From Sewers To Subsea: Rethinking Data Centers And Defense Artwork

Security Unfiltered

Cyber Security can be a difficult field to not only understand but to also navigate. Joe South is here to help with over a decade of experience across several domains of security. With this podcast I hope to help more people get into IT and Cyber Security as well as discussing modern day Cyber Security topics you may find in the daily news. Come join us as we learn and grow together!

All Episodes

Security Unfiltered

From Sewers To Subsea: Rethinking Data Centers And Defense

November 24, 2025 • Joe South • Episode 213

Send us a text

We trace a winding path from offshore rigs to elite red team ops and into subsea data centers, using one sewer-side breach as the spark for a new way to secure and scale compute. Along the way we unpack social engineering basics, the blue vs red culture clash, and whether AI is building features or changing outcomes.

• junk folders, platform fatigue, and curated personas
• kids chasing influence and the low barrier to entry
• leaving school early, offshore work, and non-linear careers
• social engineering as ordinary behavior with intent
• red team vs blue team dynamics and trust
• the sewer break-in that birthed an idea
• how subsea data centers plug into power and fiber
• threat models at sea and nation-state realities
• latency wins for gaming, streaming, fintech, telehealth
• AI hype, thin moats, and the need for stack control

Find Maxi: most active on LinkedIn; launching an AI security blog and weekly newsletter at maxirynolds.com

Support the show

Follow the Podcast on Social Media!

Tesla Referral Code: https://ts.la/joseph675128

YouTube: https://www.youtube.com/@securityunfilteredpodcast

Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast

Affiliates
➡️ OffGrid Faraday Bags: https://offgrid.co/?ref=gabzvajh
➡️ OffGrid Coupon Code: JOE

➡️ Unplugged Phone: https://unplugged.com/
Unplugged's UP Phone - The performance you expect, with the privacy you deserve. Meet the alternative. Use Code UNFILTERED at checkout

*See terms and conditions at affiliated webpages. Offers are subject to change. These are affiliated/paid promotions.

SPEAKER_01: 0:53

How's it going, Maxie? It's great to finally get you on the podcast. I think that this thing has been in the making for like three years at this point.

SPEAKER_04: 1:02

I know.

SPEAKER_01: 1:03

I know. It's great to just finally get you on.

SPEAKER_04: 1:06

It's it's nice to be here. I remember being like woefully, egregiously, deeply embarrassed and full of cringe because I'd gone, I can't remember why, but I'd gone into my LinkedIn like filtered messages. Somebody had said I've messaged you on LinkedIn. I was like, I couldn't find it. So I went to this sort of until that point unknown to me folder, and I saw these people and I was like, and so I started reading them. I was like and then I got tears and I was like, oh god. Because yeah, for for for a long time and it, yeah. So apologies. But here we are. Look, we made it just.

SPEAKER_01: 1:41

Yeah, it's it's weird how that happens. Like I check it like maybe six months, maybe, if I remember, you know. Yeah. And like it's always just like crazy, like how some are getting filtered, and you know, it's like, oh, this is a real thing, and it like completely got filtered away from me. You know, like what are you doing?

SPEAKER_04: 2:02

But funnily enough, I do check my junk email probably weekly. I've got that in mind, but not on LinkedIn.

SPEAKER_01: 2:09

Oh, yeah. It's it's two different, it's like two different communication forums or mediums. You know, like you don't think you don't think on LinkedIn, oh I have a junk folder. You know, you you know it on email.

SPEAKER_04: 2:23

Yeah, it's it's and I also think of LinkedIn as somewhat social productivity, sure, but but actually mainly social, like a a professional social media. But the but email that is work, so that's probably why my brain separated them. But after the environment a few weeks ago, I've checked it weekly. So yeah.

SPEAKER_01: 2:47

Personally, I like hate social media, uh which which I guess is interesting, you know, because I have a podcast, so I'm not forced to be on there, you know. But I just like schedule all of my posts and I'm just like done with it, you know. Like I don't I don't look at it, I don't care, you know. No. Because it's just too much.

SPEAKER_04: 3:07

It is too much. It's a huge drain on time, resources. I also tried to try to stay up. I've got some sort of quote unquote fake profiles that I use for meme culture essentially to s to stay up on it, to make sure I've got jokes. But other than that, there's nothing there's nothing on there for me. Right. Yeah.

SPEAKER_01: 3:26

Yeah, it's it's a huge time sink. And I I just feel like you're not getting the authentic person. Everyone is kind of just painting themselves as as the best possible, you know. And it's like, it's like I I approach it from a different different angle, right? Like when I was posting, like, you know, me posting.

SPEAKER_02: 3:45

Yeah.

SPEAKER_01: 3:46

I mean, it would literally be like it would it would literally be like, I just failed this cert test that I probably should have passed. Yeah. You know, like, or I just messed this, you know, like whatever it is. Because it's like everyone makes it look like, oh yeah, I just took the hardest cert, passed it on the first try, or yeah, you know, did this insane work and you know, was totally fine. It's like, okay, that never happens.

SPEAKER_04: 4:08

Yeah. Or my kid just said to me the most the deepest thing I could basically a philosopher, my two-year-old, I'm sure they did, Karen. I'm sure they did. But yeah, when I remember when Facebook first came out, and I've not been on Facebook for over a decade, not even sort of with a fake profile, but I remember when that first came out, it was slightly more realistic. People hadn't adopted the showmanship yet, at least not to my memory, at least not for my cohort in Scotland at that time. And it was sort of useful because I went to work offshore so early. I could keep up with the with the things I was missing out on, which has its pros and cons. I was like, I'm missing that, you know, birthday at 18. I was like, oh, I'm missing such a good night out. But I also, yeah, I just I got to I got to keep up with people and it was really good for that. I did like social media for that for a long time, and then it was no longer that. It was you're annoying, sort of long lost ants, getting in touch, and then the showmanship and the sort of what would really be the precursor to influencer the influencer economy sort of started back then, people and they're building.

SPEAKER_01: 5:20

Yeah. Yeah, it's a weird world that we live in now, and like how quickly social media kind of like changed all of that, you know? Like I I think back and I never I don't know. I I mean like I just never looked at Facebook and I just thought of oh, I'm gonna, you know, be sponsored by some company and present some product or no, I mean like obviously I don't even do that today, but yeah, you know, for for people to do it just in general, you know. But now it's like the main thing that some kids are like aiming towards.

SPEAKER_04: 5:52

It's like they wanted to be a Mr.

SPEAKER_01: 5:54

Beast, right?

SPEAKER_04: 5:55

Yeah, yeah. But trying to get but you know, it used to be when I was eight or nine, I went I I wanted to be a pop star. Cannot sing, cannot dance, and I'm I'm bivaried, I'm not even extravaried. So, but I wanted to be that it's sort of similar. The the problem with the influencer economy in terms of relative to children wanting to be influencers, quote unquote influencers, is the barrier to entry is lower. So it used to be you had to go on audition. Similar, similar things, right? You you wanted to be sort of in entertainment, it's almost like when you were younger. I think most of us did all of my friends when we were from five to probably, I don't know, 13, 12, 13, we were making up dances in our in our bedrooms together and pretending we were one of the Spice Girls, which is ridiculous, but it's it was prevalent. So what we have today is influencer culture where the kids kind of they want to do that, but the problem is the barrier ten trays solo. So you don't go on audition, you don't have to practice, you just get on the internet, you stay in your room. There's not a lot of skill required. I mean, the more skilled you are, probably the more influential you'll be, maybe. There's, you know, there's some quality that the that the big influencers have that I probably can't articulate, but it's just changed the way that you have to you have to sort of manage it as a parent. So my mum laughed and she was like, Yeah, of course, you could be the next Lindy on. But it was well, you'd have to go to singing lessons and you'd have to go to dance lessons and you'd have to do these things. Whereas now as a parent, you've got to say either, okay, we'll get you, you know, set up and you can sit in your room and you can do that, or no, I can't have you on on the internet doing that at 12 years old. Those are really the two choices you have as a parent, I think. So it's it's changed a lot, but actually for children it hasn't changed. They want to be, I don't know, known known entities. Yeah. And that's been true for a long time.

SPEAKER_01: 8:00

Yeah. That's it's interesting that you bring it up and you kind of mention it like that. I I I guess I never even thought about it like that, you know. Where, you know, I I don't want to say back then, but like, you know, 15 years ago.

SPEAKER_04: 8:16

No, back then, yeah.

SPEAKER_01: 8:17

Fifteen years ago, like it was like, yeah, you have to go and do these lessons and you have to go and try out for stuff.

SPEAKER_04: 8:25

Yeah, you want to be a soccer star, get out there with a ball, you know. Yeah.

SPEAKER_01: 8:30

And now it's like, oh, I'm gonna if I want to get the scholarship to some college, I'm gonna go and post my videos on YouTube, send them to all the coaches, yeah, you know, show skills training and all that sort of stuff. Like, I'm sure that's happening. That's totally different. Man, that's a totally different way of approaching and when I was in high school, I had to like convince coaches to come out and see me if I wanted to do something like that.

SPEAKER_04: 8:54

Yeah, no, it has changed. And in some ways, it's it's great. We can't fight, you can't fight the future every step of the way. But as an adult, obviously you can't help but see how it's changed and and perceive it sometimes to be for the worst rather than the best.

SPEAKER_03: 9:09

Whereas kids are like, this is amazing.

SPEAKER_04: 9:12

But children are idiots. So if they're not sentient beings, we shouldn't, we shouldn't always listen to them.

SPEAKER_02: 9:18

Right.

SPEAKER_04: 9:19

And that's why I don't have children.

SPEAKER_01: 9:25

Yeah. So Maxie, you know, we kind of just dove right in.

SPEAKER_02: 9:28

Got in, yeah.

SPEAKER_01: 9:29

But uh you're doing some really interesting stuff with Sub C cloud, subsea data centers.

SPEAKER_02: 9:36

Yeah.

SPEAKER_01: 9:37

How how did you get started in this world? I'm just gonna generalize it, of IT overall, right? Yeah. How did you get started? What kind of piqued your interest to say maybe this is something for me? Yeah. Right. And just walk me through that journey.

SPEAKER_04: 9:53

It wasn't it was a wild ride sort of looking back, and it's interesting because as a step parent, I'm I would hate for my you know children to take this path. But of course, you don't think of it from a parental point of view, you only think of it from your own growing up. But I left school when I was sort of 15, which I'm sure my mother was thrilled about, but I also left home, which again I'm sure she was thrilled about, but I thought I was an adult. And so I was looking for I'd you know had all these like small crappy jobs. Essentially, I was a cleaner and I worked in bars even though I was underage. I sold shoes. There was some petty crime. It was it was wild for a few years, and then I got to about 18, 17, 18. I was working in a call centre at that time, I think. But I was just about to get fired because one of the managers had listened in to the all calls leaving the call centre. It was a Tesco call center, so sort of like a Walmart call center. Some calls get flagged, but they're all recorded, and it was just me on the phone of my friend for four hours. I just phoned them for you know half of my shift because I w what did I know and what did I care? And I remember she was sort of laughing, she was smirking. I was like, I know what's happening. She must have just been thinking the call sort of thing. And I had gone to this age where I still didn't know what I was doing, obviously, evidently, but I was more interested in like or or I had more sort of what is the rest of my life gonna be like? Is this it? Sort of thing. I was coming to that. And I wanted to travel, I wanted to leave where I was in Scotland. So I started to think about the jobs, but I hadn't I hadn't finished school. So most of the jobs that were open to to me would have been like going to a foreign country and teaching English. But I didn't have an English like credit because I didn't finish school, so probably should have gone to university and studied something like that. But I'm actually glad that I didn't. I ended up working offshore oil and gas sort of by hand. I knew about the industry because my granddad had worked offshore and my dad was then working offshore. So I fell into that and I stayed offshore for about 10 years building robots. I got sort of most of my training on the job on the oil rigs. I was given, you know, a really good opportunity by somebody I'm still close to. We basically inspected pipelines, made pipelines, and other offshore infrastructure. And yeah, so for about 10 years. And then I moved to Los Angeles after sort of seven other countries trying a few other countries and traveling a lot, and I ended up well, first of all, I ended up in Miami, and I was like, oh, I do not like this because I didn't party and don't take drugs. I drank probably too much, but not, you know, to go out and to go out and get drunk, just a dabble in whiskey. And so I ended up moving to Los Angeles and then I got into stun work for a little while, which was enjoyable in its own right, but it was never going to be a career. And then I was still working offshore on and off, and I'd over the sort of 10 years I'd worked offshore, I'd gotten some long distance degrees. Some I finished, some I did not. Um, and one of them was computer science. And so I ended up with a job down in Australia, which was again sort of haphazard, but took the opportunity, went down to Australia, worked for one of the big four down there, and was taught pen testing and red teaming. Social engineering was my first sort of introduction to social engineering as a profession, not just a natural skill. You know, I started out by saying I was a little bit of a social nuisance. There was some petty crying between 15 and 18, and a lot of that involved social engineering. We just didn't know that's what it was. We just thought we were sort of bullshitting our way into places or out of places where we were in trouble, so on and so forth. And here I was like, there's a career in this, this is amazing. So I ended up doing that for a few years, and then my last job, and I was contracted like independent, and my last job was for a data center, in-house data center team. They were responsible for the security of data centers for a company that you and I definitely know about and everybody else knows about too. And we got into one of their data centers, which I think was hosting very sensitive material, and we gotten through the sewers of all places because it was very well guarded. I didn't think we were gonna get in. That was again there was a lot of luck involved in that, not just skill. And the more skill you have, the more important luck is. So we got in through the sewers, and I remember it being a really big deal. Everybody that we were with was like, we're gonna white faced and just like this is really bad. And me and the couple of other people who had been contacted, we're like, this is amazing. And then I remember thinking, because of because of working offshore for so long and then doing red teaming for so long, I was like, well, if you want to keep them safe, put them underwater. And it was no more sort of brilliant than that. It was really just this simple, like, if you want to keep them safe, this is what to do. So then I knew that I was leaving the like social engineer red team in space. So I phoned my old boss and said, Hey, what do you think about this? He was still doing lots of things offshore, was renting out vessels with crew and ROVs. And I was like, What do you what do you think of this? And he was like, I've had similar thoughts. I like it. I think, yeah, if you want to do it, you should do it. And then I was like, Do you want to do it with me? And so he does, and it's sort of been an enjoyable ride up until now, but it's been four long years of trying to get chasing the wrong things, chasing some of the right things. You don't actually know what you're doing until it does or doesn't work out. That's startup culture. It's problem solving from start to finish, and you never know if you're solving the problem correctly. Yeah.

SPEAKER_01: 16:04

That's fascinating.

SPEAKER_04: 16:05

That was a lot for you. Good luck breaking that down. Go on, though.

SPEAKER_01: 16:08

No, I it's a it's an interesting path. You know, I I never looked at, you know, the crime world as being mostly like social engineering, right? But as soon as I started to get into like security, because I yeah, so I got my degree in criminal justice, so I'm very well acquainted with, you know, like serial killers and all that sort of stuff, right? Like, like a lot of the documentaries that come out, yeah, or like TV shows about them, I don't even watch because like I sat through that class and I'm like, I do not want to revisit that again. No, no, you know, and so but like I never looked at it from social engineering. I just looked at it as someone, you know, kind of being not calling you this, right? But like when you're a ser serial killer, you're typically a sociopath and you're manipulating people, you know, to do things that they may or may not normally do, you know, to for you to gain an advantage over them, right? And once I got into cybersecurity, I was able to say, like, oh, that is like social engineering, like to the absolute max, though, with the worst intentions possible. Yes. What are some basics of social engineering that people may use in their day-to-day lives that they don't even realize? Because, like you mentioned, you know, you were already good at it and you didn't realize it. Yeah. Well, what are some of those skills?

SPEAKER_04: 17:32

Well, I mean, I think social engineering, there's been this industry carved out of what is essentially human nature. It's it's like social engineering isn't something, an industry that was thought upright. It's actually carved out of things that we all do every day. It's interaction. And so even a serial killer, they are manipulating people to do things sometimes that they would already do. Who was the guy? As soon as you get his name, you're gonna be like, you didn't know his name, you're an idiot. But who was the guy, I'm sure he was gay and he was taking men home and murdering them? He was kinda hooky.

SPEAKER_01: 18:21

I I know I know who you're talking about.

SPEAKER_04: 18:24

Yeah, was it is it is it was it Ted Bundy or was it not Ted Bundy? I don't should one of us look this up.

SPEAKER_01: 18:30

It wasn't Ted Bundy, it was they made a show about him on the body.

SPEAKER_04: 18:33

They did make a show. Yes, I'm gonna Google gay now. We gotta look serial killer and all your audience just shouting, you idiots.

SPEAKER_01: 18:41

Yeah, right.

SPEAKER_04: 18:42

Uh I don't know who Richard Podgers is, but he's come up. But again, I did just type in gay serious killer song, which is great on my snarch too. Jeffrey Dahmer.

SPEAKER_02: 18:53

Yeah, yeah.

SPEAKER_04: 18:53

Jeffrey Damer, okay, Jeffrey Dahmer. So it's likely that the the people that he had sort of gone home with him, not well versed on him, I think I've got the basics. They would have they would have been doing that anyway. So he wasn't trying to get them to do something they wouldn't do, he was simply manoeuvring so that they would do it with him. And so most people will hold the door open for you. Like you'll hear this in social engineering all the time. You know, you've got women going in with fake pregnant bumps or people going in holding like the cartons with like eight coffees, and you're like, could you just hold the door? People will hold the door for you. You're just saying, do it for me because of this. And so it's social engineering isn't difficult until you sort of get in your head about it. But of course, I have a lot more practice than than other people because I to get out of some sticky situations from, you know, um 14, 15, 16 years old. So you sort of, I would say get the gift of the gab in a way, if that's the I don't know if that's a British thing or a Scottish thing or a worldwide one, but you sort of become confident in your ability to talk yourself in or out of something. And if it works great, you get high from it. And if it doesn't work, then the police are probably getting called. But yeah, it's I think social engineering is it's it's human instinct, it's just now you're doing it with some level of intention. The other person's unaware of that, so it's asymmetric and it's sort of unfair in a way, but such is life. Yeah.

SPEAKER_01: 20:27

Yeah. A couple years ago, several years ago, I used to work for a credit bureau.

SPEAKER_02: 20:33

Yeah.

SPEAKER_01: 20:34

And, you know, if I said their name, everyone everyone would know their name. And we we had a really good red team. Like our all of our red team, you know, came from like the military and the NSA.

SPEAKER_02: 20:47

Yeah.

SPEAKER_01: 20:47

Because the the director over the red team, he came from the military. So he was like, I'm only gonna hire, you know, yeah. And uh, you know, they they like started challenging, you know, my side of security, the blue team.

SPEAKER_02: 21:02

Yeah.

SPEAKER_01: 21:02

And so one of the things that they would challenge him with is like, oh, I bet, you know, we could like scan the badge or you know, we'll stake out the place for weeks, and security won't even know, right? Because security actually did like roaming patrols around the building. This is in the middle of you know, a big city, right, in America. And uh, sure enough, you know, one of these guys like basically didn't shower for like two or three weeks, dressed up as a homeless person, sat outside the front door, yeah, roaming security, didn't do anything to you know, get him to leave or anything. He scanned someone's back, went into the lobby, and then, you know, went into this side door that like essentially we would take like vendors there if they weren't already like on our trusted list or something, but they wanted to do a presentation, we would take him, you know, to this room that's like sequestered, you know, on the on the lobby floor.

SPEAKER_02: 21:56

Yeah, yeah.

SPEAKER_01: 21:57

So he goes in there, plugs in his Ethernet, and he immediately gets connection to the network. And you know, like they had been, you know, talking it up for weeks with us, and we're like, we literally have a solution that is looking at the Ethernet ports and shutting them down.

SPEAKER_02: 22:12

Yeah.

SPEAKER_01: 22:12

Like, what what are you even going to do to this?

SPEAKER_02: 22:15

Yeah.

SPEAKER_01: 22:15

You know, and he got right in, and it was he just did something. He did like three things that we just never expected someone to do, you know.

SPEAKER_04: 22:23

And that but that's the problem with the defensive side. You've got to expect all you can't possibly do that. It's it's the it's the harder side. It's it's impossible, actually. But one of the things like I've I said in the book, and I continue to say, is you have to be like on the def on the well, on the defensive side, it would be great to think like an attacker, sure, obviously, but it's not always possible. But and then on the attacking side, on the offensive side, you have to you have to be like contrarian, it has to be counter-culture. You can't buy into the if you're if you're an internal red team, you kind of gotta not like the company. Not really, not truly. You're you're doing it out of love. It's like being a strict parent sort of thing. You're not doing it to be a dick. You're doing it because, you know, you have to do that to be good, but it has to be counterculture focused. You can't care about what they care about. In fact, you've got to, you've got to be against them most of the time. And it's a really interesting job that way. I really, I really liked it because you'll talk to people within your organization and you kind of like them and you hear how they think and how they talk, and then you're like, I have to weaponize this. This is amazing. And not everybody has that in them, but then the people that don't, I don't even know if they should be on the defensive side. I think defensively you have to have an us against them mentality for the objective, but not the outcome, right? The outcome is you want the organization to be more secure, but the objective you you can't be with everybody. You've got to be like, you've got to be. I don't know another way to say this. I hope that you don't have to beep on my cussing out and that your audience isn't like disgusting about okay, good. But you have to be a dickhead. Have to on both sides, like you have to think differently than the rest of your organization. And you have to be willing to do things that everybody may not like. And obviously on the offensive side, that's fine. People expect that from you. On the defensive side, people are a little more you're gonna make me do what? Every you know, there's if it's I don't know, if it's fishing exercises or whatever people are doing now, especially with AI, that's very interesting. I I have I've not properly looked into how AI is helping or not hindering, I guess, security. I'm sure it's yeah, uh it'll be interesting to see.

SPEAKER_01: 24:51

Yeah. No, you you bring up a really good point. And I I think a lot of people kind of miss this point, right? In security, you're not really you're not really supposed to be liked.

SPEAKER_04: 25:03

No.

SPEAKER_01: 25:04

If you're doing your job right, a lot of people dislike you.

SPEAKER_04: 25:08

Yeah.

SPEAKER_01: 25:08

I mean, like when people would come up to me and ask me for different things, my initial response, like the first five times, is no. No, like, no, get out of my face. I don't want to hear this. That's the worst idea I've heard. Yeah. You know, like you literally just made my board for the day.

SPEAKER_00: 25:27

Like, good job, you know. Amazing.

SPEAKER_01: 25:30

Like, I got on a call one time. I was working for a large German automotive manufacturer. I got on a call one time because I was deploying a WAF globally, and there was 150 developers on the call. Now, one, it was extremely difficult for me to get 10 developers on the call at one time, right? For something that they like absolutely had to do. But for 150 of them to be on the call at the same time, that was weird. I get on the call and for an hour and a half, they're just like berating me, trying to trick me into agreeing to essentially like bypass the WAF completely. And they were using terms that I didn't quite know the definition of, you know, like they were trying to get me to do things that, but they weren't trying to tell me what it was that they wanted me to do.

SPEAKER_02: 26:18

Yeah. Yeah.

SPEAKER_01: 26:19

And I, after like literally 90 minutes of being on this call, I just reached out to my engineer who's also on the call. It was me and him and these other guys. And I reached out to him and was like, Are they trying to get me to bypass the WAF? He goes, Yeah, I just realized that too. And I like cut off the lead dev that like that was talking at the time. And I said, I'm gonna tell you this right now. You are doing what I just told you to do. We're not bypassing anything, I'm not putting in another rule. And he was like, Oh, I'm gonna go to the CISO then. I was like, Good luck, I'll schedule the call for you. Like the CISO isn't going to tell you anything different, you know? Yeah, and like sure enough, he like reached out to the CISO in the back end and was like, Do I have to listen to Joe? And the CISO was like, You need to listen to Joe as if I'm the one telling you it. Yeah, you know, and yeah, like that's the kind of support that you need. But like again, those devs hated me, you know, for like two years they hated me.

SPEAKER_04: 27:13

Good job. Is it's like it's both fortunate and unfortunate because everything that we do in security matters, and yet nothing nothing matters because you will be breached. It is possible, and we can see it all, but good God, we're trying our best. If you if you listen, then we'll be a little bit safer and a little bit safer and a little bit safer. But of course, it's not it's not foolproof. And then that it's one of the worst things about all humanity is it's sort of like this example which riles me. You hear it used to be smokers, maybe, maybe in the future it'll be vapors, I don't know. But you remember it used to be the people who were smoking, they were they would always say, Well, Bob, Bob dropped dead of lung cancer and he didn't smoke, and you're like, Okay, well, that's one. But you've given yourself a 50% increase of all cause mortality by having your your cigarette, but it's and it's impossible once people get this one in their column, they're like they over-generalize it. So once you've been breached, but you put in all this effort not to be, then you have all these people go, well, it didn't work. And you're like, well, they tried all the other things, and that's how they gone, and now we know, but it's it's a it's a thankless task most of the time. It really is. It really, really is. And then of course there are things that happen now where it's sort of conspiratorial. So what was the was it the Baltimore Bridge? I remember people thinking that was a cyber attack. The outages, the CrowdStrike one, people were so sure that was one, and it's one, you know, new engineer that pressed the wrong button. The AWS one, I was at a conference, so I wasn't up to date on that, but I'm sure people were immediately like, it's the trying. I'm sure that they were. And so, yeah, we've got this conspiratorial, both internally and externally, this this conspiratorial mindset where your organization is against the internal security and to think we're out to get them, and they're also against being breached, but won't do what it won't always do what it takes. I sound a little bit cynical on people today, and I don't know that I always feel this way. It's just that you've taken me back to what it's like to get people to do things within an organization, and it's so difficult.

SPEAKER_01: 29:32

Yeah.

SPEAKER_04: 29:33

But yeah.

SPEAKER_01: 29:33

I'm very glad I'm not on that side of security anymore. It's the most frustrating thing possible.

SPEAKER_04: 29:41

Thankless.

SPEAKER_01: 29:41

It's like, hey, can I just get you to do your job? Like it's just your job, you know, what we pay you for, you know, like but uh you bring up you bring up the mentality though of security overall, where the attacker only has to be right once. Once. And the blue team, the other side, has to be right 100% of the time. And if you're right 99.9% of the time, guess what? You still failed, you got breached. So, like with that data center breach where you went through the sewer system, what was that experience like? Because I I'm sure I'm sure the experienced people on the team were probably thinking immediately, one, this never should have been able to happen, two, we're about to get in a lot of trouble. Three, we're getting arrested. You know, it goes through all of those, all of those things. Even though you have the proper documentation and everything else like that, you're still probably getting arrested and you have to like talk your way out of it to some extent, right? What was that like?

SPEAKER_04: 30:42

I think what's like people fail to realize about red teamment is most often, more often than not, all you have is a piece of paper where you give it to whoever cat. To you, and you say, This is uh no, I'm supposed to be here. And they're like, Oh great, you've got letter heads. I do not believe you. Get on your knees. I'm gonna we've already called the police, and you're like, no, fuck. Call the person on the lair, call your, but no one wants to call their boss and be like, There's a piece of paper here, but there's also someone who is, you know, intruded and they also do not smell good in two cases here. One, we've gotten through the sewer, and you're a guy who hadn't showered for a few weeks. So they're just like, this doesn't make a lot of sense to me. And sometimes they will call, and then the person on the other end of the line will be like, Yep, I'm on my way. Always I always prefer when it's someone local. If I'm caught, first of all, as an immigrant, I don't want to be arrested. Definitely don't want to be arrested today. I'd be straight to ice pretending I've, you know, come from Mauritius. But um, like, send me back there. But um, you shouldn't joke about those things. But no, I always want that person to be local, and sometimes they would agree to be in the area too, which I think is is quite helpful. And yeah, it's sort of the job is interesting, the job is fun. That is to me the most fun you can have uh is on the offensive side. You get to think differently, you get to do things that the general population, A, generally can't conceive of, and B, even if they could, generally wouldn't do it, right? The consequences are too steep. All of those uh hurdles, barriers are removed for us. We get to think up the worst things, the most intricate things, and then we get to execute on them, and there's really mainly no consequences. I think a few years ago, and I can't remember the names, so just generally, there was a team who were breaking into, I think, a government facility, they were caught and they were arrested, and I think they were prosecuted, and the whole industry was like, what the fuck is going on? And I was just getting in, I think, at that point, and I was like, is this a is this a big deal, is it? And they were like, Well, yeah, because then we can't, then we can't we can't do our job sort of thing. If this is do you want arrested? And I was like, no, but generally speaking, the consequences are also removed, and then you just have to report your findings step by step plus mitigations in a sort of empathetic but also business-centric way. I think that's like one of the best jobs in the world. So yeah, I I enjoyed getting into those sewers and crawling through them. And we also there was like a galley, so in for sewers, most sewers, there's sort of galley areas where for people who are gonna inspect them or perform maintenance, they can enter, and they're usually over six feet tall. And it just happened that this data center sort of connected with that, which you want to say it was an oversight, but it but was it because that data center was unbelievably secure. I could have set myself on fire. I don't think the guards would have come to help. Like they were very well trained. We tried everything, we tried every surface thing that we could. The Hassur thing was like a last-ditch effort. We had to go to the city, to the municipality, and get like blueprints, and we were all like, oh, it's possible. But if it wasn't, I don't think that we would have gotten in. And so that's sort of interesting. It was again the more skill you have, the more luck is important, and that was luck. Like there was no skill involved in the sewer being there. It was just all right, let's find the manholes or the entry points and see what happens here. We we still, even once we figured out how close the galley area was, we still didn't know if we could get there undetected. So it was, yeah, it was it was a really interesting job. I really enjoyed it, even though I was not it wasn't the most cleanliest of jobs. But it, you know, it was it was interesting. I did enjoy that. I enjoyed getting in. It's funny when you walk into a room and you can feel there's been an argument or something, you know. We all have that like sensor. And we I remember standing in that data center with the team who were following us, they were internal again, and they didn't have anything to do, but they were just following us. And they were like, I just remember looking at them going, Oh, this is really bad for them. This is really, really bad for them. And then we're like, okay, yeah, it was it was an interesting, it was a really interesting job. I'm sort of glad it was my last one because it was a good one to go out on. It gave birth to the company that I run now, obviously. And yeah, it was it was a success, which is a good note to end your red teaming career on. But yeah, and if I could do more data centers, I probably would, because they're very interesting places.

SPEAKER_01: 35:31

So did the did the galley get you just onto the data center grounds, or did it get you like into the data center?

SPEAKER_04: 35:38

No, it got us close enough to the data center. We still had to sort of go through another few barriers, but it was very close. It wasn't within the perimeter, but it was close enough to the very, very edge of the perimeter that we knew sort of where to go next. And then and then it became the job became a little bit harder, but getting into the galley was a sort of celebration or first step celebration. But yeah. And I don't know, I can't remember if we gave a heads up to the Maris Pali. I'm sure we didn't. I'm sure that we did not.

SPEAKER_02: 36:12

Yeah.

SPEAKER_04: 36:12

Like we're gonna be using these, but yeah, it was because so let's say we had to break into just the galley, and I can't imagine a job where that would be this sort of objective. But if we if that was the case, then we would have been dressed in totally different attire. Because one of the big things for red team and social engineering is what you're wearing. You know, social engineering especially, you can't turn up in all black for a day job. You better turn up looking like you're in office attire or whatever it is, you know, high viz APE and a clipboard sometimes. Actually, Oasis, one of my sort of favourite bands in a lot of nostalgia, around them and they went on tour. And when the tickets first came out, they were going for like$10,000. And I was like, mother! And I looked at my partner and I was like, I'm going to need some high viz, maybe a clipboard and a set of ladders or something, because I'm going in the back of that arena. I'm not gonna not go. So, yeah, what you're wearing caddies, some sort of authority. But yeah, we would have been wearing something different if it was just in there. Because what if someone was actually maintaining our inspect in the galley and we go in and we're dressed in hazmat suits? I wouldn't have would have been like, what are you guys doing here? And we I would have had no good answer. I'm like, looking at stuff. So yeah, preparation also. Yeah, preparation, how you're dressed, how you're gonna get through all her deals. I kind of always I do everything in reverse on those sorts of jobs. So what I'm gonna do when I get in there, although I start there and then work backwards. I can't do it in like its linear form. Have to have to start at the end and and work backwards and sort of zigzag. If this happens, I'll do that, if that happens, I'll do this. And no plan survives first contact with the enemy, but it's good to have planned, it's good to get your brain into that way of thinking because you sort of loosen it up, it's it's like warming up. You loosen it up for anything could happen and often does. So yeah, security is security is fine. You know, the actual like logical part of it is still fun. I think you're not liked, but it's fun.

SPEAKER_01: 38:15

Yeah, for sure. So you're doing subsea data centers now.

SPEAKER_03: 38:20

Yeah.

SPEAKER_01: 38:21

What are I'm sure there's unique risks with that. Like, how does that even work? Because you have to probably run cables all the way down to the bottom of the ocean wherever the sub-sea data center is.

SPEAKER_02: 38:35

Yeah.

SPEAKER_01: 38:36

And they're probably at risk to some point or some extent of tapping the cables or whatever it might be.

SPEAKER_04: 38:43

Yeah. I mean, they're definitely sort of vulnerabilities. So we already have a lot of power cable sub-sea. Basically, you know, like 99% of all traffic over the internet is going through a cable, and uh, most of that has gone through sub-sea cables. Where are you based?

SPEAKER_02: 39:01

Chicago.

SPEAKER_04: 39:02

Chicago. Yeah, so ours probably isn't. I'm usually in California, but ours are usually uh ours probably isn't, but most a lot of traffic goes through sub-sea cables, they're already there. And of course, those need power. So everything offshore assets need power. So there's a lot of power cables. There's also a lot of countries that export cable, France exports cable, not cable, power through cable to like Denmark. So we tap into those power cables, and then of course the fiber optics are already there. So in terms of like the logistics and the operations, it's actually really easy. In terms of the vulnerabilities, we face the exact same ones that the cables themselves face. The good and the bad of it is like if it happens, it's a catastrophe. If a bad actor gets to us, that's that's not good, obviously. Um, but it's a lot harder to do. You need a ship, you need divers or ROVs. It's it's expensive, far more expensive than on land. To do a red team on an offshore asset is very expensive. Now, of course, if you're a nation state actor, you're going to be well founded, you're going to be able to do it, but it's a little bit more traceable because again, you probably need a ship now. Ships have like AIS, they're identifying tags and they can be followed, but they can be turned off. So you can turn it off. So then we're reliant on sensors of the cables, sensors in the units themselves that sort of let us know it, you know, the the the unit's being raised and we did not authorize that. Like, what do we do? And then you become reliant on satellites. So it's more finicky in some ways, a lot harder to do for us in some ways, but it's a lot harder to do for an adversary. There's no just bad actor who's out there who that's going to be able to do it. It's going to be a nation's state. And if it's going to be a nation-state, they'll do it on land or they'll do it sub-sea. They'll find a way to do that. So that in and of itself doesn't matter. We hope that it's a lot more difficult for them to do, but it's not possible. And if it can be done, it will be done. So we just have to find different ways to secure. And again, it's sensors, but it's also when we have 20 units, which roughly is about 40 megawatts of compute at a site, then we have a security vessel, security slash maintenance vessel that stays on site. That doesn't mean that there aren't subs that can be detected, but again, if they want to break in and destroy the units, they will be able to do that, but they'll be able to do the same online. So it's an interesting little dance that we're all in together, geopolitically speaking.

SPEAKER_01: 41:45

That's a really good point that you bring up. That uh like if if your data centers were to get breached, that's like the least of the problems that would have occurred to enable that sort of attack.

SPEAKER_04: 41:58

Yeah.

SPEAKER_01: 41:59

Which I didn't even think about it like that. So that that makes a lot of sense. To your end customer, then, are they I mean, it's just probably just connecting over an IP because you you have network access, so you're you just have an IP.

SPEAKER_04: 42:12

Exactly. Right? Yeah. Okay. Yeah, that's it.

SPEAKER_01: 42:15

Huh.

SPEAKER_04: 42:15

Maintenance is is similar also in that we load balance if a rat goes out, then a rat goes out. You know, we'll bring it online someplace else. If an entire unit goes out and it's two or three megawatts, that's a different story. We might be able to sort of load balance that to some degree. Or we might have to switch out the switch out the units. That's kind of it. We promise that within a 12-hour window. I guess the only thing that would elongate that would be severe weather, which you know you get in the North Sea and you get everywhere, but it's slightly different than on land. Because severe weather on land, you might still you might that window might grow by three or four hours. For us, it might grow for, you know, eight hours or something like that. We need certain conditions before we can go out on deck. But if we're in a port or a river or a dam, then it's the exact same. We can probably get it done in less time, but further offshore, it's a little bit different.

SPEAKER_01: 43:08

So would most of your customers then be like nation states? I mean, maybe, maybe not. What would you say makes up most of your customer base?

SPEAKER_04: 43:20

So initially, so military just now, and then we're starting to sort of get back into this commercial adoption curve. We were slow on that for a while. Most of our customers that way, we thought we're going to be the hyperscalers, but actually the hyperscalers don't sort of set trends, they adopt them once they've been figured out. So most of our customers are either S or we're renting directly out to the market, sort of neo-cloud structure. And then we have these sort of really tight partnerships with companies who either know about or heavily involved in the offshore industry already. So they're maybe platform owners, things like that. And what we do with them is we'll co-locate with them, or offshore wind, we'll co-locate with, and then we go out to give out to the market and get generally private tenants just now, but or NeoCloud, sort of just written out to the market. And then now we're starting to see some of those big players who need to care about latency, you know, maybe because they're streaming games or entertainment, then we're starting to see them pop up now too. But the commercial adoption is coming, but it's not quite there yet. We're not a well-known enough entity. We're starting to get there, but it's sort of we're still esoteric. But it I guess when it really started to change was with the, I don't know if you would call the advent of AI, but definitely the advent of commercial AI relative to the public, then people were starting to think like, oh wait, we actually need much higher rack densities. Who does that? And that at the time it was only us. And so that's we saw a lot of uptake there as well. So I think as we move away from tra if we move away from training and we move into inference, which requires edge, then we'll probably grow and grow. And I expect to see that over the next sort of 18 months is is is a lot of AI adoption.

SPEAKER_01: 45:22

That's interesting. Like the the companies that are really paying attention to latency for their product.

SPEAKER_04: 45:28

Yeah.

SPEAKER_01: 45:28

I mean, you can't get any closer than No.

SPEAKER_04: 45:32

And like 55% of the world's population lives coastally, and then a sort of large amount of the remaining also live close to water. Like that's how we set up our societies, right? And so yeah, you can't get closer. We uh some of the latency metrics that we have are like a 98% decrease in latency, which is wild.

SPEAKER_01: 45:52

That's insane.

SPEAKER_04: 45:53

But it doesn't matter for everyone, and that's kind of uh not the problem, but that's this slow adoption because it matters to maybe some fintech and it matters to telehealth, but we're not doing that holistically in society just now. So it matters like to just these little niches, then of course everyone cares about their Netflix. No one wants a buffer in time, and it also matters to like gaming, but it's it's yeah, we're we're still niche, but we're growing. We can see what it probably looks we can see around a few corners, or we've got like a long enough line of sight, but after about, I guess, call it 18 months from now, we're blind and we're guessing, just like every other company. Because it all depends on AI. And AI just now is a bubble. How big is a bubble? I don't know. I don't know if anyone knows. I think to be a really sort of big bubble that is felt either nationally or internationally, the sort of bubble size in terms of GDP has to be over six percent, I think, is a rule of thumb. And right now, AI is about, I think, three or four percent of GDP. So we're not there on a huge bubble, but we might get there. Alternatively, it might be that the hyperscalers, Nvidia and OpenAI are the most injured parties if this is a bubble and it bursts. And the rest of us can go, okay, well, we'll go back to Google search. Like, let's see what happens.

SPEAKER_01: 47:17

Right. Yeah, I was I mean, I I know we're coming up on time here, but I was watching a video earlier that said that NVIDIA's market cap is now bigger than Germany's entire economy.

SPEAKER_02: 47:30

Yeah, yeah. It's wild.

SPEAKER_01: 47:32

My only my only comment was NVIDIA is now too big to fail.

SPEAKER_02: 47:37

Like it basically is.

SPEAKER_01: 47:39

You see that kind of market cap evaporate, you know, on the SP 500. I mean, that's a 30% decline, basically.

SPEAKER_04: 47:47

Yeah, that would put people in a bad mood. Yeah, exactly. It's it's interesting to think of it that way, but it is circular if you kind of look at the mic.

SPEAKER_01: 47:55

It's so circular. It's so circular. But basically, it's like guys, you can't think that this is a good idea. I mean, you have to be like 10 times smarter than me. Well, how am I pointing out that this is a terrible you know what I mean? Like, come on.

SPEAKER_04: 48:10

No, it is. It's it's sort of wild that I mean, it's sort of I don't know, reductively, there's more nuance to it than kind of how I'm gonna bastardize this, but ultimately we need to know or we need to see open AI succeed because the hyperscalers are currently paying for their GPUs because they're putting money into NVIDIA. Nvidia's giving it to open AI in the form of GPUs and sort of their other, I don't know if they're SPE structures, but some structure. And if OpenAI fail, well, what's gonna happen? Sort of thing. So it's sort of interesting that way. But yeah, the the hyperscalers are currently paying for open AI's trajectory, I suppose. So if they fail, then what happens? And if they don't fail, then great, it does get paid off. But let's see. Let's see, because it because again, like user behavior hasn't changed significantly. Like AI is still very visible at the moment, and it it's changed in how we get some to some outcomes, but it's not really changed the outcomes themselves. I need information, will I search it? And now I get it in a bar at the top of the screen. It didn't change anything for me, right? I would have gotten that information anyway. It changed how I interact with customer support, but I was going to get the customer support anyway. And the promise of AI was it will do things both better than us, which I think that it in some cases it does, but it will also do things differently. It's not doing things differently. Like, we are not changing rules because of AI just now. And my favorite sort of way to think about this is stop signs. I want to get into a Waymo and never stop. I don't have to stop until I've reached my destination because it knows where every other car is. I don't need a stop sign anymore. I don't even need to stay on the same like speed of the road anymore. I can go around obstacles because it knows where every other car is. It gets me there safely, far more safely than my Uber driver from multiple levels. But it's not changed that yet. It's just changed the speed and the safety, but ultimately I get there the exact same way as if someone was driving it. So until it changes outcomes, it's gonna be very sort of interesting to in in in how we think of it. Like I think people are still trying to make it a feature just now, but to be a winner in AI, it's gonna have to be more than a feature, it has to be a different part of the stack, and you have to be involved in all of the stack from the infrastructure all the way through to the product. And again, I don't know if this is maybe the right note to finish on, but there's no moat around LLMs just now. You pop the same query in to name your top five, rock, chat GPT, can't think Gemini, you know, perplexy. Same. I don't know. You read an answer to me, probably can't guess who gave you the answer. So where's the differentiation? Now we're working on preference. It's sort of interesting that way.

SPEAKER_01: 51:06

Yeah. No, that's a really good point. It'll be interesting to see how everything, you know, kind of shakes out.

SPEAKER_04: 51:12

Yeah, I know. I know. Well, that was that. On that note.

SPEAKER_01: 51:16

Right. Yeah. Well, Maxi, you know, I I really do appreciate you coming on. I think it was a great conversation. I really I definitely really enjoyed it. Me too. Um, but yeah, th thank you so much for finally being able to come on.

SPEAKER_04: 51:28

Thank you for your patience. Thanks for keeping on trying because I am sorry. But yeah, no, it was really good, really enjoyable. Let's see in a year's time what's happening with AI and we can discuss that and I can tell you if I got abuse for the things I said about both parents and people in security.

SPEAKER_01: 51:46

Yeah. Yeah, we'll do it again for sure. Perfect. Yeah, Maxi, before I let you go, how about you tell my audience where they can connect with you if they wanted to connect with you? Yeah. Where they could find Subsea Cloud if they wanted to learn more.

SPEAKER_04: 51:59

So I'm most active on LinkedIn. I know I slighted it earlier by calling it professional social media, but I am most active on there somewhat, like I browse X every now and again, but you know, I'm trying to post there more often, we'll see. And I am just about to start like a essentially an AI an AI security blog, which makes me sound like a boomer. But also like a a newsletter that will go out just hitting the high points and then some like hopefully what will be perceived as thoughtful analysis on AI and AI security every week. So you can find that probably maxirynolds.com. And then yeah, LinkedIn. Not for you, you go to you go to spam, but for everyone else, they can get in touch with me there.

SPEAKER_01: 52:47

Right.

SPEAKER_04: 52:48

Yeah.

SPEAKER_01: 52:49

Awesome. Well, yeah. Well, thanks everyone. I hope you enjoyed this episode. Cool.

Joe South

Host