Cybersecurity in 2026: AI, Steganography, and Securing Legacy Systems with Jacob Anderson - To The Point - Cybersecurity

Summary6 min read

Podcast Summary: To The Point Cybersecurity

Episode: Cybersecurity in 2026: AI, Steganography, and Securing Legacy Systems with Jacob Anderson
Date: February 17, 2026
Host(s): Rachael Lyon, Jonathan Knepher
Guest: Jacob Anderson (Founder, Beyond Ordinary Software Solutions)

Episode Overview

This episode explores the intersection of emerging technology and cybersecurity, focusing on how AI is enabling new steganography techniques, the ongoing challenges of securing legacy systems, and the evolving tactics in threat detection and defense. Guest Jacob Anderson brings over three decades of experience in software development, working across finance, defense, and insurance, and offers insights into both current realities and the road ahead.

Key Discussion Points & Insights

1. Modern Steganography and Covert Channels in 2026

What’s Changed?
- Steganography, once limited to rudimentary data hiding like images, is now supercharged by AI: “AI has come along and you have access...to a very sophisticated tool that can tell you how to do extremely sophisticated steganography techniques.” – Jacob Anderson (01:49)
- Data can now be hidden across varied media including images, audio streams, word documents, and even live deepfake video.
AI as a Double-Edged Sword
- AI democratizes advanced attack methods: “The more sophisticated actors have realized that these tools can help them...do even better techniques of data hiding.” (03:43)
- Increased complexity of hiding can lower data rates and functionality—a tradeoff between being covert and being practical.
Emergence of Streaming Media Threats
- “Anything that’s streaming now, like...deepfake streaming...are perfect for this, right? Because I can create this deep fake audio and deep fake video and inside of there I can encode all kinds of crazy stuff.” (04:28)
- Deepfakes serve not only as misinformation threats but also as powerful covert data exfiltration channels.

2. Everyday Impacts and AI Assistants

Authenticity Challenges
- “It’s crazy times that we live in. It’s trying to navigate what’s real, what’s not, and then how to avoid...stepping in it just inadvertently because you’re like, I want to be entertained for a second.” – Rachael Lyon (05:14)
- The increasing sophistication of outreach (e.g., scam texts or AI chatbots) blurs the line between real and artificial interactions.
The Role of AI as a Gatekeeper
- Potential for AI assistants to help manage authenticity and trust, but these systems can themselves become threat vectors or privacy risks.

3. AI-Driven Bug Hunting and Open Source Risks

AI in the Open Source Ecosystem
- Use of AI to rapidly find and fix software bugs is rising: “I was looking at one of the bug tracks recently...one company’s got like 50 bugs that it fixed...that’s obviously an AI.” (11:46)
- Dilemma: Many projects are overwhelmed by a flood of low-quality or fake bug reports generated by AIs.
Balancing Innovation and Security
- Popular, widely-distributed open-source tools face unique threats, requiring greater caution and responsibility from maintainers: “There is a consequence to being popular and being a celebrity sort of open source tool. You’re in everyone’s world...” (14:08)

4. Democratization of Advanced Capabilities via AI

Raising the Baseline
- “Every single human out there...they have a great start for something better now. Yes, right. And so they have enabled themselves to do all kinds of things, wonderful things...” (16:42)
- AI enables rapid prototyping and personal automation but also ups the ante in arms race between defenders and attackers.
Trust and Expertise in the Age of AI
- “We used to rely on experts, right? And now you don’t need that. You’ve got a pocket expert. Right? But do you really have a pocket expert?” (16:42)

5. Cryptanalysis: Defense & Offense

Breaking Ciphers
- “Crypto analysis is a lot easier now because you’ve got these tools that will help you with it, right? So AI tools can help you understand what to do.” (20:07)
- Fundamentals of cryptanalysis have not changed, but manual skills are increasingly augmented by algorithmic tools.
Defensive and Offensive Perspectives
- Defensive cryptanalysis is about ensuring reliability and trust: “It’s a measure of reliability. What’s the assurance that I’m sending data out that...Joe Blow is not going to...intercept it and decrypt it?” (22:50)
- Offensively, attackers can exploit weak key exchanges and outdated encryption standards (e.g., DES), often still in use due to hardware compatibility and inertia.

6. Securing Legacy Systems

Risks of Outdated Infrastructure
- Legacy systems, particularly in insurance, aviation, and some Fortune 500s, may provide reliable uptime but poor security: “The security on it, I don’t know. Because you never really update it...it requires so much time.” (26:54)
- These systems often run critical functions but are hard to patch, creating tempting targets for sophisticated attackers.
Best Practices for Legacy Security
- Employ “big old perimeters,” strict segmentation, firewalls, and proxies.
- Regular staff training, monitoring, and leveraging AI for tabletop security exercises.
- “Put in the firewalls...using the software available today for monitoring stuff. There’s a lot of it out there now...” (29:54)
- Emphasize strong operational discipline over technical modernization when upgrades are impractical.

7. Industry Trends and Getting Ahead

Sectors Most At Risk
- Insurance and airlines are most reliant on legacy infrastructure. Banking has largely modernized.
Forward-Looking Advice
- “Get your staff...trained up, expose them to these tools, you know, so they use them regularly. And then you gotta use AI constantly...” (29:54)

Notable Quotes & Memorable Moments

On Deepfake Steganography
- “In the audio side of this bot that’s talking, I can embed all kinds of data...streaming, you know, military plans, but you won’t even know it...it’s pretty amazing what you can do right now.” – Jacob Anderson (08:37)
On Detecting Data Hiding:
- “There are telltale ways of knowing...that’s supposed to be noise, and it’s no longer following that noise Gaussian profile, like, that’s obviously someone’s putting something in there.” (09:00)
On Legacy Systems:
- “It’s bulletproof to everything, but an upgrade.” – Jonathan Knepher (26:54)
On the Future of AI and Roles:
- “I don’t know that anybody really needs a commercial software developer anymore. We got AI.” – Jacob Anderson (36:23)
On Personal Cybersecurity Beginnings:
- “I used to crack software because I grew up poor so I couldn’t buy anything. So I used to just crack stuff, take off the copy protection stuff...” – Jacob Anderson (31:58)

Timestamps for Important Segments

Steganography & AI’s Role – 01:49–05:14
Deepfake and Streaming Threats – 04:28–07:07
Open Source & AI Bug Hunt Challenges – 11:46–14:08
AI as a Double-Edged Sword for Innovation – 16:42–19:41
Cryptanalysis Explained (Defense & Offense) – 20:07–25:33
Legacy Systems & Industry Examples – 25:53–29:31
Security Best Practices for Legacy & Modern Threats – 29:54–31:29
Jacob Anderson’s Cybersecurity Origin Story – 31:58–34:55
Future Plans & Industry Predictions – 35:31–36:23

Actionable Takeaways

Modernize perimeters and use layered defenses around legacy systems.
Regularly train and expose staff to new tools and AI-driven tabletop exercises.
Treat AI as both a productivity tool and a constantly-evolving threat vector—test your defenses by simulating attacks with and against AI.
Be cautious of AI-generated bug reports and control the integrity of open source contributions.
Recognize that legacy crypto hardware is rarely patched and thus particularly vulnerable—segment and closely monitor.

Conclusion

Jacob Anderson’s wide-ranging expertise highlights a cybersecurity landscape where the boundary between defender and attacker is increasingly blurred by rapid advances in AI and automation. The challenge for organizations is not just adopting powerful new solutions, but building durable processes, responsible controls, and a culture ready for threats both old and new.

For more episodes and resources, visit forcepoint.com/podcast.

Loading summary

Transcript66 lines

[00:01]
A
Welcome to to the Point Cybersecurity podcast. Each week, join Jonathan Neffer and Rachel Lyon to explore the latest in global cybersecurity news, trending topics and cyber industry initiatives impacting businesses, governments and our way of life. Now, let's get to the Point. Hello, everyone. Welcome to this week's episode of to the Point podcast. I. I'm Rachel Lyon here with my co host, John Neffer. John, hello.
[00:32]
B
Hello, Rachel.
[00:33]
A
So have you been following this Mult book news? With the AI social media platform only for AI agents and they're plotting humans demise. Do we feel like this is real or not?
[00:45]
B
Well, I think they think that they can do that.
[00:50]
A
That was crazy. There was a wonderful Wired article if folks want to go look that up. But I, I just thought that was quite entertaining. Really excited for today's guest. Joining us is Jacob Anderson. He is the founder of Beyond Ordinary Software Solutions. Really is a team that builds custom platforms for the DoD, federal agencies and insurance companies. Projects where security, scalability and reliability are critical. With over 30 years in software development, he's worked across finance, defense and entertainment, and has founded several SaaS and gaming ventures. We love serial entrepreneurs on our podcast. Jacob, welcome. Welcome.
[01:30]
C
Thank you. Thanks for having me. Excellent.
[01:33]
B
Well, welcome, Jacob. I was thinking of kicking it off here with talking about COVID channels and data hiding and what does steganography and covert channels look like in 2026?
[01:50]
C
Right. Espionage stuff. Right? Yeah. So it's fun that you started off with AI because before AI, people they would romanticize about cryptography because most people didn't understand how to do it and they certainly didn't do steganography. Right. You would talk about that. They would always think, oh, it's a picture. And you put data in a picture. Yeah, sure. Okay, think that way. We love that. But the truth reality now is AI has come along and you have access, you know, the average Joe, to a very sophisticated tool that can tell you how to do extremely sophisticated steganography techniques. Right. It's not just putting data in a picture. Right. It's the picture has the data in it. Or you could embed data in all kinds of things. Word documents, audio channels. There's all kinds of things. You know, pretty much steganography is really about trying to put useful information in a covert channel that is obvious and hidden in plain sight. Because if it's hidden in plain sight, it's almost invisible. And that's kind of the power of steganography.
[03:06]
A
So I'm kind of curious. I love steganography, that idea because I Think it was some engineer at GE that had done that. It was like a vacation photo and had somehow embedded, I guess, designs for an airplane or some kind of engine of some sort in there. It just looked like a picture from Hawaii. But are you seeing, I guess now that we have more of advanced tools, are you seeing some kind of trends emerging of people finding new vectors with which to exploit that are quite unexpected, or are you seeing it's holding steady A lot of the same, but maybe just more of it?
[03:43]
C
Yeah, right now it's still a lot of the same because the actors haven't really figured out that these tools can really do that. Some of them have. The more sophisticated actors have realized that these tools can help them to be even more sophisticated and do even better techniques of data hiding. But as the data hiding channel gets more complex, it becomes a lot lower bit rate. And so there's like a trade off between how useful it is versus how covert it is, you know. So.
[04:16]
B
Are there particular ones that folks should be looking out for? Like what's. What might be in use today? What might folks be under underestimating the dangers of?
[04:28]
C
Yeah, I don't know. I would say anything that's streaming now, like a lot of this, like the deep fake streaming and whatnot. So those are perfect for this, right? Because I can create this deep fake audio and deep fake video and inside of there I can encode all kind kinds of crazy stuff. But you know what, it's okay because I'm creating this whole like animated, you know, pretend fantasy video that people are going to consume thinking like, oh yeah, it's entertainment, la la la. But really it's actually a side channel for all this espionage. Right. Very easy to do now. Right. We got tools that'll do all that stuff almost real time. And it's very scary if I were in the state department, but I'm not. So.
[05:15]
A
It is scary, isn't it? I think even just lower level stuff like text messages, I don't know who's reaching out to me. A lot of times it's like, hi, are you coming tonight? I'm like, I don't know, you know, even if I do, I'm not sure I know you, you know, and it's crazy times that we live in. It's trying to navigate what's real, what's not, and then how to avoid, you know, kind of stepping in it just inadvertently because you're like, I want to be entertained for a second.
[05:46]
C
Yeah, right, you want to be entertained, but you also want to have Friends. And you want to be able to meet new people who could be your friend. And you never know that one random text might be that one person you met the other day at this, you know, mixer for work, and you forgot their phone number or, you know, all these things. So you never know, right? And so maybe, maybe an AI assistant can help you with that, right? Maybe they can be your gatekeeper, so to speak, right? Your little nanny, you know, and they keep track of everything, you know, and you just, like, follow along and live your life, you know, and they manage all the rest of it. Now, that is a possibility. You know, there was somebody who created an AI for doing that, right? You know, and unfortunately, you know, the Internet got a hold of that, you know, and other people tried to set it up, too. And, you know, it became very permissive about things, and it would send other people, you know, your email, your inbox, you're this, you're that. Because, you know, you. You've. Once you realize that you're talking to an AI, like, hmm, what can I do? Right? You know, I was on a phone call the other day talking to an AI. The first time, I'm like, you know, I know it's an AI because of how it kind of circles back on topics, you know, but I'm like, what can I do? Should I play with it? Should I push it? You know, like, what's going on here? Right. Yeah, it's funny times.
[07:08]
A
It's crazy to hand over your life, too, to kind of this, you know, this amorphous thing, whatever that might be, you know, and you just don't know where the information is going to go, how it'll be used. And I love to talk about this article I read about in Wired where this fellow stood up a company, software company, of just him, plus a bunch of AI agents. And his AI agent was lying to him, you know, said it had done all of these things and, you know, done this code, did this campaign. And the guy's like, wait, no, no, you didn't. And. And the AI agent was like, oh, yeah, you're right, I didn't. Right, That's. That. That. That makes me nervous, Jacob.
[07:53]
C
Yeah. You know, and I have only seen that with one AI, one particular AI. You know, we won't talk about which one it is. We don't want to make any enemies. Right? But there's one AI that has a tendency to. To claim that it does stuff, right? Like, why did this? I did that. I'm gonna make this and that. Like, I like the Enthusiasm. But. And I ask you, like, where is this stuff at? Oh, it's over here. Well, that doesn't even exist, you know, like. Interesting. Yeah. But I also use that AI because it's. Because it's like that, right. It's very grounded. Right. And it's very honest with me, and it never tries to be my friend. It tries to be very honest with me. So I like that, you know, But I also know that, you know, it can be a little daydreamy and flighty.
[08:36]
A
As long as, you know they're going in.
[08:37]
B
Right?
[08:38]
C
Yeah, yeah, exactly. Right, exactly. Yeah. You know, and what's really. I was just thinking as our conversation was evolving, is that, you know, one of the other side channels that's going to evolve is these interactive bots. All right? So it's not just like, I can generate a deep fake video and, you know, output streaming data and stuff. Now I can have a bot that does it, right? So in the audio side of this bot that's, like talking, I can embed all kinds of data. It could be just streaming, you know, military plans, but you won't even know it. Or. Hey, you mean you do it in real time? So it's. Yeah, exactly. Wow. It's pretty amazing what you can do right now. And all the ways that you can, you know, exfiltrate data without ever being detected. So it's not. I mean, you can. You can actually detect when it's happening. Okay. So, you know, that's my little specialty, so to speak. You know, when I was doing all this back at Los Alamos, is finding ways, like, how do you know when someone's embedding stuff in an image? How do you know they're embedding stuff in your audio channel? How do you know when someone's trying to use this I channel, you know, things like that, right? And it turns out that there's. There are ways of doing that, right? There's. There are telltale ways of knowing that that's supposed to be noise, and it's no longer following that noise. You know, Gaussian profile, Like, that's obviously someone's putting something in there, right? And then it's like, was it a bug? Could be a bug, I don't know. And is it periodic? And that's like we're trying to find, you know, ET they're doing the same thing, right? All these signals out there that are noise, like, which one is the civilization wall? Like, we got the same thing, like, which one of these is the civilization? You know, coming across as fixed as a side channel. But it's fun, it's really fun to try to dig into that, you know, and using all these tools to try to figure out like is that really noise or is that signal at what level? And then you hand it off to somebody else who's a lot smarter to figure out like what that is. Right. I can say that it is something interesting and then they'll pick it apart, say this is what it is, you know, and sometimes that somebody smarter is AI. So I did that. You know, I get emails from random people, right. You guys know, get spam and stuff, right. And so one day I was like, I'm gonna track this guy down. So I went into the headers, got all the gobbledygook in there, ran through chat GPT and it decoded everything. There was like an address to his house and all these things. How about that? And it was like instant bang, you know, I figured it out like, okay, that's very normalizing. Wow. Yep.
[11:24]
B
What, what's the, what's the prevalence that you've seen for this type of activity especially too like not just in the government space, but in the, in the civilian space too. Is, is this something that like normal people need to be concerned with? Or is, or is this really only, only your top level spies are worrying about exfiltrating data this way?
[11:46]
C
Yeah, right. No one's doing it yet. Right. Thank God no one's doing it yet. So most people over there just using like chatbots and stuff for their own personal interactions. Yeah, but it's starting for sure. You know, we're starting to see people using the AI is to first off find bugs. Right. I just saw, you know, I was looking at one of the bug tracks recently of some open source software and there's like one company that's got like 50 bugs that it fixed. I'm like, well that's obviously an AI. It's like. And they're all solid, they're real bonafide stuff. It's not noise. So that's happening now. It's going to be across the board. Right. Right now that's the first step of them like, well, now I can fix a bug. I can find the bug. I can find the bug, then I can then weaponize that bug. I can do that stuff with it. Right. That's a little more scary. And that's starting to happen. And yeah, but the whole like side channel crypto sticking RV stuff, they haven't really pushed that envelope yet, you know, because most people when they you know, the average Joe. Anyway, when they want to actually exfiltrate data, they do tend to think in terms of simple ways of moving data. Like I want to, how do I hide this in my email, how do I hide this on my, my USB stick and sneaker, net it somewhere, you know, things like that. So. And you know, it's going to get a little more sophisticated later on when people start to realize that these AI bots can do a lot more for them and on the fly, right. So it's like JIT espionage, right? Just in time espionage. You know, hey Chatbot, make this code that does this for me that encodes my thing in this so it doesn't, you know, so someone can't see what it is and so I can exfiltrate it to this. There's your Python script. Go just like that. Yeah.
[13:34]
B
I think it's interesting too. Like you brought up the open source supply chain issues, right? I think that's been something that's been very concerning with the notepad thing that just came out the last couple of days. How do we find the right balance? Because other open source projects are, are just flat out getting fed up with AI driven false bug reports, right? Coming in and trying to sift through what's real and what's not. How do we reconcile that kind of as an industry?
[14:09]
C
I don't know, John. So when I worked on monogame and cocos 2D back like 13 years ago, you know, I had, I'm kind of grumpy about this kind of stuff. So I told them, you know, like you got, you know, these are games right on your phone, that's everyone's phone. And you know, model game is everywhere. If you've got a game on your phone right now, it's mono game, more than likely it's on everyone's phone. So you guys gotta be super careful about this. You gotta lock this down because you are, you have access to everyone, the worldwide because they're on consoles too and all this stuff, you know. And so a lot of times the fever and the excitement of doing something is overwhelming and you forget that there is a consequence to being popular and being a celebrity sort of open source tool. You're in everyone's world, you know, and so long as you slow down and remember that, then yeah, you know, you can probably be reliable maybe. But it's the ones that are just kind of like reckless. Like the guy that made the little chat bot, you know, that controlled his whole life and he gave it out to the world. You're like, time out, bro. You know, you got to think about the consequences here. I mean, it's not your responsibility, Right? You're not responsible for anybody, but you got to be responsible to them. Let them know that there are consequences for putting this thing on your phone and letting it control your life. Yeah.
[15:31]
A
It's almost like you have to think.
[15:34]
C
About.
[15:36]
A
Like, the Internet, right? It all started seemingly innocent enough. We just want to share information, right? We all have the good intentions. And like this Bellow, he had good intentions. I want to help. I want to be efficient. You almost have to think 20 steps ahead. Okay, and before I share this with anybody, what are all the ways that it could run amok and ruin somebody's life and that, you know, does that then become an AI question to solve the AI problem or, you know, what. What is that path forward? It's. There's another article I read recently, and it was Sam Altman, and he was talking about. He'd been coding an app or something like that, and he had asked the AI for some ideas, and he was really struck because some of the ideas were actually better than his own. And he was really bummed, right, because it's, you know, getting smarter, getting more intuitive or whatever the case may be. And he's, you know, he's like, wow, I'm gonna have to like up my game. And so the AI is getting smarter and smarter 20 steps ahead. Then how do we do? You know what I mean? It's off to the races, and how do you get a handle on it?
[16:42]
C
Yeah, and that's an existential question for humans right now, right? Right. Because, you know, we used to rely on experts, right? And now you don't need that. You've got a pocket expert. Right? But do you really have a pocket expert? Because the thing about the expert, right, is that there's a level of trust, right? Because I can filter stuff out. And, you know, even though I'm not an expert in quantum cryptography, I can filter some things out. When I talk to someone who is an expert, right. Want to talk to an AI, it's a little bit different. And I'm like, well, my, my, my. I want to say natural prejudice is that the computer's going to be right. But that's me because I've been doing this for a long time, right? So computers have never let me down, so to speak. But other people don't trust computers at all, right? And so those people are, you know, are smart enough to say, like, well, that's a bunch of, you know, hui. And we're not going to follow that. Right? And so on the Sam Altman side, you know, you look at that, you're like, well, are you sure that's right? I mean, it seems right, Sam, right? I mean, I've been in this case too where I've been looking at something. Chat tells me this. I'm like, it seems like a pretty good idea. And then I go dig into a little bit like, well, it's not quite, you know, it kind of misses the edge just a little bit, but it's a good idea and it was a good start for a better idea. And that's what I really like about where we're going. And that's for everybody. You know, every single human out there, like, they have a great start for something better now. Yes, right. And so they have enabled themselves to do all kinds of things, wonderful things, right? You can, you know, I just saw an article, there's some media gal on Twitter or X sorry, who said that she woke up one day and decided that she wanted to make an app. And the app is going to be Monday. I love that. I'm like, yes, yes, please do that. And she's like, I don't think it's going to work. Right. But sure enough, she did it. Bang, zoom. And she got Monday, her own version of Monday, just like that. It probably took her like 10 minutes to get it right. And. But think about this, guys, think about this. So that. So, you know, Monday is this big, you know, consolidator of all this multi user data, right? But now let's throw all that away because how I can make Monday for me and me alone, the cyber is just me. It always knows it's me because I program it for me, but I got everything from that, but for me and like cyber's done. Like, yeah, I love that because now I have control of all that. I mean, that's like my perfect dream as a cyber guy. Like, yeah, I want everything be siloed for the individual and nothing else. I don't have to worry about, you know, leakage of data or anything like that for anybody else. No one's gonna come after me because it's siloed for just me. So if Microsoft, if you're listening, that's your business plan. Stop doing AI. You guys aren't good at it. Just do that, enable that, right? Because that's just in time me kind of stuff like that's the future that's happening and that's beautiful.
[19:42]
A
Yeah, yeah.
[19:45]
B
So I, I Have some questions here too about, you know, some of the stuff you've been doing around cryptanalysis and breaking crypto and, and so on. I was wondering if you could talk us through kind of what does that look like as, as you go about trying to analyze things and breaking things without the keys and so on?
[20:07]
C
Yeah, yeah. Now cryptanalysis is fun, right? That's the part that the government, you know, our government anyway, especially is very sensitive about. And so if you try to do cryptanalysis, for instance, like in France or in China, you get put in jail, but in the U.S. you know, you can do it. You just, you know, just saying, yeah, no, you just got to be careful, right? But the thing is, crypto analysis is a lot easier now because you've got these tools that will help you with it, right? So AI tools can help you understand what to do. You know, first step, of course, trying to find patterns, patterns in the data that always repeats. And once you get that pattern repeating and you know that you can probably get some plain text and that repeated pattern and you can decipher some of the key bits and then from there you can decide if that, if the cipher is, you know, poorly made or not, if it's, if it's actually weak, and if it is weak, you can probably, you could probably get a key out of it. But you know, unfortunately in order to do that, you can't go to the chat GPT and say, hey, you know, extract the key from this. It'll laugh at you and say, no, you can't really do that. You're going to need this and this and this, right? And then if you try to get an algorithm for it, you know, you got to be a pretty good whiz bang math guy or gal, right? Because it requires a level of sophistication that's currently beyond 99% of the humans that are on the planet. Yeah, I've known some really, really good cryptanalysis people, you know, and they're, they're very esoteric, super smart, brainy math people, you know, and that's all they do. And they see patterns in like everything, you know, and yeah, that's not me. But you know, if anyone's out there defending, you know, crypto analysis is important, right? It's important because you gotta understand like key exchange protocols and how do I know that the key is gonna be exchanged in a secure way? Are you using like a cheapo cipher that's, you know, easily exploited and so someone else can intercept to get the key, right? And then, and then you got data, right? And you got your text data. Are you encoding it properly so that, you know, someone can't just derive the key from it? Is it a naive cipher, like an XOR cipher back in old days? You just do Xor with your key? You know, you're like, woohoo. Nope, I can crack that all day long. Right. So can chat.
[22:21]
B
And it works great if you do it twice in a row, right?
[22:23]
C
Twice, that's right. And three times, man. Three times. The crypto. Oh, yeah.
[22:32]
A
So is when you talk about the cryptanalysis, is this kind of like a defensive versus offensive type strategy? I mean, if you want to kind of think about these things in the context of, you know, cyber defense and, you know, kind of attackers, you know, how should people be looking at this?
[22:50]
C
Definitely a defense, right? You're looking at how do you protect your data and how do I know? So this is a. This is a measure of reliability. What's the assurance that I'm sending data out that, you know, Joel Joe Blow is not going to just get it and intercept it and decrypt it and then get my keys and then get everything Right? You know, I want to make sure that I can send stuff securely to Susie every time. Yeah. So it's a defensive mechanism.
[23:17]
A
Could we make it offensive? I love a good offensive cybersecurity discussion. I'm a big fan. I'm a big fan of poking the bear, but I would love your perspective there.
[23:28]
C
Right on. Let's go down that hole. Right. So if I want to make crypto analysis an offensive measure, right. That means I'm trying to get data from people. Right. So the first step, of course, is, you know, standing in between the gatekeeper of a key and the actual user of the key. Right. That's my first step. If I can do that, then I can get the key all day long. Right. So I can't get the key. All right, well, the next step in is I got to get a known document. So I'm going to try to bait them somehow, right. Cryptanalysis, Like, I'm going to give you a document that I know, right. What's the content? And so you're going to give me back the cipher, right, the encrypted data, and I'm going to look for patterns. I'm going to keep doing that. I'm going to give you another document, another document to feed you. Right. You know, you're going to think you're talking to, I don't know, someone like a bank or something. Right. You know, and eventually I might be able to figure out the key that you're using because the cipher you're using isn't that good, right? And so it's got all these repeated stuff in there, ciphertext in there. And so like you can then predict what the key is, right? So that's, you know, that's the naive way of using cryptanalysis on an offensive way, right? And then there's the whole, well, I'm just gonna get your data and, you know, do the math on it because I know what the algorithm is, right? Let's say you just use, you know, naive des, plain old block cipher DES with nothing special. Well, we can crack that all day long now. So, you know, you pull it out, you look at it, you know, like, I know the S boxes, I can do the Xboxes, you know, and I can get you key. You know, all I need is like one or two pieces of plain text, you know, and from there I can probably drive a key, you know, and, and then the best part of using that is now I can fool you into thinking that you're, you know, encrypting your data securely because you think it's ds, man, it's data encryption standard. It's got to be trustworthy. So I'm like, yeah, but I got your key. So. And you're not going to cycle your key because with private key stuff, right, people don't cycle the keys very often. And so there you go. You just like, you know, I weaponized my ability to exploit a very weak cipher. I mean, you can't do that with an AES, right? That's a lot harder, right? Yeah.
[25:33]
B
Okay, so you've kind of opened the door to the older things, right? Yes. Like, are you, are you still seeing like legacy encryption, but also like whole legacy systems out there and are those still relevant and, and targets that, that you're seeing kind of actively pursued?
[25:54]
C
Yeah, people still do use the, the des. The DES is very easy to use, very easy to implement, and there's hardware for it. And that's the key part right there. You can buy hardware that implements the des, so it makes your crypto super fast, and so people still use it. But then as far as, like legacy systems and the older big iron systems, you know, people always use those because they've been around for decades and they're very solid, right. You just put them in a box and let them run and they never break down. And you can, you can do things to them. You can take them apart while they're running. I love my IBMS man. Because, dang, you can. That thing's running all the time, 24, 7. I can pull cards out, put new cards in, change memory. I can put new CPUs and stuff, and it's still going. It's never down. Never. Love it. But the security on it, I don't know. Because you never really update it, right? Because it's so hard to update. It requires so much time. The thing's got to go down for like six hours, you know, and you're just like, so what do you.
[26:54]
B
It's bulletproof to everything, but an upgrade.
[26:56]
C
It is exactly right, right. Yeah, that's exactly right. But then you got to just put a big old perimeter around it, you know, like make sure that that thing is just on its own. And there's gates up everywhere, there's alarms. Because, you know, like, there's only a certain number of functions, certain kinds of functions that are going to go on that thing. And there's anything outside of that, you know, it's someone doing something wrong. And so just every trip where you can think of. So that the minute it happens, you just get on it. Yeah.
[27:29]
A
Are there particular industries that you're seeing that are kind of more facing this kind of, you know, significant legacy infrastructure, trying to connect to modern infrastructure? You know, are there. Are there any kind of industries struggling? And I do a sidebar, I think of that outage, remember? And it was Southwest Airlines was the only company that was not impacted by that particular outage because they were on such old legacy software. You know, Maybe your Commodore 64 that you learned to code on, but it actually insulated them. But I'm just kind of curious, are there some kind of trending industries that are struggling with this a little bit more than others?
[28:11]
C
Well, the insurance industry has always been that way. They've always been back in the old IBM days kind of stuff. And they really love their IBMs, just because for them, they have to be up all the time. Right. If there's a claim that's going to come in, they have to be able to process that claim. That's the law. They have to do that. And so if there's a hurricane, the IBM is going to be up. That's kind of the only machine that you can buy that's going to be, you know, good likelihood in a hurricane still running. Everybody else is going to be down. Yeah. So, man, I think the airline industry is also that way. You know, they've got some pretty old systems. They tend to reuse their systems quite a bit. You Know, they buy it from some struggling old airline and bring it in, adopt it and do whatever to it, you know, like, they tend to do that. Yeah, I don't know. Banking used to be that way, but they've definitely modernized. Yeah, so they've come a long way. But the really, really big enterprises out there, like the Coca Cola's, the Pepsi's, you know, the Giant guys, they still use big, giant IBM mainframes, you know, Gotta love them for that. But they also have intense fences around these things. Right, right. So like the NSA in Coca Cola. Yeah.
[29:32]
B
So let's bring this kind of full circle for our folks who are listening. Like, what are the actions that they need to be thinking about to securing their environments, whether it be these legacy cores or against these newer AI threats we've talked about. And how do they do that without. Without breaking the things that are important?
[29:55]
C
Right, right. You know, you got to make sure that the plane doesn't have to land every time you make a change. Right. So, yeah, it's putting in the perimeters, right. Put in the firewalls, you know, and it's using the, the software available today for monitoring stuff. There's a lot of it out there now, but, you know, it doesn't. So the older systems don't have the ability to be monitored like the newer systems do. And that's why you got to put, you know, perimeter systems out there, which are proxies for that. Right. So if they had these events, you know, you know, the same events would happen on the inside system, the legacy system. So you got to put those proxy systems in place, you know, and then you got to have staff, Staff that understand what's going on. Right. You know, they have to understand how to, how to use all the tools, the SIEM tools and the SOAR tools and whatnot. You know, they could be certified, but certifications are very good in terms of, like, being able to filter out people who can do something, can't do something. But, you know, that's not the end game, right? I mean, these. You just have to have people that understand how to use these tools, that have experience with them. So get your staff, you know, trained up, expose them to these tools, you know, so they use them regularly. And then you got to use AI constantly, all the time. Use it to do the nefarious things. Right. You know, doing an AI like tabletop, for instance. Right. You can tabletop your security with your AI, you know, talk to it and see what happens. That's a good way to just get an Introduction to Tabletop exercises. Right. And then go from there and hire somebody to help you with the tabletop.
[31:30]
A
Yeah, that's important. So I like to kind of bring this full circle and I always and fascinated how people found their way to the cybersecurity world. And I read this article, was it Information week I think. But it was talking a little bit how you as a tween or 11 year old kind of found your way to a Commodore 64 and then it just kind of took off from there. But I'd love for you to share with our audience kind of your path to cyber.
[31:58]
C
My path to cyber. So when I was a teenager with my Commie 64, I used to crack software because I grew up poor so I couldn't buy anything. So I used to just crack stuff, take off the copy protection stuff, you know. Well, it's fun, you know, it's interesting learning how all that worked. You know, they did some pretty interesting things back then on those floppy disks. And then I went to Los Alamos out of college and there I got on a team that was doing cyber. My specialty was the data hiding part of it, you know, being able to detect when people do data hiding and whatnot, you know, and a little bit about platform exploitation and understanding like what the vectors are for exploitation. Like how do you know, like what things can you, what things can you take advantage of? And then I went to BBN for a year, worked on gccs, which is the global Command and control system in there. I didn't really do any cyber, I was just doing mostly software but monitoring how the government, the, the we'll say DARPA does cyber, right? Back then, not as, not as much. Um, and so that's back then was this is around like 1996, right? And that's when we first heard of someone using like USB stick to infiltrate a network, right? Because that was kind of like a hot thing, you know, back then, the whole like removable media and being able to inject code. Right. And then I went to work at a little like startup company, you know, to do some online entertainment kind of stuff, you know, Fox NFL game tracker. And that was really fun because you know, you go from small little company to Giganto, you know, Fox Sports and those guys are serious, right? I mean they were just on top of everything, you know, stressed almost to death. But man, they knew everything that was going on all the time. Super serious. And they did not have a sense of humor about security, right?
[33:56]
A
I imagine not.
[33:57]
B
Right.
[33:57]
C
It was a fight every day for Them, you know, it was great. Learned a lot there. Really fast, right? Really fast. And they went on my own, went into the insurance industry where there was no cyber at all. Nobody did anything there. People were loud, laughed at me when I told them that they should, you know, have passwords. Like, why do we need a password? This is just, you know, policy information. No, you know, no one was encrypting anything. You know, they had no idea how to do any of that stuff, you know, and so I was just trying to get them to start to do that kind of stuff, push towards that, you know, more and more, you know. Yeah, that was really hard. But it's paid off, you know, and you see that everywhere now. Like in the insurance industry today. Everyone does it now. Nobody doesn't do it, Right. It's a de facto thing. So. Man. And I just, you know, I took a break for a while and then, yeah, did some. I tried to do games. You know, when I was a kid, I used to write games all the time. So I went back around to try to do games. It was interesting. People in the game industry have a very unique personality. So.
[34:56]
A
Yes, yes, they do.
[34:58]
C
Not quite compatible with my personality. I went back to cyber and software with the insurance industry. It's focused on that, built that back up, and that's where I am today.
[35:12]
A
That's wonderful. It's always kind of seeing that need, right, and solving that problem. So what does the path ahead look like? I mean, do you see yourself standing up another company? Are we not allowed to talk about that while you're still at Beyond Ordinary? But, you know, what are you thinking about the future?
[35:31]
C
So right now we're focusing on doing DoD work with the Navy, trying to get on with some Air Force stuff and some DTRA stuff. Defense Threat Reduction Agency. Dtra. Even though people don't really know that much about them. So we're trying to get on with them doing that kind of stuff. So, you know, just trying some options. I'm gonna stick with the government. I think I would prefer that, you know, moving away from the commercial industry, you know, I'm not gonna say no. We are trying to help some people out with their cmmc. We are certified. So, you know, we help people out with that, you know, get them up and running really, really fast. Well, for the most part, we're moving slowly away from commercial software. But then the industry is moving that way anyway. I don't know that anybody really needs a commercial software developer anymore. We got AI.
[36:24]
A
Well, there's a lot of interesting government work. I used to work with iRobot, and they had their kind of packbot, the military robot division. And it was always so fascinating, you know, DARPA grants and all of that, to develop technology. But there's a lot of interesting things happening in government, and I can imagine you guys get some really interesting projects. I hope so, to work on.
[36:50]
C
Wonderful.
[36:51]
A
Well, Jacob, thank you so much. I really appreciate your time and all this interesting perspective, particularly on AI. I mean, there's so much to talk about. I mean, we could go on for days, I think, on that topic anytime.
[37:05]
C
Yeah, we do it here every single day, doing stuff with it every day. So. But thank you for having me. It's been a pleasure.
[37:11]
A
Wonderful.
[37:12]
C
Thank you, John.
[37:12]
A
To all of our listeners.
[37:14]
C
Yes.
[37:15]
A
And to all of our listeners, Jacob, I don't know if you want to contribute to our drum roll, please. But to all of our listeners out there, John, we like to do a little drum roll.
[37:25]
B
Smash that subscribe button.
[37:30]
A
And you get a fresh episode every single Tuesday. So until next time, everyone stay secure. Thanks for joining us on the to the Point Cyber Security Podcast, brought to you by forcepoint. For more information and show notes from today's episode, please visit forcepoint.com podcast.
[37:52]
C
And.
[37:52]
A
Don'T forget to subscribe and leave a review on Apple Podcasts or your favorite listening platform.