Mike Jones 0:22
Welcome to the Haunted Hacker podcast number… I don’t know, Scott, pick a number?
Scott Lyons 0:30
Hmm.. 42.
Mike Jones 0:31
42? Okay, this works…
Scott Lyons 0:33
It’s nice and low. I mean, it could be it could be podcast… You know, we could do we could call it podcast 066 as in Order 66.
Mike Jones 0:41
Let’s do that. I’m down with that. Okay, 066 down. All right. News, I don’t have a lot of news. Very little to no news. Future speaking engagements are probably speaking for ICE coming up in October. And also the London police and Cyprus and so on, so forth. So if you’re watching the podcast, and you’re looking to send a speaker request, the email is [email protected]. So today, we have Scott Lyons on. Old school hacker. Goes by the handle of Csp3r. Scott, why don’t you introduce yourself for those people who have been living under a rock and don’t know who you are already?
Scott Lyons 1:28
Sure. Thanks for having me on, Mike. Hi, everybody. Scott Lyons here. My hacker handle is Csp3r. I’ve been in this industry for well over 25 years. Jesus, old, we’re both old. Um, I’ve done a lot of work all over the place from fed to commercial to freelance, right. For the last couple years, I’ve been running a company called Red Lion, you can find us at redlion.io. I’m also one of the co-hosts of Security and Compliance Weekly, have to give that a plug as well, where we actually make compliance sexy again. I know, to borrow the turn of phrase, but you know, it is what it is. So a lot of the work that I have been doing lately has been towards helping companies, helping people understand what the basics of information security are. What we see from a services perspective is that there are a lot of businesses that are out there that want to be protected, but don’t know how to be protected, because they’re so focused on sales and marketing that they don’t have time to really understand what that posture looks like. So a lot of the work has been really helping people navigate what is information security. You know, we’ve been in this industry for so damn long at this point, being able to have that clear vision and clear value of being able to put security towards a, you know, CapEx or an OpEx for a lot of businesses has really, really helped a lot of people, and I’m talking about companies big and small. You know, everybody has the same problem. What the real systemic issue is, is that we need to start teaching our kids and our relatives what security means, what security looks like, and how to stay safe with a digital footprint. So yeah.
Mike Jones 3:22
Yeah, totally, totally. We also need to teach CISOs that too every once in a while too.
Scott Lyons 3:27
You know, it’s funny, because in the industry, we refer to CISOs a lot as the Chief Scapegoat. And it really sucks being in that position. You’re given a budget, you’re told to secure an environment, and then your hands are tied by either the CEO, the CFO, or the board, or the people underneath of you. So it really needs to be both a top-down and bottom-up approach, right, to be able to prop up a CISO correctly. It’s just, there’s so many good CISOs that are out there that fight the good fight. And then at the end of the day, if the company gets popped, they’re the ones who are getting shit-canned.
Mike Jones 4:05
Yeah, I see that all the time, especially when you do incident response, you know, you get somebody, you know, makes a small mistake or doesn’t have a budget for, you know, a specific application. Next thing you know, they’re on the chopping block for a cause.
Scott Lyons 4:18
Yeah, and a lot of the problem that we’re seeing as well is that C-level execs in general are putting a lot of money towards tools versus actually buying people, and you know what I mean by buying people, what I’m saying is paying for people. Right? And building process. You know, on SCW – Security and Compliance Weekly, we actually had somebody that said something smart: build the process, then buy the tool. You know, and it’s sort of a reverse of what we’re seeing in market space now. You know, with XDR out there and zero trust and all the other models that you want to throw at something, if a company is not willing to spend at the end of the day to protect themselves, what can we actually do?
Mike Jones 5:03
Exactly.
Scott Lyons 5:04
And when you… it’s one of those Catch-22 hard points that we have a problem with.
Mike Jones 5:07
Exactly. And then when you look at, you know, companies that might not necessarily have the budget to hire a bunch of analysts, they’re going straight for the bells and whistles, right? They’re thinking that an application is going to take over what an analyst can do and do a better job. So they go after the shiny stuff. And Darktrace is a great application, if you need Darktrace. But the problem is, these people, you see these groups that are buying Darktrace and other applications or platforms aren’t even patching correctly. So you know, save some money, buy the right people, get the process down. And start from the basics. You know.
Scott Lyons 5:46
Yeah, and don’t just find the people that are directly out of college, either. I mean, there may be some diamonds in the rough there, but they’re still rough, you know, you need the experienced people who have been in these businesses for long enough to understand architecture versus security versus protection profile versus policies and procedures, you know, bringing somebody in directly from college. Sure, they may be cheap as dirt, it’s, you know, at some point, but they’re not going to have the requisite skills that a seasoned veteran would have that has been through the fire and brimstone of working inside of these organizations. You know, don’t just think that, hey, you know, somebody fresh out of college is going to solve all my problems. Well, unfortunately, they’re not, you know, there’s a big gap between what’s going on in the industry versus what’s coming out of colleges. And we’ve been trying to diagnose this gap for a very long time. And that comes down to the practical application of the skills. It’s one thing to learn Defense Against the Dark Arts. Right? But it’s something completely different to actually apply it.
Mike Jones 6:49
Right. And it’s completely different than reading about attacks and, you know, lessons learned or, you know, historical documentation, and actually having to be behind a console when that attack occurred. I remember when Titan Rain hit the military and I was working Yes, Jeff calm. That was the first experience I had with an APT attack, and back then we didn’t call them APT attacks. It’s a lot different. The speed at which you have to react and have to analyze and think on your feet is totally different than what you read in a college book or you see in an imitated simulation. So we talked about industry, man, we’ve both been in industry for forever.
Scott Lyons 7:32
Yeah.
Mike Jones 7:33
You know, you’ve been a goon at DEF CON for how many years now?
Scott Lyons 7:36
I am going into my ninth year as a DEF CON goon. I’ve also worked at a whole bunch of different security conferences. So if you see me at a con, you know, stop over, say hi. It gets to a point where you don’t even have to sign up. You’re just voluntold, you know? But working conferences has really opened a lot of doors. And if you’re on the fence about going to a conference, definitely go. You know, go for the networking, go for the memories, don’t just go for the talks. You know, talks are great, but talks are also, you can see them online, like IronGeek, Adrian Crenshaw, does a wonderful, wonderful job of trying to record as many talks as possible and put them up on his site. You know, definitely go check out Adrian’s stuff. You know, recently, I just went to GrrCon out in Grand Rapids, small little conference, it was…
Mike Jones 8:31
How was it?
Scott Lyons 8:31
Definitely refreshing, dude, it was insanely incredible. Definitely refreshing to be able to see a lot of industry family after this damn pandemic has just screwed everything up, you know, and to be able to sit back and trade stories of, you know, the highest of highs and the lowest of lows that have happened over the last year and a half. You know, and as you sit back and you start to hear what everybody has been going through, you sit back and you say to yourself, damn, I did that. Yep, that was me. I was in that hole. I needed help. And I should have reached out. You know, instead of just trying to grin and bear it and deal with shit as men, you know. Um, you know, the next one that’s coming up for us is ShmooCon, right? We refer to trying to get tickets to Shmoo as National F5 Day. If you’ve never heard of it, usually it’s about 1400 tickets that go in about seven to eight seconds flat. F5 as in we’re refreshing, waiting for the ticket screen to come up, and then it’s just a rat race to get into the queue and try to get everything taken care of, and it’s a lot of fun, you blink and you miss it. But if you can grab tickets to Shmoo either as an attendee or as a student, you know, like through Shmoo as a student, definitely check it out. It is one of those sought-out, go-to conferences, put on by Heidi Potter, that it’s an amazing, amazing time, and it’s in DC in January. So the first round of tickets go up, I think 14 November at noon at this point. But regardless, go to as many conferences as you can. Meet as many people as you can, you know, develop that reputation and also take a look at the personal brand for being an information security artist versus yourself. Right? So you basically have to split the two brands. Right? But by being at conferences, that’s how you start that journey, you know?
Mike Jones 10:43
Yeah, absolutely. You know, I still remember my first DEF CON, and it was so many years ago. And that’s the DEF CON that I met a mutual friend, Tom Ryan, and talk about the talks, right? So I think I may have gone to two talks that entire time. And the rest of it was being invited to parties and going to different parties and hanging out with different people. I met so many people, all of the DC 303, you know, all those guys, and you just, you build that circle, and you build that family. And here it is, you know, 20 years later, and I’m working with one of the guys I met at DEF CON. You know, it’s a very small community and everybody thinks that, you know, cybersecurity is a huge industry, but really the core people who were there when it started as a young, infantile industry, there are very few of us left.
Scott Lyons 11:39
There are, and that’s either happened through attrition, which is natural, right, like people leave the industry, by people passing, you know, we’ve had a whole bunch of people pass this past year that are industry people, or just people that don’t want to do information security anymore, you know. But there are definitely what I like to commonly refer to as the old guard. There are a lot of the old guard that are still around, that are still willing to bend over backwards to help people, like Pyro out of the 303 or Sky Dog out of Nashville. You know, you meet these people and, you know, you hold them on a pedestal, and then when you meet them, that pedestal just grows even bigger, you know, like Johnny Long, right? Oh, yeah. The original Google hacker, you know, and if you get a chance, go and take a look at his No Tech Hacking talk from DEF CON 9?
Mike Jones 12:37
Nine or ten.
Scott Lyons 12:38
I was like, we’re on 20 – DEF CON, what, 29 at this point?
Mike Jones 12:42
29. Yeah.
Scott Lyons 12:42
Yeah. Yeah. Coming into it or going out. There’s been so many DEF CONs flying by, it’s just a blur, right? Yeah. Um, you know, my first one, I think, was 18 over at the Rio. Right. And then I came on with SpeakOps under PW Crack, and Proctor and Pasteze and all those guys, and helped with speak ops, and then transitioned over to the swag team with Dasha and Secret, Brian. And haven’t looked back, you know, you’ve got to find your fit, you know. So it was no fun working with speakers, but selling swag, like, that level of chaos. If you’ve ever been in the swag room Thursday morning, immediately following getting a ticket, that amount of chaos. Like, bring it on?
Mike Jones 13:37
Yeah, that, and they used to have DEF CON at a different hotel a lot in, what? I don’t think it was the Rio…
Scott Lyons 13:45
Was it The Sands? Was it Alexis Park?
Mike Jones 13:49
We grew out of that hotel that they were having it at. There were so many people there. They violated the fire code. Yeah,
Scott Lyons 13:57
yeah, Alexis Park was the first one, and then it moved to the Sands, and then went to the Rio, and then for the last couple of years it’s been with Caesars Entertainment. So between the Caesars Forum, Paris, Bally’s? You know, the new Caesars Forum that they just built was supposed to be this year, but you know, at 10,000 attendees, you know, roughly 10,000, I may be a little bit over on the number, but you know, there’s no way you can throw that in the Forum. So just keep it in Paris/Bally’s. You know, and like Bally’s has its own, holy crap, are you kidding me? history. You know, you want to talk about the haunted hacker? Yeah, wow. Bally’s. Holy crap, back in the 80s. It was, what, there was a casino, there was a fire on the casino floor, killed 87 people, moving at 20 feet per second, and fully engulfed the casino floor. The firefighters who went in to battle the blazes, they opened the door, got a backdraft fireball coming out of it, like it was nuts. Right, and Bally’s is allegedly the second most haunted hotel in Vegas. The number one is the Luxor. You know, with Luxor, if you ever have been to Vegas or you want to go and find this on Google Maps, it’s actually really, really fascinating. Luxor, the theory behind it is that there’s always supposed to be two lions, right? There’s only one, number one. Number two, the angles of the elevators are completely wrong. Right? Number three, Luxor was sinking into the ground. It’s fascinating when you look at this stuff, right. And in Paris/Bally’s, if you go up to, I think it’s the 17th floor, there have been reports of a young child that passed that plays in the hallway and you can hear him. So a couple of friends and I went ghost hunting on the 17th floor, like we grabbed an app.
I think it’s called Necromancer, and you need an external microphone for it, or an external speaker, sorry, and you connect your phone in to the speaker, fire up the app and start asking questions, and shit, you’re not… we were getting intelligent responses.
Mike Jones 16:14
Wow. Yeah, I don’t doubt it, man. There’s a lot of history in Vegas, like look at the Flamingo with the mafia, you know, Flamingo is hot with organized crime. Most hotels there were based from the mafia, and the mafia ran them back in the day.
Scott Lyons 16:28
Until then, the mafia’s still involved, don’t think they’re not, you know. Speaking of the Flamingo, they found Bugsy Siegel’s getaway car that was always parked in the bottom. They found it welded in. So Bugsy Siegel’s actual car is still underneath of the Flamingo today, you know, like, that’s kind of really cool history. You know? Um, next time we go out to Vegas, I totally want to go to the Zak Bagans Museum. Yeah, and go ghost hunting at night. That to me just sounds, oh, so much fun. You know, being able to see Jack Kevorkian’s murder van, like, get out of here, man. You know, the doll collection. That’s all, like, relegated with
Mike Jones 17:13
Annabelle.
Scott Lyons 17:14
Yeah, like, Man, it’s amazing. You know? And like, I don’t know about you, right? But I’ve had a particular set of experiences.
Mike Jones 17:25
Why don’t you? Why don’t you tell us about the data center experience?
Scott Lyons 17:29
Oh, yeah, that’s headed. Um, so I’m in this data center. Oh, okay. You know, I’m missing a golden moment. Let me restart. So there I was, right. It was in the data center in Richmond, just outside of Richmond, Virginia, big data center, used to be an Xbox chip manufacturing facility where you could go from silicon to chip with no human interaction whatsoever. Very cool, very large data center. Okay. Sitting inside the data center, I had machines that were not communicating with me. I don’t live anywhere near Richmond. So I did drive the three hours south to Richmond and spend the night, but sitting inside of the data center, I’m sitting there at my rack, right, machines doing the blinky blink, right? Finally get into the machine after four hours of banging my head on it and having to call somebody, right. I’m feeling great. You know, I’m feeling like I just conquered one of the most difficult technical challenges that I’ve had to conquer in a while, which is, you know, breaking into a blade server with, you know, knowing nothing. Um, who. So, there I am sitting in front of the rack, lights are blinking, right? I pack everything into my bag. Right now, I’m on cloud nine, I just got into the server, I was able to recover it, you know, get access back to it. And I go, and I close the rack door and I pick up my bag, right, bag goes over the shoulder, you know, it sits perfectly on my back like there’s nothing wrong, right? Like the best feelings in the world, right. And as I’m walking down the racks, right, not every single rack is full. So you should be able to see through the racking, if you’ve been in a data center, you know what I’m talking about. If you haven’t, you can easily Google what I’m talking about. And as I’m walking down the data center, the cold row of the data center, right, I look to my right. And there’s somebody on the other side of the rack.
Now at this moment, I knew I was the only person that was in this room. And mind you, this is a massive, massive room full of racks, full of servers, full of secured storage, full of high value stuff, right? I’m walking down the row. I look over and there’s somebody on the other side of the rack, and I said, hmm, that’s interesting. I had to do a triple take, right? As I’m walking, this person is going lockstep with me. Wait, why can I almost see through that? Oh no. I’m chugging it down to the end of the rack, I flip around the aisle over to the hot row, and I look, and there’s no one there. That’s awesome, there was no one. I’m at this point, at this point I’m losing my shit. Did I, did I, did I really?
Mike Jones 20:39
We should…
Scott Lyons 20:39
I know the weed wasn’t that good man. No, I’m just messing.
Mike Jones 20:43
We should use some K2s and head up there.
Scott Lyons 20:45
So I call up to the guard desk and say, hey, you know, I need to be let out, right, and so they let me out, and I, you know, I’m like, did I really? Did I really just… what’s that? Did I… what did, what? Right? Get up to the guard shack and I say to the guard, hey, can you do me a favor and go back and check the access logs to the room? Right? I didn’t say anything. Guard comes back and goes, you’ve been the only guy that’s been in that room for the entire day. I’m like, I totally saw a ghost. I know what I saw. Right? Dude had on a button-down shirt with a Kentucky gentleman’s hat and blue jeans?
Mike Jones 21:27
That would be disturbing. Did he have a long beard?
Scott Lyons 21:32
No. I’m like, are you did that really just.. it did. Cool! right. So the next time that I go back to this data center, I’m totally taking the app with the phone and I’m taking a speaker with me and I’m totally going to do a spirit session inside of the, the facility and it’s I can’t wait to see what happens with it. Because if that happens again, like man,
Mike Jones 22:03
Oh, yeah, for sure.
Scott Lyons 22:05
So, and it’s just, it’s wild, you know, you’ve got that much energy sitting in one place. And, you know, we as people who are trying to decipher what goes on, you know, we sit back and we say, well, they draw on the energy in the room. Well, there’s more than enough energy in these data centers. Like, you got to think terawatts at this point. You know, whether it’s a regular data center or it’s a mining center, you know, those mining centers are absolutely massive, you know, so it’s one of those experiences that you will never, ever, ever, ever forget.
Mike Jones 22:43
Oh yeah, for sure. There’s a hotel here in Chattanooga called the Read House. And the Read House is supposed to be haunted. And actually they held Al Capone there before his trial, in one of the rooms, and the window actually has bars on it so he couldn’t climb out, but in that same room, there was a woman in the bathtub that got decapitated. And I know our computer guys and our hackers that are watching here are like, why in the fuck are they talking about this? Shit we’re into. So grin and bear it.
Scott Lyons 23:14
Well, you know, I was going to share another story, if I may. I was out in San Fran for RSA.
Mike Jones 23:22
Oh man
Scott Lyons 23:22
years ago. Right, let’s, let’s go right down the rabbit hole here right out at RSA. Right? The wife and I are out there. And we said to ourselves, okay, well we got some time to burn right? Let’s go. Let’s let’s go to Alcatraz.
Mike Jones 23:38
Oh, yeah.
Scott Lyons 23:39
Right. Right now the initial response is, wait, they actually let you out? Um, so we’re at Alcatraz, and if you ever get a chance to go, definitely do it. The most surreal thing that you will ever see in your life, right? I mean, obviously everybody, to each their own with experiences, however, is to stand on Broadway, which is the main cell run, right? Stand on Broadway, and listen to the levers being pulled as the doors are opening and golmaal. All right. So we’re walking around Alcatraz and I come up through the library. Right now, the library is down the way and over, so if you’re looking down Broadway, right, the library is three, I want to say two or three rows over, out to the exterior wall and then down, right. And I’m coming up through the library, sitting there, you know, dough, I’m listening to the history of Alcatraz on the headphones that they give you. And I’m standing there, come out of the library, turn around, and I’m reading one of the plaques that’s on the wall. And as I’m reading this plaque that’s on the wall, out of the corner of my right eye, an orb literally came out of the jail cell and disappeared into the crowd of people that were standing in front of it, and the cell that it came out of was the cell where the correctional officers were killed in and killed.
Mike Jones 25:16
Yeah.
Scott Lyons 25:17
Yeah, like what? You’re kidding me?
Mike Jones 25:21
They had a riot or something there, and I think one of the guards had his shotgun taken away from him, and it happened.
Scott Lyons 25:28
You can still see the marks of the grenade that was dropped down into the middle of the cellblocks.
Mike Jones 25:34
Yeah,
Scott Lyons 25:34
you know,
Mike Jones 25:35
It’s kind of weird too, because around the ceiling, there’s the catwalk that is up against the wall. And on the left, they have the library you’re talking about. And that’s where the guard got grabbed, was on that row. And they took him over to the, I think it was the same row as the Birdman, where he was at.
Scott Lyons 25:53
Yeah,
Mike Jones 25:54
That’s where they killed him. But yeah, it’s interesting history, that prison, so I usually name all my Wi-Fi access points after prisons, like Alcatraz and Folsom and, you know, just epic prisons, you know. So yeah, I mean, that’s a really cool story. I want to go back out to Alcatraz. There’s a couple places
Scott Lyons 26:14
You and I got to go. And we got to go ghost hunting,
Mike Jones 26:16
for sure. For sure.
Scott Lyons 26:17
You know.
Mike Jones 26:18
I watch that all the time. I watch Zak Bagans and
Scott Lyons 26:21
yeah,
Mike Jones 26:22
you know, when people talk
Scott Lyons 26:25
on YouTube, OmarGosh, OmarGoshTV. Oh my gosh, if you guys have never seen Omar doing his ghost stuff, it’s definitely well worth it. Oh, when we go out to DEF CON, what we really should do is we should post up where Tupac was murdered, and try and connect. And you know, right there in front of Caesars? Yeah, you know, I think it’s between Caesars and over by the LINQ? I think that’s where it was?
Mike Jones 26:56
Well, the new Suge Knight documentary on Showtime has the exact location, or actually they walk through the chain of events on that night. And they showed the street names and stuff, it’s pretty chaotic, you know, just to look at that history. Ghosts totally intrigue me, and not just because of, you know, the life-death, you know, kind of gray line. But also when you think about AI and think about how we’re advancing technology, I hope that we hit a point where we’re able to see, or we’re able to experience, those other dimensions that people see.
Scott Lyons 27:33
Yeah, and not the dimension that says that AI is nothing but if-then-else statements. I mean, let’s be honest.
Mike Jones 27:38
Yeah, yeah, for sure. So yeah, like, culture is a big thing when it comes to what we do. A lot of us have been around together for a very long time. I’ve seen a lot of people split off and, like you said, start something new, watched Raphesh Media start a ticket company and then went from a ticket company, and now he does tech consulting for Oliver Stone. You know, we have a bunch of guys in the industry that have gone off to do some really fucking amazing shit. Really interesting stuff, too.
Scott Lyons 28:09
Yeah, that we have. We have, and you know, it’s interesting, you know, you never know what the person next to you is thinking and you never know what they’re gonna do. Yeah, you know, and like recently on SCW, we were talking about what is the difference between a hacktivist versus an activist?
Mike Jones 28:30
I was starting to watch that episode before I got into this. Yeah, tell us about that episode, because I want kind of a synopsis, because I want to watch it later. But I want to know what’s going down?
Scott Lyons 28:41
Uh, well, the episode. It was really good. It was, you know, the episode was a firefight right from the gate. You know, because it was a carryover from insider threat, the Insider Threat episode that we did two weeks ago. So you know, a lot of the same sentiment was still in our brains, and you know, if you go and watch it you’ll see us go point-counterpoint and just start arguing with each other. You know, what it really comes down to is motive, comes down to societal norms, it comes down to access, right? And it comes down to a perspective that one would have against what other people are doing, right, you know. Like, does Anonymous do the right thing? That is, like, heavily debated. Are they doing it the right way? Again, heavily debated. You know, Jester, let’s talk about Jester real quick. Is Jester doing the right thing? Heavily debated. Is Jester doing it the right way? Heavily debated?
Mike Jones 29:56
Who is Jester? That’s highly debated too.
Scott Lyons 29:58
Well, yeah, but yeah, but even Even to that point stay frosty, you know?
Mike Jones 30:02
Yeah.
Scott Lyons 30:02
So it all comes down to how do you view the world? And how do you view what is right and what is wrong? What do you believe? And what access do you have to do something about it? Is there a method for being able to blow the whistle? You know, one of my friends on Twitter is sitting back saying, well, as a white hat, you know, we have companies that we try to tell until, you know, our ears bleed, that, hey, you’ve got a problem, you’ve got a vulnerability, you know, you have records that are exposed, you have sensitive data that’s exposed. And companies, as white hats, don’t listen to us. Right. But as soon as a gray hat or a black hat steps in and exploits that, you know, suddenly the sky is falling. It comes down to, what are people willing to pay for it to get the appropriate amount of security, and there is a Pareto curve that takes into account your vertical plus the amount of protection plus your critical infrastructure, right? There is a Pareto curve out there that can tell you how much you need to spend to get, you know, X amount of security. But no matter what we do, and no matter what tools we throw at things, there’s always going to be an insider threat. And there’s always, especially in today’s day and age, going to be somebody that doesn’t believe what the business is doing and says, well, fuck you, you know, I’m gonna steal all of your data and go hack you.
Mike Jones 31:28
Or you’re gonna have a race to get the vaccine, and Chinese or other countries trying to steal the recipe or the combination of chemicals, and their…
Scott Lyons 31:39
Nation-state actors are never gonna go away. No, no, it’s never gonna go away. And what it all comes down to is money. Yeah, where is the money? Who’s got the money? You know, unfortunately, there’s not, at least in my own humble opinion, there’s not enough. There’s not enough charity work being done. Yeah, for sure. There’s not enough turning a leaf over and giving somebody another chance. There’s not enough goodwill that’s being passed around right now. Now, I know it’s difficult with COVID and everything. But hey, you know, if you’re watching this podcast, I’m pretty damn sure that you know somebody that needs help. Right? You know, reach out to people, and even if they don’t need help, just reach out and say hello, you know, we’re all in this together, you know, and like, that’s the… I’ve always been a big subscriber for Hackers for Charity. Alright, recently, we lost one of the big proponents in Hackers for Charity. And may he rest in peace, but being able to take our skills and give them to charities and nonprofits that can’t afford what we do, like, come on, man, that’s got goodwill written all over it.
Mike Jones 32:54
That’s God’s will.
Scott Lyons 32:55
Yeah, it is. It is. And we need to do more of that. Because guess what, karma gets passed around, and it comes back tenfold? You know, whether it’s good or it’s bad. You know, we don’t have enough people that are asking the golden question, which is, in three months, six months, a year, three years, five years, how am I going to feel about the decision I’m making? You know, we don’t ask that of ourselves too much. Because everything we do is bang, bang, you know, we’re so used to hyperconvergence and moving at speed, and being able to do things at scale, that we don’t have time to step back and say, am I okay with us? Right? And that leads full circle back to being a hacktivist.
Mike Jones 33:36
Oh, yeah.
Scott Lyons 33:37
Am I okay, with what the business is doing? Or do I need to get out? Or is there an appropriate method to be able to change what’s going on for the better,
Mike Jones 33:44
or it gets to the point where the group as a whole changes direction? And at that point, that crossroads, yes, you have to ask yourself, am I okay with this mentality? Am I okay with this line of ethics? Now, during the pandemic, you know, you’re starting to see more and more hacktivist groups popping up because of the piss-poor decisions by some governments, you know, and there’s a huge environmental variable when it comes to hacktivism. And you always see it when we get people that are power-hungry, or, you know, money-hungry in the White House. And so,
Scott Lyons 34:23
but hold on, timeout, because it’s not always the White House that’s doing it.
Mike Jones 34:27
That’s true.
Scott Lyons 34:28
Even though we all say shit rolls uphill, when it comes to governmental decisions, right? You can’t sit back and sit and say, well, it’s all the White House’s fault. Right,
mike jones 34:37
right.
Scott Lyons 34:37
Not everything is the White House’s fault.
mike jones 34:40
Oh, no, definitely not. I mean, Arab Spring,
Scott Lyons 34:42
It all depends on how it’s been spun. And what we choose to believe of what we’re being told,
mike jones 34:49
right, right. I mean, if you look at like Arab Spring and stuff like that, it wasn’t just the White House but really it’s tyrannical actions by people with power, and abuse of that power, that the hacktivists really go after. It’s not so much, you know, they want to make money after data, you know, because money really was not an object, you know, it was more of making a point, you know?
Scott Lyons 35:13
Right. But at the same time, the general public’s gonna look at it as the haves versus the have nots.
mike jones 35:19
Right.
Scott Lyons 35:20
You know, I’m talking about the other side of the spectrum of what you’re saying, right? You know, perception is what, 99% of the battle? Yeah, right, with the eyes seeing, what the ears hear, that the brain believes, right? People are looking at it, like, why are they going out and doing this? Sure, they may be shedding light, but there’s a better way of doing this. Right. And, you know, unfortunately, public perception of stuff that’s been done in the past has been looked at, you know, as a bunch of kids who are crying about not getting their milk, you know, so it, you know, listen, that statement may turn a lot of people off, but just give me a second here, right? Um, there needs to be better diligence for the way that we do things, you know, the old guard way of doing things, it’s just not cool. That, you know, too many people get hurt too often. But at the end of the day, you know, it’s just, how do we change things? You know, if not being a hacktivist, or an activist, what can we do? And that’s an answer that I don’t have.
You know, what I’m talking about is public perception and how things have been portrayed. You know, what I’m talking about is a lot of people believe that there are better ways to do things than what’s been done in the past. Now, you know, I know your history specifically. Right. And I’m not in any way, shape or form degrading or demeaning it, right. You know, I’m just trying to provide that other side of the coin view and say, okay, well, if you’re going to go one way, you have to understand the cause and effect, right, to counterbalance. What does the other side of the spectrum look like? You know, in a story, there’s three sides to every story. Right? Your side, their side and the truth.
mike jones 37:11
Right, somewhere in the middle.
Scott Lyons 37:13
Yeah. So, you know, it’s, it’s, it’s easy to sit back and say, well, you know, orange man bad or, you know, current POTUS is, you know, has dementia, right? It’s easy for people to sit back and start to classify that, but what’s really going on in the business world is really what’s driving these decisions. Right. Like, did you know that? Do you know what the number one export of Afghanistan is? Do you know this?
mike jones 37:40
It used to be poppies, to make heroin. Poppies.
Scott Lyons 37:44
Lithium?
mike jones 37:45
Yeah. Oh, really?
Scott Lyons 37:46
Lithium. Did you know that Afghanistan and China signed a $68 billion deal to put a road between Afghanistan and China?
mike jones 37:54
That’s shocking.
Scott Lyons 37:55
You didn’t know that. Okay. So did you know that Biden signed an executive order that said half of all cars on the road by 2030 will be electric vehicles?
mike jones 38:06
Really? I wonder how the oil industry feels about that.
Scott Lyons 38:12
Did you know that the electric car facilities for China have been sitting dormant, except for a lone security guard, since the beginning of the pandemic?
mike jones 38:23
Wow. That’s crazy. So where do you see all that going?
Scott Lyons 38:29
No clue. I’m just asking questions.
mike jones 38:31
Yeah.
Scott Lyons 38:32
Did you see this? Did you see it in the media? Because, you know, the wag the dog special has definitely been being played lately.
mike jones 38:38
Yeah.
Scott Lyons 38:38
And, you know, the disinformation and misinformation that’s been given to us has been fucking eye opening.
mike jones 38:45
Yeah. I mean, when you look at the relations that Biden and his son had with China, you know, and the connections they have there, and how quick we pulled out and how fast the Chinese moved in. You know, I can’t help it, you know, put my tinfoil hat on and go what the fuck is going on?
Scott Lyons 39:04
Exactly. All these people, what’s going on in the background that we don’t know about with these big business deals, you know, that are lining special pockets? Like, did you know that Pelosi is being referred to as the investment queen in some circles because every single investment that she’s made in the stock market has had massively wild success?
mike jones 39:29
She has a lot of hidden influence as well.
Scott Lyons 39:33
Exactly.
mike jones 39:34
And a lot of decisions. I mean, look at, like, take cryptocurrency for example. And the people who have the most power and the most input into that market, they do one thing and the market fluctuates depending on what they do. Elon Musk is a prime example. He dumps a bunch of shit into cryptocurrency. Next thing you know, the price goes up, and then he withdraws his shit and doubles his money,
Scott Lyons 39:56
But also remember his sphere of influence reaches much further than sending a penis rocket into space.
mike jones 40:03
Yeah, exactly. True.
Scott Lyons 40:06
Yeah. And I saw that, I was like, wait, what? Yeah. But here’s the deal. Like, even though we’re talking about all of this, you know, you and I, and I think I can speak for you here and you can totally tell me to STFU, right? You and I subscribe to this theory of don’t just buy what we’re saying at face value. Do your own research. Absolutely. 100%. You know, and I wish that mainstream media would have that disclaimer at the bottom of every news story that they ever run. You know, don’t just believe us, do your own research, go out and find what’s going on in the background right now.
mike jones 40:12
You know, take Ross Perot, for example. I lived right next to Perot’s kind of privatized airport, and all the shipping and stuff. And I can’t count how many times I saw planes take off with no tail numbers.
Scott Lyons 41:00
Yeah,
mike jones 41:00
But, you know, what is he doing dabbling in government? You know, it just, it was really weird how things played out with that, and with Ross Perot. And then when I got my first, I was really fresh on the scene. And Perot Systems had reached out to me and said, hey, you know, how would you like to come to our facility in Sudan? Sure. Cool. So I went and they have an actual, they had back then, and this was unheard of back then, they had a malware creation lab. And I was like, why is Ross Perot creating malware? You know, it’s just one of those..
Scott Lyons 41:32
Like, why is John McAfee installing, you know, McAfee antivirus across the entire government?
mike jones 41:38
Exactly,
Scott Lyons 41:38
You know, and to make a really stupid correlation, why is it that just after John McAfee supposedly killed himself, a building fell in Florida?
mike jones 41:46
Yeah, yeah.
Scott Lyons 41:49
I’m sure there’s no correlation there. But it just, it makes you wonder,
mike jones 41:53
Yeah, yeah. But there’s a lot of people out there. And this kind of supports your argument, is that, you know, when you look at everyday people in the US, I would have to say probably 90% of them walk around with blinders on. As long as they can get to Starbucks in the morning and a Target on the way home, they don’t give a fuck about what goes on right there in their face. You know,
Scott Lyons 42:16
They don’t, but here’s the deal, it’s always been right there in front of their face.
mike jones 42:21
Yeah,
Scott Lyons 42:21
You know, since the day we were born to the day we die, it’s gonna be right there in front of our face without anybody knowing about it, you know, and security really should be the same way. It should be right there in front of our face, but be transparent enough that nobody knows about it, but it’s there to do the protection things, you know, and unfortunately, trying to bring all of this back here, you know, we as information security people, you know, we try our hardest, but we’re constantly fighting an uphill battle here. Now, you know, the big systemic change is going to come when the baby boomers and the early Gen Xers start coming out of management and the late Gen Xers, millennials and Z’s or COVIDs, whatever you want to call the generations, actually start coming up, the ones that know the security, that know what needs to happen, they start influencing all of that. And as we have the generational shift over, we’re going to see legal come back online with security, we’re gonna see law come back online and regulation come back online with security. And, you know, it’s interesting that we have to take the approach of waiting for the next generation to actually fix what our, you know, previous generation fucked up.
mike jones 43:35
Yeah
Scott Lyons 43:36
It’s sad to be in that position. You know, it’s really, really sad. You know, how many companies actually have board members that reach down into security, that can sit down with a security engineer who’s down in the weeds, and understand what that person is doing to provide a protection profile for the business? You know, how many people down in security can reach up to the board? You know, Mike, it’s almost like we need a goddamn Boxing Day between security and the frickin board.
mike jones 44:06
I’m down.
Scott Lyons 44:06
You know, of every single company, it’s almost like, we need that, you know, that perspective is just so, so important that a lot of people don’t get it.
mike jones 44:17
But there are a lot of companies, especially in the UK, that are a little more progressive. And they put people like us on boards, you know, I sit on a board of like two different companies. But again, they’re cybersecurity companies. And they know what they need to go forward. And so they look at people like you and me, and hey, we want those guys to tell us what to do here to help direct our movements. But very few companies are that progressive. They usually look for somebody to guide the board who are venture capitalists, or they have their hands in all different kinds of pots and…
Scott Lyons 44:52
Vulture capitalists.
mike jones 44:53
Yes, yeah. And they want them on the board because they know the guys with the money and the political, so they can get
Scott Lyons 45:01
that’s what it comes down to..
mike jones 45:03
money, you know?
Scott Lyons 45:04
Yeah, you’re right. It all comes down to money. Are you making sales? Sales rule the roost. If you’re not making sales, you can’t run a business. If you’re not running a business, you can’t pay people. It’s a domino effect. Right? So do we work with these businesses to say, well, you have to do sales and security and protect yourself with legal and understand your supply chain so that you can still make more… like it fractionally compounds. And I know that’s not the right word. But you get what I’m saying.
mike jones 45:31
Yeah, it reminds me of the ship… not Shipley’s, the donut shop commercial where he says, you know, got to get up early, make more donuts, go to bed, get up in the morning, make more donuts? Yeah, the same thing. And we
Scott Lyons 45:45
Always eating itself.
mike jones 45:46
Yeah. And we continue to see that. One thing that I wanted to dive into as well is the pentesting portion, right. So, you know, the days of looking at a snapshot of a three- or four-day onsite, you know, or even external pen tests. I think that’s coming to an end. I think that’s over. I think we’re getting into more of a “how can we be part of your team?”
Scott Lyons 46:12
It is and it is not. The “is” part of it coming to an end is for people that have been through pen tests. The “is not” is for people that have not been through pen tests. Like, if you’re stepping into a pen test for the first time, and it is not a recurring pen test, you’re doing it wrong. Sit down, try again.
mike jones 46:31
Right,
Scott Lyons 46:32
Right? If you can’t flex your budget to be able to get quarterly pen tests going, even if it’s for small pieces of the network, sit down, you’re not doing it right, try again. Now, pen testing came along because of PCI. Right? It came along because of PCI. PCI is the reason that the pen test industry is what it is. And PCI and the PCI council especially need to wake the fuck up. Right, in that the requirements that they are putting on these businesses are not fitting security standards. Right. Um, and I am more than willing to say that to the council directly, like I do not care. What needs to happen is continuous pentesting, continuous monitoring. Right, almost like a SOC 2 continuous. Right. Unfortunately, that has been talked about, but it’s not been put into practice with the DSS. You know. So if we want to talk pentesting, you know, there are a couple of key markers that we need to look at. One, is it continuous? Right? Because pen tests, remember, are only a single point in time. Is it continuous? Right? Does it fit the systems that you needed it to fit? Have your systems been scoped correctly? And what a lot of companies will do is they’ll try to say, well, our enclave that is directed by the ROC, right, the rules of compliance, the enclave that we have defined as the one that is holding the CDE or the cardholder data environment, right, is only limited to these machines. Nope, sit down, you’re wrong, it needs to be the entire business front to back because you don’t know if little Sally Sue in the middle of Iowa that gets on her computer to check her email can access your CDE.
mike jones 48:16
Yep.
Scott Lyons 48:17
Right. And it’s more of a holistic approach to it. It’s not a “we have to follow the QSAC,” you know, or the this or that, sorry, the SAQ D, the self-assessment questionnaire. Um, you know, it’s, we should be applying this across the entire enterprise, number one. Number two, if you are a company that handles credit card information in any way, shape, or form, if you even dare to touch a credit card, you’re under PCI. It doesn’t matter whether you push it off to Stripe, or PayPal, or a third-party provider, does not matter, you are under PCI. And that’s the way that the DSS is written. But you know, you look at companies that follow the DSS and there’s not a lot of them. Not sure that the big brands do, right. Um, but at the same token, you know, 60 to 70% of companies don’t even have cyber insurance. So how in the hell can we ask them in any way, shape or form to be able to pass or follow the PCI DSS? How can we do this? You know, and don’t even get me started on cyber insurance. That’s another three-hour monologue because to me, it’s a joke.
mike jones 49:31
I’ve had to deal with cyber insurance for the past couple months when it comes to ransomware attacks. And I can tell you, that it’s a fucking nightmare.
Scott Lyons 49:40
You know, it’s so much of a nightmare that… Did you know that POTUS, President of the United States, White House, you know, whatever you want to call them, they actually had a meeting with insurance carriers and said, cyber insurance carriers, you need to start requiring compliance to get the insurance? And that is a bad fucking idea.
mike jones 50:01
Yeah, totally.
Scott Lyons 50:02
Right. Um, and the reason it is, is because now we’re gonna see insurance carriers start to drive the information security market, which, I don’t know about all that, you know, that’s a bold move, Cotton. Let’s see how far you get. I do subscribe to “you must be this tall to ride this ride” to get cyber insurance. Right? Do I agree that insurance carriers need to be the ones driving the market? Oh, fuck no. No, you know, they can’t even get their hands around what they’ve got now. How are we going to give them the entire freakin market? Are you out of your mind?
This you know, it’s scary how they operate? Yeah.
And you know, in the same turn, the White House also directed NIST to start coming up with compliance regulations for private business. I’m over here like, motherfucker, you stuck on stupid at this point? And I’m not saying that directed to the White House. I’m saying that in general, because it’s an exclamation for me. Are you stuck on stupid? Because we are having enough problems being able to enforce what we already have, let alone come up with brand new shit, you know, that we now have to turn around. The entire industry is sitting back saying, well, CMMC is supposed to be the white knight.
mike jones 51:08
Right
Scott Lyons 51:08
It’s supposed to save us? Yeah, it’s, it’s what, 171 plus a little bit of ISO plus a little bit of 800-53, and a little bit of CSF in there. Right. CMMC has had a ton of problems getting out of the gate. They’ve tripped over their feet so many damn times, it’s not even funny. You know, now I have proponents of CMMC that are practitioners and are certified by the IAB that are telling me, no, no, no, no, no, it’s actually gotten better. We haven’t seen that.
You know. And I’m going to go ahead, when the government gets involved in making compliance decisions and things like that, when it comes to technology, it’s always been an epic failure from day one. You know,
I mean, it’s gonna be a train wreck. Yeah, you know, and a train wreck leads to hacktivism, it leads to activism, it leads to people fucking it up by the numbers, right. You know, at DEF CON, you know, we have a big old saying called “don’t fuck it up.” You know, at the end of the day, can you actually go home as an IT person or security person or somebody who’s watching this podcast and say to yourself systemically, did I fuck it up today?
mike jones 52:16
No. You know, when you look at decisions that the government makes, you know, and putting mandates and compliances out, to put things in perspective for those of you who aren’t techie, look at what’s happening with the border in Texas, right? So the government says you must get vaccinated, those who aren’t getting vaccinated are causing all the problems. Damn you, damn you, damn you. And in the same token, in the same breath, they’re allowing 15,000 unvaccinated people into the US from the southern border. So think about that on a tech scale, on a very expensive scale. There’s gonna be a lot of money lost, and there’ll be a lot of corruption because where there’s money, there’s corruption. And when I walk into a ransomware incident, and the cyber insurance people show up, first of all they’re late as fuck every time, and they come in hours late after everything’s been destroyed, if you got them to answer the phone. Yes, absolutely. And then when they come in, the first question is, how much is the ransom? And who’s contacted the threat actor? I’m like, bro, take a seat. Shut the fuck up. We’re this close to getting the systems back up. Yeah, relax. Let us take this. But they’re more concerned about, well, how much can we negotiate, and, you know, they’re worried about paying. But if we get into a habit of doing that every time there’s a ransomware incident, even though it could have only taken us two hours to get all this shit back up, but they’re more worried about the ransom. If that continues, the ransomware problem is going to grow because they know that they’re going to get paid. You know, and
Scott Lyons 53:52
If companies did the basics, the fucking basics of digital hygiene, and backing your shit up and taking the backups offline, you wouldn’t have this problem. Right? But what’s gonna happen is you’ll have leaders that will say, well, I don’t have the CAPEX, OPEX or budget to be able to afford those machines. So you know what, just deal with it. Right? What was it, I was looking on Twitter the other day, and I think it was off of Amélie Koran’s Twitter feed, where she’d posted up a conversation between a company and a threat actor. And the company basically told the threat actor, the only thing that’s been violated is your mother, which was absolutely brilliant, you know, throw it out, throw the keys away, we don’t care, fuck you, you know. And we as practitioners should be doing the same thing. You know, like, sit down, go away, you know, um, you know, unfortunately, businesses struggle with this kind of thing, you know, and a lot of it comes down to doing the basics.
But there’s another point here, and there’s a point that we’re missing and I’m gonna make it right now. 90, what, 94/95% of all hacks are social engineering. They’re phishing, they’re vishing, they are getting people to do shit they shouldn’t be fucking doing. Right, right. So, as a security practitioner, you should be taking the security awareness training that you raise your eyebrows at, and giving it to your family. As a C-level executive listening to this podcast, whether it’s now or it’s 10 years down the road, I do not care. Buy enough fucking licenses for your people and your people’s people. Because as much… oh, you want to know, hey, you want to know what really grinds my gears? Right? Um, we all have an aunt in Iowa that just sits back and looks at her email, and doesn’t care whether they get hacked.
mike jones 55:40
On WebTV.
Scott Lyons 55:41
Companies need to provide evergreen security awareness training to absolutely everybody in the family. The supply chain is one thing, the family chain, and support and work chain is something completely different that no one is looking at.
mike jones 55:57
Yep. Absolutely.
Scott Lyons 55:58
No one, no one’s looking at it.
mike jones 56:00
And they never have. And that’s the problem.
Scott Lyons 56:03
Yeah.
mike jones 56:03
When you look when you look at you know, people’s families and how they need to be educated about cybersecurity during a pandemic. Companies should assume the responsibility of the families because guess what, they’re now part of your network.
Scott Lyons 56:18
Yes, yes. You know, as a small business owner, when I have 25 people, you know, doing work with me, nobody works for me. And that’s a very, very, very important distinction. No one works for me, everybody works with me, because it’s a team environment at Red Lion. When I have 25 people that are working with me, it’s not just 25 people, it’s more like 180. Yeah, for sure. Because you never know what a family member is going to do to one of the employees and turn them from a loyal employee to a raging asshole.
mike jones 56:55
Yeah, that or the network now that you know, people working from home, that same connection is part of your company’s network, even though there’s a VPN between you and the office. Everybody who sits on your Wi-Fi, they’re now part of your company.
Scott Lyons 57:12
Yep, yep. And you’re pointing something out here, you’re pointing out the look of what are people going to do when they bring their laptops, you know, that are either company-owned or BYOD, when they bring their laptops back into the network. But what nobody looks at is what is the company doing to those laptops when they take them home?
mike jones 57:30
Right.
Scott Lyons 57:30
You know, we’ve heard horror stories about iPads and tablets and computers that have been given to students where the cameras have been turned on while they’re at home. We don’t want to deal with that. Don’t do it. You know, sit down, go away. It’s all sides of the issue need to be looked at.
mike jones 57:54
Yeah, absolutely. There was an app that was just put out not too long ago. And it was to help companies and supervisors maintain connection with the employee, and basically ensure that they were working. And part of that application was being able to activate the camera. And I was thinking, man, if I went to a company and they installed that on my system, not only would I take the laptop and break it in half and ship it back to them and tell them to go fuck off, yeah, but I would probably go after that company. Because I mean, well,
Scott Lyons 58:24
There’s a problem with that, because then you’d be liable for the damage to the company-owned device. If it is a company-owned device. You don’t want to work for the company, guess what? Don’t work for them. Right. But if it’s a company-owned device, you do want to work for the company, you do read through all of those papers that you signed when you first get into HR, you know.
mike jones 58:43
Assuming that and yeah, assuming they added that into the paperwork, because I’ve worked..
Scott Lyons 58:50
And if they didn’t, then guess who’s liable? It’s not you.
mike jones 58:52
Exactly.
Scott Lyons 58:53
It’s the company, the company’s open for a lawsuit. You know, you want to talk about something funny, let’s talk candidly about how HR is not there for the employee. HR’s primary job is to protect the business, and if you think HR is your friend, you’re dead wrong.
mike jones 59:10
Exactly.
Scott Lyons 59:10
Let’s talk about that. Yeah, you know,
mike jones 59:13
100 percent 100%
Scott Lyons 59:14
you know, HR is not your friend. Don’t ever think it you know,
mike jones 59:18
I’ve seen that a lot
Scott Lyons 59:19
you want to fight me on it, you know where to find me, I don’t hide.
mike jones 59:21
I find that a lot with different companies, you know, like, oh, yeah, we have an open door policy, you know, come and tell us your problems. And it’s sort of like the SS of the company, you know, you go in and tell the SS, you know, give them your confessionals or whatever. And then the next thing you know, that person is shit canned, walking out the door.
Scott Lyons 59:41
Come with me, children, confess your sins! You know, listen, listen, I understand that. What I’m trying to talk about, hear what I’m saying, is to open people’s eyes. Right? We get so into the rut that we don’t have a chance to see above the shoulders. You know? So question absolutely everything.
mike jones 1:00:06
Yeah. When someone tells me…
Scott Lyons 1:00:07
Don’t sit back and be a sheep you know?
mike jones 1:00:09
When someone tells me, why do I care if the government is listening in on my conversation? I’m not doing anything wrong. That’s not the fucking point. The more people who allow that to happen, the more it happens, you know,
Scott Lyons 1:00:22
And we’re supposedly protected under Title 10. That’s to keep the government from, you know, illegally spying, but
mike jones 1:00:29
But the Patriot Act ruined that.
Scott Lyons 1:00:32
Well, you know, it depends on which country the spying is coming from, even if it is US related. And that’s all I’m gonna say about that.
mike jones 1:00:38
Yeah, very true. Very true. Yeah. So, you know, where do you see our industry in three years now? Because I have mixed feelings about the direction we’re going.
Scott Lyons 1:00:49
I don’t see our industry anywhere. I’m going to tell you, we’re going to have the exact same systemic issue. And the reason being is because there’s been no advancements in the last, oh, God, how many years in information security. You know, everybody went to the gold rush and tried to enumerate and identify all the things and there hasn’t been any real, you know, there hasn’t been any real change. And we may have seen tools come out that are flashes in the pan. We may have seen, you know, blockchain, AI, you know, all of this other esoteric stuff that happens to be media buzzwords, you know, marketing buzzwords and buzzword bingo. We’re not going to see any more advancements in the next three years. Next five years, we might start to see something change, but for the next three years? No. It’s still gonna be the same, it’s gonna be the same way that it was back in 1999. You might as well party like it’s 1999. Bad joke, I know. But um, look at the Bluetooth change.
Yeah, look at the Bluetooth stack. Now, the Bluetooth protocol hasn’t been changed drastically in how many years?
Do you want to hit a ramp button? Try going after SS7. Okay, SS7, for those of you who don’t know, is the protocol that text messages and SMS messages ride on, you know, that will never ever, under any point, be ever secure, period. Will not happen. You know, and so, you know, what we’re telling people now is not just have two factor authentication, get a code sent to you? Because no, fuck that, right? Because we as hackers, we can actually spoof that authentication mechanism and steal the code directly out of the air. You know, um, what we’re saying is get the apps on the phone and use the app, like the Google Authenticator app, or the LastPass app, or some other app where the transmission of the code does not occur. Maybe even better, better yet, get a YubiKey.
mike jones 1:02:36
Oh, YubiKeys are badass, bro.
Scott Lyons 1:02:38
I have a YubiKey coming in, should be here Friday. But get a YubiKey, though, and start using hardware tokens.
mike jones 1:02:46
I live by YubiKey. I live by YubiKey. And then for like cell phones, if you don’t want people listening to your conversations when you’re not on the phone, or if your phone’s just sitting idle, Mic Lock, plug it into the earphone jack, disables your microphone. Little things people can do to secure themselves. But a lot of people just, you know, again, they go back to that mode of thinking of, well, I’m not doing anything wrong, so why should I care?
Scott Lyons 1:03:11
Yeah, and that’s if the cell phone has a three and a half millimeter. You know, what is it? iPhone, iPhone, you know, iPhone, like, I have..
mike jones 1:03:21
iPhone, fuck, you get no headphone jack?
Scott Lyons 1:03:23
Yeah, well, you know, it’s funny, because like, back in the 60s and 70s everybody valued their privacy and their anonymity, and it was peace, love, sex everywhere. And, you know, let’s put flowers in guns. And we’ve traded all of that for something that we can carry in our pocket. What the fuck happened to us?
mike jones 1:03:40
And it’s more powerful than the first supercomputer.
Scott Lyons 1:03:43
It is. Yeah, it is. The same thing can take us to the moon.
mike jones 1:03:46
Yeah, absolutely. And I was talking to a retired CIA agent today. We were talking about security and privacy. And surprisingly, he’s a big privacy advocate. And we were talking about the, I guess it’s not a law, but it’s more like a hidden mandate, where if you’re within 100 miles of a border, they can grab your electronic devices and go through your shit without a warrant.
Scott Lyons 1:04:15
Yep.
mike jones 1:04:16
And he was like, yeah, you know,
Scott Lyons 1:04:17
And they put that towards national security.
mike jones 1:04:19
Yeah, he goes, when you go to speak at ICE, you know, maybe you should question them about this. And I was like..
Scott Lyons 1:04:24
Don’t take your phone. Take a burner.
mike jones 1:04:26
Yeah, exactly. I was thinking that’s a great idea, you know, but I had never heard of that until today. I was like, What the fuck Really?
Scott Lyons 1:04:33
Oh, yeah. Oh, yeah. Well, dude, go out and do some research on the horror stories of people that are coming back into the country where their electronics have been taken and they’re forced to open it, you know? It just.. ugh.
mike jones 1:04:44
So I did the reverse on that. When I did the reverse on that with Bank of America, they sent me to a foreign country with devices to see how that country actually manipulates your shit. And I can tell you, when they walk away to check your device and it comes back, it’s not the same.
Scott Lyons 1:05:00
No, it never will be, and never will be. There are tools out there like Cellebrite that will easily break in, or there’s a 0-day that your current version, you know, hasn’t been patched against. You know?
mike jones 1:05:12
I mean, there’s all kinds of tools out there that can really fuck up your life, for sure. And I mean, some of those apps too, like Signal and some of the other apps, you know, have been big targets for law enforcement, government, as well as hackers.
Scott Lyons 1:05:25
Yep. Yeah. Yep. So, yep. Do not trust WhatsApp. I’m sorry, I’m gonna say do not trust WhatsApp. Do not trust Telegram. I personally, I’m a huge, huge proponent of Signal. Yeah, right. Only because it’s not owned by Facebook!
mike jones 1:05:42
WhatsApp, WhatsApp is, you know, yeah.
Scott Lyons 1:05:44
So, you know, do you really want somebody else reading your email? You know, you have to remember that a cloud computer is just somebody else’s computer. Yeah, like, come on, man. You’re killing me here. You know. Um, but I wouldn’t be surprised, wouldn’t be the least bit surprised, if somebody has WhatsApp on their phone, they don’t have Facebook Messenger, but yet they still get the ads on Instagram about what they were talking about on WhatsApp.
mike jones 1:06:12
Oh, yeah. For real. I mean, so..
Scott Lyons 1:06:13
Would not surprise me.
mike jones 1:06:14
So me and Tom Ryan, we were doing a talk in Westminster. And we were talking about that specific issue of your phone detecting what you’re discussing and then pumping a bunch of ads. So I have my phone in my pocket at Westminster, and we’re talking about Alexa, we’re talking about all these different devices. When I get back on my phone, I have, like, tons of ads just for the shit that we talked about. And then Amazon comes out: oh, you know, the devices that we produce aren’t always listening. Well, just recently, I think it was like a month ago, Amazon made public, hey, we’ve got this new feature where it listens to ambient sounds, and when there’s a sound of a person walking into a room, we automatically turn on. I’m like, no, no, you’ve always had that. You’re just making it public?
Scott Lyons 1:07:00
Coming clean. Yeah, yeah. Well, did you see, what was it, like a $267 million fine under the guise of GDPR against WhatsApp for further abuse of privacy?
mike jones 1:07:12
Yeah.
Scott Lyons 1:07:12
In terms of, like, GDPR. Um, you know, gee, we need more, we need more stuff like GDPR to protect us. You know, unfortunately, you know, if companies aren’t going to get wise with the way things are done, we need it.
mike jones 1:07:27
Hmm. I don’t understand why we...
Scott Lyons 1:07:29
Go ahead.
mike jones 1:07:30
What... why don’t we have GDPR? I mean, usually the
Scott Lyons 1:07:34
CCPA. Here in the States, we have CCPA. And there are four other states that I know of right now that have privacy, like Wisconsin has privacy, Vermont has privacy, New York has the NYDFS NYCRR 500, and that’s sort of privacy, but it’s privacy more towards New York State people. Um, you know, what the Fed is doing is they’re leaving it up to the states to be able to figure out what privacy regulation needs to look like and then assemble it. And what a lot of states are doing is they’re saying, well, CCPA, you know, they passed it. So why don’t we take that legislation and just, like, modify the shit out of it and make it for our state? You know, is that the way to do things? I don’t think so. I think we need more regulation up on the Fed for privacy. At the very least, we have, what, 15 states? 16 states? that have the legislation in the argument stage and the hammering stage right now, going through both the House and the Senate of each state. You know, it’s just, we need it. You know what? I’m gonna say it right now. Privacy is an inalienable right and should be listed on the Bill of Rights, along with the actions of how to protect privacy and what happens when privacy is overrun, period, end of story. It is an inalienable right of every human being to have privacy.
mike jones 1:08:58
Right? Absolutely.
Scott Lyons 1:08:59
If you’re going to expect us to live in a digital world where we’re connected 24/7, privacy needs to be in the Bill of Rights for every person across the globe, right, especially in the US, but across the globe. Privacy needs to be the number one issue.
mike jones 1:09:14
Yeah, I totally agree, because privacy is dictating a lot of the downfalls we’re looking at right now. And, you know, in Alabama, I was speaking to somebody who works for a sheriff’s department, and they walked through the office and handed everybody this questionnaire. On that questionnaire, they want to know your social, they want to know your social media aliases, all that stuff. And now the cops on the street are not only asking for your license, they’re also asking you for your Facebook profile, your social media profile. And to think about that...
Scott Lyons 1:09:51
But remember, that’s pub... but hold on, hold on. Forget it, it’s public domain.
mike jones 1:09:55
Yeah. Okay. It’s, yeah, what’s on the internet is public domain. But here’s the issue that bothers me is that, you know, when you look at Zuckerberg and you look at Facebook, and how they’ve become a political entity within itself, and then now they’re opening up their platform, not just now, it’s always been this way, to the government. It’s kind of fucking scary, you know, and now you have cops on the street collecting data.
Scott Lyons 1:10:21
Let me ask you a question. When did Facebook really go live? When did it really go mainstream live?
mike jones 1:10:26
I don’t know, man. I didn’t pay that much attention to it when it came up, because I hate the idea.
Scott Lyons 1:10:31
Oh, here comes the conspiracy theory. I hope you’re ready for this one. Sweet. Go back and look at around 9/11.
mike jones 1:10:39
No shit.
Scott Lyons 1:10:41
Go look at the research. Tell me I’m wrong.
mike jones 1:10:44
Wow. I don’t doubt it at all. I don’t doubt it at all. Because 9/11 was the beginning of the end of privacy, truly.
Scott Lyons 1:10:52
Well, the beginning of the end of the privacy was actually before that with the Patriot Act.
mike jones 1:10:56
Yeah, yeah.
Scott Lyons 1:10:58
But 9/11, like, I literally want somebody who’s listening to this podcast to find me on Twitter and DM me. Don’t do this in public. DM me point blank and tell me I’m wrong, and tell me why.
mike jones 1:11:09
Yeah, the Patriot Act and 9/11 itself was the end of human privacy in the US, and globally in some places, depending on which country, and
Scott Lyons 1:11:20
All the countries, because you got to look at the reach of the Five Eyes.
mike jones 1:11:23
Yeah. And then you look at what Snowden did. And with Snowden, here’s my theory on that. You know, I think when he leaked that information, I’m like, we knew this shit already. You know, this is not news. But for those people who, you know, go to Starbucks and Target and wear their capri pants and don’t give a fuck, that was big news to them.
Scott Lyons 1:11:44
Hey, we both wear capris. Okay. Don’t knock the capris until you try them. No, I’m joking. I’m completely joking.
mike jones 1:11:52
Or yoga, men’s yoga pants.
Scott Lyons 1:11:55
Dude, I keep waiting. Like, did you see the outfits from Space Force? Holy shit. I keep waiting for Peter Dinklage to come in and say, I got my space pants on, you know, like, wait, oh my god. Um, it’s almost like somebody got in and trolled Space Force with their marketing, like, oh, it’s so funny. Um, but no, you’re right. It was right around that time where privacy died. You know? And everybody’s completely okay with it. But we as security people were like, no, that’s not okay.
mike jones 1:12:24
You know, it’s become a witch hunt. That’s why they use the Patriot Act as a witch hunt. And, you know, even with hackers, what I find really strange and kind of, like, suspect is me being vocal about my distrust for the government, and some of my bad feelings and bad blood that I had with them. Take that, for instance. And then all of a sudden, I have all these agencies wanting me to talk to them. And it’s like, why all of a sudden is there this big push when, you know, five years ago, you wanted nothing to do with me? What’s changed?
Scott Lyons 1:13:00
The guard, the guard has changed. Like, the junior people are now moving into senior roles, and they’re being replaced by more junior people. So as, this is what I was talking about earlier, Mike, as we see the generational changeover and the generational shift, we’re gonna see things change. Things change, but they stay the same. And it’s just, we can, the question is, can we stay at the pace that we’re at? Right? Can we sustain the pace that we’re at? And that’s more of a rhetorical answer than anything else, a rhetorical question: we cannot sustain it. You know, at the end of the day, the most dangerous person is the one who’s the free thinker. The most dangerous person is the one who has done their homework. Absolutely. And the most dangerous person is the one who does not walk around with their eyes closed.
mike jones 1:13:52
Yep. And that’s what I tell people, is that, you know, the reason why we end up on lists by the government is because fear is a huge motivator. You know, when there’s someone out there that can pose a threat, that has more knowledge in a certain area than the government, what’s the typical thing that they do? They isolate them and put them on a list.
Scott Lyons 1:14:12
And to add to what you’re saying, what have we done in the security industry? Pretty much the same thing. We have FUD floating around the industry, right? And we call it FUD, and that’s fear, uncertainty and doubt. FUD. Right? So we’ve got an industry that is an acronym soup. You know, we use fear, uncertainty, doubt. And, you know, we do that to scare C-levels who don’t know anything about security into, oh my God, the sky is falling, and that way we get budget moving. But realistically, what a lot of people in industry don’t grasp is that compliance is the way to move a motherfucking budget, right? You want a company to move, bring them under compliance. You know, you watch how fast they move. If you say, well, we’re out of SOC 2, watch how much money they spend to get ISO so that they can pump that into sales. You know, watch how much they spend when they get breached and card data gets spilled. Watch how much gets spent.
mike jones 1:15:14
Or watch how much money they spend to get out of a compliance audit rather than, you know, going through it; they’d rather pay the fine. And those big companies, you know, the Fortune 500, those are the ones you see, you know, they don’t need a pen test because they have money, they can just throw it, you know, get out of it, get out of a funding company.
Scott Lyons 1:15:31
When a company gets bit by an insider, watch how much they spend. Oh, yeah. Yeah, when a company gets bit by an executive who neglects a fiduciary duty, watch how much they spend.
mike jones 1:15:43
And I mean, look at the way that they used us in the beginning of this whole security push in the industry, right. So, you know, if you want to sell a product, a security product, bring along the circus sideshow act to show them how bad you can smash their network and do a demo. And that’s how I got into the industry to begin with: well, we can take this guy and show them what he can do, and they’ll buy our product. And I’m like, after a while, I felt like a circus act. I was like, fuck this, I don’t want to do this anymore.
Scott Lyons 1:16:13
You know, we talk about a lot of the bad; let’s talk a little bit about the good. If you do not know who InfoSystir, aka Amanda Berlin, is, you need to go on Twitter and find her. Amanda, who heads up Mental Health Hackers. We all, in this industry, get beat up constantly. Yes, right. We’re constantly put down, knocked around, kicked, you know, if not by the people that we work for then by our own peers. You know, peers can actually do more harm than people that we work for. Right? But Mental Health Hackers is an option. If you are hearing this and you’re sitting, you’re saying to yourself, you know, I’m really struggling right now, reach out to Amanda, see what Amanda says. You know, she may be able to point you in the correct direction to get either some institutional help, or know somebody that’s been there that has been able to weather the storm, you know, and get you help. You know, at the end of the day, we’re all just bags of protein and juice,
mike jones 1:17:15
and bad attitudes,
Scott Lyons 1:17:16
and bad attitudes that need to get adjusted. You know, it’s like going to the chiropractor to get all your bones cracked, you know; getting the mind cracked as well and set back and adjusted is something that we all need to pay attention to. You know, if you don’t know who Johnny Long is, we were talking about him earlier, with Hackers for Charity, you know, the resource that just passed was invaluable to that entire organization. And they need help right now, they need fucking help. And reach out to Hackers for Charity and volunteer your time and help them. You know, like, these are people that are doing good stuff in this community. You know,
mike jones 1:17:56
Johnny has been doing that for years, man, Johnny has been doing that for years. Look at all of the technology brought into places in Africa, bro, like…
Scott Lyons 1:18:04
Being able to take AK-47s out of kids’ hands and put computers there in replacement? Dude, it’s been the warmest of warm feelings to hear him talk about the updates and what he’s done. And, you know, what HFC has done for nonprofits, you know, and if you are a part of a nonprofit that needs information security skills, go hook up with HFC, right? Hackers for Charity, they’ll be able to place you with the right people. You know, but there are other people in this industry that are absolute pillars and absolute rocks that have struggled just like we have, just like other people are struggling. You know, these pillars are well weathered. You know, like, they’ve been through all the bullshit, they know how to handle this, you know. Um, you know, like, I recently had some adversity in my life that I had to deal with, and I had to reach out to people because I found myself in a dark place, you know, thinking dark thoughts, you know, and for me personally, it was not... it was not normal for me to be there. And through working with people, working through situations, you know, I’ve been able to really recover a lot of what’s going on, including myself. You know, like yesterday, I’ll tell you point blank. Yesterday, I went from 7am to 2am non-stop. And it was the best feeling that I had had in a very, very long time, just to be able to start cranking through work and cranking through clients and start really affecting things across the board. And then today, nice and quiet, like the storm had passed, right? Tomorrow, I’ve got another storm brewing, and I’m not worried about that until tomorrow, right now. You know, I want to make sure that I’m giving you and whoever your listeners are, right, the best look at “Don’t be a sheep” that I can possibly give, you know? So if you know of people that need help, reach out. Don’t be sheep, reach out, make the first contact, because you never know what a simple hello, what kind of effect that has on people.
mike jones 1:20:21
Yeah, I mean, I came back from England, and I was in a really dark place because, you know, I didn’t know what was going to happen. You know, I was back in a country that didn’t want me here. And a friend of mine reached out, I didn’t know him at the time, had just met him on LinkedIn, reached out and gave me, like, some hope, right? And talked to me every day. He messaged me, hey, how you doing? Hey, how you doing? Just to check on me. And unfortunately, we lost him last Christmas, too. You know, things got rough for him and he couldn’t reach out himself. And I, you know, I felt bad because I felt like I owed it to him. But I really had no idea. You know, so if you’re in that place, do make it apparent to somebody, do talk to somebody, because not everybody can read those cues. And if you’re struggling, you need to let somebody know, because I’ve lost so many people just over the past year to that same issue. You know, we burn bright, but we burn quick, you know, and the faster we move, the dimmer the light gets. So, you know, take that time and break away from the computer. And, you know, like I did, go fly fishing and fall off rocks and hurt yourself. Yeah. Which at least lets you know you’re still human, right?
Scott Lyons 1:21:43
You’re gonna go riprap on the riprap.
mike jones 1:21:46
Yeah, exactly, exactly. But it’s good. It’s good shit to break away and to, you know, open your mind to other things too, like meditation. And, like, you know, I know that sounds hippie-ish, but I live by it. You know, it’s good shit.
Scott Lyons 1:22:00
Well, I think it’s safe to say that if you’re listening to this podcast, you’re listening to this episode, and you have feelings of self-doubt and denial (it’s not just a river), and, you know, the feeling of self-worth, and you’re having issues, you know, you can totally reach out to me. I’m like, I can’t, I’m not, I can’t and I’m not going to speak for you as well. You can totally reach out to me and I will try my best to be able to get you to somebody that can help.
mike jones 1:22:29
100%, right. I’m right there with you on that one. So, Scott, man, I appreciate you coming on the show, brother.
Scott Lyons 1:22:36
Thanks for having me.
mike jones 1:22:37
It’s been really great. We’ll have to do...
Scott Lyons 1:22:39
I’m just glad we didn’t talk about Schweddy Balls. Okay. I mean, you know, to borrow it from SNL, you know, like, oh.
mike jones 1:22:48
Yeah, we’ll definitely have to do some more stuff together and maybe collaborate on some projects, because I think that we have good chemistry. And I think that, you know, we could make some changes. I think it’s good.
Scott Lyons 1:22:57
I have earth-shattering changes coming on the horizon for me. So, I am, I am très, très excited. Um, you know, and it’s, uh, yeah, it’s gonna be fun. It’s gonna be a lot of fun. We’re going to try some things, we’re going to fail at some things and succeed at others and see where the spaghetti sticks to the wall. But no, it’s been an absolute pleasure, you having me on. Um, you know, dude, any chance that we ever get, you know, to ever get together and actually sit down and start talking about problems and stuff and start diagnosing issues, you know, it’s always a fun time, you know?
mike jones 1:23:35
Yeah, yeah. I like being the one to help diagnose and not the one creating the issue. So it’s
Scott Lyons 1:23:41
Right?
mike jones 1:23:41
It’s a change for me. So, well,
Scott Lyons 1:23:43
We do a lot of that. I know you’re starting to wrap up and everything, but we do a lot of that on Clubhouse as well. Oh, yes. So if this is the first time you’re hearing about it, go out to your app store, whether it’s iPhone, Android, or whatever OS that you use, and take a look for Clubhouse, drop-in audio chat. And there are a lot of really, really great security rooms on Clubhouse that you really need to get engaged with, like Monday nights at 8pm Eastern we do Backdoors & Breaches on Clubhouse, right. So instead of talking about the esoteric BS that we’re always trying to diagnose, the perpetual craphole that we deal with in information security, we actually look at, how do you stop the Cyber Kill Chain? Right? How do you do that identification in that process? What is the tabletop exercise? And when you get 30 people in a room, regardless of age, color, race, religion, or who the hell they work for, working together to try to win a game, it is absolutely beautiful. You should absolutely try it out. You know, and then personally, like, I’m starting up, you know, like a bedtime stories on Friday nights at 11, you know, just to get our brains off of security, sit back and read stuff. So if you have a fear of public speaking, you can come and bring a book and start reading excerpts from the book and work on your public speaking. Yeah, we, as podcast people, we’ve really been able to hone the skill of being able to get the point across, right, and being able to take those dramatic pauses and knowing when to move and, you know, how far away from the microphone we have to be. Like, we’ve been able to really hone that skill, but I want to be able to give that opportunity to somebody else. You know, plus at the same time, you know, open up with Go the Fuck to Sleep. I mean, let’s be honest, that’s just straight up fun.
mike jones 1:25:41
Yeah, yeah, the game is a lot of fun, especially if you’re the insider threat of the... the unknown insider threat. It’s a lot of fun. So where can people find you on social media?
Scott Lyons 1:25:52
Sure. On Twitter, I am Csp3r. On Instagram I’m Csp3r_Official. On Clubhouse I am Csp3r, and if you know how to find me on Signal, then you know how to find me on Signal. You know, other than that, you know, you’ll see me tooling around on some social media, but it’s not going to be, like, long-haul stuff, you know. So yeah, um, you know, I don’t hide. I’m here. You know, if you want to chat, I’m here. If you want to yell at me, I’d ask that you do it respectfully in DM, you know, and that way we can go point counterpoint and really try to change each other’s minds.
mike jones 1:26:34
You know, let’s be productive, people, be productive. Alright, Scott, I appreciate it. And for those of you listening, this is Episode 066. And we will see you next Saturday, maybe this Saturday too? I don’t know, I’m doing so many podcasts, I’ve forgotten what my schedule is. But thanks, and we’ll talk to you next time. Adios.