listen to this podcast and be like, oh, he just explained quantum completely wrong. You know. It's like, okay, well, you tried dumbing this down, you know, to like a fifth grader, you know, or a high schooler you know what I mean Like I'm not saying that you're at that level, but like being able to just talk about it with you know normal people. It's like almost impossible.

Speaker 2: 13:20

Yeah, I, I, I'd love to understand it more. Again, I don't want to take up all your time talking about this. Sorry, I'll I'll stop bogarting the conversation and and uh, and, let you, let you do your thing.

Speaker 1: 13:35

No, no worries, and let you do your thing. No, no worries, you know. I mean my audience is pretty much used to it at this point that you know, this conversation, this podcast, will go wherever it wants to go and there's no telling where it will go. But you know, grant, why don't we start with telling your background, right? How did you get into IT? What made you want to go down the security route? Right, like, tell me what that looks like for you. Because everyone's path is so different and I always start everyone off there, primarily because not only do I want to hear it, I want to understand your story. But if there's someone else, you know, in my audience, right, that's watching the episode, that's listening to it, and they're contemplating getting into IT or security or going down that path, I found that it's always helpful that if you could just find someone else that went down that same path with a similar background, you can hear okay, maybe that's possible for me, right, and it gives that little momentum that they need to get going.

Speaker 2: 14:29

Yeah, sure, so I've been in cybersecurity for a little over 13 years at this point, mostly like application security. And as for how I got into it, I think, like a lot of us in security, kind of tripped and fell right, like so I I always, you know, like to do things with computers. Like I built my first computer when I was 10 or something like that, and so I was always doing stuff with computers, overclocking and like you know cause you're playing games with friends and you know you gotta I couldn't afford a nice gpu, so you gotta like milk everything you could out of it and and so you're, you're always so like there's there's a little bit of like the hacker, you know mindset in that. You know you're like physically trying to like overclock the ram. You're like up in the voltage and seeing just where it'll break and just how hot it can get. Like what if I, you know, do this other thing, and so you're so kind of already was like playing that. And then you know, in high school you know we mess around with different stuff on the machines there just to be able to play games or be able to go to sites that the field, you know they didn't want you to go to and nothing like horribly nefarious, but like there's a lot of sites that would just be like blocked for whatever reason and so so. So, yeah, just kept doing that and I actually went to college for communications or my majored in communications. I thought I was going to work in like marketing or HR. I don't know what I was going to do write stuff but yeah.

Speaker 2: 15:50

So I graduated in 09, which happened to be, for those that are fans of history, a bad time to graduate. There weren't a lot of jobs and so kind of kind of just was kind of lost for a few years while just trying to figure things out. And then a buddy that I used to play games with and went to high school with. He was like he got a job at white hat security through like a Craigslist ad, like I didn't know like real jobs were on Craigslist and and, and he told me to apply. He was like you could do this, you could figure this out, and so I did that. I got the job and you know, white Hat security at the time had something that you know I refer affectionately to as like a farm system where they'd bring in people of all natures, including, you know, people that that were, you know, like myself. There were people that had gone to, like culinary school. There were people of all walks of life that they'd bring into this group that they called the TRC and they'd kind of train them how to do application security. And then they'd turn them loose on web apps and you'd go do your assessments. You'd configure the scanner, you do, you know, some people turned out, but some people, you know, had successful careers out of it. Anyways, long story short, that's how I got into security.

Speaker 2: 17:08

I did that for a while and then, and then I eventually landed at BugCrowd, where I was for the last 10 years, where I worked my way up from, you know, doing triage and validation, all the way up to when I left. I was the VP of ops, so I oversaw at different points, support, customer success, hacker success, services, pen testing, a number of other teams that I can't quite recall at this moment, but so did a lot of different stuff and had a lot of different opportunities. And then, after I left Bug Crowd, I was like, okay, what's next? And I was like I want to do something a little bit good. So I built a I know how effective what I was doing at Bug Crowd was in terms of like bug bounties and phone disclosure programs and sort of pen testing as a service, and so I wanted to make that accessible for smaller organizations. So that's what I built Dark Horse to do is to make those services available to organizations of all sizes and budgets.

Speaker 2: 17:54

So we work with really, you know, we're not limited to SMBs, but like small SMBs that can't afford, you know, a bug crowd or a hacker one or something like that. They want those, they want to be more secure. We're going to help them be more secure. Right, we're not a nonprofit, but we're pretty close to it, at least that's what the bank account says. But again, it's, it's good, it's, it's fun. I enjoy, I enjoy helping businesses. It's, it's a great, it's a great spot to be in and you get to feel like you give back a little. And then it's also just been a new challenge. I I've, I've always been a breaker, not a builder, and so it's been really fun to be a builder. Yeah, so, anyways, that probably more information than you or anybody else wanted, but hopefully that's helpful.

Speaker 1: 18:38

No, it's really helpful. It's a fascinating journey. And I say that because actually recently I was talking to a friend who's the director of like offensive security at a professional services firm. I was asking you know what offensive certs he has? And he listed them off probably like four of them or something like that. I think I like forgot that I was getting my phd at the time and I was like, man, I want to start like studying for you know my oscp, right, like I want to get a little bit more active on the offense side. And he goes dude, you got enough with your phd, wait till you graduate. Man, I'm like, oh yeah, oh yeah, I got that thing going on.

Speaker 2: 19:16

Yeah, I can't imagine what it's like to do the PhD thing. It sounds kind of fun, honestly, but it's probably not. It's probably like the OSCP, where it sounds like fun, it's not.

Speaker 1: 19:28

I think once you get into the rhythm of it and you are studying something that you're passionate about which is usually the case for the PhD, or at least it should be you know, it's a little bit easier to actually do the work, and especially with what I've been finding with like LLMs. So I use Grok pretty heavily to like give me very good research articles and papers. Just, you know, right off the bat, because I found out early on, google was just completely useless when you're trying to like find research articles, or I mean like it is completely useless. And I went to chat GPT and it would, you know, hallucinate more than anything else and it would just give me, you know, out of like 20 articles, you know 15 of them were completely fabricated and I'm just sitting here like I can't, like I'm not making any progress, you know so grok huh, what about quad?

Speaker 2: 20:24

I'm just, I'm just intellectually curious, because I I'm spending a lot of time with llms.

Speaker 1: 20:28

We're building some some llm stuff, but yeah, go ahead yeah, I haven't used claude that much, but I'm actually going to start here in a couple months when I start like building out my AI model and whatnot, because I'm not a developer, right so. But I can read code, I can understand it and, you know, work my way through it. At least I know how to do that. So as long as I have something that's like prompting me to go down that path, even if it's incorrect path, at least I have something in front of me. You know, I think it'll be helpful.

Speaker 1: 20:58

So I'm actually going to put what I get from Grok up against Claude and see, you know, see what actually works, cause I actually just upgraded my, my desktop, literally for running this model, because I I put my specs, I put my specs in a Grok. You know I was having, I had a 3080 and I put my specs in a grok and it said, oh yeah, it's going to take a month to run all of your tests, like it cannot run into errors. I'm like, okay, what if I go with a 5080? And it said, I'll take 24 hours.

Speaker 2: 21:25

Okay, I guess I'm upgrading that's crazy. I mean the 3080 is still very capable. I didn't know it was that big of a step change between 30, 80 and 50?.

Speaker 1: 21:36

I think you know, I think on like the gaming side, they're very similar. But when you start using like the actual Kudo cores, kudo cores and whatnot, that's when it like is completely separated, which you know 90%, 95% of people aren't going to be using it for that.

Speaker 2: 21:55

Yeah, so what model are you running that through? Because I mean, ostensibly that's not going through grok, cause grok you can't necessarily I. You can tell me I'm wrong, I don't know if is there like a mini version of grok that you can like run locally, or or are you running that through Like what? What? What LLM are you using locally?

Speaker 1: 22:11

If, you don't mind me asking. So I'm I'm actually not using an LLM locally. I need to start, I want to, but how essentially it's going to work, is it's going to run through PyTorch? Pytorch is going to working through it like that, trying to enumerate the network and all that sort of stuff, and then there's a whole bunch of different modules in the code that have like different it prevents different attacks, and then separating out the network, adding in micro segmentation, using like open zd to go in and apply it to the satellites, separate out the network, limit the access, you know all that sort of stuff. Right? So it's. It's simulating all of that within within pytorch. The llm is more of. Really, the llm is mostly just like grabbing the information and putting it in front of me as quickly as possible, rather than having ChatGPT or Google give me straight up false information. At least Grok, most of the time, is giving me something real, got it?

Speaker 2: 23:30

So when you're simulating these constellations, do you have the firmware that ostensibly some some satellites running? I mean, this sounds pretty, pretty involved. Like to be able to have all that in. I'll let you go.

Speaker 1: 23:45

Yeah, yeah. So that's like the last phase of my actual research really. So it's kind of broken up into three phases and it's designed like this to eliminate as many questions later on down the line that I don't want to answer, right? So the first phase is actually talking to different experts in the area of, you know, post quantum encryption, satellite security, zero trust, though primarily those three domains, right, those three specialties and getting their feedback on some leading questions towards my research, not even telling them necessarily what the research is, but it's very leading, you know, in the way that I ask them and whatnot, not to like get a certain answer, but to get a answer about a very certain thing without giving them specifics, essentially.

Speaker 1: 24:31

And then the second phase is the model phase that I just explained to you using PyTorch. And then the third phase is actually me buying a CubeSat, for I don't know. I think it's like a thousand bucks or something. Buying a CubeSat for I don't know. I think it's like a thousand bucks or something. Buying a CubeSat, deploying their own firmware on it and then deploying my security stuff on it and throwing a tax at it to see if it still holds up.

Speaker 2: 24:51

What's a CubeSat? Sorry.

Speaker 1: 24:52

Yeah, a CubeSat is probably the most common form of a satellite, typically like, when you say satellite, you think like okay, it's as big as my garage. Like you know, I can't have one at home, why would I ever have that? That's actually like very few of them. Like the imaging satellites yeah, they're really big, but communication satellites are typically, you know, anywhere from like three U to 12 views. It can go bigger than 12 views. The same, you know, like server rack, you know sizing, that that we use.

Speaker 1: 25:20

It's the same same same theory with that right. So most of them are between like 3 and 12 u's I think it is in size. So it's pretty reasonable. So I'll just get like a 3u cube set and go from there okay, and you, so you can.

Speaker 2: 25:33

I again. I'm just all this is new to me. So like there's like sounds like a company that just like manufactures things that are built for space and then you throw your own firmware, whatever you want, on it. So so that's, that's essentially how people are putting stuff into space. They're kind of the same way they put stuff on their network. Okay, I'm starting to see where the problems lie.

Speaker 1: 25:55

Yeah, okay, essentially, essentially, people will buy these CubeSats to like test out their stuff and they'll be like okay, it mostly works.

Speaker 2: 26:04

Now I'm gonna go spend the 10 million to actually like build the satellite itself and then we'll launch it, you know okay, but like it's so, like people are just putting whatever onto these things, okay, I can, I can see where the I can. I. I figured there was. I figured there was more layers of obfuscation or something in there.

Speaker 1: 26:28

No, it's just a bunch of Linux boxes floating a thousand miles up and once you get to it, you get to it. There's no like I didn't get in, it's like no, you get to it, You're pretty much in, Huh, Just okay.

Speaker 1: 26:42

Yeah, I mean, think about the infrastructure that we have that runs off of it. You're pretty much in, huh, just okay. Yeah, I mean, think about the infrastructure that we have that runs off of it. Right, like you know, gps, cell phones, you know financial transactions are validated through satellites. Sometimes it's a lot, it's a lot of stuff. When you start looking at it it's like if someone were to attack us, like yeah, they, they would easily just intercept all communications in the country you know.

Speaker 2: 27:06

I'm in Starlink or and you've got there's I don't know if you've seen them, but like there's a company called ASTS or something like that, but they're, yeah, they're doing like you know, like cellular satellite stuff. I'm not totally sure, but yeah, I mean it certainly seems like it also has like a lot of like I could see cell communications going to satellite sooner than later. In terms of it just makes a ton of sense. You don't have all like sort of the terrestrial issues with like terrain and everything and you kind of always have access, and then it's, yeah, I could see okay, yeah, okay, makes makes a lot of sense. Cool, I had no idea that. I mean that sounds like a lot of fun.

Speaker 1: 27:47

Yeah, okay, yeah, it'll be interesting if I could pull it off. It's like like once a week or once a month. You know, I'm just like man, I hope I can actually pull this off, like I don't know, I don't know if I could do it. You know, I talked to like other people that got their PhD and they're like, yeah, that's a normal, that's a normal feeling, like you don't actually know if you're going to pull it off, like really, until you get the okay that you passed. You know what?

Speaker 2: 28:12

I mean not to, not to start an existential crisis, but like what happens. If you like I mean like is if the fact that you can't or or't or like if something isn't able to happen, right, I mean, you're kind of also, you know, like I don't I forget if the term is like null hypothesis or something like that, but like you know, you kind of like prove something didn't work. Is that still like a valid outcome in the eyes of, I don't know, the arbiters of PhD-ness? Or like what happens? Do you have to like go back to square one of PhD-ness? Or like what happens? Do you have to like?

Speaker 1: 28:44

go back to square one, like how do they manage that?

Speaker 1: 28:46

Yeah, so it's like if you test everything out and you validate the tests and the people on your dissertation panel say like, yeah, like he couldn't have done anything differently to get a different result, like that's just what it is, then you can, you know, write in and say like, okay, well, like this process, this entire method doesn't work, it's invalid and you can still get your PhD on that.

Speaker 1: 29:08

It's just when it's when, like your research methods and how you're obtaining the information and all that sort of stuff isn't like valid you know methods and sources and whatnot that they'll basically take it away. And you also, you're also on like a timeline right or a time limit. So they want everyone to be done within like, I think, five years, which is pretty steep, but my university wants everyone done in like three, when they like start penalizing you if you go beyond three, which is interesting. I've heard of people go in 10 years and they still didn't pass. Wow, so I don't know, I don't know about that, but typically it's like a five year time limit, where you have five years to do this research topic and if you don't, then you have to like re-justify why your research is still valid, because someone else could have done it by then.

Speaker 2: 29:55

That's fair Wow.

Speaker 1: 29:56

Okay.

Speaker 2: 29:57

No pressure.

Speaker 1: 29:57

Yeah, yeah, right, at least at least learning that I can be wrong and still pass. You know that that gives me a little bit of comfort because I can be wrong.

Speaker 2: 30:06

You know pretty good at it yeah.

Speaker 1: 30:08

Right, right. So you know to kind of circle back right to your, to your background. You know you talked about tinkering, which I actually. I just did a whole lot of that with my own desktop. It was very frustrating.

Speaker 2: 30:21

The ram was Doing the CUDA situation man.

Speaker 1: 30:30

I did that. Oh man, yeah, the the RAM was like I put the RAM way too high and the timings were off and my computer was crashing just nonstop. I'm like okay, fine, like it has to go down. You know, but I remember in the early beginning phases of my career like I was super curious too and I was like I wasn't just a tinkerer, like I was definitely a professional breaker of things, you know, at the company that was lucky enough to have me I say. I say that, you know, as a joke, obviously, but you know, it was interesting though, because I approached it from how would a user interact with this product? Right, because I'm, you know, the background is I was on the support team for enhanced 911 application, right, that gave like exact information of where someone was when they dialed 911, something that didn't really exist prior to this solution, not to the same level, and whatnot. And so I would just go through the solution and use it like my users would use it, and I would run into all these bugs. And so I would just go through the solution and use it like my users would use it and I would run into all these bugs and I basically turned into like the support team QA person, because I would always run into the most random problems and there was like a policy on the support team like if you're running into something that makes zero sense, you've never seen it before and if the engineers never seen it before, just take it to Joe. Joe probably has notes on it. He'll walk you through it. Like you know, like eight times out of 10, you know it was actually valid.

Speaker 1: 31:52

You know, one time a coworker of mine, I was trying to do an upgrade on a Linux server that had SE Linux enabled on it and it was like fully deployed, like I fully deployed it for them because they needed it. You know, fully deployed. They thought so I went and configured everything. It was configured properly and he went to try and do an upgrade, brought everything down, couldn't bring anything back up and it was getting blocked. And two hours later he like reaches over you know my desk and he's like, hey, have you seen where? Like all this stuff fails, like it just won't start, and like the engineers were stumped and everything. I was like, yeah, I've seen that. What customer? And he told me and I was like, well, did you turn off SELinux? He goes no, I was like, yeah, you need to, you need to turn it off. And here's the 20 commands you need to turn it off.

Speaker 2: 32:38

Okay, just, okay, just so it's a good way to learn, you know yeah, yeah, yeah, that I mean that that's that kind of mirrors some of the stuff that I did early bug crowd right where I just even actually at the end too, like I just like people would still come to me and just be like you know how does how to?

Speaker 1: 32:56

how can I find this like piece of like esoteric information and I'm like, oh well, it's like the combination of like 19 different variables and it's in these six different sources and you compile them and then you figure it out and so, yeah, cool, okay do you think that that's like a good maybe like a good bug bounty method, right, when you're specifically going into you know an environment, right like yesterday or maybe two days ago, I was looking at, like you know, meta's bug bounty and I, yesterday or maybe two days ago, I was looking at, like you know, meta's bug bounty and I think it's like bug crowd or something like that, right, or hacker one, and I was just trying to think to myself like, well, how would I even approach this going forward? You know, because it was talking about, I think, like the Oculus, you know, headset or something like that. How, what do you find to be the most effective method? Like, where do you get started with bug bounties?

Speaker 2: 33:45

Yeah.

Speaker 2: 33:46

So I will caveat it by saying that I am I am not the world's best bug bounty hunter, probably not even the world's like 50,000th best hunter, bug hunter, right. So like I I helped run and manage a lot of those programs, but I myself and I've done some bug hunting and again, I have my OCP, so like I know how to like find vulnerabilities. So that's mostly the perspective that I'm bringing here. But I'm sure people far better at bug bounties can elucidate far more effectively on this topic. But I absolutely think that's kind of the right thing to do. I absolutely think that's kind of the right thing to do. I think that I mean, that's probably a good place to start with. Almost everything is make sure you understand how it's supposed to work, and then you can go break it right, so like, if I understand okay, so like the application, like if I'm pen testing an application or whatever, right, I need to understand, okay, what should I be able to do and what is this supposed to do? And then that gives you some ideas around how you could abuse it or break it If I'm, if I'm supposed to. You know, just to use the classical like checkout process, right, if I, if, if, if I'm supposed to, if this process is supposed to enable me to pay them money, then what if I could get it to pay me money? Or what if I could get it to pay them less money, you know, and so you start building out, like different use cases around. Okay, what could I potentially do? Like, okay, I'm supposed to be able to use view my account information. What if I can view somebody else's account information? What if I can update their information? And so I absolutely I think that that's absolutely the best place to start.

Speaker 2: 35:21

A lot of people don't necessarily do that because it feels like you know a lot of you. You just, you know you're, you're so so fast out the building that you, you know, you, you end up making three less and you end up where you started, kind of thing, where, like you know, you just want to get going. That's fine, right, you can do that. But you're going to have a much more productive time if you sit there and you like read the docs and you understand. Okay, like, these are also a bunch of, like, different API endpoints that can potentially do something else that, like you know, you can't do in the UI. It's some potential attack surface that other people aren't necessarily looking at, or you know things like that.

Speaker 2: 35:58

Again, with the gigantic caveat that I am, I am absolutely not the world's greatest bug hunter. I also say that one thing that in my experience of watching people be effective bug hunters, one thing I've seen, or seem to have seen it, when bug hunting, people tend to have like specialties, so like developing a specialty and kind of just focusing on that as opposed to like trying to do everything. That makes you a lot more effective at identifying things. That as opposed to like trying to do everything that makes you a lot more effective at identifying things that everybody else isn't going to find. If you're just, if you're just a generalist there's a ton of generalists out there, right? Everybody can look for the same, you know, restored and reflective cross-site scripting. If you're able to look for something that is more niche and you don't necessarily focus on cross-site scripting like everybody else does, you can you can still, you know, find stuff that, again, other people aren't looking for.

Speaker 2: 36:49

That said, again, going back to that, that thing about the documentation and going deeper and really like getting into the weeds, there's a lot to be said for that depth and that level of persistence and, again, understanding how it works and where it hooks back to.

Speaker 2: 37:05

For instance, there was a couple of guys that there's a program that sticks out in my mind where this program had been running for a long time and people had not found a ton of stuff, and these guys just decided to come in and they found cross-site scripting all over the place and they made somewhere they made hundreds of thousands of dollars off this and it was just like how, how, how did like everybody else miss this?

Speaker 2: 37:31

Right, it's not like it was like five other people there were a ton of other people but what they did is they just they just went and were far more. You know, everybody else kind of just put their payloads in these random places, whereas, like they went in and they there's like these, these aspects where you, you know you you have to do things that are like 19 layers deep and then it'll get bubbled up, you know, seven pages away and in some sort of like administrative console or whatever, and like that level of like effort and persistence also has like a lot of value. You know when you're when you're working on stuff. So I know that I don't know how much of what I said is actually going to make any sense, but there's a lot of different ways to bug hunt. Again, depth and specialization and focus, I think, are probably some of the most effective tools that most people can use. Make sense Sorry.

Speaker 1: 38:24

Yeah, no, that definitely makes sense. And you know, that's the thing that I really like about security. That when I discovered it kind of piqued my interest is that you can go so deep with it. You know, you can specialize in such a very small section of, like web app pen testing, like cross site scripting or whatever might be like on a certain you know OS or a certain web app. It's, it's fascinating for me because that just tells me I can learn like there's no end to my learning. You know, which really helps the noisy brain that I have to be able to like zone in and really, like you know, start learning and focusing on something. But yeah, and bug bounties have always been interesting to me.

Speaker 1: 39:09

You know, I remember I remember a couple of DEF CONs ago that I went to. I was talking to someone in Line CON and he was talking about how, like he found four or five vulnerabilities early on in the year, literally like January and February, and he made enough from it where he just took the year off. A lot of those guys that's the case. That is so insane to me to think, oh yeah, I can. Just, he probably stayed up really late a lot of nights that he missed sleeping. Things that I can't do right now because I have a four month old, but, like you know, for two months of work he just made like two years worth of income and he's just there hanging out. You know, like it, industry is out there where, as a side job, as a hobby, you know you can do something in your industry, make two years worth of income in one, go right Within one month and then take the rest of the year off because you're done.

Speaker 2: 40:13

Yeah, I will. I will caveat not to be a wet blanket, right, but those, those are like rare in terms of just because, like I don't want people to be like, oh, I'll just go work on bug bounties for two months and then I'll make two years of salary, because to get to that point it's a lot of effort. You'll see people get gigantic payouts. I saw somebody post, you know like some quarter of a million payout for, for it was a, it was a Google Chrome sandbox thing. I think Wow.

Speaker 1: 40:49

And so oh yeah, I think I read about that.

Speaker 2: 40:51

But like to get there right, like I'm not, I'm not, I'm not doing Google Chrome sandbox escapes Right, and so like. So the guy, the guy that's pulling that stuff off, I mean they're, they're again just like in another tier, not just another tier, like seven tiers higher and so. But it's absolutely possible. And I agree, there's nowhere, there's no like off the top of my head. There's not really any other. You know, you say you're like yeah, I don't know, I was just trying to think of like another another, another, another job or something, I don't know.

Speaker 1: 41:26

I was thinking like a carpenter, if you're a lawyer, you're going to be working for a law firm and you can't do your own thing on the side. If you're doing your own thing on, you know, if you're doing your own thing as your full-time job, you're not doing extra stuff on the side. That's outside of that. You know, like same thing with like traders, you with like traders, you know day traders.

Speaker 2: 41:50

They're not like. They probably have their own portfolio, but they're not, like you know, doing what they would do with other people's money. Yeah, so it's. Yeah, I completely agree. I think I think bug bounty is is a really incredible tool for organizations and for individuals too. It's also been like it's been like, you know, we'd see a lot of you know people's lives changed by it, right? I mean, obviously, the individual you just mentioned, but you know you got people in developing countries too, where you can make just way more money than you could make locally and so, like a lot of people there will do it full time. Again, it's. It's got ups and downs, right.

Speaker 1: 42:46

Just so we're super clear on like it's it's got, it's certainly got a lure, but you can also go through, like some deserts and, and you know, not find anything for months or years and and that's a that's a lot tougher to to kind of handle and it's you know so, but and started your own company. Tell me, tell me about that, right, because I guess it obviously it would have been. I mean, we weren't, we weren't recording at the time, but you know you didn't have any kids at the time, so it was probably. Did it like even register to you, like as a risk? Or you know, like just walk me through that process of starting a company, because I think right now, right, I'm thinking through it myself. Should I like do my own thing full time, or what does that look like? And I'm sitting here and it's like, no, you idiot, you have two little kids. Like you need a stable income. You don't need to be an idiot right now and go start a company and, you know, not succeed.

Speaker 2: 43:23

Yeah, I mean a couple of pieces and, you know, not succeed. Yeah, I mean a couple of pieces. One, I kind of saw it so, like there's been a couple of points in my life where, like, it's been kind of now or never type situations, and so this is kind of another one of those Just to give you some examples of past ones where I was like 26, 24, 26, some number at when I was at White Hat and I decided to leave, I just bought a one way ticket to Southeast Asia and I was just going to go backpack around Southeast Asia because I'd never I'd never traveled internationally. But intellectually I knew that if I didn't do it then I may never do it again. Right, so, like and and and I feel like my, my, now obviously I self-fulfilling prophecy kind of situation, but like, like, I don't think that I could pull that off now, and like and then I had that decade of bug crowd right, where, like, I couldn't have pulled it off anytime in between there, and so those three months ended up being like a whole year of backpacking all around the world and doing a bunch of stuff, and so and I'm super glad I did it Right and it was fantastic and so, but again, just kind of it's either now or never. And so same thing with COVID.

Speaker 2: 44:31

During COVID I've I've always wanted to kind of live out of a travel trailer. I don't know I'm, I'm like a a little bit of a vagabond at heart, and so I just bought a travel trailer and went around to like national parks, working remotely, and it I loved it and it was, it was great. So but I I got, I did that when I could because I wasn't sure when. Anyways, I'm belaboring the point. Same situation here where, where I didn't have any kids at the time and or any sort of expectation of a child coming into the picture or any sort of expectation of a child coming into the picture and and so I knew that like this is one of the least risky points in time for me to. If I was ever going to try to build my own thing, it would be this or it would be now. And if I was ever going to try to build something and I was going to be successful at it, I have 13 years to back me up here. So like I don't think there's going to be another point in my career where I have like 13 years of experience in in, like a field that, like, I'm pretty dang good at.

Speaker 2: 45:30

And then, on top of that, I had a high degree of confidence that I know what people are paying for this in market. I know what people, you know, I, I know people are paying for it in market and so I know that there's no reason why I couldn't sell this. So I it was a confluence of those things where I said, okay, like, so, like it was very intellectual, as it were, right, like it's not, it's it's, it's less of a you know. So it wasn't like an emotional decision, right, where, like you know, I, I, it was just like kind of spur of the moment.

Speaker 2: 46:02

It was like, okay, like this is pretty data driven and I feel fairly safe in in doing this, and if it doesn't work, I know I can eject right and I'll go run customer success somewhere or I'll. You know I, I can, I can find another role, reasonably confident in that I don't want to misspeak, who knows, maybe I couldn't actually try, but so, yeah, so that that, that that was that was kind of the, the intellectual process behind it. Would I go do it right now If, if, like it was right now, I probably wouldn't, that's so true.

Speaker 1: 46:38

Everyone, everyone always thinks oh, I got, I got time, I'll, I'll do it later. I got the time to do it. You know, I'm only 20, right, 23, 24. I got the time to go and do something like that, right. And I always tell people you have so much less time than what you think.

Speaker 1: 46:58

One, you don't know when you're going to die. I mean that's just a point blank fact. You don't know when you're going to die. At least you know 9.9 of us out of 10 don't. Right and like when you're young, that's when you need to be taking the risk.

Speaker 1: 47:10

If you don't have a family, if you don't have anyone depending on you, to, you know pay the mortgage or you know provide in any way, right, like, I think, back when I was in my 20s and I studied abroad, in Germany, and I mean that was, that was like the best time ever possible, I mean I got, I got all the partying that I could have wanted out of the way I traveled across the globe alone to a country that I'm not familiar with. I I spoke a little bit of the language at the time, but you know it like it was a challenge for me, you know, not as extreme as Asia. I mean, I couldn't imagine doing that right, but it's still like you have to execute when you have that time. You know that makes a lot of sense and I feel like people forget that. You know they always think like, oh yeah, kids, kids will be down the road.

Speaker 1: 47:59

That's five years away. It's like, okay, well, yeah, that's five years away and you're talking about doing something for an entire year. What are you going to do? Like, in between, you think that you're just going to take a little baby on the road? Like, trust me, seven days in, you're not going to want to leave the house.

Speaker 2: 48:15

Yeah, but that's not to discourage anybody from doing. I mean, the best day to start was yesterday, the second best day is today, kind of thing. It's like you know, obviously you know, just because, like timing is almost never ideal. I mean, even at the time, right Like I, when I left white hat, like I turned down a promotion to go, everybody told me I was crazy, like, except for like a few friends that were like, yeah, go get it. Uh, you know, like my, like my, my family and and whatnot were like I don't know about this, like you've got like a good job, you know, like you know, and so, and, and it's tough to make those kinds of decisions. So I mean it's never, it's never gonna feel ideal, right, just I, I'm sorry, I'm just I'm just pontificating to anyone that's kind of on the fence Like do, like I'm not telling people to like go take stupid risk, but like also, don't, don't not take those risks. Right, because there's also like there's a component to it where, where, on your deathbed.

Speaker 2: 49:20

Right, and this is kind of my, this is kind of the thing that that made me decide that I do want kids. Right, because there's a period in life where you're like, do I want kids or not want kids? Right, you have to like, actually ask that question and like on your deathbed, right, am I going to? Or, when I look back at life, am I going to be disappointed that I, you know like this is going to cost me. Like I know it's going to. It's going to cost me physically, mentally, financially, it's going to. It's going to cost me physically, mentally, financially, right, but like, if I look back and I didn't do this thing, like would I? Would I be happy about that?

Speaker 2: 49:51

And and some people's answer maybe that they're like, happy that they didn't have a, have a kid or whatever, but like, for me, it was like no, I think that that's part of like, the human experience and so, yeah, so I guess I want kids. All right, let's go. And same goes for the business, right, like I, I, I'd have a hard time looking back and being like, did I, did I, did I? Leave it all out on the field and and knowing that I didn't go, do these things, I, you know, like I, I don't want to, I don't want to, I want to regret not having done something, even if it ends up being a failure, and so that's been a powerful reframe. For me it's just kind of always taking that perspective for the end of life and saying, okay, like, even if this sucks and even if it goes sideways, if I like, I will know that I tried right and I can live with knowing I tried. Not having tried is a lot. It's a lot more tough to live with.

Speaker 1: 50:52

Yeah, yeah, that's a really good point and that's definitely how how I, you know, think about, or quantify, you know, different choices in my life. For sure. You know, like when I I try to fast forward and when I'm at the end of my life, what do I want that to look like, you know, and if it if right now what I'm doing doesn't fit with what I want that to look like, I know I need to correct something, I need to fix it Right and I would I would 100% regret not having kids if I didn't have kids, like 100%, and I felt like I would regret it without having any kids. Right. And now that I have kids, it's like by far the best thing I've ever done. Like I have so much fun. I don't get any sleep, but like I have so much fun, you know it's great, you know just seeing the kids grow and everything.

Speaker 2: 51:41

It's exciting. I'm curious to know what that's like. Again, people people always say that and and I anticipate it being fun I I look forward to like teaching them how to think, like when I'm with like other kids or like I don't know, like nephews or nieces or stuff like that. I'll, like I don't know it's it's fun to like challenge their thought process. I'm like you know, like they'll say words to me and I'll be like, but what does that word mean? Like you know, just watch them like try to have to like explain like well, why do we do that? Why does the, why does the world work that way? And I don't know. I I think that's a ton of fun.

Speaker 1: 52:19

They probably think I'm a terrorist, so Brent, I feel like I have to have you back on for another episode Maybe. Maybe when you're in the thick of it with with your new kid or just coming out of it. You know like we can touch base and be like, well, how is it, you know, cause I call it, I call it going into the suck. You know like, oh, he's going into the suck or I'm going into the suck, I'm just coming out of it where it's just like a haze. You know, for two months, like with my first kid you know she was born in March and I don't start remembering, like I don't have another memory until May Like I negotiated a whole deal, you know, with a sponsor and everything in person. I had a really nice dinner with a friend of mine and I don't remember any of it. And a couple of weeks go by and my buddy reaches out and says, hey, did you ever send them the contract? It was like no way. I don't know what you're talking about.

Speaker 1: 53:09

Sleep fatigue.

Speaker 2: 53:10

Yeah, yeah, cause, you're just not sleeping.

Speaker 1: 53:12

It's just, there's just no sleep. That's the thing.

Speaker 2: 53:16

That's why I'm curious about the the working from home aspect, cause again, I'm I never leave the house, so like um, when I had an hour in between meetings, I was napping Okay, had to yeah. Yeah, they're. They're not due till March, so we're still pretty early in the early in the story. So I got some time, but a little bit less time than you think?

Speaker 1: 53:41

Yeah, less time than you think.

Speaker 2: 53:43

I believe that yeah Well, that.

Speaker 1: 53:44

Yeah well, grant, you know I I apologize for going over. We got a little, we got started a little bit late here, but you know I really did enjoy our conversation and I definitely want to bring you back on talk about, like what you've learned new about quantum and and satellites yeah if anything at all, we'll see.

Speaker 2: 54:02

we can talk about your new book on on quantum and satellites for dummies. Yeah right, explain it like I'm five.

Speaker 1: 54:10

Before I let you go, how about you tell my audience, you know, where they can find you if they want to connect with you and where they can find your company if they wanted to. You know, reach out and learn more.

Speaker 2: 54:19

Yeah, so my home address. Just kidding, so I don't know if you want to dox yourself?

Speaker 2: 54:23

Just kidding, so I don't know if you want to dox yourself, so you can. You can find me on LinkedIn. My name's Grant McCracken. There's another Grant McCracken on there, there's a couple others, but maybe Grant McCracken Dark Horse You'll probably find me there Grant McCracken security, something like that. So feel free to reach out or connect on LinkedIn.

Speaker 2: 54:45

Grant at darkhorsesh is my work email and darkhorsesh is Dark Horse, obviously, the organization that I've kind of built. Again, we're happy to help organizations at whatever stage they are in their security journey. Our whole goal is to kind of make those solutions accessible and affordable, and so, even if you're not able to afford security, I've got pen testers that'll work for free because we kind of use the crowd. So, like there's people that'll gladly do pro bono work and then I'd be happy to give away the platform for free as well. So, like we're just here to try to make people more secure. So if you want to be more secure, whatever your budget it's a wooden nickel and a rubber band, right we're happy to kind of do whatever we can to help you become more secure, if that's what you want to be, we want to help you get there.

Speaker 1: 55:33

So that's my pitch Awesome, cool. Well, thanks everyone. I hope you enjoyed this episode.

People on this episode

Joe South

Host