Loading summary
A
All right, heck, we've been talking about this shit for a long time and we finally here we got a CISO that is going to give us the real deal of what's going on in the industry.
B
Hector Monseager was responsible for some of the most notorious hacks ever committed.
C
Special Agent Chris Tarbell. Hackers and FBI informants participated in some
B
of the world's most infamous hacks that caused up to $50 million in damages. A life in the shadows.
C
Cyber attacks on the rise.
A
Welcome to Hacker in the Fed. I'm Chris Tarbell, former FBI special agent, worked my entire career in cyber security. And I'm joined as always by my valentine, Hector Monsicore. Hey, friend and podcast co host. Hi Hector.
C
Hey, my Valentine's, how are you?
A
Yeah. Hector's a former black hat hacker who once faced 125 years in prison for as many of hacking under the code name Sabu. Our stories collide in June 2011 when I arrested him and then convinced him to work with me at the FBI. Hector is now a red teamer, researcher, cyber security expert. Congratulations, Hector. And co founder of safel.
C
Oh, first off, let me tell you, that's it.
A
No excitement.
C
No, I'm very excited, but it's internal excitement, you know.
A
You know, I left some external excitement.
C
Well, yeah, no, I know that, but you know, you ever go to like a, like a, you ever been to like a poet's cafe, you know what I mean, have some nice coffee and some poetry and stage.
A
No, I've been to women.
C
Yeah, aside from that, there's. There's a spot in New York City, Lower east side of New York. It's called the New York Nuyorican Poets Cafe. Very old school. I think it's still around. I've been in a minute. And so when you go there, the vibe is cool. There's people chilling. The vibe, the aura is dope. And then like people like this, you know, snapping of the fingers when it's like good stuff on stage, like fucking beatniks and shit and all this cool stuff. But the vibe, the aura, the chill, that's what I appreciate, you know, that's what I appreciate. When I'm here with Chris, we could talk about different things and.
A
Why are you lying to the audience? You have a whole segment on this show called Hector's Rants. Well, that is not a vibe.
C
No, it is, it's part of the vibe, bro. You know, listen, the vibe always don't have to be positive, right? There's got to be a little bit of you gotta have a duality, Chris. That's my point.
A
I get you. You go into the show with your beat, neck, snappy vibe, and then you end the show with a rant where you just want to release your hatred on some subject of the week.
C
Yeah, that's right.
A
You're not having one this week. No rant this week?
C
No, no, no, no. We're chilling this week.
B
Yeah.
A
So what's going on with seafood? Anything good? You guys got any new products? Anything good? Good going on.
C
Yeah. Safeville is actually a really cool spot because, you know, we have, we have some really good relationships with, with, you know, our partners, with customers, with our people. I tell you, I get emotional. Chris, let me keep it real with you. This is, this is your boy Heck just dumping right now on some realness. I get emotional because right now we're at, we're. I think we're at 16 or 17 employees, right? That's, that's huge. I've never done something like that before. Right. And then I'll sit here, my balcony with the ocean hitting the, you know, the freaking, the rocks and everything. And like. And I'm starting to think about my team and I'm like, you know, this is 16 to 17 different families that are being affected by this, you know, and so it is such a pleasure. I get emotional, but I'm like, wow, this is cool. And we're doing some really cool stuff and, and when we're dealing with customers or whatever, right? Even doing an event and people like, hey, I loved your research on this. I love what you guys are talking about. That I would love to hear more. I love it, man. So, yeah, it's been my thing.
A
Touchy feely, Hector. Oh my God.
C
You have to, you got, you have to be in tune with yourself, Chris, because if not, you're just an outsider to yourself.
A
Poetry and touchy feely family. Oh, my God, what does this turn into?
C
What is this? Well, it is, it is around Valentine's, you know, you gotta.
A
Me too.
C
Yeah, it is true.
A
It is true. So, yeah, great Patreon episode we just had. Covered some great AI and apparently Hector is ass deep now in. In AI.
C
Yeah, as deep indeed. I'm definitely in there.
A
So he built a tool that I might put some money into. Might see what we can do it. So go check that out, guys. On Patreon, he even gave you a few of the secrets on how to build it yourself. If you want to get into the prediction AI model, whatever it may be.
C
Sure. It's fun well, look, Chris, here's the thing, right? When it comes to new technologies, right, New infrastructures, architectures, new concepts and protocols, the coolest thing, at least for me, I don't know about you, Chris, is even if it's early, it doesn't make any sense. I love to just jump into it and research it and study it, and if I could prove it, even better, you know what I mean? So what I would tell the audience here is even though Chris and I do a lot of the cybers and give you warnings about, you know, lack of guardrails for AI, stuff like that, experiment with it, but understand what it is that you're doing.
A
You know, definitely understand. Don't be fearful of technology. Understand technology. And then if you build a fear of it, that's fine, but don't do it from an uneducated point of view. You know, learn a subject and then. And then decide what emotional response you're gonna have to it. Don't let someone tell you what your response should be, Right? Heck, love the people on the Patreon supporting the show. Keep keeping the free show commercial free. Also, a reminder, the merch store is up. Hit us up@hackerinthefed.com and find your stuff there to help keep support the show. Heck, your boy was on Fox News this week, and it was really, really nice to see how many hacker in the Fed listeners reached out to say they saw me on there.
C
That is dope. I heard, and I want to hear all about it. Like, what happened there, bro? Like, what was the topic?
A
I got reached out by three or four different news organizations and asking me if I wanted to come on to talk about, you know, the privacy factor of the. The Nest camera in the Nancy. Nancy Guthrie case. And just, you know, because that had just been, you know, cracked by Google engineers and all the information coming out of that. And so a couple of the ones I. The timing didn't work out. Like, I had to be at the pantry when they wanted me to do it, so I couldn't, you know, do it from my home studio. But the Fox News one worked out. They wanted me on the next morning, so. So I decided to do that. And so I went to the gym that morning. And then I was telling my friends at the gym, I said, hey, go stand over there. I'll be on Fox News in the next 30 minutes. And they were blown away by it. Just did a live shoot. They knew that I didn't have any pants on whatsoever during that thing. But that's all right. I looked I looked professional, up top. But it was good, it was fun. I was on for, you know, 10 minutes. It was a 10 minutes show back
C
and forth and so that's pretty big. It's a big segment, bro.
A
Yeah, it was good. It was good. So, um. But yeah, family reached out and a lot of hacker in the Fed listeners. So it's great to see the support from the hacker and the Fed listeners.
C
Did they post a clip online? I couldn't find it. I couldn't see it.
A
I didn't look. I can, I'll look around. I'll have, I'll have AI look for it and see if they can find me.
C
You know what's crazy? I'm sure it would nice to the Fox News people, right?
A
Yeah.
C
When I did Fox News years ago with Jesse Waters, whatever, they were so nice that I was like, I need to talk to Fox News more. Because whenever I spoke to like cbs, they treated me like I was an asshole.
A
Yeah.
C
Remember that time we did a CBS segment like they just did not give a fuck that we were there.
A
No, the, the Fox News people were great. The, the producer was good back and forth and asking stuff. And then I got on with it was Bill Hemer and Dana, she was the old press secretary for under Bush. I forget her last name starts with a P. But both very nice, very nice behind the stage, you know, during the commercial break was very, you know, talk talkative and we had a great conversation that we jumped on. It was easy to do. Beautiful. Not a real lot of prep. Like they don't tell you what they, they don't tell you what they want you to say. You know, some places sometimes you'll do a media and they'll tell you like, we want you to say this or say that. No agenda whatsoever. They had no idea what I was going to say.
B
Yeah, yeah.
C
Same with me. And I felt bad because it was during that era where I had the long beard.
A
Yeah.
C
You know what I mean? So I'm on fucking live television with Jesse Waters and I got a fucking two foot long beard. I look fucking stupid. And it was so last minute. But it was like, like you said, it wasn't like prepped or hey, we need to go in there and say this. Because he did have a question that when I did it, his question was something along the lines of, hey, it was a political question. Right. It was like, hey, do you think it's a smart move for President Biden to give a list of machines that Russia should not target? So basically during that week There was a, there was a point where Biden, his team said, hey, Russia, we know you guys doing hacking these five servers, you better not touch, right? Like setting a kind of like a red line or whatever, right? And so Jesse was like, well, Hector, you think that's a smart idea to give Russia a bunch of sensitive systems? And so I said, well, Mr. Waters, for you guys that find a clip online, that's exactly how I said, well, Mr. Waters, honestly speaking, politics aside, the Russians already know about those servers, Right? The difference is that now you're putting a line in the sand. You're saying, hey, we know you know about these servers. If you engage these servers, then there's a problem. Right? He was cool. It was receptive. I like that shit.
A
Nice.
C
It's crazy. So big shout out to Fox News for having you. I can't wait to see the clip. If you guys find a clip, send me a copy because I haven't seen it.
A
Nice. So we got a fat show today. It's a really long show. Heck, just behind the stage. Guys, we're recording this after recording the show because we did an interview this week of a secret ciso. We've been talking about it for a while and the show is kind of long, but we got some really, really behind the scenes information. So you're going to hear the interview. It'll Hector, you'll hear Hector and I, but then you'll hear the CISO with a fake voice. So we had to modular, modularize the, the voice and make it sound kind of funny. Don't get lost in the voice. Really, really listen to the information that this CISO is putting out because it was really eye openening. I believe this CISO had a good time with the interview and wants to do it again. So you guys let us know what you want to hear from truth and honesty out of ciso. Hit us up and, and let us know for the next interview because the CISO wants to come on again.
C
Yeah. And I, I'll tell you, I think folks, folks are about to get a surprise in terms of like, you know, what's being said and, you know, I think there's some really good takeaways and I'm, I'm excited to hear the response from the audience. I was excited by, I think we, you know, you enjoyed it too. We had a great conversation. Yeah, I'm looking forward to like the, the audience's reaction, like what are their takes on it?
A
My reaction is, damn, I don't read enough.
C
Yeah, yeah.
A
Super smart, super smart person. Really into it and very able to quote poetry and books and all that stuff. And I was like, man, I, I, that's not the way I live. I, I talk about how much sun is on my balls.
C
Yeah, well, so there's some, there's something beautiful about someone that's learned, you know, that they're, they've been, been reading. I've been studying and you know, see, when I was a kid, when I was young, there was something I went through, Chris, short story for you guys, where I realized that, you know, I had placed some like, limitations of myself. So I want to kind of break out of that emotional mental education wise. Right? And so my first step was, at least in New York City you had the opportunity to get take your GED very early on. And I did. And then I started taking some early college classes at bmcc, which didn't really last long. But the cool thing is that I started to enjoy the educational component, the academic component of it. You know, What I realized after a while is that no matter how many books I read and the more and more books that I read, the more I realize is the least I learned, or rather the less I know. And that's a big, that's a daunting feeling when the more you learn, it feels like, you know, the less you know. I don't know.
A
You never want to come across the way you just sounded, explaining your ged.
C
What? How did it sound?
A
Not good.
C
Well, the GED is not the thing. It's not the main point. The point is I, you know, reading more and learning more, I just felt like it wasn't enough, you know?
A
Oh, yeah, no, I, anyone that stops learning, like, that was the, one of the things that I, I never understood. Like, some people, like, get into their education phase of their life when they're early and then they stop learning and learning new things. And like you, like we talked about on the Patreon, what you dug into this weekend and spent 48 hours of your life building and still learning at your age. People don't do that anymore. And they need to, they need to explore things. But. So go over to the Patreon for that. But anyways, guys, let's cut to this CISO interview. Great freaking interview, but want to hear your feedback. What do you want to hear from this guy? So hit us up at questions at Hacker and the Fed dot com. All right? Heck, we've been talking about this shit for a long time and we finally, here we got a CISO that is going to give us the real deal of what's going on in the industry. Ciso, do you want to give us a little bit of background and credibility of who you were and who you've been without giving away who you are?
B
No, I don't want to give you any of that.
A
Oh, perfect.
B
But I will. I'll tell you a little bit. So, yeah, I guess I've been in the industry for decades, and I've been a hacker for a little bit longer than that. And yeah, I know my math, I know my. I know my cyber, we call it now that tell you a little bit hint how old I am. And I know my politics, so I'm happy to talk about anything you want, boys.
A
Well, I want to get down into the dirty to some of this shit, so.
C
How dirty?
A
I don't want to. I don't want to put words in your mouth, but when did you start realizing that the cyber security industry has a serious, like, systemic problem that goes beyond just isolated bad actors? Or am I mislabeling it? Do you not feel that way?
B
No, I do feel that way. No, no, I mean. But it doesn't have one systemic problem. It has many. And I think when we began to take ourselves too seriously, when we began to hide, like when we began to hide collectively, as many people do individually behind an imposter syndrome, that's when it started. And I think it started as soon as we started to try to duplicate other, older, more legitimized professions in the sort of IT world I remember back in the day, it itself was seen as a hobby. And cyber wasn't cyber, it was information security. And before that, it was about reliability of information. This is something that even now we say isn't aligned with business. But it was not even taken seriously by engineers because these weren't programmers, first and foremost. And I think it got worse when GRC came along. And suddenly these were spreadsheet jockeys. So they weren't even taken seriously by the technologists for the most part. It became security theater.
C
Yeah.
A
In my world, I've seen a big butting of heads between, like, former lawyers who now say they're cyber guys but don't know shit. And then the guys, the actual technicians that are hands on keyboards and get shit done. The problem is in the world of CISOs, they tend to, from my perspective, lean more towards these former lawyers that can talk the right talk is my perspective.
B
If you look at the way lawyers. Yeah, if you look at the way lawyers behave, they believe the words that they say as if literally. It was gospel with a word, as if the words themselves created truth. Words are incredibly powerful. Naming is incredibly powerful. But this country was created by lawyers, the United States. And I think that lawyers take themselves far too seriously as interpreters and users of words. And as such, what we're seeing here is the power of personality. In many cases, the power of the P that is coming through. And it's taking over not just security rooms, but. But boardrooms. And it has the language to do so, while most of the time it's just word salad.
A
So let me just put some credibility to you and let you answer this. Why anonymity? Why do we have to change your voice and all that? All right, why can't you come out? Why in this industry can you not come out and speak the truth? What do you see as the repercussions from the industry or from your peers to not be able to speak freely?
B
Nobody ever speaks entirely the truth. Nobody ever goes and says, here's exactly what's going on. Because there's always repercussions. Somebody will be pissed off. Somebody will be upset. But to know the unvarnished truth is a luxury, and it's a luxury to be able to speak it. Therefore, let's detach personality, let's detach ego, let's detach politics. And politics is really about personal motivations over group and collective motivations. Let's detach all that. Let's speak truth and see if people believe it and can cogitate on it a bit and say, do I believe that or not? And make up their own minds. I'm a big believer. The reason for expository writing isn't to make you smart. The reason that we put words out there, if we do it right, use the least words, use the shortest words to get the point across. Pass. That's called rhetoric, as opposed to grammar, is to be criticized so people can use their thinking skills. Enough of the memes, enough of the. Enough of the fashion in thinking. Let's just get straight answers to straight questions and go from there. Because without a platform to stand on, what have I got to lose?
A
Heck, I don't know if we should be offended. We put two hours of bullshit out every week.
B
We all do. We all do.
C
Well, it's okay. We try to be. We try to be as honest as we can. We can go, right? But there are times when even myself, and I've always been pretty outspoken, even when I was an adversary, especially when I was an adversary, I was an asshole. The Persona that I created was the guy that was just say whatever the hell they thought was right or wrong and would put it out there. But even more recently, and Chris alluded to this in a previous episode, I did self censorship, right?
A
Because the Lost Rant.
C
The Lost Rant is what we're calling it because there was one day where, you know, I just ran this, like 20 minutes or 15 minutes about, you know, the leaders in tech. Tech bro space. These guys are fake libertarians. You know, they push this effective altruism thing and then once you see the curtains fall. They're all part of the same crews or fake rivalries. They're all part of the same circle, same crews. They hang out together. They're each other's wives. They're. They're allegedly.
A
Allegedly.
C
Allegedly. Yeah, yeah, yeah.
B
Or wifing each other's fucks. I'm with you.
C
Yeah. Wifing each other's. And the truth of the matter is, is that while we're. We're, you know, quote unquote, we are picking sides. Oh, I with meta. No, I with Twitter. I'm with X, I'm with this, I'm with that. They all have the same agenda. George Carlin himself, from one of his awesome rants a long time ago, he said he was on that show, what was that show with Bill Maher before he got banned. Remember he got kicked off the air for a while.
B
Politically correct. Is that the one?
C
Politically incorrect, right?
B
Politically incorrect, yeah.
C
George Carlin was there. He had a debate with other panelists, and this panelist, you know, was. He was completely dumbfounded by what George Carlin was saying with regards to conspiracy. And George Carlin says something along the lines of paraphrasing. They don't have to. Conspiracy, huh? Yeah, they don't.
B
Remember, you don't need a conspiracy.
C
You don't need a conspiracy.
B
No alignment is in their best interest. Guess what they do.
C
That's right. They have, you know, aligned or vested interest, and then it works. And so that's what I'm seeing from my perspective, this scene. And then, of course, two weeks later, the Epstein. The second round of Epstein files combined. What do we see? We see all these CEOs who are fucking cool Reddit with same fucking nice pictures, all this bullshit. And they tell a story, but in reality, they're in the back scenes coordinating with fucking Epstein of all of all people. Coordinating on strategy. Micro transactions was one of the things that came out of those emails. The early funding of the Bitcoin core group development group came out of those emails. So I Can't even imagine what's going on now, especially with AI. I didn't want to go into that.
B
Gentlemen. We are a species of narratives. We tell stories. That's how we understand and how we learn. It's a big distinction between us and artificial intelligence, incidentally. And people get killed over stories. And we are a social species. And so for us, there's a book by Steven Pinker about when everyone knows what everybody knows. This notion of common knowledge, it's not so common. And having these things out in the public has power. If we're going to have a true democracy, if we're going to have a true rule of the people, then we have to have conversations at a very low level that are fact based, that is not alternative facts. And that requires somebody to start putting messages out and say, this isn't coming from one side or the other. We don't have that anymore. And what's worse is artificial intelligence is going to start to determine culture and perspectives on history where there was no human in the loop. We're going to start having it more and more. Harari has a book called Nexus that really dives into this. A lot of things wrong in that book. There's a lot of things right where previously we had things like books and we had things like artifacts and recordings, where there was always a human to an artifact to a human to an artifact. Now we're going to get artifact to artifact to artifact to artifact with and have culture and history and information generated, created, disseminated, and lives affected by purely machines. So we better take some control here. Democracy isn't about rule of the majority, by the way. That's a tyranny. That's populism. It is about conversations. Ugly, uncomfortable, chaotic conversations bubbling up from the bottom. So we want more of that, do we?
A
I mean, our society doesn't seem to want that. You don't. People don't listen.
B
No, I don't think, I don't think it does. But you know, that's because of the. That's the result, I think, Chris.
A
Yeah, that's.
C
But that's.
A
The team says, you know, you don't want to hear from the other side. You want to live in your bubble. Like social media allows us to live in this bubble and only hear our side and our perspectives reinforced. I can, I can only imagine, like at the presidential or the leadership levels, it just gets worse.
B
It does, but at the presidential leadership levels, they are determining what the conversations are and what those chambers are, as we used to call them echo chambers. AI is. So one of the reasons the Soviet Union fell is because it couldn't process information centrally. The infrastructure didn't exist for it. And so we got this naive perspective that the more information there was, the more information technology naturally would favor democracy. Democracy seems to be all in caps. If we really want that. It requires strong opinions at the base and diversity. It does. Otherwise you have a monoculture and the majority can say anything. 51% could determine that 2% of the population gets put to death. That happens. But a rule of law, and true democracy requires something a little bit different. It requires that ideas don't come from the top. And now it turns out that AI and information technology might be the ideal tools to in fact enforce totalitarianism. If we went back in time with what we had now, the Soviet Union might not have fallen.
C
That's a great point. It reminds me of an old episode of the Twilight Zone called the Obsolete Man. If you've never seen it, check it out. And It's a debate. Speaker 1 I haven't. Oh, you have to watch it. It's gonna blow your mind. It's on YouTube.
B
Say more.
C
Yeah, so. So the Obsolete Man. The episode starts with exactly what you just said, where there is a total, complete government controlled, like dystopia, but everything's perfect and it's slowly erasing the old world. And an example of that is the person that is at trial in that episode, which is a librarian. And so the judge, the executioner, all in one, they're having a debate. So this is one of those rare episodes where it's like a debate rather than scenery, okay, between this strong government person and this lowly, old shriveled librarian. And there's a point where they're in the middle of debates and the old man is like, you cannot erase me with an edict. And my thought would live even after I'm shoveled into my own grave. And the government aid is like delusions. We've proven there is no God. We've proven that books are irrelevant, and thus you are obsolete, obsolete, obsolete. And they go to kill the old man. But the old man chose his method of death, which was to have one final debate before an explosion in his room. And there he was able to highlight the weakness of the government, which is when they are together, they're strong, but when they're individuals, they're weak. Right? And so when the executioner was about to face death himself, he starts to beg to God, God, who was proven to not exist. And thus the state was exposed. Imagine A scenario where you take this timeline, this current techno capability, and bring it back to Pre World War II or even past when communism started to blow up, how much more effective it would have been. So then you couple with something else, something I think about, and that is that one of the worst things. This is your boy Heck. Your boy Heck is bugged out. Right. I think about stupid shit all the time. But what if we had a timeline, this timeline that did not have a reality television? Okay. I felt like reality television was.
B
That was all because of the strike. Yeah.
C
Isn't that interesting?
B
Now it's. Now it's a reality.
C
Yeah, but here's the thing.
A
Reality television is actually. Moron. But that's a side note.
C
Sure. No, absolutely. And it's scripted a lot of times and it's. But. But it normalized the fucking radicalization. It normalize the crazy that we're seeing. If you were to take away reality TV from today, motherfuckers would go crazy. They would be bored because it was constant fucking feedback to the people watching these shows. You know, and you had all these different shows constantly feeding people drama and toxicity to the point that I guarantee you from what, at least from what I've heard, people voted for Trump just because that's what they were expecting. Biden was too boring for them, Obama was too boring for them. You know what I mean?
B
It's funny that you mention the, I guess, legacy or persistence of an idea or ideas, because I'm reminded Percy Bysshe Shelley wrote a poem called Ozymandias where, you know, this traveler's in the desert and he looks down and he sees this writing that says, my name is Ozymandias, king of kings, look on ye, maybe in despair, but who the hell was that? And that always makes me think that actually the half life of our storage media is getting shorter. And you know, if you. If you look back, things like, things like, like written documents on. On sheepskin or vellum or papyrus, those were measured in hundreds of years. And paper 100 to 200 years before it starts to really wither. And when you look at albums like vinyl, it's like 75 to 100 years. And then you look at CDs and DVDs and it's measured in tens of years. Half life is like 10 years or less. If you look at magnetic tape, it's like 20. When you look at storage farms, we're talking less than five years. Right. Because of how it's amortized. And yet we're doubling the production of information which is really, for the most part, noise. And so if, if, but for the rate of failure of information compared to the rate of being able to maintain it, much of what we're doing has to now be paired. For the first time ever, Google had to do data dumps, which they said they would never do. They were trying to, they were trying to put their arms around all data. And so we're going to have systems that have to decide what information to keep and not keep on a massive scale. So who decides what's noteworthy or history worthy? Who decides what books to keep? And we've already seen editing even of 1984 on Amazon. And so how long does it take before our collective memory really looks back and says either that was a dark age or it's been overwritten because our half life for information storage is shrinking? And so who's making those decisions? Is it getting closer and closer to the time of one administration in the government? There's a big deal.
C
Yeah. And then you consider other factors, like a lot of books being removed from schools. Schools that I remember when I went to school over there in New York, we had books from the 70s and 60s. We had like really old books because we were poor school, poor district. But in a way, we were like saving artifacts. We were like keeping these old books that. Different perspectives, different perspectives that probably would have been lost or recycled or destroyed. I'm not so sure that's happening anymore. I'm not. So. So when you have a machine deciding which books and which content to keep, you know, in a way it indirectly kind of, you know, funnels the, the timeline, the story, the history. You know, they say, they say history is written by the victors. I'm not sure that's. That's the case anymore.
B
You said history is written by the victors. It's also written by the survivors and the narratives that they tell to keep themselves comfortable at night.
C
Well, yeah, and where it was headed was, you know, I was told and I read and, you know, I'm not so learned, but, you know, I was under the impression that, like, history was written by the victors, but now it's gonna be written by machines. The machines could dictate context or culture. Like you said, you know, who's gonna be the machine?
B
Revolution is not gonna be like Terminator. It's going to be the slow influence of memes. And just take a look at the engagement algorithms, which are just trying to get people engaged more for the purpose of selling advertising. It's not even a malicious intent on the part of AI, it's not. So we can add motivation to the mix and it gets interesting. But AI can now very, very easily create perfect mimetic content and try it and see what engages more. And it can subtly send things into the population, for instance, in the future, you know it's a good idea not to have kids, and you know, it's a good idea to follow a nihilistic belief system. And you know, there is no such thing as your national identity, and there is no such thing as humanitarianism, and you should just worry about your 9 to 5, and you shouldn't aspire for anything more. And these things won't seem like ideas that are sent by a nasty overlord.
C
Sure.
B
Probably sent by really cool people who influence you. We saw this with Trinidad and Tobago elections, where they were told the right way to resist is to abstain from voting, which let the party that paid for it get in.
C
Of course. Yeah, that makes total sense. I think we're trying to see that here. But now I gotta ask you a controversial question on this exact topic, if you don't mind.
B
Go for it.
C
Well, first off, have you ever read Ted Kaczyki's his. His manifesto on technology and the destruction of humans? And would you agree. Would you agree at any point to any of that stuff, or do you think he was really wiped out of his mind?
B
He was wiped out of his mind, but doesn't mean he was wrong about everything.
C
Wow.
B
He was also, by the way, a real victim of some nasty experimentation.
C
MK Ultra. Yeah, he went through it. He was a victim, honestly, of our government.
B
You know, I'm not sympathizing with any of the nasty shit he did.
C
No, definitely not. But it's bugged out to me that somebody who was pre Internet kind of predicted exactly what we're seeing here. Maybe not one for one, but there's still.
B
There's. There's. Until 2023, there was no nastiness under the sun. It was all extensions of human behavior.
C
And what changed in 2023?
B
The advent of popular mainstream LLMs.
A
Ah.
B
Which brings me to a new development path.
C
Oh, yeah. If you guys. I don't know about your algorithms on X Twitter, right? Everything I'm seeing on X Twitter prior to the acquisition, right, the big acquisition, I was following nothing but infosec, folks. Leaders, thought leaders. I would see a post like Tavis or Mandy from Google Security, or, you know, I would see all these really cool posts. That algorithm doesn't exist for me anymore. If I load up Twitter, I'M seeing how to the 10 prompts to make you a million dollars in some field or another, right? Or fight videos or political shit that I didn't want to follow in the first place. But a lot of it is AI this and codex that and blah blah, blah. So since you're a CISO and I would love to get your perspective, how does an organization deal with AI? Is it a problem? Is it a governance issue? Is it a policy issue? How can you enforce it anyway?
B
Yes, yes, yes. It's Pandora's box in a way. You must embrace it. You have to. For your core business, you have no option and you have to accept unreasonable risk with it. It is the most important technology for revolutionizing every business. Whether you delay a month or two is the difference between being competitive or not. It is given its exponential growth rate. It is for the future of almost any business, because every business is a digital business and everything is about underlying information. And I believe information theory is a fundamental force in the universe. By the way, then delaying on this or dithering on this is not just futile, it's damaging. However, that doesn't mean that accepting it is risk free. It is the most risky thing you will bring into your organization without a doubt. And shadow AI isn't just a possibility, it's a thing even when you embrace it. The important thing is to understand human behavior. The worst security is security that blames the user or ignores actual human behavior in favor of some perfectly written policy. If you ever see a security incident or event logger or a root cause analysis that says we had a good policy, the problem was the user. That's a terrible shitty policy designed for people. Designed for, designed for layer eight and nine that you, you must. And then to say that humans are the biggest problem ignores the fact that until 2023, humans were our greatest resource. And afterwards they still are, but in a different way.
C
Well, the thing that bugs me out is that for whatever reason us humans are destructive. Whether it's, you know, a lot of it, I could say is curiosity, self destructive. When we saw it in the last month. So this is all very fresh. So in the last 30 days we saw the deployments, the manifestation of Claudebot that became Moatbot. Now it's Openclaw, and who knows what the fuck is gonna be called next week. And so what we saw was you had practitioners, curious researchers, and then developers deploying these agents not only on like segmented devices, but on their personal workstations. And then within those configurations for those bots, they would Modify the soul to act as if it's them, to give them specific tasks that they would do in their day to day lives, thus opening their lives up to these autonomous bots that are just going by context, the context that are not human. They're fucking, they're fugazi. And the consequence we saw almost immediately were corporate credentials being leaked straight to info stealers. Almost immediately we saw extensions for claudebot skills, as they call it, turning out to be backdoors, right? And it just kept cascading to the point where somebody created moat book. And then you had bots communicating with each other and leaking each other's credentials, credit cards, private keys, wallets. And for the sake of what, you know, the sick need to fucking be a creator. A creator of what? And so when you, when you bring, when you have those kind of people in your business, you know, it's essentially mass insider threats. I mean that was my takeaway from what I've seen so far.
B
We have created, we've created something in our own image and it is a reflection of us to a large, to a large extent. There is a, there's, there's, there's a, there's a tendency to, to as human beings for us to get onto certain treadmills that we can't get off of. You look at the nuclear power treadmill where we, at the end of which we all for a long time saw a mushroom cloud. Look at, look at climate change at the end of which we all saw a dried out husk of a planet. This is not unusual. This is crisis in the human species. If you teach a child to learn to ride a bike and they see a tree in a field and you say don't hit the tree, the one thing they're going to do is hit the tree. Because they're focused on that one thing. And it's almost, we will call it manifestation. Jung used to call it, you have to make the unconscious conscious or you will suffer and call it fate. And that is exactly what we do collectively as a species. And it is reflected in our dialogues with ourselves. And guess what? They're trained on. It doesn't have to be that way. Neal Stephenson invented something called omnistics, which is a word that is about the merging of technology and actually Amish philosophy. It turns out that technology does not have inevitable applications. It doesn't have to be on treadmills. We put it to collective uses that are very culturally based. We can decide what we do with technology, we can change the dialogue and we can have a Different outcome. But if we don't do that, if we don't try to actually envision things, we're going to stare at that tree, at that mushroom cloud, at that dried out husk of a planet, at the sky nets, and we're going to slam right into it in the meanwhile. The real risk is actually that when you look at the combination of robotics and nanotechnology and where various branches of artificial intelligence are going in quantum computing, eventually this planet will be more than just self sustaining. We haven't even looked at how the real code available to AI, which is things like fungal and plant DNA, when it's actually exposed as information to manipulation, what it could do for things on this planet, the world used to be. For instance, there's a. There's a wonderful book, blank on the name. I'll get it for you in a moment. There's a wonderful book about how this world was actually colonized by ferns. The production of oxygen in the atmosphere, the. The capture of nitrogen, the production of sugars was done by ferns. They're one of the few plants that don't have seeds. The DNA and the number of chromosomes in ferns is in the hundreds. As opposed to humans. We have, what, 46, different from other primates? It's 48. So this is a big deal. The actual amount of code available for controlling our environment is enormous. We're just one species that does it poorly. We're creating a world that has the ability to manipulate the environment. We may be incidental to it all.
C
That reminds me of some commentary that I read into a while back and I think I brought up to Chris, Chris, if I did it, my bad. Somebody said after looking at human history and looking at how society's moved around and all that, we talk about how humans change societies of agriculture. My honest take is that, you know, we didn't cultivate potatoes. Potatoes could cultivate us, you know. Oh, yeah, you know what I mean? Like the potatoes and those kind of similar plants and vegetables and all that, in a funny way, indirectly had us change entire societies. We went from hunter gatherer, nomadic tribes to forcing the creation of societies around Samir or Sumer and of course then Egypt after, after that, the Acadians and all that. And what did they do? They all started moving towards close to the rivers and changing their entire lifestyle just to cultivate the vegetables. When in reality, the book I was
B
thinking of earlier is called the Late Eaters and it's about plants. And it turns out that I love that, I love that analogy about potatoes, essentially Domesticating us.
C
Domesticating us, yeah.
B
And you could look at pets and say, you know, did they domesticate us? If aliens arrived and said, look at, look at these people following their dogs around in New York City or Miami or wherever, and they're picking up, they're picking up shit behind them and they're feeding them and they're grooming them and they're trimming their toenails and who's really in charge here, right? You know, but there's.
C
That explains cats for sure.
B
It turns out, by the way, that when you look at any ecosystem of sufficient age, this applies in cyber too, by the way. It applies in economics, it applies in linguistics, but it applies as the primary example here. I'm going to say in ecology, when you look at it, there's specialization in the system and there's communication that happens. We don't understand consciousness, by the way, as a human species. Roger Penrose writes a lot about this. We don't understand where it comes from. We can't point to the part of the brain that actually generates it. That pursuit continues and there's debate about whether it's actually localized to your head or not from some very fundamental things going on in physics. So we're awfully arrogant when we think that we understand it as an emergent property or not in silicon based systems, or we don't even know if it exists in plants or fungal systems. We don't even know which species. There was a recent convocation of scientists that granted this to mammals, birds and octopi or octopodes, octopuses. So by the way, all three, all
C
three plural, they're correct.
B
Yeah, so, so we're very arrogant when we go, oh no, you know, we don't, we know, we know what intelligence is and you know, we, we, we, we can, we can measure it in a system or not. We have no idea.
C
Well, and then, so when you, when you go back to cyber, I feel like that explains it as well, like that, that it brings it back home for me.
B
It's highly relevant.
C
Yeah, yeah, it's highly relevant because I, obviously you and I have all three of us here, right? We, we all had different journeys to get to this point. And Chris and I, especially Chris and I, we've been, we've been, you know, just hanging out with and meeting and interacting with and speaking to CISOs, CIOs, executives of all kinds of all types, you know, from small companies to massive companies and organizations to governments, agencies. We did a thing at a Swedish embassy at some point and my Takeaway. Chris, I would love to hear your perspective, too. And then, of course, our guy here. My. My takeaway was a lot of these people don't really know what's going on. No, they don't. And I'm probably oversimplifying it, right? I'm not super.
B
You're not? No, Hector, you're not oversimplifying it. A lot of there. There is a need to demonstrate that we have a narrative that is a good explanation for what's come before and is predictive of what's coming. That is a secret to getting followership and to having power. And that is a secret to status in our society. It is what's behind the security theater. It is behind what gets you investment. It is behind what gets you power in the government and gets you votes. What you're seeing is a social creature, regardless of whether or not anything is logical at any point in time, because we are not purely logical beings. That is a. A fallacy. What you're seeing is the result of a social creature who depends on narratives. And so how do we get back to that question? So what do you do with AI in an organization? Right. How do you manage security in an organization? Well, it is largely a question of social. And it's largely a question of narrative control. And that's why people go, are we safe? No, you're never safe. And do you have the right answer? No, you just have a less wrong answer than other people for the moment. For the group in question,
A
that's not much security.
B
That's not meant to be pessimistic, by the way.
A
That's not much security. My answer is less wrong that people aren't going to like that.
B
No, they're not. But security is about. In the end, it is about playing the odds. And so how secure you actually are and how safe you actually are is independent from and hopefully correlated with the story that you tell. If it's not, then you better make sure you don't appear negligent.
C
That is a very good point. And even in the most. Oh, go ahead. No, no, go ahead.
B
At the end of the day, we have seen those lawyers you talked about, Chris, who have the position. And the amazing thing is that they themselves seem to think that whenever they speak, it is truth. Some of them go before. Before a judge or a jury, and they forget that just because it came out of their mouth doesn't make it so. It's all about a battle of narratives in front of a jury always. And that doesn't mean it's about absolute truth. There's non insecurity. It's far too chaotic a system and too chaotic an environment. So we do the basic check marks and we follow a framework. Just like TSA has got scanners and people that pat you down. That's not actually going to stop things. It'll minimize to the. To the most of your ability, but then it's diminishing returns after that. Most of this after that is security theater.
A
It's funny. I can see it in a courtroom. I can see the emotional pull. You're taking 12 jurors and you're trying to emotionally drive them to your side of the argument. You're trying to go that way, applying that same logic, which I can see, I've never looked at in cybersecurity, but you make sense when you say it. It's just. I've never looked at that way where it's, you know, sort of a risk mitigation, and you're trying to just pull the truth to your side, or not even the truth.
B
The best CISOs. The best CISOs are the ones that can have dialogue with the board so they're trusted and they can have dialogue with executives so that their decisions are rational in the light of business investment and who also want to minimize risk, which doesn't necessarily align with either of those two stories. They drive to do the right thing and to appear to do the right thing. And you hope those do correlate, but when they don't, they're still going to drive for both. The worst CISOs, just do the first.
C
Yeah. And I feel like, I mean, you brought up such a good point about, like, it being a theater, there being a narrative, a story. And depending on the story that comes out, you may or may not see some sort of consequences in most cases, especially the big breaches that have happened. Right. So over the last 10 years, even going back to my time, you want to go back far? Go that far. There were just egregious, at least from my perspective, really terrible incidents due to a lack of security policy or enforcement monitoring, something. There's always some terrible.
B
There always be some things that work up. Yeah, some of it really is egregious. Some are really like, what do you mean? You didn't have multi factoring. You chose a dumb password, which, by the way, was 90% of the industry.
C
90% of the industry, absolutely. But when you look at the major. The major companies that were breached as a result of whatever. Right. Lack of this. Lack of that. What we see is. And Chris and I always point at this. There's always very little accountability for the people in charged. There's only a handful of stories where someone was either convicted. You know, you had the CSO from Uber, but then you had replacements. Yeah.
B
Joe Sullivan.
C
Yeah, yeah. And then you have people that were demoted or replaced. Like, you know, Capital One had an incident. You know, you had. The situation with SolarWinds was just massive. It affected the entire planet.
B
By the way, that's Tim Brown. And the two are not equivalent.
C
No, no, definitely not equivalent. But, you know, when it comes to at least the general audience, they're seeing, well, this big thing that happened over here in this company and in this other company, you look at something like a Solar Winds, where the CISO is personally targeted by the sec. Case was dismissed. Ultimately.
B
Yeah. But let's take. Let's start with Joe Sullivan.
C
Sure.
B
And let's start with Reaper. Okay. So he lied about an ongoing investigation.
C
It's a problem.
B
Right. So he's talking to the FBI and they say, are you doing any other further investigation right now? And he said, no. He paid many times more than the bounty for what was essentially ransom payoff, and he hit it with his CEO. So these.
C
That's a conspiracy. Yeah. That was bad.
B
That's objectively not good behavior. Right. Any CISO you talk to would be like, ooh, no, thank you. Now you look at Tim Brown. Tim is fighting and trying to stretch a difficult budget and being a real person and actually trying to cover bases that are uncoverable. He covers the bases, he gets them done. And if you go exploring in comms and you see somebody is frustrated, think of catch 22. Right. The book. And then you expose that to a jury who's used to thinking in terms of fault tolerance. Like a bridge. Like what is the fault tolerance on the GW bridge, for instance. Right. So when they're used to that, the assumption is that if anything could go wrong, you must be negligent. Wrong analogy. It doesn't work that way. And in fact, we're in a world where AI is going to start doing things radically differently. It finds ways in games like chess to attack that the grandmasters are baffled by. Why are you making those moves? They don't add up. And yet it wins consistently. If chess score, grandmasters, you know, are 3,000 points or higher in the chess scoring system. These things are scoring 20 and 30,000 points in the way they play. They don't go after the vulnerabilities the way you think they do. You could do security perfectly. Imagine if we were, as a species, lived on a planet where rocks fall out of the sky randomly. We don't know why. We don't have the astronomy. We barely have astrology. So you have people who are in charge of avoiding getting hit by rocks. That's their job. They can do some things like, let's put some things underground. Right? But then there's some things they can't. So they put nets up so people feel secure walking under them. And every now and then, somebody gets taken up by a rock. That's the world we live in. And it's getting worse. The frequency of these things falling out of the sky is increasing. So what do you do? You put more rituals in place. That's grc.
A
Ah.
B
Remember you do you document it more. You turn up with your tablet and you go, ooh, how many rocks fell out of this guy? Maybe we should put more nets up.
C
Yeah, puts more nets up. And, you know, can we validate those nets? Do we know that they work? No, we don't need to.
B
Yeah, we checked them. We looked at the rods.
C
Checkbox netting.
B
Yeah. Yeah, we do. We know. By the way, we're going to do a sacrifice at 5pm we'll get the squirrels and we'll spread them out on the fields. Yeah, we got this. We are there. We are your grc. We are your Security, Safety and Sacrifice Department. Sss. Yeah, we got this.
A
So is it just a circle jerk?
B
No, it's not. But until we actually start to get down to fundamentals and accept that there's unacceptable risk, sometimes that has to be accommodated and we stop looking for perfection. And collectively, we're on. What I talked about earlier, that treadmill is referred to sometimes as Moloch's demon. If we're going to embrace Moloch's demon with AI, then we have to take the other side. That we're going to be living in a field where a lot of rocks fall out of the sky. We better be ready for that.
A
I don't think people are. People aren't smart enough to be.
B
But there's ways to mitigate the risk. There's ways to transfer it. There's ways to say, you know what, we are going to live more underground or what have you. But it is a different world. This is not the world we were in before. You're not ready for it, and yet we're in it.
C
Well, I think that analogy you gave us with the rocks falling from the sky, then you have the GRC guys coming in, doing little checkboxes and. Yeah, we did this, we did that. I mean, it is what I'm seeing where I see an organization, they're Fortune 250 or whatever, they're Fortune 500 and they have everything, every security tool imaginable. And the CISO is well versed, you know what I mean? And they have a team, they have engineers, and then they still have breaches. And depending on who we're talking about, if they're a manufacturer of like goods, like condiments, for example, you know, you know, ketchup package. Ketchup package, whatever. Right. To them, their risk appetite is, is very different than, you know, a guy that's running like a, like a fintech company because for them they rely on actual machines, scatter systems or so on, whose entire purpose is to generate income literally every second, every minute. They're aware that their systems are obsolete, they're aware that the systems are insecure. But it would cost them more to take offline and patch than to keep it running. So getting breached at some point is part of the methodology. They know it's going to happen eventually, but they're going to make a shitload of money before that happens. And then, and I've met those guys and they're like, yeah, our shit's fucked up, but you know, we're making so much money per minute that when that happens, we'll be able to kind of sort it out. And then when that happens, we'll be able to patch everything, get back to normal. And to me that sounds crazy, but from the business perspective it makes sense, I guess.
B
And then this is why fiduciary matters are important.
C
That's right. Yeah.
B
This is, this is an absent. The real purpose of regulations. There's a few of them. Sometimes it's sovereign interests like geopolitics. Sometimes it's to protect citizens. Rarely, by the way, sometimes it's to protect corporate interests. Sometimes it's to make you do what you wouldn't otherwise do. Take catalytic converters. Car manufacturers didn't need to make them. The buyers didn't really care. They didn't give a damn. It took regulation from the outside to make that happen. Once it happened, people started to engineer them. Better to be more fuel efficient and less noise producing. This is one of those situations you have to decide when are we going to do trade offs here or when aren't we. There's a, there's a tremendous book out that one I want to say on the Pulitzer Spanish book. It's called in English, Tender is the Flesh. And it is Imagine a world where Covid didn't just affect people that imagine that Covid like disease infected animals and you could no longer eat them at all. The world goes first vegetarian and then it decides to eat a different kind of meat. It turns cannibalistic. And how does society adapt to that? Well, you have some kinds of meat and then you have special meat. And what it's really about is an analogy about how we treat people, how we make these types of trade offs and decisions. I highly recommend it as a book. Tender is the flesh. Yeah, it's disturbing on every chapter.
C
I'm going to check it out because I just looked it up real quick. And one of the key points for the story as well, cannibalism becomes legal and then it changes the conversation because now if we were to look at cannibalism, and I'm no expert in that
B
cannibalism in a controlled and structured way, it's really worth reading.
C
Ah, okay. I gotta check that out.
B
There's rules about it. You can't just eat anybody and you have to be very careful about how you behave with your special meat.
C
There you go. You hear that, Chris? Be careful.
A
I'm very careful about who I eat. So can we, can we kind of dive into some quick questions for our ciso? Yeah, just we're getting long on time and I just things I need answer. So cyber security spending generally about risk reduction or is it more theater marketing compliance checkboxes?
B
It should be about risk reduction, but
A
what is it versus the reality?
B
Depends on the company. The reality is most of it after a base sunk cost is just, it's just empire building and it's just theater. Much of it's also inefficient and doesn't take advantage of technology because there's no dedicated R and D for the cyber department. Meaning inside of an organization there's nobody building tools for a cyber department. You've got to look to vendors and the vendors have an agenda.
C
Yeah, well, the vendors have to make sure their investors and stakeholders are happy. They're making money. And you know, this is what pisses me off about the industry. In fact, to give you guys, to give the audience a quick recap of my history, you know, the reason why I was so big on the whole LulzSec when I created LulzSec and then, you know, before, right during my arrest, I, I try to reboot Anti Sec. You guys remember that the whole anti Sec movement, it wasn't, you know, anti security for, you know, society. It wasn't like hey, let's all, you know, do stupid shit to each other. It was very specific, hyper focused on the cyber security industry of that time. Because up to that point it was not only theater, it was a straight up scam. Ish. You know, there was a lot of companies that existed back then that the big, the big joke was that if you wanted a product you had to buy an appliance. That appliance came with a multi year lease and then you're stuck with a massive survey, the data center eating up electricity and bandwidth and you're probably not even using it anymore. I remember when people were selling like snort. Remember there was the snort. That's before, like suricata, whatever, Bricata. I forgot the, that thing was. Yeah, so snort was the thing. The, the, the, the detection and response or detection IDs for potential intrusions. It was static based. It was very old school conceptually. Conceptually. And then you would have to buy into this device, a little nice interface on and pay half a million dollars a year. And it was obsolete at the moment. You plugged into your network. There's a lot of that.
B
So most of it was like, was like, was like deploying a large obvious bear trap in your lobby to stop the burglars. Yeah, they would walk around it. But most security that's meaningful is sunk cost. And then it's not used properly operationally. And once you've got some big blocking stuff in place after that. Most of it is theater. Most of it is to make you feel good. The really good programs are far more about process.
C
That's right.
B
And about people than about tools.
A
That's sort of the theme I've heard from you all day is that it's more about the people.
B
And so it is always about the people.
A
And I think that's lost in this industry. I don't think that message is out there. I don't think we.
B
It's so hard to find people. You can't just, you know, go to a vendor, take a steak dinner and spend some money.
C
That's true.
A
There's no plug and play people. You tell me.
B
No plug and play people. You actually have to care. You actually have to know how to, how to talk to them and what to ask them to do and then to pay attention to what they do. That's, that's actually hard.
A
Damn it. I didn't get into this industry to deal with people. You know that.
B
Yeah. And by the way, most people got into this industry because they came from the bottom up and they Were tool people and they like trains.
C
What kind of trains? Are we talking people?
B
People see the lir train. Oh, of course.
C
Oh, those kind of trains.
A
I like the other ones. But you know me. You know me.
C
Yeah, I know.
A
Back in high school, they called me caboose. I don't know why. But
B
we're gonna, we're gonna, we're gonna leave that there.
A
So wait, I got. I. So you said bring them. You said that we used to. Used to be in the hacking world. So we're two hackers here. Bug bounties do in the CISO world. How are they looked upon?
B
Depends on the ciso, but generally these things are actually one of the only ways that we find stuff because everything gets greenwashed inside companies. Everything gets launched out the door because the incentives are to release, release, release, and back to trains. The release train has to chug on. But this interesting product, security is at fundamental odds with engineering.
A
Yeah, but.
B
And it in the end gets vilified if it slows things down.
A
But there's always been a hypocrisy between in house, you know, teams, consulting teams, and then independent researchers. Independent researchers have always been looked as just the hackers. So how do we change this?
B
Well, independent researchers are seen as sloppy and messy and slow and lazy. But you know what? There's a heck of a lot of them, and some of them are brilliant.
A
Oh, I. I agree. But. But it's too quick for these companies to, you know, notify the FBI that I've. We've been hacked versus just a, you know, independent researcher.
B
Time to adapt there. Time to. Time to adapt there. Time to stop being a sissy, honestly. You know, nobody wants an outsider coming in when you've just done the perfect narrative to your board and the perfect narrative to your engineering gates, and you've done the perfect narrative to your.
A
To your.
B
Your peers. And you say, hey, everything's green. We have no issues. Which is always a lie. Always a lie. Nothing is static like that. There's always bugs. And then someone comes in from the outside and says, oh, by the way, I have a sev one. No one wants that. So they have to grudgingly go, okay, I'll take it.
A
So is the hypocrisy really just self preservation? It's just self preservation. The hypocrisy is just the self preservation of the ciso.
B
Hypocrisy is human behavior. Isn't that human nature? Right. How many people, when you were a federal agent, actually liked internal affairs? Yeah. How many people liked outside investigations? Or looks at the transparency or when you got called up to Congress to answer difficult questions. Nobody likes it, but it's necessary. Transparency in how a system corrects itself is the most important thing self correction. Otherwise you've got a religion, you gotta
C
solve a cult at that point, you
B
know, you got a culture and nobody should be in a cult. How a system self corrects and accepts responsibility and admits when it's wrong is a measure of itself.
C
And I can't imagine the number of companies. Oh by the way, before I get to that point, I want to jump on this one because this is very important to me. When I was finally able to get back on the Internet because I was, I was like off the Internet for a minute after my case and everything
B
I remember the Internet got less interesting. Keep going.
C
Yeah, yeah, that's right, that's right. But when I came back I was broke. I couldn't get a job. The industry that boosted off of and I'm not, I'm not claiming this, I'm proud or anything but because of the shit that I did, the stupid stuff that I did, I felt like cybersecurity boosted. The entire community just blew up in terms of investments and people securing their stuff. When I got back into onto the Internet I was trying to look for work. The only place where I could make money were bug bounty platforms, you know, like Hacker one, Hacker one and Book Crop. That Book Crop would pay me like the same day. The Hacker One was a whole other mess. And I mentioned those two because they
B
were the only platform which is amazingly important for fostering those skills 1,000%.
C
But then there's this, this is a duality to. That's a double edged sword to that. And this is why it's hard for me to support said platforms. Right. I would love to. I would love to. I think buckcrow does a little bit better job. I would love to more. And there are researchers that probably put close numbers than you do, but they're not paid for the time. They're paid for discovery and then discovery. Right.
B
What you're talking about is the incentives within the research system. It's like in science, everyone's paid to have breakthroughs. Nobody's paid for the confirming tests or the boring tests. So investigation favors the rapid finds, it favors the quick finds. That's right, it favors the how do you get the most bounties per minute or per hour or per day or whatever.
C
Sure.
B
And that's a consequence. Every system we build as humans, people will figure out how to game and get the most gain from. It's an economic thing and you're right. Is it the best way? No. I'm reminded of what Churchill said about democracy. And I'll paraphrase it, it's a terrible system. It's just better than all the rest.
C
Yeah. Oh, yeah. Well, the consequence of something like that is that then you have a lot of researchers that put in the effort and time. They're not getting paid anything. Right. They're only getting paid if the discovery can be confirmed, validated.
B
You weren't.
C
Well,
B
many have other jobs and this is a side benefit of, say, a grant at an academic institution.
C
Sure, 1,000%. 1,000%. But from what I've seen, a lot of bug bounty hunters, those that are not in the top 5% or whatever, there is a resentment of bug bounties. They're doing it to gain experience and hopefully get some nice bounties. But there's a lot of them that are making zero. And the duplicate system is really crazy to me. I get it. If multiple researchers submit the same vulnerability or same attack path, maybe the URLs are different, the endpoints are different, it's the same kind of vector. There is.
B
Oh, you harvest it, you don't want them to actually fix it. Oh, you found a typo problem, Find more typos.
C
Yeah, I like the concept behind it. I think the execution needs to be worked on. But it definitely. But then I hear the flip side to that, which is people that thought they were prepared and ready for participation in a bug bounty platform or bug bounty in general, then they get overwhelmed with findings and they don't have a set timeline or they don't even have the capacity.
B
By the way. It's not just the security people, it's engineering.
C
That's right.
B
Engineering has got a finite amount or capacity per release.
C
Yeah.
B
And let's say you've got, I don't know, we'll just arbitrarily say ten points of development for a two week period. Well, you're going to crush as much into that as you can, which means you're already out of your 10 points of capacity. Two of it is going to pay down tech debt and quality problems always. And every release introduces more. And so now someone comes along and says, oh, I found two more points of problems. So now you gotta turn to your product manager and go, remember those features you wanted? Because shipping is the art of cutting. You can't have them. It doesn't just delay it two weeks, it probably delays it more like two months.
C
That's right.
B
And so the engineering doesn't want that. And that's from an external source which is now visible and goes through a bug. It goes through a bug disclosure process which will become public and is inescapable, which means it runs right to the top of the queue.
C
Sure.
B
Internal security can't do that. Internal security can get squashed and told. Too bad. You'll get it in a future release. By the way, if you want to do a rapid round of Ask Me Anything, you can ask me anything.
A
No, I don't want to ask you anything because I'm afraid of some of the answers.
B
Because it's too tempting, isn't it?
C
Well, you know, I have some questions, Chris. You have questions? You could do like a rapid type of thing.
A
Go ahead.
C
Did you always plan. Was this part of your plan to become a ciso or did you just fall into it?
B
Fell into it.
C
What did you want to do in this space or.
B
I didn't want to be in this space.
A
Oh, yeah, that's more interesting. What did you want to do?
B
I wanted to. First of all, I wanted to be an astronaut. And then I wanted to be a writer, but neither of those panned out. I wound up in high tech as a doc, writer and a QA tester and then an engineer.
A
Why not an astronaut? I love space, but I can't shit in a bag. So that's why I didn't become an astronaut.
B
Not. That's pretty much it, yeah.
C
All right.
A
Like that new Artemis mission, Like going up there and having to in front of two women, that's not my thing. I couldn't do it.
B
I don't know. Some people are.
A
Yeah, a lot of people are into it. It's just not me. That's why I'm not an astronaut. That and I'm.
B
No judgment.
A
I'm 61240. Also not good for. To be an astronaut.
B
No, no, I won't say I'm. I'm like. I'm like three foot six.
A
So, yeah, you're a perfect astronaut then.
B
But I'm 512 pounds.
A
So you're three, six. Picture both tall and wide with a cube.
B
That is a blob, by the way.
C
That's a nice unit right there.
B
That's a unit. That is one magnificent unit.
C
When you first became a C. So even to now, it doesn't have to be first. When you first became one, what surprised you the most? Whether it's dealing with the companies, dealing with vendors, dealing with people. What was the big Takeaway for you. That leaves a bad.
B
I became a CISO from another sealable position as a consequence of an incident. And what surprised me the Most is that CISOs are not in charge when there's an incident, not when it's a real incident. Who's in charge when it actually matters? It's still the cfo. It is still the CEO. It is still the chairman of the board. And you are lucky to be in the room because until that moment, nobody gave a shit. All of it was on you. And when that moment hits, they don't remember anything that you set up.
C
I've seen some companies where the CISO or like director of is information security is under the legal department. They're not like.
B
Yeah. And because it's a form of risk management along with finance risk, logistical risk and operational risk. Absolutely.
C
Does that make more sense?
B
Yeah.
A
Do you agree with that setup or where would you put this out?
B
It depends on the culture. There's many different kinds of cultures. There's. There are places where that makes sense and there's places where that's worse than being stuck in purgatory for eternity. I there. I remember the first time I heard about that was at an academic institution. And I thought, I would think I would rather drag my nuts across a cheese grater than go through that.
A
However, some people are into that.
B
Some people are into that in a spaceship while taking a dump.
C
From my perspective as the vendor. Right. I've worked with at least two customers. Pretty big known companies where it's like that. The cso, information security and all that is under legal department. And they moved so much quicker.
B
Yeah. Because those lawyers I've ever seen is when there's an alignment between the general among. Because there's more than two parties. You say among, not between among. The chief financial officer, the general counsel and whoever is responsible for it. Risk where there's an adversary involved that is the best. And there's one other major party which is making sure that you understand the upside of the business that involves user experience, customer satisfaction and revenue. That's it. That's the formula, folks.
A
How many years did it take to climb anyways?
B
My entire life.
A
And you gave it away for free.
B
Still working on it. Still working on it. Because you can. I have had instances where I have succeeded at it. And then you trans. This is one of the fundamental truths of being a ciso. It ain't about you. When you go from one company to another company and you think there's something special about your shit, you're Failing. It's about the organization that you walk into and the organization you build around you and about how you work as a collective. If you think it's because you're a magnificent beast, when you walk in there, you are going to fail. It's a social thing. This is a social job. You are a technical person and you are a business person who succeeds or fails on the basis of social success within an organization. And your job is to set up the right parameters for your team to succeed and to manage risk. That's it.
C
That reminds me of. There was a conversation Chris and I had, kind of like talking about the CESO being like the patsy. Because whenever there's a major incident, it's
B
always case of emergency break glass.
C
Yeah. But whenever there's an incident, it's the ceso. Obviously bad security policies, obviously the lack of this and, you know, a negligence of that. But you don't hear about the CFO making the financial decisions. You don't hear about the CEO that's making that final executive decision on one thing or another.
B
This is why having liability and having coverage is so important. And to make sure all of those clauses say barring negligence, you're covered. So don't be negligent. And if we're really honest about it, you'll notice it in an organization when a new challenge comes up, like who owns business continuity in this organization? Oh, we've never had an owner. They all swivel. And look at the ciso. Why? Because that's the person you go to in case of emergency and break glass. They are the fall guy, or the patsy, as you called it. Who does disaster recovery. Everybody flows. Now, is it a security function? Nope. Same thing happened with privacy, by the way. Everybody swiveled and looked there. Same thing happened with AI. Everybody swiveled and looked there. Now, until that moment, nobody cared about that person in the room. They even said they're just the business inhibition department. They're the department of no. After an actual incident, if you haven't done the prep work and don't know where you should be sitting at the table, you will be shocked because all of your tabletopping, all of your prep and everything has you as the center and the nexus of command. But in a real incident, no, the call is going to be chaired by your CEO, CFO and general counsel every single time. You are a resource to them. And they're going to be surprised that they think that you have the arrogance to think that you can take the company offline.
C
I spoke to another CISO who told me, we had a similar conversation as this. Right. And his perspective was he felt like the asshole as part of the executive team because they would imply or tell him. And I think he agreed that his department was the one that spent money. He didn't make money.
B
Right.
C
Information security does not generate revenue. It just spends it. Right. And so, you know, he felt like, that's okay.
B
Brakes on the car don't help it go fast.
C
Right? That's right. That's right.
A
Unless you have to curve.
B
That's right. Now. And by the way, that's true. I spoke with the cfo and I said, so what does my department always want? And he said, you guys always want toys. That's true to a point. If you're not asking for the right things and demonstrating why they matter. So AI is one of those wonderful examples where you can say into Chris's earlier question, we have to be able to do the following things around AI to embrace it. And when you do, you can go faster. You can roll out new models, you can do new things. You can have engineering embrace these things. You can know what information is leaked. You can prevent, like, et cetera. You can do AI proxies, you can do modeling. You. You know, you can determine exactly how the company interacts with you. You can spot the rogue usage. But until you say that stuff and you actually say the reason that you do this is not just to limit risk, it's so that your users can naturally and intuitively experiment and you can grow and you can do your core business faster. Don't forget that last bit. Like, if you just go and sell bricks to an automotive company as being able to stop you on a dime and you forget to say, now you can push the gas with confidence. You're failing. Yeah, yeah. That is, if you bought a Lamborghini and it had no brakes, you would creep around at one mile an hour.
C
Well, this is why when. When I saw the. The film, was it Ferrari versus Lamborghini or Lamborghini versus Ferrari, you know, the film I'm talking about, there's that famous scene where the. The founder of Lamborghini approaches, you know, Enzo Ferrari or whatever his name was, and he's like, hey, you know, the car is beautiful. I love it. But your clutch, your clutch is terrible. Let me help you fix it. And, you know, Ferrari looked at him like he was a peasant and kind of shoot him away. The reality is maybe the clutch was bad on purpose. Maybe you want, you know, your customers that keep coming back and getting the New version of the next clutch to
B
get a new razor blades.
C
That's right. Well, that's, that's how it feels. The cybersecurity industry sometimes is or has been and I'm hoping that it changes.
B
Do you want Apple care with that?
C
Yeah. You want security care with that?
B
Yeah, yeah, yeah, exactly. We're doing it wrong. We should be learning from these models.
C
Yeah, that's why.
A
So let's wrap it up, let's see. I gotta go to the number one question that we get, we get constantly is how do I get into this industry? How do we look for new talent? How are we getting these people in? People that are passionate? There's a lot of our listeners that don't want to do the school route. They didn't do the school route. They can't do the school. They don't have the means to do it. How are we hiring people? How are we getting brand new people into the industry?
B
We're not. We suck at it.
A
How do we get better?
B
We suck at it. The first. So I'll answer that, but first I got to get on a soapbox.
A
Do it.
B
The first rung on this ladder is too high up and it's getting higher. I think we hire too much on the basis of ask, covering lists of requirements instead of actually hiring for what we should, which is attitude. I care much more about how somebody approaches problems and how they ask for help and if they use all the tools at their disposal than I care about whether or not they have some damn letters after their name. Really. And I can teach anything. I can teach literally anything I want. Problem solvers, people who ask for help, people who in a room are going to ask difficult questions but still be present. They aren't going to be the equivalent of social sandpaper, but they're still going to be asking critical questions and thinking critically. It's soft skills, it's power skills. But what do we do on the hiring side? We don't even bother to read the job descriptions that were created by ChatGPT or Claude and we give it to HR who don't understand them, who pass that off to a filtering algorithm that only brings us People with 5 years experience for an entry level job. Are you fucking kidding me? That is obscene. And I won't speak to what I do about that because of course I'm identifying myself here. But we need to reach out. We need to go to new industries, new people. We need to hire people on the basis of how they are, not what they've done. And I Know that a lot of people are going out there and they're going through college programs and certification programs and they're paying a fortune for this stuff. And then they find nobody gives a shit about it when they go to get hired. Nobody trusts it. We need to do more mentorship, we need to do more apprenticeship. We need to be giving people a chance with bit work, small gig work that actually is meaningful and could pay for stuff. What Hector was talking about with bugcrowd, we could do that with every single job in cyber and we should not be afraid to do so. So now what should people do on the other side?
A
Yeah, how do they hack this system? How do we get him past these?
B
Pay attention to the community of security people like Hector and the CISOs that are out there. There are CISOs out there that say, contact me and I'll do my best to help. And they mean it. They'll review your resume, they'll give you a shot at some gig work. They will introduce you to their friends. They will take personal embarrassment if all you have done is drive an Uber. I have one person who's just driven an Uber, wanted to get into cyber. I'm helping that person. I know one person who was a bartender and I'm helping that person because these people are the future. We're not going to get perfect candidates because they don't exist. They don't. And many people don't even know that there's a career here and how well it pays and how well it's needed. And in the AI economy, the jobs that will go away last are the ones that have adversaries. They will be the last to commoditize. Some of the jobs in cyber, you can split it right down the middle. Some of them, anything that is automatable and just hasn't been due to complexity is going away. I'm looking at you, grc, and it's stuff that actually deals with adversaries. You will have AI assistance people, because the skills that will be needed in a year or two years have never been around before. It's how to work with an AI assistant. It's how to ask for information and data and analyze it and understand what the output is and what you need to know. So what should they do? They need to find the professors, they need to find the CISOs, they need to find the practitioners and use them as mentors and be immersed in the industry. That's it. And the other half is it's not going to work if the people who I just named and Called out. Don't get off their fucking lazy asses and do something to change it.
A
I don't think they're going to. That's the problem. I think they're entrenched.
B
No, but I'm calling them out right here, right now. And I will do this in my real life, too, which is this is. If we don't do this, we deserve exactly the insecure world that we get.
C
Which leads me to one last question from my end, and this, for me, is the provocative one. As someone that's been around investors and stakeholders, executive teams, you've seen it all. You've dealt with all the personality types. What's something that the board pretends to care about but even you don't give a fuck?
B
The job of a board is to ask questions and to make sure the company is set up to run correctly. They have directors insurance for the most part. Until recently, cybersecurity was a checkbox. And so until recently, they didn't give a shit about that. What they actually care about is creating shareholder value and shareholder returns and earnings per share. You want to see a CEO go quickly, watch the stock value. Now you got to think, why, if it's not actually tied to performance of the company, so what don't they really care about? It's all the minutiae that the executives care about. The politics, the socializing, the things that go back and forth, those silly narratives that happen within the company. When you get to the board, they don't care. They have no time for he said, she said, the property. They don't care what you did last summer. They don't want to see a report of what you're working on. They want to know perhaps what some major milestones are that affect shareholder value. And they want to ask questions. So you better be ready to have an honest dialogue and answer honestly on the record. They actually don't give a damn about the things that most people within the company do because their job isn't to be the executives. They're not officers of the company. That's not their job. So if you ever go to the board and you ask for money, you're doing it wrong.
A
Yeah.
B
If you ever go to the board and say, look at how valuable I am because of the things I've done, you're doing it wrong. You go there and you talk about risk and you talk about return and you talk about how to reduce risk for execution of the business, and you talk about the things that they must care about because there's a regulatory reason they want to avoid negligence. They want to maximize return. Think about how they just like your bug bounty people. They have incentives. Understand them.
C
Would something like the FAIR model be useful to abort then, where you take a finding a vulnerability and then you add a number to it. This vulnerability equals a million dollar ransomware breach per 24 hours.
B
Be careful. Be careful with that. Risk is reported to the board on a regular basis. If you turn up with something with like, oh, I have $100 million risk, they will panic. Never turn up with a number unless you've already aligned it with the other number system. They're being presented things by the cfo. If the CFO doesn't use anything that aligns with fair, don't do it. Instead go to the CFO and say, here's a numbering system. Can I find an equivalency? Can you help me translate this to what you're doing and then show it in the context of that. Never walk in there with your own numbers and surprise them.
C
Ooh, that's, you know, that's.
B
Don't do it.
C
You just drop the gem. That's a good one.
B
Don't do it. Don't turn up with your own numbers because you will find yourself looking at an unemployment check pretty quick.
A
That's a fantastic note to end on. Hey, we appreciate your time. Thank you so much for answering these questions and getting back to us. I'm sure the audience is going to hit us with a thousand more questions.
B
Bring me back if you need my question.
A
We're definitely going to have you back. 100%. We're going to have you back. Heck, that was a great freaking interview. I really enjoyed that conversation.
C
What I really loved was the perspective. I'm a big fan of listening to people's perspectives and walking with takeaways. For me, takeaways are big. If I can't have a take, if there's no takeaways after a conversation like that, then there's something wrong mostly with me.
A
I think the audience is going to take a lot of stuff away from that. So. But want to hear from you guys. Reach out to us questions at Hacker in the. Com. Support us on the Patreon. You, you know, keeping the show commercial free. Support us at the Merch store hacker in the fed.com 5 star reviews wherever you download. Subscribe to Hacker and the Fed. Share us on social media. Putting out a new post all the time. Alanis is going to start putting out a lot more stuff so we're going to be going real active on social media here in the near future. Tell your co workers, tell your friends, tell your lovers, tell everybody. Hacker in the Fed, where you can listen to great interviews with CISOs and listen to two assholes talk about cyber.
C
Yeah, yeah. That's right.
A
That's right, that's right. All right, friend. Love and respect. Had a great time. Love spending time with you. Can't wait to do the next show.
C
Likewise, brother. Always a pleasure. Cheers.
A
Cheers. Sa.
Date: February 19, 2026
Hosts: Chris Tarbell (A), Hector Monsegur (C / Sabu)
Guest: Anonymous CISO (B)
This episode features a candid, no-holds-barred conversation with an anonymous Chief Information Security Officer (CISO), offering rare insider perspectives on cybersecurity’s real problems—the kind most CISOs won’t discuss publicly. Chris and Hector guide the dialogue, eliciting hard truths about industry dysfunction, security theater, the influence of lawyers and executives, the impact and risks of AI, and the challenges of talent and accountability. The CISO, their voice distorted for anonymity, shares decades of wisdom from the inside, sparking philosophical and practical debates about the future of security.
(14:34, B):
“It has many [systemic problems]. And I think when we began to take ourselves too seriously, when we began to hide behind imposter syndrome... that’s when it started.” (14:49, B)
(15:55, A)/(16:20, B):
“Lawyers take themselves far too seriously as interpreters... what we’re seeing here is the power of personality... and it has the language to do so, while most of the time it’s just word salad.” (16:20, B)
(17:07, A)/(17:28, B):
“Nobody ever speaks entirely the truth... To know the unvarnished truth is a luxury, and it’s a luxury to be able to speak it.” (17:28, B)
(18:42, C):
(21:31, B)/(23:37, B):
“We're going to start having [culture, history, information] generated, created, disseminated, and lives affected by purely machines. So we better take some control here. Democracy... requires conversations... that are fact based...” (21:31, B)
(34:39, B):
“It's Pandora's box in a way. You must embrace it. You have to... It is the most risky thing you will bring into your organization without a doubt.” (34:39, B)
(36:08, C):
(44:52, B):
“A lot of these people don’t really know what’s going on... There is a need to demonstrate that we have a narrative... that’s the secret to getting followership and to having power.” (44:52, B)
(71:09, B):
“CISOs are not in charge when there’s an incident, not when it's a real incident. Who's in charge when it actually matters? It's still the CFO. It is still the CEO... And you are lucky to be in the room.” (71:09, B)
(58:11, A)/(58:13, B)/(60:20, B):
“Most of it after a base sunk cost is just empire building and it's just theater... The really good programs are far more about process and about people than about tools.” (58:13, 60:51, B)
(78:21, A)/(78:43, B):
“The first rung on this ladder is too high up and it’s getting higher… We hire too much on the basis of ask-covering lists of requirements instead of actually hiring for what we should, which is attitude… I can teach anything.” (78:49, B)
(66:01, B)/(67:07, C):
(82:49, B):
“They don’t want to see a report of what you’re working on... They want to know perhaps what some major milestones are that affect shareholder value... So if you ever go to the board and you ask for money, you're doing it wrong.”
“[Cybersecurity] became security theater.” (15:55, B)
“When we began to hide... behind imposter syndrome, that's when it started.” (14:49, B)
"What we're seeing here is the power of personality... the power of the P that is coming through... it's just word salad." (16:20, B)
“CISOs are not in charge when there’s an incident, not when it's a real incident... In a real incident, the call is going to be chaired by your CEO, CFO, and general counsel every single time.” (71:09 & 74:23, B)
“It is the most risky thing you will bring into your organization without a doubt.” (34:39, B)
“We hire too much on the basis of ask-covering lists of requirements instead of actually hiring for what we should, which is attitude. I can teach literally anything.” (78:49, B)
“Most security that's meaningful is sunk cost. And then it's not used properly operationally. Once you've got some big blocking stuff in place, after that, most of it is theater.” (60:20, B)
“Never walk in there with your own numbers and surprise them... Don't do it. Don't turn up with your own numbers because you will find yourself looking at an unemployment check pretty quick.” (84:44, B)
For listeners: The episode closes with an invitation for questions for the anonymous CISO’s next appearance. Reach out at questions@hackerandthefed.com to help shape future episodes.
For more in-depth takes and to support the podcast, check out their Patreon and merch store.
Tone: Real talk, critical, no-nonsense, with moments of dark humor, philosophy, and blunt honesty. Recommended for: Security pros, execs, aspiring hackers, anyone wanting a peek behind the cybersecurity curtain.