
original airdate 4/1/24 Support the show here:⬇️ https://www.patreon.com/TheTeamHouse...
Announcer
The Team House with your hosts Jack Murphy and Dav.
Dav
Hey everybody, welcome to the Team House, Episode 269. I'm Dave Park, co-host Jack Murphy, and behind the wheels of steel, D. Tonight we welcome our guest, Jeff Mann. NSA for 10 years, 28 years in the crypto and hacking community outside of the NSA. So Jeff, thank you very much for coming out from the shadows and sharing your time with us.
Jeff Mann
Hey, happy to join you here this evening. Looking forward to having a fun conversation, a little stroll down memory lane, as it were.
Dav
Hey, I just want to hit everyone up before we get started and let you know about our Patreon. You can find the link down in the description. If you guys sign up, you get access to all these episodes ad free. We really appreciate you guys supporting the channel, so if you can, please go take a look at it. Again, the link is down in the description.
Jack Murphy
All right, and Jeff, on to you. One of the things we like to ask our guests is what's your origin story? Like how did you grow up and what led you into the crypto world, the cryptography world?
Jeff Mann
Well, it's a great question, and ironically, on the podcast that I'm a co-host on, Paul's Security Weekly, we often start the interviews with the same kind of "how'd you get your start?" question. And for many years, if somebody asked me how I got my start, I'd say, well, I sort of cut my teeth, I got started at NSA. But I realized a couple years ago that that doesn't really tell the story. The real story is how did I get to NSA in the first place? And I'll try to be succinct. I grew up in a family of pretty smart people. My dad was a physicist. He actually, in the 1950s, came to the Washington, D.C. area and went to work for the Naval Research Laboratory around the time that they were experimenting with hydrogen bombs, hydrogen devices, I guess the first one was not technically a bomb. He used to tell stories about how he was on a ship in the South Pacific and he got to watch the detonation of the first hydrogen device, obliterating a little atoll called Enewetak. So my dad being a physicist, and me being like many people having daddy issues, I grew up like, I'm not going to be a physicist. I tried to avoid physics, and I did. I'm the youngest of four boys. We all liked to do puzzles. We were all sort of analytical, problem solving. And I really grew up doing puzzles, crossword puzzles, crypto quizzes. Back when we used to have newspapers and comics pages, there'd always be a little Caesar cipher type of cryptogram that you had to solve, usually a famous quote or something like that. I went to college, didn't know what I wanted to do. I graduated with a business degree because it was the easiest major I could find that required the least amount of work, the least amount of term papers, and I didn't have to take physics. My mom at the time had gone back to work, and she was working for a different naval institution called Naval Surface Weapons Center at the time.
And she actually got me a summer intern job before my senior year of college, working, ironically, for a physicist. Only this guy was doing anti-submarine warfare research. My first day on the job, he asked me, what do you know about anti-submarine warfare? Of course I didn't know anything about it. And he's like, well, I could explain it to you, but there's a book that came out recently that explains it about as well as anything does. So he handed me a copy of The Hunt for Red October. So I thought, this is really cool. My first week on the job, and I get to sit and read a book. So, summer intern job, graduated, looking for what to do with a business degree, was putting in applications to a lot of different places. My mom, who worked in human resources, or personnel, as they called it back in the day, had a friend whose daughter had gotten a job at this place called the National Security Agency. And being born and raised in Maryland, I'd never heard of it, because it used to be very clandestine, and nobody knew it existed. Nobody was supposed to know it existed. There were no signs on the highway or anything like that. But I filled out a standard government application, mailed it in, got a response from them, and went to Fort Meade for a couple days of aptitude and skills testing, psych exam, polygraphs, all sorts of different prodding and poking, but most of it was just taking these various skill level exams, aptitude tests, and long story short, I scored really well on the tests, and so they offered me a job. What I didn't know was they just hired me. When I first went to work for NSA, and this is back in 1984. I'm sorry, 1986. 84 was that George Orwell book. I was granted a secret clearance, but I was going through the background investigation to get a top secret clearance, so I had to wait a couple months.
While I was waiting, I essentially went on a bunch of job interviews, and I ended up in what at the time was the defensive side of the house, which we called at the time Communications Security, soon to be renamed Information Security, later on to be renamed Information Assurance, now sort of dissolved, and you have U.S. Cyber Command. But I'm getting ahead of myself. So I went to work for the manual cryptosystems branch, and they were looking for someone to do cryptographic analysis of manual crypto systems that they'd produced and that were fielded primarily by the military. So I went to work for them. I had somebody that was there on assignment from the operations side, a real cryptanalyst. He sort of took me under his wing and became my mentor. And he was actually the one that advised, yeah, this is a pretty good job, you should take this. So one of my first assignments, actually my customer was US Special Forces. So there's a little connection there, and I can tell that story in a minute. But the day I knew that I was in the right place, that I had found the right place to be: I'd mentioned growing up my whole family liked to do puzzles. And when we would go on vacation at the beach in the summer, we'd buy a single copy of a Dell crossword puzzle magazine that had all sorts of different types of puzzles in it. But they always had one or two logic problems, and we all loved to do the logic problems. There was usually a little table that you could use to fill out and kind of help you solve all the clues. Basically the logic problems were maybe eight or ten statements about a bunch of different things, and you had to try, just based on a couple clues, to connect the dots. Maybe there's five different students taking five different classes, what's their favorite subject, from five different teachers in five different classrooms.
And they'd give you just very sparse types of clues like, Sally loves biology and it's next to the red room, and statements like that. You put it together and try to figure out who's the teacher, who's the student, what's the subject, that type of thing. So that was something I grew up on. One day at lunch, I'm talking to my mentor and he's working on something, and I asked him what he's working on. He says, oh, I'm writing a logic problem. I was like, oh, I love logic problems. He says, yeah, I write logic problems as a side job for Dell crossword. So it was like the planets were in alignment. I knew I was in the right place. So my start at NSA was really in cryptology, and I was doing analysis
of systems and really just designing systems. My very first assignment was to come up with a replacement, a new memory cryptosystem for Special Forces when they were deployed. They had at the time one-time pads, paper pads with the random key written out on them that they would use to manually encrypt and decrypt messages and then send them. But if they had to exit someplace really, really quickly, or they're on the run and they had to drop all their paper, they still wanted to have a way to communicate securely. So they needed to have a way of doing a memory crypto system. So that was my first assignment, to come up with a new memory crypto system for them. In doing that, I had just been through the five months of waiting to get my clearance, taking all sorts of Introduction to Cryptography classes, History of Cryptography classes. I'd learned about things called cipher wheels. If you've seen A Christmas Story, you know, the Little Orphan Annie decoder ring. Right. And I thought there ought to be a way to take a Vigenère table, which is what Special Forces used, which is the alphabet, 26 offsets and a big table, which for Special Forces actually translated into, I'll try to get this on screen for you, I think it's 123 unique three-letter groupings that they called trigraphs. They would memorize these things, the combos.
Dav
When you put something through a one-time pad in a trigraph, it's considered impossible to decrypt, right?
Jeff Mann
Absolutely. There is no cryptographic solution for it. There's no brute forcing. It's completely random, based on the fact that there's only two copies of the key in the world, one on each end. And as long as it's not stolen or compromised and used only once, it's unbreakable. But anyway, I was struggling; I wanted to use essentially the same algorithm, use these trigraphs and use this Vigenère table, and I thought there ought to be a way to do it on a wheel. So I figured it out with graph paper and drew one out, and my mentor helped me with it, and we kind of came up with the design. The first one was glued to cardboard. I took it with me the next time I went to, what's that place in North Carolina called now? Fort Liberty. Yeah, used to be called Fort... we can't say it anymore. But I turned my back to write on the board, turned around, and the thing was gone. They'd stolen it from me. And I'm like, guys, where's my wheel? And they're all looking around. So after a couple visits and bringing multiple handmade copies, I finally said, you know, we're NSA, we're in the business of making crypto systems and all sorts of crypto for you. Why don't we just make a bunch of wheels? So there was a machine shop at NSA at the time, because back in those days they were building little black boxes, engineering little black boxes that would go in different places. So I had them make a prototype of this thing that we called the Vigenère wheel. The three-letter combinations would just line up: you get your two letters and the third letter appears in the window. They loved it. So we ended up producing 15,000 of them and distributing them to U.S. Special Forces, all the different groups. This is probably in 1988, I would say. And as far as I can tell, they were using it up into the early 2000s, until digital crypto solutions and encrypted phones and stuff became popular. So that was my very first assignment.
Made a wheel. And if I may, shameless pitch. At Fort Meade, which is where the National Security Agency is located in Maryland, there's something called the National Cryptologic Museum. And at the end of this month, end of April, a copy, one of the production models of what came to be known as the Whiz Wheel, or I came to learn that that's what they called it, is going to be put on display at the National Cryptologic Museum. They're excited about it because they're not usually putting stuff on display where the people responsible for it are still alive. I'm excited about it because something I did that was just a silly little thing, as far as I was concerned, actually turned out to be very instrumental in the mission of U.S. Special Forces for over a decade. I had the opportunity to meet someone that was a former Green Beret a couple years ago at DEF CON, a hacker conference in Vegas. Actually a friend of mine met him and found out he was a Green Beret and asked, oh, do you remember the Whiz Wheel? And he said yes. And they said, would you like to meet the guy that invented it? So I met the guy. And long story short, he said, you know, I think you might qualify for membership in our alumni association because you kind of made a significant contribution. So he got me a lifetime membership in the Special Forces Association.
Jack Murphy
That's fantastic.
Jeff Mann
That's super cool.
Jack Murphy
Yeah.
Jeff Mann
And I had the opportunity, you know, Covid came along and kind of blew things up, but I had the opportunity to speak at their convention last year. It was in Indianapolis, which is chapter 500, like the Indy 500. And I asked the guys there, when I was speaking, I said, I've been walking around with the prototypes, I have two of them, for 30 some odd years. I'd never seen a production model of the Whiz Wheel before, and I put out an appeal if anybody was willing to donate them. I was trying to get a couple, one of which was to be put in the National Cryptologic Museum. That was the goal. Anyway, they came up with two. One has been donated and will be put on display. This is another one. This is a production model of the Whiz Wheel. And this one is designated, if we ever get a contact, for the Special Operations Museum. That's down in North Carolina at Fort Liberty. That's where we want to put the other one. This is a little piece of history.
Dav
It's amazing.
Jeff Mann
So I'll pause for a minute. That's how I got my start, just solving puzzles, got into crypto, designed something, came up with a little quick fix that was really just an aid for me. And it ended up being something that was pretty critical to the mission, many missions that I don't even know about, of many International Forces teams.
Dav
Before we get deeper into it, since you're the first, I think you're the first guest we've had on from NSA. We've done all kinds of different federal agencies. Could you explain to our audience a little bit about what the National Security Agency is, what their mandate is, their job, why they came about?
Jeff Mann
Sure. I mean, I'm not a historian. I can give you a little bit of the history. I've probably forgotten more than I know about it at this point. NSA, I believe, was started in the late 40s. It was sort of after World War II. Organizations that were doing code breaking and things like that during World War II kind of got reorganized, and they came up with this idea for the National Security Agency. I want to say 48 or 49 was when it was convention.
Dav
So it was like the National Information Agency or something first, wasn't it?
Jeff Mann
Yeah. You probably know more and you can Google quicker while I'm talking.
Dav
Yeah, sure.
Jeff Mann
To get the exact story. It'll come back later on in my story, but I'll share it now. The charter, the mission of NSA, I always used to describe it to people: the operations, what we call operations, is basically to be the big ear of the country, responsible for primarily monitoring and intercepting signals. Anything that was going out over the airwaves, which back in those days was mostly radio, eventually a little bit of television, maybe some telephones, but primarily radio waves, the whole spectrum of sound. NSA's mission was to listen to everything and try to intercept whatever they could from other countries, adversarial countries. Third, you know, nation states is what we call them these days, and just keep tabs on everything. So at one level it was a big collections agency. It would collect a lot of information, and there'd be people that would try to break codes and ciphers when those were in play. Others would translate foreign languages that they intercepted. And there'd be other people that would read it and try to extract useful information that gets put together in daily reports that get sent to the White House and the Pentagon and other places. Anybody with it, you know, is a customer. Intercept, collections and communications that are collected at a broad level, that's what the mission has always been, with some rules that were put in place in the early 70s after Watergate and the Watergate investigations, Senate subcommittee hearings that happened after Watergate, one of which was a Senate subcommittee that was chaired by Senator Frank Church. And their output was called the Church Proceedings. And they published several volumes of material.
But in essence, what they discovered as a result of the Watergate investigations, the Watergate break-in from the early 70s, was that the three-letter agencies like NSA, FBI, the CIA had a lot of power and a lot of capabilities at their hands, with not a whole lot of any kind of oversight or rules dictating how they would operate, rules of engagement, as it were. So one of the outcomes of that was what I came to learn when I went to work for NSA is the NSA charter, which is still to this day a classified document. But basically what it says is that NSA can only do what NSA does to other countries, foreign nationals, and specifically NSA cannot do what it does to US citizens. Now fast forward to 9/11 and the Patriot Act. The rules kind of changed a little bit, but I mean, that's the charter that NSA was built on, so.
Dav
But you guys are also in charge of maintaining America's communication security as far as the US Government, right?
Jeff Mann
Well, yeah, I was just warming up to that. When I went to work for NSA, I was working on what we would have called the defensive side, Information Security, Communication Security. And it was probably classified as maybe 10 or 15 or 20% of the mission, of the personnel and the resources of NSA. So even when I was there at the time, there were people there that had been there for a while, working the mission for a while, and everybody sort of had a chip on their shoulder. Everybody considered Infosec, as we called it, sort of the bastard stepchild, because operations got all the headlines, operations got all the budget, operations got all the glory. And Infosec, which was the mission of providing secure communications and crypto to all of the U.S., whether it's the military or any level of government where they needed to have secure communications, that was NSA's purview, that was NSA's responsibility, the InfoSec side. So I came into an organization that kind of had an inferiority complex. Always did and probably always will. Of course it doesn't exist anymore, but there was always this conflict between operations, what everybody knows NSA for, if they know what NSA is and what they're doing, and then us doing the really important stuff that you don't get any credit for, like making sure that people can't steal any of our communications. So a lot of cryptographers, a lot of mathematicians coming up with the algorithms and the machines, the little black boxes that would secure the communications for the military primarily, any level of government interdepartmental communications, embassies abroad and things like that.
Jack Murphy
And you went in, you said you went in around 86. Is that correct?
Jeff Mann
Correct.
Jack Murphy
So. So the Cold War was still a very real thing at that point in time.
Jeff Mann
Why, yes. Yes, it was. Which is one of the main reasons why I was hired. I was hired at a time when NSA was hiring 100 people a week. And they'd been doing that for a couple years, because they'd gone through a lean time in the 70s where they really didn't hire that many people. The guy that was my mentor had been hired in the early 70s, and then they had just a handful of hires from the early 70s to the early 80s, and then they really hired a bunch of people. This is where I get a chip on my shoulder. We didn't call it STEM back then. They called it critical skills, but they were mostly looking for mathematicians, computer scientists, and engineers. And if you had a degree in any of those fields, you would get a job offer. And you were paid on an accelerated pay scale, so you got paid extra. I think the engineers made the most, but don't quote me on that, anywhere from 10, 15 to 20 or 25% more than what I was making as just a peon, regular employee. But they hired me because I scored well on the aptitude test, the skills test, and so I was not a critical skill. And those hundred people around me that were hired the same week I was, they were first in line for promotions, first in line for training opportunities, first in line for diversity tours, going to other organizations. Because the game at the time was, if you wanted to be promoted up past a certain level, you had to have what was called a professionalization degree. And the professionalization degree would be similar to the certs that we know of in the cybersecurity field these days. And to get that professionalization, you had to have a certain amount of work experience, a certain amount of diversity of work experience working in different places.
You had to have continuing education and various other things depending on what field you were choosing. If you wanted to go into computers, you'd have to write a computer program at some point, and so on and so forth. So I, being just a regular employee, was not getting the opportunity to get the diversity tours. And I tried to get into an intern program and I wasn't qualified for it, not because I wasn't a critical skill, but because I had a horrible GPA in college. I won't say what it is on air because people would be shocked. But my mentor did a good job of kind of nurturing and talking to friends of his on the operations side of the house and getting me some diversity tours on my own, because he knew I was going to need it. But yeah, they hired a bunch of people. They would go off to get a graduate degree and the government would pay for it. They called it the 2020 program. So they'd work 20 hours, go to school for 20 hours, and then they had to give back government time to offset the time that they went to school. But what they failed to figure out for many years was the clock was running on their retirement while they were in school. So you could literally go to grad school, get a graduate degree completely paid for by the government, and after about three months you could quit and go out to the private sector and get paid more. And that's what a lot of people did. So they were kind of growing by attrition. And because I didn't qualify for the 2020 program initially, I didn't get to go to that. I didn't get to do the intern programs. I just sat in this little office and designed a wheel that was used by Special Forces for 12 years and, I'm told, saves lives. I was also there at sort of the beginning of the computer age. IBM PCs were kind of a thing, I think. My first office, I had a standalone IBM PC.
It wasn't networked yet, it didn't have Windows on it, it was just DOS. In fact, I think my first one didn't even have a hard drive. But one of my early assignments, I can't say it was my second assignment, but one of my early assignments in this office, I was approached by another customer, another military branch, and they were responsible for communicating with one-time pads with people that, shall we say, had been recruited in certain places in Eastern Europe. And the one-time pads that they were using in the field were really tiny and could be hidden in the heel of your shoe, that type of thing. And they were printed on rice paper so that when you used it, you could destroy it by eating it. But the caseworkers, the handlers, were in SCIFs, controlled spaces, offices on the good side of the world. And their version of the one-time pad was sort of like a legal pad. But they came to us and they said, it takes us hours and hours to decrypt and encrypt these messages, because they're getting situation reports from these people. And they said, there's this PC sitting on our desk. Is there any way we could use that? And me being young and naive, like, yeah, I don't see why not. Of course, I didn't know it at the time, but I was working for an engineering organization whose mantra was, there's no such thing as software, there's only hardware. All they did was build little black boxes. So I took up the project of coming up with a design for writing a computer program that could run on the IBM PC, taking the one-time pad key and, instead of printing it on paper, putting it on a floppy disk, which I forgot to grab, so you'll have to look at the save icon in Word. That's what a floppy disk looks like. And I had to go through an engineering process, a design review process called the FSRS, Functional Security Requirement Specification.
It was specifications to build secure hardware, and I was building a software program. So I kind of had to fudge my way through it. I had to go through a review process with all the executive management of InfoSec. InfoSec was organized as a directorate. And inside the directorate were various groups. And every group had offices and divisions and so on and so forth. But all the group chiefs, and there were like five or six of them, got together, and that was the board of directors, as it were. And I had to present the idea to them. And they said, yeah, go ahead and do it. And I came back with the design and had to go through its own security review, which produced issues that had to be addressed. And I went through that process and eventually went back and pitched it to them and said, okay, I've met all the security requirements, met all the objections. We're ready to go. It's ready to field. And the director, the chairman of the board, I don't know what his exact title was at this point, he said, okay, we'll let you do this. And literally he said, don't do this again. To my knowledge, it was the first software-based system that NSA ever produced. And it was simply a computer program that would automate the process of doing a manual encryption and decryption with a one-time pad. But I actually ran into somebody about 10 years ago at a conference that remembered using it. We called it Centaur because it was half paper and half electronic. So, Centaur. Every system we produced had to have a cool mythological name attached to it. So we came up with Centaur, semi-automated one-time pad. Can't show it to you because it was software.
Dav
So just to, like, correct me if I'm wrong, trying to paint the picture here: the end user in good guy land is taking, like, an Oregon Trail floppy disk, putting it into the computer, and then typing in the encrypted message he had received, and the computer would spit out the decrypted message, correct?
Jeff Mann
Yep, that's pretty cool. And conversely, if he wanted to send a message, he's typing in a message, hitting the button to encrypt it. And the trick was, one of the secrets of a one-time pad is you use one page at a time, as much of it as you need, and then you destroy it. So we had to come up with a way of securely deleting a page of key at a time off the floppy disk. And part of that was coming up with a secure deletion or secure overwrite routine; that was a requirement. And so I went searching and asking various offices, can you show me one, can you give me the specs for one? And it had never been done before. So it was a requirement, but we had to come up with what this would look like. And so we had to come up with a routine for doing an overwrite of the one-time pad key that was on a floppy disk, doing it well enough that other really smart people at similar agencies couldn't figure out a way to read the data off the floppy. A floppy disk used to be a flimsy piece of plastic where stuff was written on it, bits and bytes in various sectors, kind of like a vinyl album, only smaller and much more compact. And things that get deleted off of memory space on floppy disks and hard drives traditionally, at least in those days, didn't really get deleted. You would just move the needle to a different part of the record and start writing new information there. And the pointer to where your information was, which was kept in a master list on the drive or on the floppy disk, that was erased, so you didn't have the location anymore. But nothing was done to remove the data off the drive itself. Eventually it would come around and get overwritten. So we had to figure out how do we zone in on exactly where it is and delete the right amount of key so that it can be done.
So there was some engineering, as it were, or software design that had to be done, and people weren't happy about it, but they let us do it.
Jack Murphy
You know, in the late 80s or around that time, how were you keeping up with what was going on in the computer industry? Because it was moving fast. I remember in 88 hearing about the first one gig hard drive and thinking, what would anybody ever do with a gigabit hard drive? That's insane.
Jeff Mann
Hey, I had the same thought when I got my 10 megabyte hard drive on my IBM PC. Who would ever fill that up? And now I think I have more storage space on my smartphone than the supercomputer that I used to use in the early days at NSA. So, yeah, I'll try to give a politically polite answer to that question. On the operations side, all you have to do is figure out how to intercept stuff. And as communications got more advanced in terms of the cryptography, you and other sister organizations perhaps come up with other ways of capturing the data, perhaps before or after it's been encrypted or decrypted, and that's the land of espionage and so on and so forth. On the infosec side, it was actually really a struggle. And I saw it at the very beginning. And it came to a head later on in my career in the early 90s, where technology was catching up with infosec, which was responsible for taking three to five years to design a little black box: we'll get it to you when it's ready, and we're responsible for providing all of your communications. Skipping forward a little bit, but the first real test of that for the government in general, and for NSA in particular, was when a program came out called Pretty Good Privacy, which, don't quote me on what year it came out, probably late 80s, early 90s. And it was an encryption program, and it was written with public algorithms, not NSA-designed algorithms. And it was based on what we call public key cryptography, which is where you have a pair of keys, one that does the encryption and one that does the decryption, and everybody uses said
Jeff Mann
if you're online at all, every day, multiple times a day. But the idea is you have a public key that is used to encrypt the data and that can be sent anywhere. It's not secret. And the only way you decrypt a message that's been encrypted with that key is if you hold the secret key, and you hold that close. That's the private key, and it's a one way relationship like that. So you have to do a key exchange. If I want to communicate with you, I give you my public key, you give me your public key. We do something to verify we're really talking to each other and then we're off and running. We can send messages to each other. Well, so fast forward a little bit. You know, I left the manual cryptosystems office. I was there for about three years and then I did finally get into an intern program. There's not much to this story. It'll go quick. I went over to the operations side of the house. I did happen to be there during Desert Shield, Desert Storm. So I got my certificate of appreciation for participating in Desert Shield, Desert Storm. I was an intern, so I was doing six month tours in various offices. My last tour of the intern program was back on the infosec side in what was called fielded systems evaluations. So we're back into the. I'm back on infosec. It's the early 90s. There was a time when one of our clients, and this was probably, I would guess, 93 or 94, one of our clients, one of the military branches, came to NSA and said, why are we spending multi millions of dollars on a secure communication system with you guys? Why can't we just use PGP? And that was really a slap in the face to the power structure of at least the infosec side of things. And there was literally an all hands on deck call put out for everybody in infosec to stop what you're doing. Everybody work on an attack against PGP. And there were a couple of guys in an office nearby that actually did come up with an attack against it. And they were paraded around as heroes.
They got huge cash awards. They were taken down to the Pentagon, the White House. I mean, the red carpet was rolled out for these guys. Months later, you know, when all the dust settled down, you know, everybody's got a short attention span, they did a lunch and learn in our lab to just tell us peons that worked with them about the attack that they'd come up with against PGP. And what they essentially had done was figured out a way to send a document, let's say a Word document. Only it wasn't Word, it was some predecessor. And they found some unused bit space in the document that they were able to insert a virus into, as it were. And you know, if they sent this document to somebody and could trick them into opening the document, it would execute this code that would essentially steal the key rings, the secret key rings, and attach it to an email back to whoever had sent the email. That might sound familiar to you guys if you keep up with cybersecurity schemes today. Sounds a little bit like a phishing attack. Yeah, only we don't, you know, we don't click on attachments anymore, we click on links. But I remember sitting there and, you know, hearing them describe this, and then they got to the point where they're asking, you know, does anybody have any questions? And I raised my hand. I said, wouldn't this work against our stuff, too? And they kind of looked at each other and they're like, well, yeah, so. So what's the big deal? Said, well, our mission was to come up with an attack against PGP, and that's what we did. I'm like, okay, if that's.
Dav
What.
Jeff Mann
If that's how you sleep at night. But, yeah, I mean, well, and. Which is very. And I'm not. It was funny then at the time, and it's kind of a funny story now, but, I mean, they did make a difference. They did come up with an attack. But as is true most often, and I've been in this business 40 some years, when you're attacking crypto, very rarely are you going after the algorithm itself. You're going after the implementation, and either the implementation of the cryptography itself or what we call the key management or the key distribution. So they didn't essentially break the algorithm, they just stole the key. Right. When has that ever happened before in the history of the world?
Jack Murphy
Right. Jeff, can I back you up real quick? I just want to ask because, you know, the Soviet Union was a real threat when you joined the NSA, and then the Wall fell and the Soviet Union was no longer. Did the NSA at all go through any kind of identity crisis? Were there issues where, like, who's our enemy now? Or did you guys just kind of have a mission and drive forward?
Jeff Mann
I don't know if anybody in power would admit to it, but absolutely there were issues, because once the Great Satan fell, that was Reagan's term, President Reagan's.
Dav
The evil empire.
Jeff Mann
The Soviet Union, the evil empire, once they fell, yeah, for the first time in a long time, NSA had to worry about, you know, budget requisition. They had to go before Congress and justify what they were doing. Right. And I'm not a conspiracy theorist, but, you know, Desert Shield, Desert Storm happened shortly after the Wall fell, and, you know, terrorism became kind of the thing that kept things alive. But that wasn't really a clear and present danger, quoting my Tom Clancy books. It wasn't something you could put your finger on. I mean, I, you know, I remember watching videos about terrorists when I was waiting for my top secret clearance to come through, and, you know, classified briefings at the time about, you know, what did the terrorists do back in the 70s and 80s, they'd hijack planes, they'd blow them up. You know, that was the thing back then. You know, there was, you know, one plane in particular that, you know, nobody knew it, but there were people on it from NSA and CIA, and there was suspicion of whether people knew.
Dav
Oh, you're talking about Lockerbie.
Jeff Mann
I can neither confirm nor deny, but it's been a long time, so it's probably declassified at this point. There was the one plane where they landed somewhere and they killed a passenger and shoved him out the window. The pilot's window.
Dav
Yeah.
Jeff Mann
And it was. I think it was a Navy enlisted person. Yeah, it was a diver, I think. Right. And the reason they tagged him or pulled him out is because he was in uniform. Because what I remember hearing at the time, the, you know, the briefing I got, the video I watched about that, was there was a flight attendant that had been asked to collect the passports of all the passengers. And for whatever reason, US citizens get a blue passport, but government employees get a red passport. And so she was able, as she was collecting the passports, to somehow hide the fact that she was collecting red passports. I mean, when I was at NSA, I was issued a red. It's more like a burgundy passport. Yeah, that's your official passport to use on international travel, and you're only allowed to use that passport. But then I was pulled aside and told, take both. And I did. And, you know, for the official get through customs, the red one comes out. Everywhere else, it was the blue passport. I'm just Joe Citizen, much because of that experience of that plane being hijacked. So, yes, there was an identity crisis. There was a justification for budgets that had never been realized before, and computers were becoming much more a thing. I mean, we sort of leapfrogged over the whole machine age into the digital age. And NSA was largely unequipped for that and slow to respond. You know, think, you know, probably too soon, but, you know, think a large ship that's, you know, pointed towards the pylon of a bridge, and how hard is it to steer that and turn that thing, right? I'm five miles away from that particular, what used to be that particular bridge. So they were very slow there. There was also a certain amount of attitude, I would say, in sort of the old guard, where, like, you know, people can, you know, is it Henry Ford? You can have whatever color car you want as long as it's black.
I mean, they sort of had a monopoly on crypto, and so they weren't very quick to change. They did start farming things out to contractors and third parties. The classified telephone that was popular at the time that I was there was called a secure telephone unit, STU, and they were up to the STU 3, the third version, which looked like an old fashioned office desktop phone. And there were three contractors that were allowed to build it. It was RCA, GE and Motorola, I believe. Three models, if you're old enough to remember those and have worked for the government. So early 90s, I'm back in this fielded systems evaluation office. And that's where I started doing penetration testing, is what we called it then. But trying to break into computers and network systems, we were assigned to break into military facilities throughout the world. And at some point we decided, why don't we just call it penetration testing? Because that's what the world's calling it. Let's become hackers. So that was early 90s, the, you know, NSA trying to respond to the changing world. They reorganized and formed what they called the Systems and Network Attack Center. The vision was that it was going to be a center of excellence and it'd have all the really smart people, and NSA has lots of really smart people, and they were going to be experts on everything related to computers and networks. And of course we'd been doing this for a couple years at that point, this small team of people, and we had realized, because of being involved in something that's interconnected, we realized very quickly there's a whole lot of people in the world that are focused on this problem. I don't care who you are, you have a small subset of 10, 20, 100, 200 people. There's no way to compete against the whole world, right, for that kind of brain power and distributed thinking, let's say.
But they went about doing the reorganization, and that's when the office that I was in got pulled into it, and we were sort of formally given the task, the small group of people that I worked with, of just doing, we called it vulnerability and threat assessment. But for lack of a better term, we said we're hackers and we're learning how to do pen tests. So that was. We were formed officially, I guess, 93, 94, at least in terms of this new organization. We moved to a. I'm sorry, I just want to.
Jack Murphy
I'm curious because, you coming from cryptology, had computers been a hobby? You know, had you been learning C or, like, I don't know what language or languages were prevalent at that time, but. Right, but how were you personally, and then as an organization, how were you managing, how were you catching up with these teenage kids who had nothing better to do than to figure out how to, you know, break into.
Jeff Mann
Well, I mean, I graduated from high school in 1980, and I remember taking a computer math class. So it was late 70s, but it was, you know, a very rudimentary type of PC. I think I was programming in BASIC and it was kind of cool. We wrote our programs to punch tape. It was even before the era of floppy disks. So I'd have two or three or four feet long of punch tape that I would have to feed into a machine to read my program. So I was kind of interested in it. I had an older brother, one of my older brothers, sort of the brain of the family. He was into physics and engineering, and he was always buying the new toy of the month. So he, you know, he built a computer, you know, built it from scratch, kind of like you build, you know, the old ham radios. Of course, he did that when he was a kid. But at some point he built his own computer, very rudimentary. And then, you know, what was popular at the time, the Apple IIe or Macintosh or something like that. He was always getting computers. He was the first one to have the first video game, Pong, and he was the first one to get a Nintendo and an Atari. You know, I kind of grew up playing video games at the arcade. Everybody remember that, you know, put a quarter in the machine and play the game and keep putting the quarters in. So I was into it because it was new and it was kind of fun and different, but I wasn't like, how does this work? And digging into the innards of it. But at NSA, you know, when I was in the intern program, I had to write. One of the assignments was to work for a programming office and I had to write a computer program. That was one of my assignments. And at the time, NSA was converting from their own mainframe supercomputers that they had their own custom operating system on, and their own primary programming language that all their number crunching, cryptanalytic, calculating, statistical counting types of programs had been written in.
They were migrating over to what at the time was fairly common Unix workstations, primarily Sun Microsystems, you know, SunOS, later to be called Solaris. So the IBM PC left, and in came a Sun workstation. The old pizza boxes, SPARC 5s, 10s, whatever they called them. So I had to rewrite a program that had been written in a proprietary language at NSA, in C. And of course I got it to compile and then got it to hang the first time I ran it because it worked, but it wasn't optimized for the number crunching type of thing it needed to do. So, you know, I did that. It was kind of cool, but I wasn't really into it. Into it. But the idea of breaking into things, that was kind of cool. The idea of going someplace where you weren't supposed to be, learning a hidden trick or a hidden feature. There weren't many exploits in those days. It was mostly features of the operating system, undocumented, or just learning the tricks of how to fool the computer or trick the computer into giving you stuff. Of course a lot of stuff was there and it wasn't that hard to do. And other people had figured out a lot of the ways to do stuff. So the terminology in those days was script kiddie. So starting out I was much more of a script kiddie, just doing the stuff that other people had figured out but trying it on our classified networks, even though it was something that was discovered out in the real world. But because I had a cryptanalytic background, one of the things that I enjoyed doing was password cracking. And of course I didn't write the programs. I was using the programs that were available at the time, but learning how to tweak them and fine tune them. Password guessing was a thing back then. I was actually pretty decent at guessing passwords. Nobody does that anymore these days. There were a lot of our customers, when we were doing these fielded systems evaluations.
We were going to military bases throughout the world. And they always had, like, some, you know, real whippersnapper teenager. But he was also, you know, an E4 or E5 now. And because he knew computers, he was responsible for computers. So he came up with an idea of coming up with a random password generator. And so they had all, you know, they knew passwords. Security was a thing back then. So they wanted to come up with ways of defeating the password cracking tools or just making passwords less prone to being guessed. And they inevitably were horrible because, you know, from a cryptanalytic, statistical brute forcing perspective, they almost inevitably fell. I mean, I remember one guy, I want to say he was at a base, doesn't matter where he was, but, you know, he thought he had this program that was really cool. And it was producing really random looking passwords, and we cracked 100% of them in minutes. It was that bad. So that's where I kind of, like, applied the cryptanalytic stuff that I'd learned to some aspect of it. And we didn't call it cybersecurity at the time, we actually called it Internet security. But that was something I could kind of focus on as sort of a niche area. It's like, oh yeah, I'll focus on, like, password cracking and how to come up with strong passwords or random passwords and any of the few types of cryptanalytic things that were associated with operating systems at the time. That was sort of my focus. The other focus I had, I guess, was I worked with people, both while I was at NSA and then even into the private sector days, years after that, who would love to just break into a system, get root. It was all root because it was all Unix back then. And say they were done. And I was more like, well, we've just broken onto a computer or a server, why don't we look at what's on it and see what's there? What kind of information is there?
They were all about the hunt and let's conquer another box, let's root another box, right. I was more about the analytical, well, what kind of information is here and what can we learn about our target or our customers, or what is sensitive here that might give us more of a clue of where to look next? Or, you know, have we found the crown jewels? Or, you know, just whatever it was, but just looking at stuff. So I tended to do more of an analytical deep dive, let's see what we've got, rather than just keep knocking over boxes after boxes after boxes and saying, we're done. Right, moving on.
Jack Murphy
So how did that develop for you? Because while all these other people are trying to, like, get root, now you want to get into the system, you want to go through the various, like, you know, file systems and everything like that, right. You know, and move throughout the system. Like, what does that look like for you compared to what everybody else was focused on?
Jeff Mann
So back in those days, the sort of methodology, which ironically is based mostly off of a film that came out in the early 90s called Sneakers. Robert Redford and Ben Kingsley were the stars. And that was sort of the first movie that showed what people would more commonly refer to as a red team exercise these days, because, you know, a combination of computer hacking, but maybe physical penetration testing. The methodology was simply, back in those days, you have a target, you have a company, an organization. Everybody had their own IP, routable IP addresses. There was no masking back in those days. There was no private addressing. Everything was Internet reachable because everything was connected. So you'd find out what the target was, whether it was a class C address or a series of class C addresses, which is 255 potential addresses. And then you do a probe of each IP address, do some sort of rudimentary scan to see what's alive, what's answering. And so once you found live targets, you do a port scan, which is basically, okay, what's this machine talking on? You know, in TCP/IP, there's 65,535 potential channels that you can talk on, and there's some commonly associated reserved ports that are associated with specific protocols, specific services. Start with there. And most of the protocols, communication protocols back then, were clear text. There wasn't a lot of encryption going on. So you would find what they were talking on. And then, you know, that's usually when you could, you know, connect to a system, maybe steal a password, maybe guess a password, maybe force one of the programs that was listening to hiccup and give you access, or there's many different methods of doing it. But the goal then was to get access. And it didn't have to be root, it could just be any user account. And then once you had that foothold, that toe in the door, then you try to elevate your privileges to root.
And once you're on the system, there was any number of ways of doing that, including reading the password file, which was world readable. Anybody could look at what the password hashes were. I'm not using the word correctly. The encrypted passwords, they're hashed passwords, but you could copy that and run it into your password cracking program, which conveniently was called Crack. So elevating privilege, I mean, that was sort of the modus operandi. The first thing to do is get to root, because once you're at root, you have access to everything, any file system, any folder, anything that was locked down and protected, root had access to. Because root was what we called the God account, it could go anywhere, it could do anything. Which is why we used to say to our clients, if we've got root, we're done. But they would very rarely understand that, comprehend that, and take it to heart. Which is why it became beneficial to say, okay, you're not getting it, that we have root. But would you understand it if I said we're looking at your financials for the previous quarter and we can see all of it, or we can look at the payroll and tell everybody, know what they're being paid and who got what bonus, and the people sitting next to each other, one person's getting paid 15% more and he's a guy and she's a woman, and we can blow things up, or, you know, research data, or we know where the money is. You know, there's any number of things that tends to be something that, you know, I have no idea what you're talking about getting root, but you can do this, right? I mean, when I was, and I'm blurring the lines a little between my NSA days and my private sector days, but when we first started out doing this at NSA and people started, and we started calling it pen testing and we started being asked not just by, you know, our military customers, but, like, offices within NSA and other classified networks, you know, within the community.
We started kind of having to come up with processes and kind of formalize a methodology because we had to get permission to do it. You know, I mentioned early on in the interview the Church proceedings and the NSA charter. That became an issue, at least early on, because, you know, even though we were white hat hackers, we're the good guys trying to break in. Because we're NSA, we technically weren't allowed to break into computers and networks that were U.S. owned and operated. But as long as it was in the classified world, it wasn't really that much of an issue. But we did have to start talking to our general counsel. And for whatever reason, I volunteered to do that. I was a business major. So finally I was like, oh, we need organization, we need structure. I can do that. My friends that I worked with, they were much more into the gears and the weeds of the technology. I'm like, business processes. I got that. I can do that. So I started talking to the lawyers. I tell a story that. Well, to level set, everything that we did in terms of our techniques for breaking into computers and networks when we were working within the classified realm, everything we did by rule had to be classified at the level of our target. So naturally, if we were working on top secret systems, everything that we did was classified top secret. In order to get authorization to do top secret stuff against top secret targets, you had to go through bureaucracy and red tape and get all sorts of permissions, which took a God awful amount of time. I mean, we literally would have to wait weeks to get permission to try to break into something that was even, you know, within NSA, like another organization, another office within NSA. And of course, what we didn't tell the powers that be, we'd already broken in, we already knew how to do it. And then we'd do the paperwork of, you know, this is the way we're going to try it, this is our attack methodology.
And then we'd have to go off and get permissions, which was on a typed up piece of paper that had to be signed or initialed by every level of management from our branch on up to the group level, over to the group that was the target and down their management chain. And this was paper passing from desk to desk, secretary to secretary. It might sit on a desk for hours or days. So it would take weeks. I tell this story in a talk I've given at a couple different conferences, but usually when I'm telling the story about what was our tradecraft, what did we do, I have to qualify and say, technically I can't tell you what we did because it was top secret. And then at some point I said, okay, I'll tell you one. So I have this big, you know, disclaimer banner, top secret. And I say, okay, one of our primary cyber weapons that we used against top secret systems was something called the ping command. Let that sink in. Or if you don't know what a ping command is, it's a system level command that comes with every Unix operating system that's basically, and it's named after a submarine sonar, you know, it sends out a signal and waits for a response. Are you there? Yes, I'm here. And it'll ping every single address on whatever your target space is. Very rudimentary, very common part of the operating system. It's a feature, but because the lawyers looked at it and said, well, you're eliciting a response from the target, therefore this has to be considered an active attack, therefore it qualifies as a top secret cyber weapon.
Jack Murphy
Wow.
Jeff Mann
That's the logic that we were dealing with. And that's where I kind of, like, okay, we got to fix this. So I started talking to the lawyers and started teaching them about our methodologies. And their idea was, why don't you just show us what you do and we'll pre approve it, so that when you get a job request to do an attack, you can just tell us, well, we're going to do a little of this and a little of that and a little of this over here and a little of this, and it'll be kind of like an à la carte menu. And we already know what they are and what they do and what. Just pre approve it and it'll be pretty quick. I'm like, yeah, the problem is you don't know what you're doing until you're in the middle of it, right? And, you know, it starts with the probing. We called it recon. You know, what's out there, and what's out there, what are they talking on, what, you know, how are they communicating, what are they listening on, what are, you know, what are the ports and channels that are open? So I went through a process. I would meet weekly with our lawyers and just sort of teach them the fundamentals of penetration testing and hacking and how do the computer networks work. And I say all this because one time I was showing the lawyer, even though he was sort of on an isolated sub network that he thought was very super secret because he's dealing in all sorts of legal proceedings and investigations, and he had his folders and files on his computer that he thought were completely protected and top secret. I'm like, well, let's look at that. So we were sitting in our office, which was in a physical building that was different, probably 10 miles apart. I said, let's go over to your network. See, here we are. Here's your file system. We're on your system now. We had him log in and I said, let's look at your directory structure. And I'm looking through it, and Unix file permissions, there's this concept of the owner, a group membership, and then the world.
And for each category, there's the option of read only, read and write, or read and write and execute. Let's just go with read for now. I was looking at his folders that were supposedly top secret, his eyes only. I'm like, that folder's not only readable by you, and not only readable by the lawyer group, the General Counsel's office. It's set to anybody can read it. Look, I've just clicked on the folder. Here's all these files. Look, I can click on, you know, this document here and open it up. He's like, oh, my God, don't do that. That's all secret stuff. Oh my God. So he got this really great education on how to set file permissions so he could actually lock down his folder.
Jack Murphy
And you're not doing anything supremely technical right now. You're just accessing his network and he has open permissions, like you're not even technically really hacking. You're just showing him how much access a knowledgeable person would have, right?
Jeff Mann
Yeah. And that's a good way to sort of summarize it. I, you know, I mean, the hackers that are out there these days, the security researchers, they're trying to come up with creative ways of breaking things using a methodology that's similar to what was done back in those days. But in the early days, it was much more just taking advantage of what I would call undocumented features. What can the system do? And taking advantage of knowing more about how it works than the users. Because in the early days, most users didn't really know how it worked. They could barely get it to work. And they were happy if they could get it to work. And there wasn't anybody telling them to do anything else.
Dav
I have a question. As you describe all of this, it actually reminds me a bit of, you know, Richard Marcinko's Red Cell, which was testing physical security at military bases. And you guys were, of course, doing that in the electronic space. I was wondering, did you guys get any sort of, like, pushback or political fallout from what you were doing? Like people who were shocked or embarrassed and maybe even angry that you were able to penetrate their systems.
Jeff Mann
Interesting segue question. Initially, no. When it was mostly, you know, military targets that had asked us to do it and then internal targets that. I take that back. We did have one internal target one time that supposedly was isolated with internal segmentation, as we would call it these days. But supposedly there's a firewall or some sort of router with some sort of access control list in place. And we were doing initial probing, and I think we had a target of either an IP address or maybe an IP address range. But us being us, we just kept going. It's like, what else can we see? Where else can we go? And this particular target, which was an internal office, they did have some sort of monitoring in place and they were detecting our activity. And, you know, we technically went beyond the bounds, but, you know, we didn't break into anything. It was like, well, the door was open, you know, everything was answering. You know, we just kept going. There was nothing blocking us. We didn't subvert anything. We just. This is how far we could go. But there was a point where we sort of got called on the carpet. And I guess I'd been doing a lot of the work and I got called into a meeting with the customer and the poor guy. I still feel sorry for this guy. The guy that they had assigned to be, like, the investigator. He was, apparently, from some branch of the military police. And he came in with, like, a stack of notebooks with printouts of all the activity that he'd seen us doing, me doing, and had it all printed out, because they thought they'd caught a bad guy. They were ready to throw the book at us. And we're like, well, no, we had this request to do this thing and we just kind of didn't know where the boundary was. And we just kept going. And they're like, oh, thanks for letting us know. We didn't realize it was that porous. And the guy was like, he never got a chance to open it.
I mean, it must have been a foot high. Notebooks.
Dav
This might be a little sensitive, but as far as the attack surfaces that you guys used, did you have to be inside the NSA to even launch this attack, or were you guys replicating an outside attack, you know, perhaps a foreign adversary?
Jeff Mann
Well, you know, our targets, at least in that case, were internal to internal. And technically, whatever we were doing was classified at the level of the target. So technically what we were doing was top secret. But it's probably a safe bet to think that we were doing a lot of the techniques that were publicly available, because guess where we were learning how to do it: publicly accessible stuff. So yeah, that's how I'm going to answer that question.
Jack Murphy
What was your relationship like? Because I remember, you know, in the late 80s, going to my local game shop to buy D&D stuff, and there was always a copy of 2600 there, the magazine. And for people who don't know, 2600 was like the OG hacker magazine, a little booklet, pamphlet-type thing. And then DEF CON started in the early 90s. So there was this vibrant hacker community out there that was moving along with the times from, you know, Cap'n Crunch and phreaking and all that. How was your relationship with them, these people who were sort of breaking the law and on the cutting edge, but also pushing it?
Jeff Mann
Right. I mean, at the time we didn't interact with many of the people in that part of the community. I've certainly over the last 10 years or so had the privilege of meeting many of those folks, and comparing notes and so on and so forth. But we were certainly learning from them. I mean, back in those days it was bulletin boards and mailing lists, and our best resource was the Internet and learning all the places where people were posting stuff about hacking and breaking into things. So we were certainly learning from them. And I would even say that we felt like we were behind them. I mean, we were considering ourselves to be students and learning all this stuff. They were doing it and we were just trying to pick up on it and learn from them. So there was, I guess from our perspective, a certain amount of respect. But, you know, there's a handful of people that kind of went south of the law and got caught and prosecuted. I have different opinions on some of those people. There was certainly mythology associated with it. You know, there's sort of the elite hackers, the uber hackers is what we called them back then. I hoped to someday meet some of them. But we were kind of learning and doing stuff and figuring out stuff. We certainly had access to a lot of resources that a lot of people don't have access to. I mean, we had access to Unix source code, and this is before the days of Linux, and the Unix source code is something that the agency, NSA, paid God knows how much money for. So we were able to look at all the internals, all the function calls, all the libraries. So I mean, we had a fair amount of opportunity to tear things apart.
Reese's Commercial Announcer
It said everything happens for a reason. But maybe everything happens for Reese's. Take noise canceling headphones. Do they block hearing to heighten taste? That sound seems to show everything happens for a Reese's.
SpinQuest Announcer
You know what? It sucks to be bored. But when I get on my phone and play real casino games on spinquest.com, the time flies by. That two hour wait at the DMV seems like 10 minutes. Play your favorite slots, live blackjack, live craps with a live dealer. New players: $30 coin packs are on sale for 10 bucks. Play spinquest.com and you'll never be bored again.
Spinquest is a free to play social casino, void where prohibited. Visit spinquest.com for more details.
SimplePractice Announcer
If you're a therapist listening, you already know your work doesn't magically end when the session does. There's scheduling, notes, billing, insurance, follow ups, all of the admin that happens before and after the work you actually care about. That's where SimplePractice comes in. SimplePractice is an all in one EHR built specifically for therapists with HIPAA compliant tools and HITRUST certification. No juggling systems or cutting corners just to keep things moving. Scheduling, documentation, billing, insurance, client communication, even automated appointment reminders. It all lives in one place. And if you're starting or growing a practice, SimplePractice also offers a credentialing service that helps simplify insurance enrollment, which can be a huge lift alone. It's no surprise SimplePractice is trusted by over 250,000 health and wellness professionals. Start with a seven day free trial, then get 50% off your first three months. Go to SimplePractice.com to claim the offer. That's SimplePractice.com.
Jeff Mann
We had a fair amount of resources that maybe not everybody has, but we still considered ourselves to be students and learning. It's funny because, you know, we'll get to why I left NSA in a little bit, hopefully, but I was out in the private sector for a few years doing penetration testing and basically trying to convince companies back in those days: if you're going to play on the Internet, you really need to have a firewall. You really need to have some sort of secure architecture. You need to have some sort of clue or plan as to what you're doing. So you need to put a security program in place and figure out what it is you want to protect and need to protect. And at some point I got really frustrated with being hired by clients every six months to break in, and we'd break in the same way time after time. And we'd tell them this is really easy to fix, and they didn't seem to care to fix it. And at some point I'm like, okay, I'm done pen testing, because that doesn't seem to be getting the message across. And I ventured into, you know, I need to just be able to talk to companies and explain it to them and explain why they should care and why it matters. And about the time I made that decision is about the time that this thing called PCI came along, the Payment Card Industry standard, and I got sucked into that. But it was nice at the time because there were a lot of companies that had to do PCI. It's a private sector regulatory security standard that's of, by and for the credit card industry. So it's not a federally mandated thing; it's voluntary. But if you don't do it, you don't get to take credit cards, if you're a retailer or any kind of business that wants to make money. So it was, for me, it was beautiful because it gave me a captive audience, and I did that for a lot of years.
And one of the people that I worked with at NSA in our little hacking group, or pen test group, went out into the private sector, became an entrepreneur, started a company, and we finally came to terms and he found a way for me to come work for him. And when I came to work for him, which is, gosh, 10 years ago at this point, he said, oh, I want you to be an evangelist. I want you to start going to the conferences and start telling stories and talk about the stuff that we did. And so, I mean, there wasn't much of a hacking community in terms of conferences and training and so on back when I walked away, early 2000s, 2004-ish. But compared to 2013, 2014, 2015, there's lots of hacker conferences all throughout the country, there's Security BSides conferences, so on and so forth. So I was kind of nervous, because I'd kind of been away. I'd walked away from pen testing; I was just talking to people for the better part of 10 years and explaining a particular security standard, which to this day is still a decent standard. You know, here's all the fundamental things that you should think about and do. But as I went back to these conferences and started meeting people, one of the thoughts I had was, oh, I'm going to meet all these smart hackers, and they've had 10 years to keep working and growing. And I've been going to these conferences now for 10 years, and I'm still waiting to meet those uber people that, in my perception, were so advanced. Not to say that I'm advanced, but I think we were all in it together and we were all at a similar level, which is always learning. I mean, nobody claims to have the complete understanding of all of this.
There's always more to learn and there's always more to discover, and there's always layers and layers and layers. But I've had the privilege of meeting a lot of the people that I considered to be the pioneers and my heroes. Over the last couple years, I've met a lot of people that were members of some of the famous hacking groups and hacking collectives from back in the day. And I've met a lot of people, and, I apologize if this... I hope this does not come across as egotistical, but as I meet all these people that are, you know, farm boy from the Midwest, got into phone phreaking to get free long distance and then later free cable, and they just kept going and they figured out some things. Nobody's had the experiences that I've had.
Jack Murphy
Right.
Jeff Mann
Yeah. Which, you know, for me it was just the right time in the right place type of thing. But I've never met anybody yet to this day that I'm like, I'm completely in awe of an uber... one or two exceptions, the uber hackers. Most of them are almost as excited to meet me as I am to meet them. I remember before COVID, I think, the last DEF CON, so it would have been 2019. I was sitting around with some folks, and one of the guys I was sitting with was a guy whose name is Weld Pond. He's a member of the L0pht, which became famous back in the 90s for producing one of the first, if not the first, password cracking routines that would work on Windows passwords. So it was called L0phtCrack. And they were a hacker collective, a bunch of smart guys out of Boston, you know, Berkeley, Harvard, MIT type people. And I'm sitting there with one of them, and then one of the other guys I was sitting with that I was introduced to, he's one of the original members of Cult of the Dead Cow, and they're famous for other reasons. And I'm like, wait a minute. He's the L0pht. He's Cult of the Dead Cow. And now is probably when I should mention the nickname for our hacking group at NSA came to be known as the Pit. And so I'm a member of the Pit. I'm one of the founders, architects of the first penetration testing team at NSA. And we called it the Pit. So I'm like, it's the L0pht, it's the Pit, it's Cult of the Dead Cow. Like, guys, let's get our picture taken together. So I had somebody take our picture, and I was like, you guys don't know this, but this is really historical because, you know, dark side, dark side, white hat guy, inside of the good. But, you know, smart guys. Nobody's uber that I've ever met. Most of the people, especially from the early days, are all pretty humble.
You always hear about all the real elitist, arrogant jerks, and there are some out there, but most of the people that are really serious about this craft, as it were, are pretty humble and pretty eager to share and love to swap stories. And I've certainly had a lot of great opportunities to do that. One of my idols, you know, one of our motivations back when we were forming the Pit... we formed it when we were reorganized into this thing called the Secure Systems and Network Attack Center, the SNAC, the center of excellence for computer and network security. Back in 1994, we got moved to a new building and we got moved to an office, and we nicknamed our office the Pit. And one of our motivators was a book called The Cuckoo's Egg, written by a gentleman named Cliff Stoll. Cliff Stoll is like a Berkeley astronomer, physicist, smart guy. And he had noticed, by a matter of circumstances, that somebody was breaking into the university mainframe and stealing a lot of government secrets, because back in those days the only thing that was connected on the Internet was mainframes from either the government or research universities. And he set out to track down and find the people that were breaking in. Fascinating story. Sort of invented forensics. And he documented his experiences in a book that's called The Cuckoo's Egg. Must-read if anybody's interested at all in this discipline. A couple years ago, again, pre-COVID... in fact, I'm going back to the same conference where I met Cliff Stoll at the end of this week. But I was at a security conference up in Canada. He was the keynote. So I'm like, fanboy, I get to meet Cliff Stoll. And he's a goofy, quirky, weird kind of guy. He did a keynote presentation with a viewgraph projector. That's how quirky this guy is. 2019. Guys probably don't even know what a viewgraph is. Overhead projector. Yeah, his talk was a transparent laminate.
Jack Murphy
Yeah, the transparency.
Jeff Mann
A transparency that he laid down on a box that lit up through a lens that would project. Yeah, I mean, old school cool. Totally geeky and quirky and cool. And I had to go up and introduce myself and meet him, get my picture taken with him, and I told him I was NSA. And he's like, oh, yeah. He visited NSA as part of his tale of trying to figure out how to catch these bad guys that turned out to be East German hackers. And to my chagrin, the only time I've really been nervous to give a talk, because he did the keynote and I think I was the second or third talk after him. He's sitting in the front row like, holy, you know, one of my heroes. He's going to sit and listen to me give a talk. But that's how cool he was. I've met the guy that wrote PGP, Phil Zimmermann, a couple years ago. I've pretty much met all the pioneers at some point. And what's funny is a lot of those people, because they got into it out of necessity, they didn't start out as computer scientists and they didn't start out as programmers or administrators. They just had a job and computers became a thing. And so they wanted to learn about it and make it work, to get something done. A lot of them went back to their day job. Cliff Stoll is still an astronomer or whatever he does. A lot of these other guys were university professors, university researchers; they went back to their first love. There's very few of the early round of people that actually saw the dollar signs and went with it and became uber millionaires.
Dav
To backtrack a little bit, do you want to talk about... I mean, you mentioned it briefly, why you ended up leaving the NSA after all?
Jack Murphy
Even before that, though, you do have... When we met at a conference, you showed me orders, or, military-wise, I'd call them orders, but a document authorizing you to do the... Was it the very first pen test of an outside organization?
Jeff Mann
All right, it's the same question, the same story.
Jack Murphy
Okay.
Jeff Mann
And so I'll try to... I have a lot of stories. I apologize. Hopefully people are entertained.
Dav
This is a podcast. People love stories.
Jeff Mann
All right, so I'll keep going, and they can play me at 1.5x, which makes it go even quicker. So, you know, I'm in the Pit. We're doing all these pen tests of military bases throughout the world, and NSA facilities and other classified environments. And for whatever reason, and all I can say is because I was the business major, I became the biz dev person and was trying to formalize what we did. I was the only one that was really interested in talking to, you know, managers and suits and people other than just talking the tech and doing the stuff, talking to the lawyers. So in doing all that, we were putting together a methodology and we were writing it down so it could be a repeatable process. It was something that had a beginning and an end, and we'd take into account all the things we needed to think about before, during and after doing the engagement. And so somewhere along the line I started working with some people from another organization called DISA, the Defense Information Systems Agency, I think is what it's called. And they got me connected to some people at the Department of Justice. You know, the Internet was new, everybody was plugging into the Internet and everybody was like, woohoo, all the potential for the Internet. But then they're also saying, oh, but maybe we should think about security. So I went down into D.C. This is 1996. The first time I met them was probably April or May. Went down to the Department of Justice buildings, went into some big beautiful conference room, mahogany walls, big, huge table, everything's wood. Meeting with these people. And basically they wanted us to do a pen test of their Internet presence. I'm like, yeah, sure, no problem, we can do that. So I go back and talk to the lawyers, and the lawyers are like, well, hello, timeout.
It's an unclassified network; that's kind of new and different, and NSA is responsible for the security of classified systems. But the organization that was responsible for the security of unclassified organizations at the time was NIST, the National Institute of Standards and Technology. And at the time that was kind of a tongue-in-cheek running gag, because NIST didn't have a whole lot of capability in any technical respect similar to the kind of stuff that NSA did. So I'm talking to the lawyers, I'm like, well, can we make this happen? And the lawyer is like, yeah, we can make it happen, but there's hoops that you've got to jump through. So we proceeded to go through several weeks and months of hoop jumping to make this happen. And one of the first things he told me was, well, you know, when you have this type of relationship, it's got to be sort of a handshake agreement between cabinet-level positions. I'm like, well, what does that mean? He said, what it means is the Attorney General, which is what the DOJ rolls up under, basically has to ask the Secretary of Defense for a favor and say, hey, can you have your guys come over and take a look at our system? So you asked me to look it up. I've got a copy of the original email. Not email, I'm sorry, letter that came from the office of the Attorney General saying, hey, your guys have been talking to our guys, and I'm paraphrasing it. And basically we want you to... Well, I can read it to you: "Therefore, I am formally requesting that DISA and NSA work with us to provide a vulnerability assessment on the security posture of DOJ sensitive systems and network connectivity, to include the System Network Architecture (SNA) and Virtual Telecommunications Access Method (VTAM)." It's government. Everything's got to have an acronym.
Dav
Also.
Jeff Mann
The Secure Network Architecture. Did I say that already? "I am requesting that the assessment begin with the testing and evaluation of the security configurations in the Financial Management Information System, which is used by several components within the DOJ." It goes on and on, a little over a page, signed by the Attorney General at the time, Janet Reno. You got that?
Jack Murphy
Yeah.
Jeff Mann
Yep. Okay. And it was actually addressed to the person that was designated by the Secretary of Defense at the time, the Assistant Secretary of Defense responsible for C3I, the Honorable Emmett Paige Jr. Wow. Okay. So that was the first step. And then what had to happen was, gosh, hope I get this in the right order. This is a response from NSA. Of course, letters by the government, they're all written by peons like me, and they just eventually get up and signed by the people. You've seen the movies where they throw papers in front of the president and he just signs them one after another. So this is a draft letter from Emmett Paige back to Janet Reno saying basically we're on it. Then there's another letter that I have. This is from somebody at DISA to the Department of Justice saying basically we're on it. And probably then the most interesting one is... and it has an official processing form, because it's got to have lots and lots of signatures to approve it. But this is the letter that was drafted for the signature of the Director of NSA. And if you... you see that.
Jack Murphy
Yeah.
Jeff Mann
Right there on the bottom line, I am the point of contact for this project, which says, yeah, we'd be happy to, you know, members of the Systems and Network Attack Center will go down and do this. Now, on the cover sheet, it actually talks about... I think you can see this here. It had a code name. The effort is Project Eagle.
Dav
So
Jeff Mann
This letter, which is, you know, a copy of it, but it's signed and it's dated. You'll see the date?
Dav
21-8-1996.
Jeff Mann
Yeah, 1996. So that's super. This is what happened. You know, of course, the letter's signed. This is all going back around, getting all the signatures. It had not yet been delivered. I think 21st August 1996 was like a Wednesday or Thursday. The weekend before, before the letter had been delivered, the DOJ website was popped. First hack of a DOJ or government website, rather famous. The hackers defaced the entire... basically replaced the entire website. They replaced Janet Reno's picture with a picture of Adolf Hitler. They had all sorts of more colorful things on it. And this happened on a weekend, the weekend before this letter was going to be delivered and we were going to go. So I get a call Monday morning from my contact at the DOJ saying we had a problem over the weekend. We were hacked. I don't know if you heard about it, but help. And so I'm like, well, let me see what I can do. I hung up the phone and I called the lawyers up, the general counsel's office, and I explained to him what happened. And I said, you know, we're this close to being legal, to going down there and doing the work. What do I have to do in order to get a team of people down there the next day? I mean, I want to help them out, right? They're desperate, they need help. What can we do for them? And they gave me three criteria. They said, well, don't go on your own accord. Make sure you're sent by management. Get the request in writing from the DOJ, and don't go alone. I mean, that was it. I'm like, okay. I assembled a team. I called back the DOJ and said, send me something that requests this. I got it hours later. And then we went to our management and said, hey, this is what's happening. Will you let us go? And they said yes. So Tuesday morning we go down and we're looking at everything.
Of course, in those days, everybody had their own servers that were serving up their web servers that were part of their network. Maybe they were outside of their network, maybe they weren't. But when they discovered the breach, the DOJ admins took the systems down, took them offline and wiped them and rebuilt them. So whatever evidence might have been there to begin with... Yeah, I mean, there were no forensic guides. There were no rules back then. This is 1996. Nothing had been written yet about how to do this other than Cliff Stoll and The Cuckoo's Egg. But what he was talking about was mostly on phone lines and phone switches and PBXs, public exchange servers, all phone related. So we're there Tuesday, Wednesday. There were other systems that hadn't been affected, but we were looking for evidence of tampering and any footprints, as it were, electronic footprints, to see if we could pull anything together. We're there Tuesday, we're there Wednesday. We go down Thursday. Mid-morning Thursday, I got a call from somebody back in the Pit. And they said, Jeff, the shit's hit the fan. You guys got to drop what you're doing and come back now. So we dropped what we were doing. We went back and got raided into the deputy director's conference room. And the lawyer that I had been working with for the previous year proceeded to read us the riot act, yelling at me in particular for doing something that was potentially illegal that could get the director not only fired, but prosecuted. And what the hell were you thinking? And I'm like, you knew about it. Well, technically, when I called the lawyers on that Monday morning, both the general counsel, this guy, and his deputy answered the phone, and I said, I've got an issue. Who wants to take it? And the general counsel deferred to his deputy. So I did this with the deputy general counsel, not the main guy, but it's the main guy that was yelling at me.
So I got put on double secret probation since I was the ringleader. And the first time I'd ever heard of the Church proceedings is when the lawyer was yelling at me, saying, don't you know you violated the NSA charter? Don't you know you could get the director fired, if not prosecuted? I was put on probation. I was investigated internally. I found out many years later, because I bumped into this lawyer after 20-some-odd years at DEF CON, ironically, it turns out they were not only trying to fire me, they were trying to prosecute me as well.
Jack Murphy
That is, that attorney, or the administration, the director, the powers that be?
Jeff Mann
This was above him and it was above me. In fact, I learned that, you know, I'd been pissed off at this guy for 20-some-odd years for yelling at me when we were buds. And it turns out he was getting a lot of flak too, because he had ultimately sent us, or his office had sent us. Yeah, his deputy resigned. But, you know, after going on double secret probation, having to talk to internal security and tell the story, and pretty much everybody I talked to was like, that's it? You were just trying to help. It kind of soured me on continuing to work there. We eventually were exonerated and we got pulled back into the deputy director's office, and a bunch of the senior-level management were talking to us and counseling us, and they basically said, you know, we like what you guys do, we want you to do it, but if you're going to do it here, you have to follow our rules. And so we said fine. I was gone from NSA by the end of September of 1996, so like six weeks after this all went down, I was gone from NSA, because it was the end of the fiscal year. They were doing a buyout to get people to leave. This is one of the fallouts of the Soviet Union and fighting for, but they were paying people to leave.
We'd been kind of toying around. A bunch of us were looking for, you know, higher-paid jobs in the private sector and all that kind of stuff. So I took the first offer that came along, and I was offered money to leave, and I got the hell out of Dodge, end of September 1996, tried not to let the door hit me on the way out type of thing. Which, looking back on it almost 30 years later, if it hadn't gone south... I mean, there was something cool and fun and patriotic about doing it there. We were thinking we were doing a good thing. There was the allure of more money out in the private sector. But I'll tell you what, when I went out into the private sector, more than the increase in pay, it was the idea that I could be hired by a company to do a pen test one week, do the job for the next couple weeks, take a couple of weeks to write the report, maybe a month later come in and present our findings, giving recommendations. And we were done, in and out, maybe a month, maybe six weeks, where six weeks at NSA we would have still been trying to get permission to run the ping command. Right. So much more than the money was the lack of bureaucracy and the more focused, less complicated: there's a job to do, do it, report on it, give the feedback, thank you, you're done type of thing. That was very refreshing. So the reason I left NSA was because, very much, they tried to get me to leave involuntarily, but I kind of took the opportunity when they gave it to me to get out. Largely, I've had a more receptive audience with my clients over the years. Not every time do they want to hear what I have to tell them in terms of how they're insecure and what they need to do differently or what they need to invest in.
But generally, if you can explain it to people... And I think I do a reasonable job of explaining to people why they should care, why they should worry, what they need to invest in, or at least, okay, you've got limited resources, here's your options. Here's the pros and cons of what you decide to do or not do. So at least they can make an informed decision, or at least what I believe is a more informed decision, about how to approach this thing that we now call cyber security and protect your organization. And oh, by the way, we're losing. And nobody can afford to do everything that they need to do to provide that mythical 100% level of protection, because it doesn't exist. And yet we have a very burgeoning industry that keeps going, and hundreds of billions of dollars are spent on technology, where what ultimately causes many companies to fall is a process issue or a failure of people and personnel to do something pretty trivial. Yeah. When you get down to it. Keep spending your money, people.
Jack Murphy
How does, you know, when we look at the United States, we are a free country, and limits on the government are a good thing. And yet, I don't want to say "and yet" as though we should erase freedoms in any way, shape or form. But how does the NSA, particularly in this infosec environment, compete against countries like China, Iran, Russia that do not have any moral compunction, any laws that limit their government's reach? How do we compete against that?
Jeff Mann
Well, that's a very complicated question to answer, and philosophically it does. This came up a while ago in a conversation, and I now have the opportunity to say it, so I'll say it: I think one should think twice about automatically assuming that what we're doing is moral because we're doing it to protect us. I'll just throw that out there to make people think. But generally speaking, we are a moral, responsible society and government that does operate under rules, and most people take the rules fairly seriously. There's always exceptions. And because there are rules and there are bounds, and more than that, there's just so much that could happen, so much that could go wrong, and you never know what's going to happen and where, where do you put your attention and focus and your limited resources? We're almost setting ourselves up as a society, if not pockets of industry within our government, which some would argue the government should be protecting. It's not really a winnable situation, in my opinion. Whereas other countries, we are certainly told, aren't as strict on rules and regulation. I doubt if Chinese hacking groups, whether they're military or paramilitary or funded by the government, are going through a lot of procedures and bureaucracy and red tape. That's a perception. So, I mean, we handcuff ourselves. And of course, I have relationships, tangentially, with a lot of people that are involved in the mission of protecting the country, cyber security, national defense, and so on and so forth. To be honest, and if any of them are listening, I apologize ahead of time.
But given my experience working with the government and the private sector, I've always felt that if you're working for the government, it's because you're not good enough to make it in the private sector. So you're kind of second tier to begin with. And there are exceptions. That's just a very broad, blanket, probably ignorant statement for me to say, but in my experience, the real cutting edge stuff happens in the private sector, and here's why. For better or for worse, in the private sector, everything's driven by the dollar. Everything is financially motivated. Companies exist because they're trying to make money. That's free commerce. That's what we do as a free country. And I often tell my clients in the private sector, when they talk about risk, and you hear all these words bandied about like risk and vulnerability and threat and security, I tell my clients and anybody that listens, frankly, when I was working for the military, when I was working as a civilian, the idea of risk was all computed around loss of human life: troops on the battlefield, citizens abroad and domestic, embassy workers, State Department employees, and stuff like that. It all had to do with loss of life. In the private sector, it's all about money. That's very different, especially when everything you do comes at a cost, or everything you don't do potentially comes at a cost. So it's a different motivational factor. And I'm not saying it's a... Somebody posted on LinkedIn. A little bit.
Jack Murphy
We're losing you just a little bit. I think your, your signal's a little low, but.
Jeff Mann
Oh, no.
Jack Murphy
Yeah, can you repeat that last.
Jeff Mann
Can you hear me now?
Jack Murphy
Yeah, we got you.
Jeff Mann
Okay.
Jack Murphy
Yeah.
Jeff Mann
How far back do you need to go?
Jack Murphy
Just like the last sentence or two. Yeah,
Jeff Mann
Well, what I'm saying is the idea of risk, why you do security, why you do the things, is very different if you're pursuing the national defense, which is basically loss of human life to some degree, versus the private sector, which is how much money are you going to lose, or how much money are you going to spend, or how much revenue are you going to lose? It's all on a financial basis. And it's not that one is right and one is wrong. It's just that they're very different. And in a lot of ways, in the private sector, it's a lot easier to understand: dollars and cents. Right. That's a pretty easy equation to understand. In the national defense context, how do you put a price on a human life? Right. You intuitively don't want to lose anybody's lives. But I'm sure we've all seen reports or heard people talk about generals planning battles, even the Normandy invasion in World War II. Everybody knew people were going to die. Right. And the calculations that were being done on what was an acceptable level of loss of human life, given the potential gain. That's where I defer to the people that do work for the government and do work for the national defense, because they do take that very seriously. And it's very hard, but it's also very politically motivated, and there's a lot of bureaucracy and stuff that goes on with that, where maybe I'm taking the easy road out by just working in the private sector, where it's all about money.
Dav
Questions?
Jack Murphy
Yeah, we do. But I want to ask you, in your opinion, you know, the government is notoriously cheap, right? The government is notorious for what they pay soldiers, what they pay case officers, what they pay NSA analysts and operators, what they pay their federal law enforcement. For a lot of the jobs, whether it's a soldier or an FBI agent or whatever, there are not a lot of comparable jobs on the outside, so they can pay on the cheap. When it comes to the NSA, though, you guys may be GS12 or GS13 step five, but then you can turn around to Mandiant and CrowdStrike or whatever and earn three times, four times what you're making. Do you feel that the NSA, that the government in general, needs to deal with this new reality, and that the NSA should pay people what they're worth on the outside in order to keep that talent?
Jeff Mann
I mean, the short answer is yes, but it's complicated. And this is where I do have a little bit of deference to the people that do work for the government, because they do believe in the mission and are patriots and things like that. But there is this stigma, at the very least, that if they were really good at what they did, they'd be in the private sector, with the bigger dollars making them more. But that doesn't mean that everybody out in the private sector that's making the big bucks is deserving of it. So, you know, it's...
Dav
You might not necessarily want them deciding who lives and who dies either.
Jack Murphy
Right, right, right.
Jeff Mann
I mean, I talk to a lot of people, since I go out to a lot of conferences. I was at a conference last weekend, and after I spoke I was talking to probably a dozen college students that had come from one college, and they were just peppering me with questions. Refreshingly, they did not ask, which is a change when I talk to students, how much does this pay? How much can you make in cyber security? They mostly have a passion for technology. They have a passion for whatever this stuff is. But I try to tell people, find something you like to do, find something you enjoy doing. Don't get hung up on money, because you can make a lot of money and that's arriving and making it. But I have yet to meet anybody that's happy and satisfied because they make gobs of money. But I know a lot of people that are really happy with what they're doing and really satisfied with their job. Some do make a lot of money, some don't make a lot of money. Some are in the government, some aren't in the government. But the happiest people I know are the ones that are doing what they love and feeling like they make a difference. And I think you can certainly, I mean, I've been doing the credit card industry for 20 years. I go home at night and fall asleep thinking, wow, I've allowed a company to make money on credit card interest. Contrast that with somebody that goes home at night and falls asleep because they knew they helped save lives or promote the national defense. So it's a hard nut to crack. But I think there's a stigma, at least for me, that if you're working for the government, it's because you couldn't cut it in the private sector, where they pay the big bucks. Of course, a lot of people put their time in in the government and then get the posh job at the big companies out in the private sector.
And most of the people you know and see, and man, I'm grossly generalizing, I'm not impressed by the people that you see, the public figures, the ones that are always getting interviewed on CNN and all the different news channels, and so on and so forth. The people that really are good at doing all this stuff, and love it and are passionate about it, you don't know who they are. I don't know who they are, because they're just in the trenches doing it, and they're doing it for whatever makes them satisfied. And God bless them, because we need those people.
Jack Murphy
I think it's interesting, because you talk about the mission, and I can see how, similar to the military, the people in the NSA have a mission and a purpose. And as you experienced, I think the challenge with the mission and patriotism and that sense of purpose is that the only thing that stands between that and bitterness is one bad manager, one bad leader, and they can steal that entire sense from a person. How is the NSA when it comes to their leadership development and their management development, things like that?
Jeff Mann
Yeah, I know when I was there, which was the better part of 30 years ago, there was a stigma: if you want to advance in your career, go up the pay grade ladder. To get beyond a certain level, you had to get into management. There was either the technical track or the management track, and the management track is who made the big bucks. But if you were good at the technology, and I use that term loosely, technical could be your cryptologist, technical could be anything but management. Labor, not management. The people that were really good at it and wanted to advance at some point had to kind of suck it up and say, if I want to go further, I've got to get into management. I don't know that they've completely solved that. I was actually invited back to NSA last fall for an alumni open house, because they're basically trying to recruit people that used to work there, because they're hiring. There's certainly a need. And we talked about how they don't pay well, and someone like me, whose parents expired over 20 years ago, I simply asked, is there any way to streamline me getting back in? You want me? I'm certainly capable, I certainly have a lot of experience. But there's that background investigation. And the very long winded answer, and I really never got a good answer, was no, there is no shortcut. But gosh, I think I was at RSA a few years ago and I went to the NSA booth, because that's sort of a pilgrimage every time I go to the RSA conference. And I met a young lady at the booth and she's like, oh, you're Jeff Mann. I'm like, oh, she knows who I am. She knows my stature in this industry and my background and stuff. And she said, oh, I used to go to school with your daughter. So I'm like, oh, okay. So she had no idea who I was, other than I was the father of a classmate of hers. My daughter now is in her early 30s. This woman's in her early 30s.
She's senior level management at NSA, and she might be the smartest person around. But my gosh, early 30s, probably has been at NSA since college. So she's got maybe 10 years of experience, and she's in a really senior level role. That doesn't give you warm fuzzies. And it's nothing personal against her, right? It's not because she's a woman. It's not because she's young. It's because she's got maybe 10 years of experience. And how much of that 10 years has been off on the 2020 program getting more education and training and doing this, that and the other? My impression is they're working with what they've got to work with, right? And again, it's not a knock on her personally. I'm sure she's very smart and very wonderful, but she's made comments about how NSA is on top of their game. At this open house, the director was talking about how NSA is on top of their game. He's a very compelling speaker. But I'm like, yeah. Then I started talking to some of the people. I'm like, yeah, you're still full of it. And that's just my opinion. They talk a good game, but at the end of the day it's still a government job, and they've got lots of stupid bureaucracy and rules and regulations. And because they're sort of the only game in town, they look inward; they don't see the big picture and they don't see the outside. I've been trying to offer them: hey, I've been out in the private sector for 25, 26, 27, 28 years now. I've learned a few things. Maybe you, who say you want to be more engaging to the private sector, why don't you bring me in and let me tell you how to maybe do that? Because your "me first" approach, we're NSA, you should listen to us, that's not going to cut it in the real world. People are like, oh yeah, you're NSA, well, what does that mean at the end of the day?
And gosh, I hope I'm not getting fired or arrested after this podcast.
Jack Murphy
And one last question before we get to viewer questions. I'm curious about, you know, back during the naval era, when you had the letters of marque, when we've had these times when the government can't control everything, we had the idea of privateers. Do you think that the government, in this cyber warfare world, in this cyber environment, when there are 14 year olds who are just brilliant and doing crazy, amazing stuff, and there are groups out there, do you think that the government in this one arena should turn to a privateer model?
Jeff Mann
It's an interesting question.
Jeff Mann
I would say, I was having a conversation in the last couple of weeks with some people at one of the conferences I go to, actually, it might have been on the podcast I do, and they were basically talking about how there are certain hacker groups out there that are just going after certain, not necessarily nation state actors, but sex trafficking, child trafficking type groups. There are conscientious hackers that just kind of go after them because it needs to be done. And it's not technically sanctioned by the government, not sanctioned by anybody, but nobody's really complaining. So that's my most recent frame of reference, I would say. My bias is that if NSA or the government puts its fingerprint on it, it's going to get stupid at some point. Could there be sort of an unofficial handshake? Well, there's a shadow group out there that's just doing the responsible, right thing. That might work for a while, but of course that could go wrong for many reasons too, because absolute power corrupts absolutely. But the serious hackers out there that are socially minded, socially conscious, want to do the right thing and are frustrated at bureaucracy and the limits that the government puts on out of necessity. It makes it very difficult to do what needs to be done in a fashion or a manner that can and should be done. I don't know what you would call it, if you would call it privateering per se, or just looking the other way. Does there need to be some oversight? Does there need to be some kind of stopgap? I could see that happening. On the flip side, do I believe in vigilantism? Not necessarily, that sounds intuitively wrong. But anything can work for a while, and anything can go south when the wrong personality and the wrong motives come into play.
People often ask about hacking back, and whether that should be done by companies or left to the government. Right, yeah. This is where the difference between the private sector, where money is the risk, and the government protecting the US and US entities and things like that, gets a little bit fuzzy and tricky for me. But I tend to want to, like, I'd rather have the government in control of the actual war fighting, because that's sort of what they're in the business of doing. I think it could get real ugly, and lots of bad things could happen to innocent people if it's done by the wrong people for the wrong reasons, or even the wrong people for the right reasons, but outside of the boundaries of control. Yep. There's a reason why we have a Geneva Convention, which doesn't make sense at some level. Like, why do we have people sitting down coming up with rules on how to conduct warfare? At some level it makes perfect sense. On another level, it's a head scratcher. It's the same type of thing for hacking and hacktivism and stuff like that. It makes sense at one level, and at another level it's like, man, you don't want to go there. That's very sketchy. And I can go either way, depending on my mood and depending on what the situation is.
Jack Murphy
So again, I'm sorry, but one more follow-up question, because you mentioned the Geneva Convention, and I'm curious, in your experience, if a non state actor, a hacker group, shuts down a hospital with ransomware, should they be considered a viable military target?
Jeff Mann
Hmm, it's an interesting question from a Geneva Convention perspective. And again, this is a conversation we had on our podcast a couple of weeks ago with a gentleman named Josh Corman. It used to be that the hackers, the bad guys, you know, hackers can be good or bad, but the bad guys used to have sort of a code of conduct or ethics: you wouldn't go after, like, a children's hospital and hit them with malware or ransomware. But the perpetrators, the bad guys that are doing this, they're looking for targets of opportunity. They're not looking at who it is as much. So there used to be some idea of responsible crime, and that kind of goes away at some point. So should they be targeted by a military action? I would tend to say yes. But again, that's the situation where there are private groups, hacking groups, good guy groups, that are actively targeting those types of organizations and doing what they can to take them down in a logical, technological sense. I don't think it's in a military sense, in a physical sense. But yeah, there are certain lines that get crossed that most people will say, yeah, that's something that shouldn't be done, that's not cool. It used to be that there were responsible criminals that wouldn't do something like that. But that seems to have gone out the window. So, whatever works to get the stuff to stop happening, I'd be tempted to condone that to a degree, if that makes sense.
Jack Murphy
I agree with you. I mean, I was just curious. You're the expert here. But I feel as though, according to the Geneva Convention, if they're responsible for the loss of life, they're a viable target. But I don't know, from a cyber perspective, what somebody as experienced as you, what your thoughts would be. All right, let me get...
Jeff Mann
Well, final comment on that. What's interesting to me is we talked earlier about some things kind of coming full circle or overlapping. Maybe this was off the air, but signals intelligence is becoming a thing again. The idea of risk now, because we're targeting hospitals that can't afford the security, can't afford the ransom, critical infrastructure, the idea of the risk being loss of human life is becoming something more tangible and real in the private sector. So it's not a full circle thing, but it is a blending where more action is required, and more action from the government is necessary, even if that means regulation and regulatory compliance, but also assistance. So, right, it is an interesting time we're living in, but I think it's interesting that risk in the private sector, which has been money for so long, is now starting to be human life again, which is something that the military understands. So yeah, maybe they should step in.
Jack Murphy
So, viewer questions. McOrban, thank you very much, really appreciate it. Does Bitcoin have a future as a tool for power projection? And also, what is your take on the 2000 US China hacker war?
Jeff Mann
I try to avoid Bitcoin as much as possible. Does it have a future? No comment. And I haven't heard of the other one. I don't do a lot in the technology realm. I focus more on people and processes. That's just a general disclaimer. So try to ask me another question. I'm sorry, I can't answer the first one.
Jack Murphy
Johnny, thank you very much for the donation. I don't see a question. If you have one, please throw it in the chat. Oh, I see another one. Global Media, thank you very much. Support the Team House, get those likes up. Yes, everybody, if you haven't liked this, please throw us a like and hit subscribe if you haven't. Johnny, thank you very much. I wonder if Jeff thinks CPU architecture can be secure. Intel, Apple, TSMC have been shown to have unpatchable physical vulnerabilities in chips which leak secure keys.
Jeff Mann
Yeah, I had a chief scientist, I believe it was in my early days at NSA, so it would have been in the 80s, maybe early 90s, that used to have a mantra: what can be created by man can be broken by man. So in that context, can CPUs ultimately be made 100% secure, unbreakable? No. To me, we're having two different discussions that often get lumped under this mantle of cyber security. One is the idea of securing all the things as much as possible, creating a secure state, which is kind of a noun. And the second thing is security: what do you do, given you can't do the first, to monitor and detect and respond in your network, your environment, given that something inevitably is going to fall in terms of the technology? So in that sense, what I'm saying is no, I don't think CPUs can ultimately be secured 100%. But given that, what do you do? Maybe you don't invest as much in trying to find a better CPU. What is done these days by the organizations that you referred to is probably good enough for most people, but it's the few that care, and the few that are going to be impacted the most by somebody that figures out a compromise, figures out a way to work around what we used to call a feature. They're the ones that need to care about it, but they need to know how to detect it, to minimize the damage, to respond to it. It's a component of the process. Security is something you do. It's not a state that you achieve. There's making things secure, and then there's security, which is the diligence and the monitoring and the standing guard and standing watch so that you see the attack when it's happening, you intercept it early, you minimize the damage. That to me is the essence of security.
Jack Murphy
Do you think that hardware manufacturers and software manufacturers are transparent enough with the community in terms of what they think the weaknesses are, so that people can be diligent, or do you think they could be more transparent?
Jeff Mann
Short answer is no, I don't think they're as transparent as they could be. The podcast that I do, Paul's Security Weekly, securityweekly.com. Paul Asadoorian, the Paul in Paul's Security Weekly, works for a hardware hacking, hardware vulnerability research company. Well, I don't need to say the name. I'll let him do that. Go to Security Weekly, you'll figure it out. But he focuses a lot on hardware vulnerabilities right now, so that's a topic that comes up a lot in our podcast over the last year or so. He reports very routinely on the research that he's doing with his day job on the insecurities of hardware and how hard it is to secure hardware. And it's not really the new frontier, because it's been around forever. I mean, I worked at NSA when it was all hardware and there was no software. So it's semantics and blurring the lines. But hardware is also prone to insecurities and vulnerabilities and bugs and weaknesses and misconfigurations. They're out there. They typically don't become publicly known until either somebody exploits them or some researcher discovers it. And then it's the sky is falling. You have to temper it with the likelihood that somebody's going to go after something like that, going to go to that degree of attack that they're going to try to exploit it. A general principle I'd say is, the bad guys are going to do whatever works, whatever's easiest. They have their own cost benefit analysis, as it were, so they're going to do what works and what's easy, and they're going to hit the targets that are vulnerable. They don't necessarily target specific organizations, which to me is one of the big 800 pound gorillas in the room: we have this industry that makes people protect against all sorts of stuff, but most of the bad guys aren't targeting specific organizations.
If they did, they sort of have unlimited resources and could go after them any way they can, and they can take the time. And if it means exploiting a hardware vulnerability, they will. I think the line is drawn when the hardware vulnerability can be exploited in a way that is sort of reproducible, and it can become something random in terms of, let's find somebody who's vulnerable, we don't care who it is, right, even if it's a children's hospital, and let's exploit it and make money off of it. Commoditized types of attacks that target anybody, no offense, we're just targeting whoever's vulnerable.
Jack Murphy
Do you think that ransomware as a service has kind of increased that type of tendency? You might have ransomware gangs that do have those codes, but then when it's ransomware as a service, you just have some script kiddie out there who's like, ah, I'll just find whoever will pay.
Jeff Mann
Well, I mean, it's simple economics. You're not really paying attention to who the target is. It's whoever's vulnerable that you can make money off of. I mean, ransomware in general, I think, has changed the dynamic of cyber security significantly, because of the way I was classically taught about this problem, which back in the early days we called data security or information security. Most people have probably heard of the CIA triad, the three components of security of data being confidentiality, integrity and availability. So confidentiality: keeping secrets secret. Integrity: knowing that the data is valid, that it hasn't been altered or tampered with. And then availability: can you get to the data when you need it? Most of this cyber security industry, which is mostly technology based, focuses on the confidentiality problem: trying to keep things secret, trying to keep things safe, trying to keep things inaccessible in terms of stealing it. Denial of service has been a problem off and on, distributed denial of service has been a problem off and on over the last 20 years or so, but we've sort of solved those problems. Integrity issues, faking the data, do you trust the data? That can come into play with phishing schemes and fraud schemes, scams and stuff like that. But availability, that's something that we haven't really invested a lot of technology solutions in. And everybody believes that technology is how you solve the problems. And it's even more twisted than that, because it's not just ransomware, where we're going to hold your data and if you don't pay, we don't give it back to you and you lose access to it. But now it's sort of the... I don't know if somebody's come up with a good term for it, but holding the data and threatening to release it.
Jack Murphy
Right.
Jeff Mann
Rather than just sending it back to you. So, I don't know what's a good term for it, but that's coming up more.
Jack Murphy
Yes, the exploitation kind of a.
Jeff Mann
Blackmail.
Jack Murphy
Yeah, yeah.
Jeff Mann
You know, there are no good technical solutions to prevent that other than the things that we've been preaching for the last 30 years of sort of basic security hygiene to try to, you know, prevent that stuff from happening. I mean, with all the ransomware attacks that are out there, you don't often hear people talking about how the ransomware attack was launched in the first place, how it, you know, got into the environment. But it's usually a phishing attack, which is not a technical failure, although you could argue that it could be. Why am I getting an email in my inbox that's got a phishing link in it? Why isn't there technology out there that filters that or blocks it? There's that aspect of it, but, you know, we don't have a lot of good technology out there that prevents people from clicking on a link or falling prey to a really, really convincing, clever phishing scam.
Jack Murphy
Right.
Jeff Mann
Or, you know, to date myself back almost 30 years, to open an attachment of a document in an email that I got from a trusted source that says, hey, read this. And by doing so I've launched, right, a virus or malware. What we used to call viruses and Trojans and malware, but what we pejoratively call ransomware these days.
Jack Murphy
Right. Well, I mean, in these days and times, it's amazing how many organizations aren't even enforcing a basic, like, 2FA to log into stuff. It's incredible the basic steps that aren't being taken often.
Jeff Mann
I agree with that, and what I often shake my head at is the fact that there are so many vendors out there trying to sell you convincing solutions, and I'm talking primarily the private sector because that's where I've been most of the last 30 years. Without regulation, without compliance, most companies aren't going to do it, because why should they? They don't have to. And until they get popped, until they get breached, they don't get the religion of, oh, we really should have done that. You know, I've been doing the payment card industry for 20 years. The PCI Data Security Standard is a pretty decent high level set of rules of things that you should do to secure your organization, your network, to protect data that you care about being stolen. Specifically, it's credit card information, but you can apply it to anything. Most organizations that I work with are doing it because they have to. And in the early days, even before PCI, when I was working with companies in the private sector, and even in the beginning days of PCI, the questions I was being asked by the companies I worked for, they weren't asking what do we need to do to be secure. They were asking what is everybody else doing that's a peer in my industry, so that, you know, I can do as little or as much as anybody else, so that when something bad happens, I can say, well, I was doing best practice and therefore not get fined or not be held liable or accountable, because it could happen to anybody. It's a weird dynamic, but most companies out there, if they don't have a reason to do it, they're not going to do it. But you could sort of explain that in a financial model, because everything's, you know, money based in terms of the risk model. Well, it hasn't happened yet. 
Why should we spend money to protect against something that hasn't even happened yet? So there's a financial logic to it, and of course it blows up when the bad thing happens, and that's when we get called in and we help them straighten things out and, you know, they get religion. But what's in the news these days in the private sector is critical infrastructure, utility companies. I hear people talking about, well, there's NIST this and the MITRE ATT&CK framework and do this and that and the other. And there's all these things. I'm like, they're a utility. Somebody in that company is, you know, collecting credit cards to pay for the water bill, the electric bill. So they know PCI is in there somewhere. If you just did what PCI said to do, you'd be pretty much okay, but nobody seems to be connecting the dots on that. PCI is this, oh, nobody likes to talk about PCI. That's old. It's stupid. You know, it's not flashy and new and shiny, right? But it is today, because PCI 4.0 is now the law of the land.
Dav
Do you have anything else for Jeff?
Jack Murphy
How long do you think it will take? Thanks, Jon Jones. How long do you think it'll take for AI based security controls to become as commonplace in the private sector as layer seven firewalls are today?
Jeff Mann
Oh God. AI, the latest buzzword thing that I'm trying to avoid ever dealing with. You could probably map this to other things, like you're using the firewall as the analogy. Everybody's got a firewall these days. I'm sorry, they don't have firewalls anymore because their infrastructure is now in the cloud and it's protected by software. 10 years, with a little bit of acceleration, I'll say 5 years, that's my guess. And then.
Jack Murphy
Roman Corbin. Oh, Justin Zulu, thank you very much. What are some things that the average person could do to protect themselves going forward?
Jeff Mann
Probably the biggest thing is put what the industry calls multi factor authentication, what we used to call two factor authentication, on everything. I'm not a personal fan of password vaults because I'm old school enough to think that you shouldn't put all your secrets online, period. Or rely on or trust technology, period. WarGames, 1983. Don't trust the WOPR. But use a really, really, really long password. And I would even advocate phrases, poems, song lyrics. Try to think of obscure song lyrics and then apply random uppercase, lowercase, special characters. Everybody knows to substitute the number 4 for the letter A and the number 3 for the letter E. But don't do it on the first letter, last letter, don't do it on every letter. Put spaces in between the words, or better yet, put spaces somewhere in between the word and not between the words, because that's going to protect against password cracking, brute forcing. But more than that, I would say make sure you're always using some sort of multi factor authentication on everything. There's a lot of people talking about using password vaults, and you get to use those super long random password generated things that are stored in the vault. But password vault companies have fallen victim to compromise, so they're not a perfect solution. In fact, I interviewed the CEO of LastPass last summer at Black Hat, as part of the podcast I do; we did live interviews of executives. That was an interesting conversation. I didn't know the guy wasn't the founder of the company LastPass. He had become CEO like October, you know, two years ago, you know, months before they had not one, but two major breaches. So I was kind of like, ouch. But I mean, I'm old school. I don't believe that you should put all your eggs in the technology digital basket. I think this is your best tool right here. My current domain password for my day job company is, I think, like 38 characters long. 
It's a song lyric. It's a line of a song that I know, and I mix it up a little bit, just enough to protect against the cracking. But just the sheer length of it, 38 characters. Nobody's going to guess it. I would even say, if you knew what album I was citing a lyric from, because of the various permutations, yeah, you could compute it at brute force, but it would take you a while, because I mix up the spaces and the upper characters and lower characters and special characters and stuff like that. But because I grew up typing with 10 fingers and not thumbs, I can type my 38 character password in faster than probably most people can do a 10 or 12 character password. They're just doing it like this. But that's just me being a crotchety, curmudgeonly old timer. Get off my lawn.
Jack Murphy
So Jeff, my question, because I do use a password vault, my question to you would be, in this digital world where everything we do requires a password, and obviously you don't want to reuse the same password, how do you manage 30 passwords without a vault? Do you write them all down? Do you personally just remember them all? Like, how does the average person manage that?
Jeff Mann
Well, A, I'm not the average person. Yes, for better or for worse. You know, we used to talk about having passwords you care about and passwords that are the throwaway passwords. Of course I've talked to developers that, you know, are doing stuff in Azure, AWS, where they need to know like 300 passwords for all the various different systems that they've got working on. You know, that can be a little bit excessive, but I guess I'm more of the mindset that you have the throwaway passwords. You need to make a password, have it decent. But I'm okay with repeating passwords for accounts that I don't care about. Now, the thinking on that is you don't want to use a password in multiple places and use it on someplace where something's going to get stolen, something you care about. So I sort of distinguish the throwaway password. Oh, I've got to sign up for something. I've got to create an account. I'm never going to use this again. I need to have a password. So I have a throwaway password that's just something lame. And then the passwords on the accounts that I care about, which are much fewer, they're either unique or they're permutations on a very, very long string. But there's a couple of considerations to be made, and I can argue myself out of this, because it's not just stealing the hash and cracking it and trying to figure out what the password is. If you're using it in multiple places and it gets compromised in one place, it can be used in many other places. That's another type of attack. There's the possibility that, you know, even your best password somehow gets intercepted while you're using it, in a fashion where it can be copied, you know, more rare, but still a possibility. But the bad guys don't often do it that way because there's easier ways to do it. So I guess I could be proven wrong. 
I'm happy to be proven wrong and argued out of it. But I'm still of a mind that I have throwaway passwords that I'll use repeatedly in many places. And I don't care if you knock over this account and that account and that account and that account, because I just set up the account so I could download the white paper, damn it, and read it.
Jack Murphy
Right.
Jeff Mann
But you know, shoot, my rental car company that I use, and I won't say which rental car company, when I initially set up the password on my first app, they asked for a PIN. So I have a four digit password on my car rental company, and I keep thinking I should change it. But then I keep thinking, but I don't really care if somebody rents a car in my name, because I could probably sort that out, you know, I'm not going to be ultimately held liable for it. And who's going to do that anyway? So I have a four digit PIN that is my password at my car rental company to this day. And I set it probably 25 years ago.
Dav
Jeff, tell us, tell us about your podcast and where like people can go to find it.
Jeff Mann
Sure. I'm on a podcast called Paul's Security Weekly. You can find it at securityweekly.com, and if you search on all the podcast catchers, and I think we're on YouTube and Twitch, securityweekly.com is the way you'll get there for subscribing. Paul Asadoorian is the Paul in Paul's Security Weekly. He started the podcast with his friend Larry Pesce back in 2007, I believe. So it's one of the oldest security podcasts around, and it was built on the premise of practitioners just sitting around having drinks, talking shop. Paul's a cigar smoker. So much like your studio there, the liquor flows freely, the cigars are smoked. And I met Paul about 10 years ago when I went to work for this vendor that was a friend of mine, and he got me involved in the podcast. I've been doing it about nine years now. But we're a weekly podcast. Paul actually made it his own company at some point, which was acquired at some point. But it's a network of shows. We drop about probably 10 hours of content a week. There's Paul's Security Weekly, the flagship; Application Security Weekly; Enterprise Security Weekly; Business Security Weekly; and twice weekly security news segments. So lots of content, but people that at the end of the day are practitioners that are in this because they're passionate about it. And we talk shop, we talk about all sorts of things, like we've been doing tonight.
Dav
And for people listening, we'll have a link in the description to go and check it out.
Jack Murphy
And where else can people find you?
Jeff Mann
I do a lot of conference speaking to this day, thanks to my friend that pushed me out into the conference world. I'm actually going to be up in Canada later this week at a conference called Atlantic Security Conference. I'll be at BSides Harrisburg, Pennsylvania in two weeks. End of the month I'm going to be in Boise, Idaho at the Boise ISSA conference. In May, I will be in St. Louis at the ShowMeCon hacker conference. So a lot of conferences. I'll be around for what we call hacker summer camp, you know, BSides Vegas and Black Hat and DEF CON. I'll be out in San Francisco for RSA. I'm on Twitter, although, you know, nobody's on Twitter anymore. But you can find me there at Mr. Jeff Mann. If you spell my name right, you can find me on LinkedIn. Go to YouTube and type in my name and security and you'll find many recordings of talks I've given. From my NSA days, my first couple of years when I was in the crypto shop, I did a talk, and I had the marketing team come up with a sticker for it because hackers love stickers. So I did Tales from the Cryptanalyst, and then when I did the talk about the NSA red team, the first pen testing team, that was the sequel, More Tales from the Cryptanalyst. And this year I'm giving a talk and commissioned new art. I'm giving Tales from the Cryptanalyst: The Afterlife.
Jack Murphy
That's talking. We throw stickers up on our door. We want as many of those stickers as we can. One of each. Yeah, if you have them, we'd love to.
Jeff Mann
I'm gonna have to get more of these made, because I'm down to the last couple. But the woman that is responsible for all these stickers, her Twitter handle is One Dark One. She does a lot of graphic art for a lot of the hacker conferences, the BSides. So I call her a con artist. She literally is a con artist.
Jack Murphy
I have two more questions real quick anyway, and Dee might have some from Patreon, but M. Corbin, thank you very much. Any way to circumvent hackers for hire used by foreign nations?
Jeff Mann
Pay them more.
Jack Murphy
Mohammed Sivani, thank you very much for the very generous donation. So there's a couple of questions. Do you, like, use YubiKeys for passwords?
Jeff Mann
I've not used them, but yes, I think they're a good thing to do if you want to drop the money for them. Yes.
Jack Murphy
Seriousness of quantum. Hold on, sorry, I lost that. Seriousness of quantum compute threat and Chinese threat.
Jeff Mann
We'll get there, but like any other technology, it'll have the potential for being used for good and bad. So in the old days of the Cold War, the Cold War was often referred to as a game of cat and mouse. You know, the Soviets would do something that would be devastating, but eventually we'd figure it out, and then we'd do something that was devastating and eventually they'd figure it out. So kind of this cat and mouse game. I think the same is roughly true with all the technological advances. Quantum being what we were talking about a year ago, but of course AI is the thing now that everybody's talking about. So it has the potential for good, has the potential for evil. It's overhyped and not there yet. The quantum thing is becoming real. But, you know, until quantum computing is available on the smartphone or reasonably affordable by people that, you know, aren't nation state status, it's not going to be an issue yet. What's interesting, though, about quantum, I will add, is because quantum has the ability to break things when it becomes popular, that is stuff that was even encrypted in the past. That's where you have to start thinking now about what you're protecting with the current cryptography, especially for stuff you're storing, because it could be cracked in the future by quantum computing. So think about what you're saving and think about why you're saving it and storing it. And keep in mind that what you're storing now, based on what algorithms you're using to store it, could become susceptible to compromise. But like everything else security related, maybe the protection isn't just coming up with a stronger algorithm. Maybe it's preventing it from being stolen in the first place. Or if it does get stolen, you catch the people doing it and prosecute them. I mean, there's always more than one way to solve the problem. There are no single point solutions, quantum included, AI included, for: 
Okay, we've got this, we're done, we're good. We can walk away now and not think about it.
Jack Murphy
Right. How best, and this is still from Mohammad Sivani, how best to develop U.S. talent earlier, like Unit 8200? And I think this goes into maybe the idea of, obviously there are a lot of legal things people can do now to develop their hacking skills, unlike the past. But let's say you have a kid who is curious, maybe with a criminal bent, kind of a ne'er-do-well, but reforms his ways. Do you feel like there's a way to bring these people into the government?
Jeff Mann
Well, not speaking for the government, I would say yes, but you know, the government has rules. I mean, when I was hired at NSA, I had to go through a background investigation. I had to go through a polygraph. They wanted to know all your deepest, darkest secrets. And they claimed at the time that it wasn't necessarily that if you had done something in your past, it would mean you didn't get hired. They just wanted to know about it so you couldn't get blackmailed in the future.
Jack Murphy
Right.
Jeff Mann
So I mean, I think the government's getting smarter at knowing that they have to sort of cast a wider net and not necessarily go after the cookie cutter STEM person. I mean, I'm the living proof of that. I was not a critical skill, I was not a STEM person, and I was hired by NSA and I did some things that were meaningful. And I probably wouldn't have been, you know, given my GPA and given my educational background. If it wasn't for those aptitude skills tests recognizing my potential, I would not have been hired by NSA then or even to this day. So what I'm trying to advocate for is, let's figure out a way to find the people with the potential and the aptitude that aren't necessarily the cookie cutter. You know, they're in a STEM curriculum or they're from a certain neighborhood or they're a certain skin color or they're a certain ethnicity or they're a certain orientation. Let's find the people that have the potential and the aptitude because they test well in a certain skill set, and let's promote that. That to me transcends all the other issues. And I'm the living proof of that, because I had no business being hired by NSA if all they were looking for was computer scientists, engineers and mathematicians, because I was none of the three. But I ran circles around the people that they hired that did have those degrees, that left after three years with a graduate degree and went off and made a lot more money out in the private sector.
Jack Murphy
Right. We have a couple.
Jeff Mann
Yes, I have a chip on my shoulder about it.
Jack Murphy
We have a couple questions coming in. So I just.
Jeff Mann
Okay.
Jack Murphy
I just want to make sure we get to them. Thoughts on Mattermost messaging?
Jeff Mann
you know, I'm not sure I know what that is.
Jack Murphy
Yeah, I think it's a new secure Signal-like, Signal style thing. I'm not sure. But also from Mohammed Sivani: how much difficulty does a red teamer like you have keeping up with the relentless pace of development and knowledge needed, like networks to VMs to OSINT to Kali Linux tools, etc.?
Jeff Mann
So I don't do the red teaming anymore. I hung up my hat, or my gloves, on doing that about 20 years ago. I've been, for the last 20 years, trying to talk to people about the possibilities and what could happen and what could go wrong and what they need to do to prevent it from a process perspective, rather than keeping up with the technical stuff. That being said, because we talk about this ad nauseam on the podcast, because other co-hosts are active red teamers, when we do get down to it, while the technology has changed and the techniques necessarily change, the underlying motivations and methodologies, the foundational principles of security, have not and generally do not change. So in that sense, I don't need to keep up with it, because nothing has changed. And then, you know, sprinkle on top of that, for all the stuff that's going on, the two most common reasons why companies get breached, to this day in 2024, are something to do with weak passwords, stealing passwords, exploiting passwords, and the exploitation of trust relationships. And those are two broad terms, but, you know, very rarely is it technology related. I mean, we were talking about vulnerabilities and CVE scores a couple of weeks ago, and, you know, the statistics are something like only 3% of all the published CVEs have ever been used by bad guys to steal something, to exploit something. And yet we have a whole industry built around driving down the vulnerability count. Driving down the vulnerability count. CVE. CVE, yeah.
Jack Murphy
And so the CVEs, what you mentioned, are the critical vulnerabilities that come out through the various, like, Microsoft hazards. There is a CVE Tuesday or Wednesday, I don't remember, but basically, well, it's.
Jeff Mann
It's Patch Tuesday.
Dav
Patch Tuesday.
Jeff Mann
The CVE is common vulnerability.
Jack Murphy
Common vulnerability. Okay.
Jeff Mann
What's the E stand for? I can't think of what it is. But basically, I mean, what we're really getting down to is most companies are running a vulnerability scanner of some ilk and responding to the results, and the results are ranked critical, high, medium, low based on some sort of statistical calculation which is called a CVE score. And it's got lots of different factors involved, but, and I'm somewhat generalizing, but in my almost 30 years of experience in the private sector, most companies jump at the scan results and not anything else that they do in their security program. And so the argument and the discussion we've been having on our podcast over the last couple of months is what happens when a vendor discovers a vulnerability in something that they produce, because somebody discovered it and disclosed it, whether they got a bug bounty or not, but they told the vendor about it, and the vendor decides to fix it but not issue a CVE. Right. Does it ever get to the scanner? Does it ever get a finding? Does it ever get a ranking? And do companies ever respond to it by doing the patch or the version upgrade? That, I think, is a very serious issue from the perspective of most companies. They've had it drilled into their heads that everything starts with what does the vulnerability scanner tell us to do? Because everything we do is associated with driving down the vulnerability count, because that's how we manage risk. Overly simplistic. Wrong. And we could go another couple of hours talking about that, but we shouldn't.
Jack Murphy
Another one. Muhammad S again, thank you very much. Finally, for the lads: how much difficulty do the glowies, I guess that's the new slang for feds, have in tracing Monero transactions? Beautiful algo, lol. Asking for friends, of course. Muhammad, we're all asking for friends. We're always asking for friends.
Sure, but when it comes to crypto, you know, and stuff like that, a lot of people have this impression that it's anonymous, but it's really not. Then. And can you tell us a little bit, you know, from your experience or from your knowledge, like how. How do the Feds track Monero or Bitcoin or anything else like that?
Jeff Mann
I mean, I can't speak definitively because I don't work with them or for them anymore, but given what little I know about it, you know, if they're motivated to track it, they can track it. There are ways to do it. I would hesitate to say that they're tracking everybody, just because they're financially and economically bound just like everybody else. But if they have a reason to go after you, the indicators are there. I mean, if you're asking, are you safe to do it and the government's not watching you, you know, I think a certain amount of Big Brother fear is probably healthy. But, you know, I wouldn't lose sleep over it either.
Jack Murphy
I think one of the, you know, and it was Darknet Diaries' Jack Rhysider who actually recommended you to me. And in one of his episodes, they talked about a Department of Homeland Security operation against child pornographers and how they tracked the crypto going in. And the thing is, they may not be able to track crypto in terms of where it's going inside the system, but eventually you've got to cash out. And they can follow it to that cash out point. They can follow it from the buy point, they can follow it from the cash out point. So I think, you know, just kind of emphasizing your point, if you think you're getting away with something, you're probably not.
Jeff Mann
Well, I mean, probably a similar analogy is, you know, encrypting data. And data was encrypted initially for transmission, for communication, and that was the mantra back then, or even if you're doing it in the modern world, for storage. But if you're encrypting data to protect it, sooner or later you're going to want to decrypt it, so you can use it, or you can refer to it, or you can access it. So the attack points are either before it's encrypted or after it's decrypted. So I think that's a similar analogy to what you're painting. Jack Rhysider, I saw him at ShmooCon. That's probably where you saw him. I'm episode 83, if anybody wants to go listen to it. I'm the second half of episode 83; it's entitled NSA Cryptologists. I met Jack again at DEF CON a couple of years ago and I'm like, oh, you do Darknet Diaries, you should really interview me. And he checked me out and he's like, yeah, I really should. So, you know, different elements and aspects of the story I've been telling tonight would come out in the Darknet Diaries episode.
Jack Murphy
Yeah, he's a really great, great guy. Andrew just asked a question. Does the cyber liability insurance run its own penetration testing teams?
Jeff Mann
I'm not aware of any that do it directly, but a lot of times the insurance riders are very closely connected to other companies that do provide some level of assurance that the insuree, if that's the right term, is insurable. And they would simply do it. But I mean, the first couple of years of the cyber insurance industry was all questionnaires, and, you know, that was supposed to magically validate that you were worthy of the cyber insurance, especially if there was a claim filed. So I don't think any of them do it directly, but they certainly, because of claims against it and the need, and I'm not an insurance expert, but actuarial tables, you know, figuring out how much you need to charge people that want to have this type of insurance based on how many claims are going to be filed and what's fair and all that kind of stuff, and the insurance companies can still make a profit. They're starting to get more responsible. I mean, cyber insurance has been around for almost 10 years. And I remember being asked about it almost 10 years ago, and I'm like, people are silly to think that they can skirt or dodge regulatory compliance by just getting cyber insurance. And in this context, it was PCI, because I'm like, have you ever tried to file a claim against an insurance company? You can be damn sure, right, they're going to come back and say, were you doing all the things that you should be doing? So if you think the PCI assessment or audit was bad, wait till the cyber insurance adjuster comes out and starts looking under the hood.
Jack Murphy
And a lot of times I think what they'll do is they'll hire like the forensics people to go in and say, well, they didn't do this and the insurance company will have an easy out.
Jeff Mann
Right? Yeah, but I have heard of partnerships, I guess, or relationships where the insurance carriers do have relationships. Again, they don't do it themselves, but they probably have partner companies that will do a little tire kicking, a little bit of vetting of the people trying to get the policy, to make sure that they're meeting some sort of minimal standards. Similar to, like, you know, I don't think insurance companies hire doctors. They don't have doctors on their payroll. But you have to get a physical to get a life insurance policy, right? Most of the time, right. So, you know, they have partnerships and relationships, or, you know, you have to have the notarized signature of a doctor. Heck, I got to renew my driver's license and I'm like, I can do it in the mail, right? Except I got to have the back of the form filled out by the eye doctor saying I can still see.
Jack Murphy
Right. So the insurance companies will hire somebody that'll boot up Kali and say, yeah, okay, you know, we ran port scans, they're fine, yeah, whatever. But then if things go awry, the insurance company can also, the claim can also be like, oh, well, you weren't meeting this thing.
Jeff Mann
Yeah, it's very complicated. There's certainly something to be said for, you know, some sort of minimum level of security, which is typically measured by some sort of compliance standard. Yeah. And the cyber insurance companies are certainly getting smarter. But you triggered me a little bit, because there's also this problem, this prevailing attitude in our world and in our industry that the ultimate test is a pen test, which at some level, yeah, if you can afford it, that might be true, because that's the rubber-hits-the-road, live fire test. Most companies don't want to pay for that, but they, and I'm guilty of this. When I first came into the private sector, I started with, let's do a, we called it a pen test, but it was really a vulnerability assessment. Let's see what you got. Let's see what we have to work with. Let's see what your holes are, your vulnerabilities are, and let's start by closing them. I kind of thought that the industry would evolve, because that was almost 30 years ago. God, that's almost 30 years ago. But when I got back into this, talking to red teaming, pen testing companies in the last 10 years or so, I'm like, wow, it's become, this is the ultimate test and this is where you start. And you should not start your journey of security with a pen test. That's the last thing you should do. Literally, that's the last thing you should do, because there's all sorts of more cost-effective, economic ways to put security in place and test it and stopgaps and check it. And the ultimate live fire test, when you think you're ready for it and you're mature enough, is a pen test, a real pen test. Not a vulnerability scan, not a Nessus scan, not, you know, somebody running a tool suite or this, that or the other, but, you know, an actual... You want people to try to come after you and you're going to pay them to do it, let them do it again.
Which is the methodology that was portrayed in the movie Sneakers, which came out in 1992.
Jack Murphy
Right.
Dav
Jeff, thank you for spending your Monday evening with us and sharing all these...
Jeff Mann
Heck, it's almost Tuesday.
Dav
...secrets.
Jack Murphy
I know. We've kept you so long. We really appreciate it.
Dav
We will be back on Friday with Jonah Mendez. Otherwise, Jeff, any final thoughts, any final things you want to put out there before we get going tonight?
Jeff Mann
There's no way to summarize this. Be diligent, be smart, be caring, and don't believe the vendor.
Dav
Thank you, Jeff.
Jack Murphy
And again, people can find you on Twitter ealjeffman.
Jeff Mann
MrJeffMan on... You can find me on LinkedIn. Two Fs, one N. Two Fs, one N.
Jack Murphy
And the podcast. One more time for everybody, please. Paul's...
Jeff Mann
Security Weekly. You can find us at, simply, securityweekly.com.
Dav
All right, well, thank you so much, Jeff, and we will see all you guys out there on Friday.
Jeff Mann
All right. Hey, thanks for indulging me with all this time.
Dav
Absolutely.
Jack Murphy
Thank you, Jeff. We really appreciate your time. We had a question from Andrew. I'm going to just ask you real quick, and this is the last question we're going to take. If I'm a Fortune 500 company, what is a pen test going to cost me?
Jeff Mann
It's probably a percentage of your revenue. The presumption is a Fortune 500 company is a mature enterprise, and so you're going to pay more. But there's a lot of, I mean, last time I looked, nine out of the 10 Fortune 10 companies, 98 of the 100 Fortune 100 companies have to do PCI, at least in some part. And PCI is notorious for taking a very minimal approach to pen testing. So it could cost you a lot, but it's very much dependent on what you want to get out of it. And if you want to do a pen test, the first conversation you should have is, what are the goals and the objectives? Because they are legion. And you need to understand what you're asking for before you ask for it. And you should expect to pay accordingly. Most companies aren't ready for it, even in the Fortune 500. Frankly, I'd say maybe 10% of the Fortune 500 are really mature enough and ready for a pen test to really have a pen test. Pen test being no holds barred, can somebody get in by any means to do something? But again, that's the goal or the objective. Are they trying to steal something? Are they trying to gain access to something? Are they trying to prove a point? Are they trying to, you know, whatever it is, exfiltrate data, lock the data? I mean, I don't know how many pen tests out there emulate a ransomware attack, right? I don't know. I'm gonna have to ask my friends. And I don't think, you talk...
Jack Murphy
When you talk about this full scope pen test, you're not just talking about hackers, or, like, the technical aspect. You're talking about social engineering, you're talking about physical, like Deviant Olam and those guys. You're talking about the entire gamut. Correct?
Jeff Mann
Yeah, I mean, and I apologize, because, you know, somewhere in the time that I took off from this industry, this term red teaming came about. What I call pen testing is comprehensive. Correct. But most people would call what I'm describing as a pen test, these days, a red team. It's Deviant Olaf, by the way. That's how you pronounce that. Okay. I said Olam. For years I said Olam. So we interviewed him, but it's Olaf. But yeah, I mean, no holds barred means somebody wants to go after you and they're going to do it by any means possible. It's not simply... Now, the presumption was, when the Internet came along, that the path of least resistance, the easiest way, rather than physically having to go to a place and try to break into it, was like, oh, they're connected to the Internet, let's try to get in over the Internet. But once defenses came up in terms of the technology and the network perspective, you know, the physical type of thing was back on the table. And, you know, the irony is, if you really want to go after a particular company and you're motivated and you have resources, no holds barred means you'll try everything. There was a movie that came out, I don't know, in the 2000s, maybe, Harrison Ford, it was called Firewall, and, no spoilers, but the premise of the movie is Harrison Ford's like a firewall admin or a network admin at a bank, and the bad guys kidnap his family and put guns to their heads and said, give us the passwords, give us the YubiKey, give us the RSA key, help us through the multi-factor authentication, log onto this firewall. That'll get us into the network, that'll get us to the safe to steal the money, because we've got guns to your family's heads. You know, that's rather extreme, right? But for motivated nation state bad guys that are really going after you, those are the measures that they'll go to.
Most companies, you know, can't and shouldn't afford to pay for a simulation of that type of exercise. But you ought to at least talk about it, you know, tabletop it. You know, what would happen if somebody did X, Y or Z. But not everybody needs to worry about that, because most bad guys aren't going to do that, because it's easier just to launch the ransomware attack or send out the phishing attack and just see who bites. And they're not targeting you specifically. They'll just target whoever takes the bait. And if it happens to be a children's hospital and people die, you know, that's not what they're worried about, right? Problematic world we're living in right now.
Jack Murphy
D, did we have anything on Patreon?
Dav
No.
Jack Murphy
Okay. Jeff, thank you so much. We deeply, deeply appreciate your time.
Jeff Mann
I appreciate you giving me the time, and the audience. And yeah, feel free, anybody that's listening, to reach out to me. LinkedIn's probably the best way to find me. I do honestly try to respond to people, happy to give back.
Jeff Mann
Happy to answer questions and mentor where I can.
Jack Murphy
And check Jeff out on Paul's Security...
Jack Murphy
P-A-U-L-S Security Weekly.
Jeff Mann
Correct, it is. But the website, if you go there,
Jeff Mann
is just simply SecurityWeekly.com. All right guys, you'll find us there.
Dav
We will see you guys on Friday.
Dav
Take care out there.
Date: April 23, 2026
Hosts: Jack Murphy & Dave "Dav" Park
Guest: Jeff Man, former NSA cryptanalyst, pen tester, and long-time INFOSEC practitioner
This episode is a deep-dive interview with Jeff Man, who spent a decade at the NSA and almost three decades as an influential figure in the hacking and cryptography communities. The primary focus is on Jeff's formative years at the NSA, his role in creating tools for Special Forces, founding one of NSA's first official “red teams,” and the evolution of cybersecurity from Cold War signals intelligence to today’s AI and ransomware threats. The hosts and Jeff discuss government bureaucracy, the hacker ethos, legacy and new threats, and practical advice for people and organizations alike.
Notable Quote:
"I grew up doing puzzles, crossword puzzles, crypto quizzes... There'd always be a Caesar cipher type of cryptogram... That was just normal dinner-table stuff." (04:18, Jeff Man)
Memorable Moment:
“...they'd stolen it from me. And I'm like, guys, where's my wheel?...We ended up producing 15,000 of them and distributing them to U.S. Special Forces.” (11:25–14:34, Jeff Man)
Notable Quote:
“Operations got all the headlines...and Infosec, which was the mission of providing secure communications...was considered the stepchild.” (21:36, Jeff Man)
Notable Quote:
“We started just calling it 'penetration testing'... At some point, why don’t we just call it what the world’s calling it—let’s become hackers.” (46:40, Jeff Man)
Memorable Moment:
“Our primary cyber weapon...was something called the ping command...lawyers said, 'That has to be considered an active attack, therefore, a top secret cyber weapon.'” (66:07, Jeff Man)
Notable Quote:
“I got put on double secret probation...Turns out they were not only trying to fire me, they were trying to prosecute me as well.” (100:53, Jeff Man)
Notable Quote:
“If you’re working for the government, it’s because you’re not good enough to make it in the private sector...that’s just my experience. The real cutting edge stuff happens in the private sector.” (109:54, Jeff Man)
Memorable Moment:
"Our main focus was always learning...nobody claims to have the complete understanding of all of this. There's always more to learn." (83:06, Jeff Man)
Notable Quote:
“What can be created by man can be broken by man.” (137:10, Jeff Man)
| Segment | Time |
|------------------------------------|---------------|
| Jeff's background & NSA entry | 03:35–09:00 |
| Creating the Whiz Wheel | 09:00–16:34 |
| NSA mandates and cultural split | 17:00–23:00 |
| Early pen testing at NSA | 44:50–66:30 |
| DOJ Red Team Incident & Aftermath | 89:40–103:06 |
| Bureaucracy vs. Private Sector | 108:20–120:54 |
| Audience Q&A and practical advice | 135:40–160:49 |
Final Advice from Jeff Man:
“Be diligent, be smart, be caring, and don't believe the vendor.” (187:30, Jeff Man)
End of Summary