Jeff Man 0:00
This week, we’re going to explore a little bit of a different side of the security and compliance discussion. We’re going to focus not so much on the rules businesses follow to meet security and compliance requirements, but on the rules they need to follow to enable their employees and users to actually gain access to information technology systems. To explore this topic, we are joined today by Mr. Joe Brinkley, who is also known as the blind hacker. So join us as we continue our journey of tearing down silos and building bridges on Security and Compliance Weekly.
This is a Security Weekly production. And now it’s the show that bridges the requirements of regulations, compliance and privacy with those of security, your trusted source for complying with various mandates, building effective programs and current compliance news. It’s time for Security and Compliance Weekly.
RSA offers business-driven security solutions that provide organizations with a unified approach to managing digital risk that hinges on integrated visibility, automated insights and coordinated actions. RSA solutions are designed to effectively detect and respond to advanced attacks, manage user access, control and reduce business risk, fraud and cybercrime. RSA protects millions of users around the world and helped more than 90% of the Fortune 500 companies thrive and continuously adapt to transformational change. For more information visit securityweekly.com/RSAsecurity.
Jeff Man 0:54
Welcome to episode number 26 of Security and Compliance Weekly, recorded on April 28, 2020. I am your self-isolating host, Mr. Jeff Man. Joined with me today are my co-hosts, also self-isolating in their little parts of the world: Mr. Scott Lyons, Mr. Josh Marpet and Mr. Matt Alderman. Gentlemen, welcome.
Matt Alderman 1:09
Day two of the eased restrictions in Colorado, but I can’t even tell the difference, so.
Scott Lyons 1:13
I was gonna ask, does anybody remember the last time they actually took a shower?
Josh Marpet 1:17
Like last week or something? I don’t know. It’s,
Scott Lyons 1:18
You know, it was funny, I was scrolling through Twitter and I saw that the PR firm for the Death Star announced that they are extremely pleased that they’ve completely eradicated COVID-19 on Alderaan.
Delaware, it’s worse. Today is the first day you’re mandatorily required to wear a mask outside if you’re over 13.
Jeff Man 1:33
Yeah, we’ve been doing that for a couple weeks now in Maryland. Hey, before we jump into our discussion, I do have a couple of announcements to make. Are you going cloud native? See how to integrate application security in our next webcast with Signal Sciences. Also learn how penetration testing reduces risk in our May webcast with Core Security, which is a HelpSystems company. Apparently, they got acquired recently. Register for our upcoming webcasts or virtual trainings by visiting securityweekly.com/webcasts. You can also access our on-demand library of previously recorded webcasts and trainings by visiting securityweekly.com/ondemand. For each webcast you watch, you will earn one CPE credit; to get that, you just have to give us your ISC2 and we’ll go ahead and submit that on your behalf. Also, we have officially migrated our mailing list back to our original platform. We have our categories nailed down and you are now able to customize what you receive from us based on your preferences by visiting securityweekly.com/subscribe. Go there, click the button to join the list. Once you’ve joined, you will also be able to go back and update your interests so that we can grow with you as you progress through your journey in infosec. All right. As we mentioned in the pre-preview to this episode, the prelude, we are joined today by Mr. Joe Brinkley. Joe is known within the security community as the blind hacker. Joe, welcome to the show.
Joe Brinkley 4:32
Thank you for having me.
Jeff Man 4:35
Great, we appreciate you taking the time from your busy schedule, and we have no ill feelings about the fact that you bailed on us at the last minute last week. We held our own and we were not holding that against you, and we’re glad that you got things worked out and you’re able to join us again this week.
Joe Brinkley 5:00
Absolutely, absolutely. Well, last week was unfortunate. It was just moments before we were supposed to get on the call, I believe, and things started going awry with clients, and when business comes up, you know, it comes first.
Jeff Man 5:14
Yeah, absolutely. We understand that here at Security Weekly Productions, and we’re nimble, at least, at least in production. We’re nimble. I can’t say that I nibble. I’m not gonna say anything about Josh is nimble – nimbility. Is that a word?
Josh Marpet 5:30
Jeff Man 5:31
Agility? Thank you. Thank you. Anyway, so Joe, starting off, why don’t you tell us a little bit about yourself, your background and how you got into the business, cybersecurity, what you do. And then we’ll migrate into talking a little bit about this thing that you do on the side called the blind hacker.
Joe Brinkley 5:56
Alrighty, so for me, I started off as a standard IT security engineer, because back in the early 2000s there was no cybersecurity. There were no penetration testers; everything was based on a defense-in-depth strategy, and everybody was part of the operations team. So as I came up through the ranks and worked my way through some things at various government agencies and places along the way, eventually I became a director of offensive security. And what that really means is I’m just responsible for product delivery at the firm I’m at. And we put out standard-issue red teaming and penetration testing, vulnerability assessment and compliance reports. It’s, you know, it’s kind of always been a passion of mine to be on computers. So long story short, I only started losing my vision at 16, but I was into computers before that. I thought I really wanted to join the Navy. The great thing about losing your vision is nobody in the military wants you, because you have to be combat ready. I lost my vision six days after my 16th birthday, very rapidly, due to Leber’s hereditary optic neuropathy. If you look that up, it’s a really big word; all it just means is my optic nerve doesn’t have the mitochondrial cells in it to grab all the data it sees and precisely focus it through the nerve into my brain. So that’s why I use assistive adaptive technologies, and I’ve kind of been that way since I was 16. And here it’s been 20 years later.
Jeff Man 7:36
Well, I would Google the word, I’m just not sure how to begin spelling the word.
Joe Brinkley 7:43
That’s LHON for short, for those that are curious.
Jeff Man 7:48
I am curious. So we like to start our show off by asking all of our guests the same question. I realize we’re having a little bit of a different type of discussion about security and compliance today, but we are just interested in getting your take on this thing that we call the security and compliance continuum. Just, you know, where do you fall in terms of security versus compliance? No right or wrong answers, just your thoughts.
Joe Brinkley 8:19
So a lot of people like to go around and say compliance is not security, but I can tell you that compliance can drive security. At portions of my career, I have been the policy writer for programs and projects that I was on. So you know, when I first got introduced to it and was told to write my first security SSP, and they’re like, this is what it should look like and this is what you build, I was like, this is stupid, who’s gonna follow these? And then, you know, a handful of years later, I was finally able to go, hey, you guys need to be doing penetration testing. You guys need to be following these things, because your program and your entire policy says that we’re supposed to be doing these things on quite a bit more frequent a basis than you’re doing. I was able to drive home some security using compliance.
Jeff Man 9:15
Great. Thank you for your response and your thoughts on that question. It’s not inconsistent with the way some of us feel about security and compliance. I have one or two questions to sort of shift gears into this blind hacker thing. First of all, silly question, but I feel like I want to ask it because I try to make sure I’m using correct terminology. So what is the current, in-vogue, proper, appropriate, politically correct way of referring to people such as yourself that have some sort of, I don’t even know what you call it. That’s why I’m asking. Visual…
Joe Brinkley 10:04
Visual. So I’m legally blind, visually impaired. So that’s why I felt safe grabbing the pseudonym the blind hacker, because ultimately, being legally blind, I can’t operate a motor vehicle. Yeah, you know, legally, certain things the law prevents me from doing because of where my visual acuity is on the scale, and then there’s the, you know, me. So I love the legal vision.
Jeff Man 10:36
Josh Marpet 10:37
I love the fact that you stated very carefully, I can’t legally operate a motor vehicle, but you know, hey, come on, I’m just saying...
Joe Brinkley 10:43
Well, you know, the issue with that is, to operate a Segway or some of these electric scooters in certain counties and places, you’re supposed to have a driver’s license if you’re over the age of 16. And you’re not even supposed to operate them in some places if you’re under the age of 18 without a driver’s license. Well, I’ve used them before, you know, to get around some of the larger cities, but you know, that was, you know, out of scope. Have I ever driven a car? No, actually. So again, because I started doing the whole, I’m in a parking lot, you know, mid 15, you know, 15 years old, six months, and then I never kind of graduated to the road. And then like I said, I went to go take my driver’s test, and you put your eyes up to the little thing and go, E, E, I can’t read the rest of it anymore. And literally, almost overnight, the rest of it went away. And so I just legally never operated a motor vehicle.
Jeff Man 11:43
Well, thank you for sharing that. I was actually looking for a little bit more of a generic response. I mean, we’re going to be talking about the Americans with Disabilities Act today at some point, in terms of how companies can and should be complying with those statutes, or that statute. Is it still in vogue? I mean, most of the people that I meet that have some sort of disability, by definition, don’t consider themselves to be disabled. So is the term still something you should use or not use? And what is the alternative?
Joe Brinkley 12:20
Again, disabled, defined ultimately from a standard society definition: I can’t do something, so therefore I’m disabled. I do view myself. I did public talks, Hacking While Blind, where I talk a little bit more in depth about the technology and things that I use. And I talked about, I just consider myself differently-abled, because I’m able to do a job, I’m able to do the things that I do, so.
Jeff Man 12:49
Gotcha. No, I appreciate that. Like, you know, I try to be sensitive sometimes, even though Josh and Scott think I’m pretty insensitive, based on our pre-air discussion.
Scott Lyons 13:00
Josh Marpet 13:02
We don’t think you’re insensitive, we just think you’re hilarious with your people skills.
Scott Lyons 13:06
Yeah. And plus, you know, cyber insurance? I mean, who’s gonna be sensitive about that? I mean, come on.
Josh Marpet 13:11
PCI, what, what, what?
Jeff Man 13:15
All right. Do any of my hosts have any questions for Joe?
Matt Alderman 13:21
Well, so you know, one of the things I know that when we were building security software, one of the requirements that comes out, Joe, you can probably talk about it a little bit, is Section 508 requirements, right? That’s the accessibility requirements for software. And I, you know, having worked for a number of vendors, I always knew this was one of those things on the backburner, right? It was one of those things you kind of got to when you wanted to get into certain federal agencies because of the Americans with Disabilities Act; I think it’s a requirement in there. Talk a little bit about Section 508. I mean, what do people do? Don’t do? What’s the level of requirements there? Can you give us any guidance there? Because it’s always been one of these interesting areas that we haven’t, you know, most of the companies I worked for haven’t dug into very deeply.
Joe Brinkley 14:13
I absolutely can. So, one of them, that’s actually a really good question, I like it. Um, so here’s the thing, as you said, 99% of the time for a professional company, meaning someone who produces software for security, for professional purposes, not going to name any vendors, they don’t care. 508 is the last thing on their mind. The reason that I’ve been able to function so well in my job is the limited vision that I do have allows me to still see the screen, extraordinarily ballooned up. But um, you know, I will tell you, if I was fully blind, there are certain, you know, name-brand mainstream software that I would not have a chance to use. There’s no way. And personally I, you know, I don’t have enough clout to reach out to them to tell them, hey, can you guys do better? You know, I’m slowly getting there throughout time. As we said, I adopted the name the blind hacker. So that happened, you know, August 2018. And I really bit into it because, you know, it became who I am; you know, I wasn’t just Joby anymore, I was doing this because I’m visually impaired and trying to show people being differently-abled doesn’t prevent them from completing the jobs that they want to do as a penetration tester, red teamer, forensics, so on, so on. So, a lot of the software in those categories, unless it’s CLI-driven, it’s just not usable.
Matt Alderman 15:49
And so I assume you use tools in your day job that are either command-line interface, or you can figure out how to use them without being 508 compliant.
Joe Brinkley 16:03
Yeah, so there is, back in the, I’ll say, years ago, a certain very popular vulnerability scanner was not 508 compliant remotely. So I built a tool that would interface with the API and go in the backend and run the scans for me, do the things I needed, bring me the results, create XML, email it to me, and then be able to use a parsing tool that I built as well to tell me, you know, kind of more or less what was going on. You know, I’ve shared that with people that are entirely blind, and they’ve loved it. Now, that tool specifically has a much better interface, HTML5, not quite great on the 508 compliance, just in readability per line, you know, top-to-bottom reading, left-to-right reading. But they’ve gotten a lot better; you can at least get the data now. Other pieces of tooling, large vulnerability and exploitation vendors, still, more or less, when you use a physical app still based on the desktop, it’s extraordinarily tough, unless you build it in. When you move to the web interface, interfacing with an API and a command line that then brings you the data on a webpage, it’s a lot friendlier, it’s a lot better. But it’s still not like, you know, again, having the limited vision I have and the years of experience with it, I get where it’s at. If I were to try to introduce somebody brand new, there’s going to be varying levels of understanding of where the data might be at physically or relative to a screen location.
Matt Alderman 17:39
Right? Yeah. Because you have to kind of know which cells have which data, so you know how to kind of know where it’s at, so you know how to parse it or whatever you have to do to build your tools. And I think I know which tool that is; hopefully they didn’t lock down the APIs on you like they did most of the other people.
Joe Brinkley 17:55
They did, but it’s, again, it’s one of those things that you work around. There’s a lot of free open-source vendors. You know, I’ve got to highlight some of the guys from BloodHound; that was a tool that I did actually complain about stuff in their Slack. And they immediately said, oh, by the way, here’s this command-line ingestor version that has these other things. And then other people grabbed that capability and wrote other miniature tools that can focus on: do I want to go for domain admins, do I want to go for machines that are easier to exploit, do I want to go for machines that are missing patches. And so using BloodHound, you just drop the ingestor, it brings it down, and instead of popping up in the Neo4j, which is very visual and GUI-heavy, now I just drop it into a command-line tool and say these are the things that are important to me, and it brings me that data back.
Josh Marpet 18:49
Joe, let me ask you a question. And I’m going to sort of push back a little bit. I should tell you that I have a little bit of background. My mother was a NARHA-certified instructor, that’s the North American Riding for the Handicapped Association. So I was actually a sidewalker and leader; we worked with physically handicapped people as well as people with developmental disabilities, and some significantly handicapped. So every single person that we worked with had an individualized set of needs and abilities. And so you’re talking about some of the things that work for you, which are command-line interfaces; they work much easier for you because they’re text-heavy, so things that are text-heavy for you are the best. Okay, I get that. That makes sense. You can read them. I don’t know if you use a Braille reader or a magnifier or whatever. But command-line interface means it’s text, you can read it, you don’t have to balloon it beyond comprehension to see the GUI. But for somebody that has a physical limitation where they have no control of their hands, they’re using, for example, a mouse deck to, you know, to peck at a keyboard or to indicate what they need to be typing. And so I guess my point is, not everything should be command-line interface. Instead, it depends.
Joe Brinkley 20:04
I don’t believe that either.
Josh Marpet 20:07
No, I know. I’m sorry, I wasn’t saying you were. I just wanted to point out that there’s an individualized set of needs for each person. Does that make sense? And I’m sorry if I came across badly.
Joe Brinkley 20:16
Oh, no, no, absolutely. You’re right. You’re right. There’s a lot of, because the, you know, Americans with Disabilities Act, ADA, Section 508 compliance covers everybody from physical, like you said, to mental, developmental. And by the way, it is one of the hardest things to comply to. I will say a major shopping retailer, named off of a, used to be a book company, right? They themselves don’t have the ability, as big as they are, as much money as they have; most of their site isn’t 508 compliant, most of their tools are not 508 compliant. You know, there’s certain things that, you know, even throwing, you know, billions upon billions of dollars, it still isn’t going to get them to the place that every single person is going to be able to use the site without issue. And I understand that. But that’s why the talk with, if you have the ability to have an API, leave it open. You know, make a comment about it or document it somewhere, so that I have the ability to generate the data that I need to see where people see, relatively speaking, or people entirely blind to lightly blind have the ability to pull that data down. But again, leaving the main interfaces there for those people who have regular usage, or, as you said, maybe just a mobility difference. Instead of using a mouse, they use, you know, a straw, an eye-mouse movement, anything, right? So the data is there, it just needs to be accessible to everyone, which would be the great thing, but I get it’s tough.
Josh Marpet 21:54
So I like your point, which is, you know, the one step that a website, a tool developer, a software development company, just about anybody can do is leave the API open so that accommodating programs can be utilized to use that API. Am I vaguely correct there?
Joe Brinkley 22:12
Yeah, absolutely. So, you know, example. I’ve tried to help students before. They come to me and say, hey, I see you’re the blind hacker. I’ve seen some of your, you know, heard some of your screams. I’ve understood the things you talked about. So I decided this year I was going to take a forensics course, and I was like, fantastic. So forensics, kind of already, and you know, Linux forensics is already CLI, a lot of these things. Well, there, oh, my course only teaches with some of the Windows CE based tools, no CLI; they are GUI and they grab metadata and you go from there. How can I do that same work? So I was like, well, here’s the alternative tools. Well, my professor doesn’t know them, so I won’t be able to be graded on them. So to me, that was a deficiency amongst the professor and a deficiency amongst the program.
Josh Marpet 23:03
I teach forensics, I have taught forensics for years. And if you don’t know a whole slew of tools, you’re not a competent professor. Sorry. You may have a core curriculum that mandates you use EnCase because you’re a law enforcement school or whatever. But you should be able to at least accommodate with tools that are CLI. Hell, EnCase has a CLI, I believe, I looked it up.
Joe Brinkley 23:21
Josh Marpet 23:23
But I mean, you know, you’ve got to be able to use alternative tools: Autopsy, Sleuth Kit. There’s a dozen tools out there for anything you want to do. Okay, maybe except Volatility. But, you know, like, it’s, yeah, I totally agree. That professor needed to be smacked.
Joe Brinkley 23:42
I mean, that’s just Volatility. I mean, you know, there’s other ways of grabbing memory from RAM; you could just dd the RAM. There’s, I mean, so many alternatives, but the fact that the professor was unable to do that. So I mean, it again kinda, I can tell you the story about the time that I went to university when I still lived in Maryland and said, hey, I’m 18, I lost my vision two years ago, help me out. And so yeah, a lot of you guys know me now. I’m very technical, and I know a lot of stuff about a lot of stuff. And yeah, you know, I don’t share the story often. But when I went to this university, and I sat down, and there I am in the entrance exam, and one of their things is to build a computer. Well, because the person going over the exam, the proctor going over the exam, saw that I was using my feel (by the way, I put the whole computer together, it booted up and operated, I installed the operating system on it), but because I screwed in hard drives, because I looked at the CPU and knew that the gold corner goes in the other corner, and instead of looking I just knew where it was. These are things that I just knew, implanted in memory, and I just built computers still, even visually impaired. And because I put it together that way, he told me I’d never make it in this industry. And I believed that for a while. So from 18 to 20, I was not in the cyber industry, I was not in the computer industry, I wasn’t remotely computer-related. And then finally, going forward, I said, that’s my passion, I’ve got to do this. And you know, we’ve already discussed the rest of the history. But fortunately, somebody gave me a chance and the rest is history. So, to me, it breaks down a lot of the time to people not understanding those individual needs. And because there isn’t clear compliance written on what a person with a visual impairment needs. Oh, they just need all text? Well, not entirely true.
Oh, a person with a physical disability, a mobility disability, who uses a mobility controller instead of a mouse? Well, they need these things. Well, again, not entirely true. It’s hard to do it, and I do get that, but I would love to see people taking it a little bit more seriously. Because there’s no reason that people who are differently-abled, with visual or hearing impairments or physical mobility, shouldn’t be able to do these jobs. Our brains work just as well. And you know, everybody’s like, oh, you’re missing the one sense that is everything. No, our brains work just as well; we just can focus a little bit more on particular things. That’s really what it boils down to. Right. So by the way, Infosec Daredevil almost became the name, but I decided against that, just the blind hacker, just saying.
Jeff Man 26:24
Is there a legally blind, visually impaired equivalent to a squirrel? Or maybe yours is better than ours? Um, quick question for you, and then we’ll take a break. You know, you talked about how a lot of the software doesn’t have this stuff built into it to help you out. Are there, you know, and maybe this is a longer answer, and maybe we’ll save it for the break and you just give us a teaser, but, you know, what are some of the tools that are available that are sort of ancillary tools that help you use other software? And or what are some things out there that actually do, you know, satisfy compliance and help you do your job by, you know, helping to enable you to be on a computer?
Joe Brinkley 27:18
Oh, absolutely. The quick answer is modern-day technology has come a long way. There is built-in screen zoom in almost every operating system I’ve used: Android, iOS, Windows, Mac, so on and so forth. There are screen readers built into each one of those, same thing, screen zoom, colorblind modes. There’s a large set of tools out there; it’s just kind of understanding the tool that you need for the operating system that you’re using, and then just getting as familiar with it as you possibly can, because you’re gonna have to remember at some point, that’s your eyes. That’s your ears. That’s, you know, the thing that is augmenting, you know, the lack of, you know, the sense that you have, so.
Jeff Man 28:05
Great. Alright, we’ll take a quick break. We’ll come back and continue the discussion with the blind hacker.