Top Security Geek Jeremiah Grossman Hacks Microsoft, Google, Yahoo and is also a Jiu Jitsu Black Belt who rolls with Forrest Griffin
https://www.linkedin.com/in/businessvoip/
Our guest's LinkedIn profile
Disclaimer: The views, thoughts, and opinions expressed by guests on this podcast are solely their own and do not necessarily reflect the views or positions of their employers, affiliates, organizations, or any other entities. The content provided is for informational purposes only and should not be considered professional advice. The podcast hosts and producers are not responsible for any actions taken based on the discussions in the episodes. We encourage listeners to consult with a professional or conduct their own research before making any decisions based on the content of this podcast.
Transcript
Speaker 0 | 00:01.684
Hello everyone, my name is Phil Howard, your host of the Technology with a Beard extravaganza, and this is the place where you come to learn but also hear random stories of awesomeness, where extra-ordinary people have become extraordinary. And today I’m warning everyone right now that what you are about to hear is top might-be-secret security stuff, so if you are listening to this show, then be prepared to go into hiding for at least one year. We have Jeremiah Grossman with us today. Jeremiah, welcome.
Speaker 1 | 00:39.599
Thanks for having me. And yeah, I usually bring a fear wherever I go.
Speaker 0 | 00:45.825
Now, to be honest with you, I don’t even know, you know, I don’t even know where to begin, because you have been thanked publicly by Microsoft, Google, Facebook, correct me if I’m wrong, and many others for privately informing them of weaknesses in their systems. So in other words, you have hacked these giant companies. But, you know, before we even get into that awesomeness, what’s even cooler is that really, you could have just walked through the door and started poking people out. But I know, I know you wouldn’t do that. But you are a black belt in Brazilian jiu-jitsu. And I don’t know which actually deserves to be raised higher up. I mean, I know the black belts would say definitely jiu-jitsu, but I know that the hackers out there would say, come on, man, he hacked Microsoft. So how I found you: I actually wanted to find a jiu-jitsu guy in security, because, you know, we talk a lot about sports and sales, and people are always talking about golf. It’s golf, it’s the next golf tournament, everything’s golf, sponsor my hole, sponsor this. I mean, I’d really like to sponsor, like, an inner-city kids’ jiu-jitsu club. But long story short, you know, I literally, I’m looking at my Mizuno golf clubs right now, but I could turn, you know, I’m looking at them to the left, and I could turn to the right where my gi, you know, is usually hanging over, like, the trash can drying out. It has blood on it. And so Mizuno, you know, it could be Mizuno gi. So anyways, I’m very happy to have you on the show. And so I’ll let you start off, man. Which one do you think is harder, being a black belt in jiu-jitsu or hacking Microsoft?
Speaker 1 | 02:29.878
Oh, I have no idea. Both are pretty hard. But, you know, it’s funny. It’s, you know, when you’re telling that story, it’s like, you know, which is more cool, the hacking part or the black belt in Brazilian jiu-jitsu part? And it kind of reminded me that, you know, when I go into the academy, you know, and train jiu-jitsu, everybody is very interested that I hack for a living. And then when I’m in my hacker circles, everybody’s, like, really impressed that I’m a jiu-jitsu black belt. So each side is always interested in the other one. I remember this one time I was training, my first time ever training with Forrest Griffin, former UFC champ. And I got it on video. I’m training with him, right? And he’s, like, all over me. He’s a big dude. And we’re going back and forth for, like, five, six minutes. And he has this comment. He goes, you’re, like, you’re the toughest nerd I’ve ever seen. And, yeah. And I just, like, in the middle of the match, I just started cracking up, and I, like, lost position, got, like, choked. But it was just so, it was awesome.
Speaker 0 | 03:27.402
Oh, it was like, it was like a trick for him, you know? Like, sometimes people say, like, you know, like, hey, stop tickling me. You can do that.
Speaker 1 | 03:34.384
You know, but, you know, when we learn about fighting and self-defense, you know, if you’re at, well, on the ground, we know jiu-jitsu wins. Jiu-jitsu and wrestling win. If you’re in a clinch, we usually think wrestling and judo win. They’re the most proficient. And for your striking range, usually Muay Thai wins. Any further than that, I’ll take the computer and hack it.
Speaker 0 | 03:57.676
Yeah, I actually, I was looking at some of your followers the other day, and I can’t remember who, some of the guys got, like, a really big beard, and I think I might be, like, one inch short of his, but he’s going on about how, like, the Boeing airplane was, like, hacked the other day. Have you been following that? Is that a big thing?
Speaker 1 | 04:13.742
I did, and most of the details of how they did it are classified right now. But apparently, the plane is sitting in front of them. They didn’t need any special access. It was a remote compromise, which means they were able to remotely take control of some important parts of the plane. And that part, for the insiders, isn’t the most impressive part or the scariest part. It was later on in the article where they said how the planes are put together, the attention toward computer security, and how much it costs to actually make a change and improve this stuff. It said something like any time you change a line of code on the plane, because these planes are flown with software, it’s going to cost them $1 million. So if you’ve got a little problem when you’re hacking it and you have to fix it, it’s going to cost them $1 million per line. That’s significant.
Speaker 0 | 05:02.936
Yeah, and then it’s like, I don’t know how many billions it would be to go just from like four-digit to five-digit flight numbers.
Speaker 1 | 05:11.064
Yeah, the systems that they designed for airline travel, I believe, date back to the 70s with a whole lot of upgrading, a whole lot of upgrades. So yeah, our whole world is built on legacy systems and software, and it’s very difficult and expensive to upgrade at this point, which is really probably the number one issue we deal with in technology, at least when it comes to security. It’s not so much that it’s not difficult to find problems and exploit things and have things. Defense is really hard because it’s expensive.
Speaker 0 | 05:43.275
So, all right, I need a story. I need a back story. Did you used to be, did I read today that you used to be 300 pounds?
Speaker 1 | 05:51.217
I did. My first day of jiu-jitsu, I weighed about 305.
Speaker 0 | 05:55.438
So, I mean, that’s crazy. How, I mean, it’s not crazy because, you know, jiu-jitsu, like jiu-jitsu nerds, we get really into the sport and we don’t understand why no one wants to do it. And we’re always trying to recruit people. Like we’re out there proselytizing people to become, to come into jiu-jitsu. At least I am. I’m always trying to say, like, hey man, come on, you got to go to jiu-jitsu. It’s like, you know, it’s awesome. It’s life-altering. So you came in, you were 300 pounds. What kept you coming back? Because you’re a black belt. Well, first of all, how many years have you been a black belt? I mean, how many years did it take you to become a black belt?
Speaker 1 | 06:33.452
Oh, it took me about nine years. Nine years.
Speaker 0 | 06:37.393
Okay, so that’s, I mean, I would say that that’s actually below the curve. I mean, I would think the average would be like 14 years or something greater. Yeah,
Speaker 1 | 06:45.636
convention says it’s about two years for a belt, you know, something like 10 years if you’re consistent. So I was training, you know, three, four days a week, every week for as long as I can remember, and just grinded it out. I never really had any lulls, so I was able to complete mostly on time.
Speaker 0 | 06:59.622
Did you ever have, like, a doldrums moment, or, like they say, people get stuck in the blue belts, like myself? Like I’ve been a blue belt for, I mean, on and off for, like, four or five years. It’s ridiculous, you know, but I would like to tell myself I’ll never give up, because, you know, I’ve moved and I’ve had kids and work got a hold of me and I’ve got seven kids and, you know, that can get in the way. But you know what I’m saying? What was kind of like the, what kept you coming back? Because to me, that’s an amazing story.
Speaker 1 | 07:24.091
Well, what kept me coming back is the same thing that got me started in the first place. So a coworker, you know, I was always a big UFC fan, like back to UFC 1 or 2. I was always a big UFC fan. And I heard about this jiu-jitsu thing, you know, Royce Gracie was just kicking the crap out of everybody on the ground, this 180-pound, 6-foot-1 guy. And I was thinking to myself, I want to learn this stuff. I’m 300 pounds. I’m used to being physical, but I want to learn this stuff. So a coworker and I, we go down, and he finds me. We walk in. I’m a big dude and I’m from Hawaii, and it’s a very fighting culture. And I grew up kickboxing, so I’m not experienced when it comes to fighting. It’s just growing up is kind of how you do it here. And so I get on the mat, I have a standard jiu-jitsu class, you do some warm-ups. I barely got through it because I was completely out of shape. And then you do some drills, you learn some moves, and then you spar. And I’m the white belt in the big 300-pound gi that doesn’t fit well, and I don’t know how to tie my belt, you know, all that sort of thing. And the instructor, you know, as you know, from day one they throw you in, man, you’re sparring. So at the end of the class, it was time to spar, and he puts me with a 150-pound brown belt woman that was half my size. She was about 50, 55 at the time, half my size, twice my age. And I’m thinking, they must be screwing with me or something, you know, maybe making me feel good or whatever. So as we started doing that, you’re sitting there. I’m looking at her going, okay, I don’t want to hurt her. We shake hands and go. I don’t really know exactly what to do, but I know I don’t want to hurt her. And I don’t even remember the move she did on me. Probably some kind of arm drag. She arm drags, goes right to my back, and proceeds to choke me mercilessly. And I am, like, stunned. I’m bewildered. I’m, like, tapping on my neck, like, fiercely trying to get her to stop. And in my head thinking, like, oh, man, she took advantage of me. I was being nice. You know? And I’m like, stop.
Speaker 0 | 09:22.907
Yeah,
Speaker 1 | 09:23.787
yeah, yeah. We’re going to go on a journey, right? So, like, okay, I’m going to miss the nice guy. I’m going to put her in her place, that sort of thing. We shake hands and start going. Swear to God, in two and a half seconds, she’s on my back again with the exact same move choking me unconscious. And my eyes got really big. What just happened there? And this proceeded to happen over and over again for all of, like, the four minutes of stamina I had left in my body before I was completely spent and my ego was sufficiently hurt. And so I leave the academy and I go and sit in my car, demoralized, frustrated, confused. And I sit there thinking. I have to keep training. You know, this is interesting. It’s good. It’s probably going to be good for me. But more than anything, I have to, I can’t go through my life as like, you know, male. You know, my man card was just confiscated. I have to come back and learn it to kick her ass. Like, they can say, anybody wants to say it’s sexist or whatever, but that’s just what I was feeling in the moment. So I come back day after day after day, and I’m training with her and others, and I’m learning. And it took me about a year and a half later, you know, to tap her. That’s really what happened. And that was a big thing. And I remember telling her, and she just started cracking up hysterically. We’re, like, great friends today. But that’s really when, at least getting to, like, very near, I think it was getting near to the blue belt by then. But, yeah, that’s kind of what kept me coming back was that motivation. But over time, it was just, I didn’t really care a lot about the belts. I think the purple belt was meaningful to me. And so was the black belt. But after that, I didn’t care. I just wanted to get good.
Speaker 0 | 11:03.978
Yeah, like a lot of people, like I was talking the other day, because, you know, I’m, like, in the masters, like I’m 41. So if I go to a tournament, I can actually, like, sign up to be in the masters, you know, tournament part, which is, like, you know, 41. But when you become a black belt, it’s like everything starts there, because there’s however many thousands of black belts now. There used to not be a lot, but there’s more now. And you could be going up against any number of black belts that has, like, seven stripes on his belt that’s just going to murder you, and especially in the masters ones, because these are grizzled veterans. They’re only masters because they’ve been doing it for 20 years. It’s not like they really lost a step since 30. Probably, yeah, yeah. Have you ever had to use it in real life? Now that you’re a black belt, have you ever had, like, a really kind of scary situation, like an awkward situation where you could have been out in the back alley somewhere and actually had to use it?
Speaker 1 | 11:57.509
Not normally. I’ve only really had, you know, since my jiu-jitsu career early, I had two bad experiences like that. And both were actually in a jiu-jitsu academy. So my work requires me to travel a lot. So I like to say I travel the world, meet new people. I feed them. I do my work. But I visited literally a hundred academies around the world. And usually I try to stick to the jiu-jitsu academies where they wear gis, because there’s usually less ego problems and things like that. This one time I was in Atlanta and I had to go to an MMA gym. I’m not opposed to an MMA gym. It’s okay. If somebody’s world class, they’re probably not going to hurt you. It’s the ones that the muscle heads and the MMA fighters that maybe have two years of experience, the ones that you have to worry about. And, you know, culture is a big deal in the academy, because it’s an injury-prone sport to begin with and you need really good training partners. They don’t want to fight you. They want to train with you and treat you as a training partner. But an MMA place isn’t always like that. So I got paired up, you know, because I was doing, you know, the instructor was not terribly attentive, which is a telltale sign of culture, but he pairs me up on purpose, because I’m an outsider, with, I guess, one of his fighters, the stereotypical MMA guy, you know, ripped, 220, you know, gnarled ears, tats everywhere, that sort of thing. I guess he’s used to, you know, rolling people over. So I’m looking at him, right, and I’m sizing him up going, wow, he looks strong. He looks bubbly in terms of muscles, ribs. He probably doesn’t have a lot of stamina, because it takes a lot of oxygen to run that amount of muscle. So I’ll just see what he’s got, and I’ll just take it easy. So he comes forward real fast with, like, almost like a double leg. And I just want to, you know, just like the brown belt showed me on my first day, just arm dragged him and put his neck on the way by, and I had him with a rear naked in about five seconds flat, which, I guess, really annoyed him, you know. And so he was really, uh, blue belt level and no more, you know. Also just gonna be cool. But during our next session he was really trying to hurt me. He was, like, grinding his elbows in my face, you know, you know, doing all those, you know, chin and eye sort of crap, right? And, like, I’m not going to tap to it. He’s just trying to hurt me. So I decided to run him into a steam room, you know, to cause him to exert more than I was. Then I started dropping knee on stomach into his ribcage to make sure he was suffering the whole thing. And I was pulling eyes at him and pulling his head just to make sure he was fighting vitamin attack. But I could see he was in the next option, but there was going to be a problem. Because I let him up again. He goes right back to his same tactics. And you know, I can just feel it. There’s going to be a fight. So I’m doing the whole risk management thing in my head going, okay. While I’m training with him, the clock’s ticking down. I’m looking where my stuff is, because it’s time for me to leave. Because he’s really paying attention. So, you know, when the time is right, I slip right to his back and I put him to sleep, knowing he’s going to wake up in about 15, 20 seconds. He’s going to be a little disoriented for 30 seconds after that, but he’ll be fine. He’s not going to be hurt. So I put him to sleep. I stand up and walk directly over to my stuff. And now that he’s sleeping, so he’s no more of a threat. And I’m now mostly worried about the instructor and the other students. So I’m keeping up with the instructor as I’m walking out the door. And I can see the instructor look at me confused. He’s going, like, where are you going? We’re not done yet. And he sees me.
Speaker 0 | 15:29.755
I’m out.
Speaker 1 | 15:30.736
Yeah, he sees this guy sleeping on the mat, and he looks back at me, and I kind of give him a look like, you can let me leave because you knew what you were doing, or we can escalate. What would you like to do here? And most people like the quick back-and-forth look. And he goes and attends to his guy, and I grab my stuff, and I was out of there. So that was probably the closest to a real encounter.
Speaker 0 | 15:50.366
Yeah, the egos can get crazy. When I walk into my school, there’s a nice little laminated sign right before you jump on the mat that says, number one, every dog has his day. So, yeah, so, uh, my coach is Dan Simler. He was on the UFC, on the show. But, um, anyways, it’s a great school, man. We’d love to have you anytime. Now, yeah, I mean, please, you know, fly out here, it’d be great, or, you know, I can fly out there, I’d love to go. Now, is it all right if I pigeonhole you and throw some stereotypes into the mix? I mean, you’re in Hawaii. Um, uh, do you surf?
Speaker 1 | 16:30.096
Yes, it’s kind of like pickup basketball. Everybody in Hawaii surfs a little bit.
Speaker 0 | 16:35.398
You got to, man. I mean, you know, my parents have a house in Maine, so I grew up on the ocean in Maine, so I surf every now and then, but it’s great.
Speaker 1 | 16:44.322
You would absolutely love it here. Paddleboarding is a big deal. Just go out there and do it. There’s a hundred beaches. Go for it.
Speaker 0 | 16:53.266
Man, I got to figure that one out. Okay, so, you know, to get on to something, this is supposed to be a technology show, to get on to something very important, you know, jiu-jitsu came after, I mean, you were a hacker first. Give me just, did you grow up with computers? Or, you know, first of all, let’s talk about something more important: how did you hack into Microsoft and Google? Because I think a lot of people have this stereotype of a hacker being this, you know, like what you see, like a guy in a hoodie sweatshirt, and it’s dark and he’s sitting in front of a computer and he’s, you know, running all these algorithms and numbers, and he’s hacking into, like, a mainframe system. And I would imagine that the majority of people hack in due to human error. But, you know, I’ll let you answer that question. How did that happen? Like, how did you hack into the Facebook or, you know, just pick one of them.
Speaker 1 | 17:51.519
Um, yeah, that’s a great question. I think the first thing to point out is that, uh, there really are, you know, like, the stereotype of the hoodie in the basement and that sort of thing, the stereotype out there, it absolutely exists. And some of them are good. But predominantly, there are no whiz kid hackers like that. Just like jiu-jitsu, the true skilled professionals, it takes a long, long time. Usually guys that are really good are going to be in their late 20s, early 30s, or even older, because they’ve been doing it for 20 years. Because here’s the thing, hacking into something like Facebook, Google, or Microsoft, it’s against federal law. I mean, everything that I do, a lot of what I do outside the public speaking stuff, it’s against federal law. And what happens is it makes it very difficult in order to practice without going to jail. So what happens with a lot of the young kids, unfortunately, is they hack and they’re experimenting and they’re trying things. They don’t really do any harm, but they do commit a federal crime and they get busted and they can no longer hone their craft. So there’s been a few of us along the way that have managed to find work in a way to practice on these large systems and hone our skills over the last 15, 20 years until we get really, really good. And so, you know, you know, I got my start in my career, kind of in hacking, kind of like a fluke coincidence. When I was about 19, you know, there were news stories that broke that somebody had found, you know, a long time ago, had found vulnerabilities in Yahoo and eBay. I wanted to learn how they did it, but also what the defense mechanisms were. So one day, you know, when I was 19, I signed myself up with a brand new Yahoo mail. This was like a nine, and proceeded to try to break into it. And the way I did it was, is it’s a tiny bit difficult to describe, but you’ll get the chance. It’s a, you know, web pages are made up of HTML and JavaScript, the coding behind it.
Speaker 0 | 19:42.506
Yep.
Speaker 1 | 19:43.186
So I put in a little bit, a snippet of my own code, into my email and I sent it to another user. It was, it was my account still on the other side. So when you read the message in your browser in Yahoo, the code would run and it would hack you. It would actually give your, your account information and send it automatically to me behind the scenes where I could break into it. So what that meant was, as long as I had this code, and I can say, I’m going to send you an email, and the moment you read it, I know your account, it was mine. And it was just a very simple way to show what was possible. So yes, I did hack Yahoo Mail, quote, unquote. I hacked into any one of 120 million users. My experimentation was what, you know, what was the new technique? What could I do? What could I learn? And then how could I communicate it over to Yahoo so they’d fix the problem and everybody can have, you know, a better experience using the web.
Speaker 0 | 20:37.368
That’s awesome. So what did Yahoo say?
Speaker 1 | 20:44.710
So it was an interesting dialogue. So I sent it over to Yahoo, and I sent my note to them anonymously, because I had a good job, you know, I was going to school and all that sort of thing. I didn’t want to jeopardize anything, because I didn’t know what I was doing. It was a federal. And it’s certainly not a conversation you want to have with a federal prosecutor. So I get back and somebody from Yahoo had emailed me back saying, you know, thank you very much for letting us know the problem that you submitted. We have a few questions about it. And we know that you want to be anonymous, but let us know if we can send you a T-shirt. And I can tell you right now, that was the greatest day ever. I hacked Yahoo in my spare time. I hacked Yahoo in my spare time. They thanked me for it. And, you know, they took it seriously. And I was going to get a T-shirt. This is, like, the most amazing day to me ever. And so I’m having this back-and-forth dialogue with Yahoo. And they’re saying, if you know any more issues, let us know. So I took that as permission to hack mercilessly, which I did. You know, pull anything. I sent them issues. And I found out later the person I was communicating with was one of the two founders of Yahoo. And, uh, that led to someone on their security team in recruitment saying, we would like for you to come up and interview. Subsequently, they offered me a job. So that started my career in hacking. My job there when I got to Yahoo was to hack everything that Yahoo had in sight with the community. So I had the quote-unquote license to hack anything that they wanted.
Speaker 0 | 22:12.138
That is awesome. Yeah, there’s kind of that general, I don’t know where I heard it, but I’ve heard people say, hey, if you want a really good, you know, federal government job, like, you know, hack the government, but don’t do anything, because then they’ll call you and give you a job. You hear that a lot.
Speaker 1 | 22:30.763
Let’s say that’s how it used to be. It used to be that way. But now they actually have this new thing in the last two years called Hack the Pentagon. And it is a game you can play where they open invite anybody who really wants to, to hack the Pentagon. They have a set of systems, and I think it’s in, like, the thousands now, you can go after it, start finding problems and report them, and they’ll pay you for the, for the issues that you find. And I imagine if you impress them enough, they may hire you, or others might hire you, because they see that you really do know what you’re doing. That’s all. And, oh, yeah, and the payments can be anywhere from as low as a few hundred dollars per problem, but I’ve seen other people make five, six figures for things that they’ve been reporting.
Speaker 0 | 23:19.450
Okay, let’s talk about general business folk. I’m a telecom guy. I sell telecom, okay? People hack telecom by getting into someone’s voicemail password and then, like, you know, rerouting, or getting into someone’s portal and rerouting SIP trunking to, let’s not pick on Nigeria, because they get picked on a lot, so, like, wherever, to do calling cards and do, you know, various different call routing stuff. That aside, I have a lot of various different hospitals and medical facilities, and to me, the security and just the migration with EMR records and all these different companies over the next five years, to me, I just see a huge gap. There’s just going to be so much consolidation. What would it take? And first of all, do hackers want to hack into, say, a hospital? So let’s say my local hospital, like Worcester Memorial Hospital. It’s a huge network of major hospitals. There’s a lot of research going on. There’s a medical school. There’s a bunch of hospitals. How long would it take someone to hack into a hospital and get patient records or, you know, take whatever the heck they want in a kind of a regional, maybe non-NFL city area?
Speaker 1 | 24:28.910
So I’d have to ask a few more questions. So just the average hospital and remotely over the Internet?
Speaker 0 | 24:37.853
Sure.
Speaker 1 | 24:39.313
And is it? Are we talking actual adversary or something like a test, like if you wanted to see if somebody could do it? Like which one?
Speaker 0 | 24:47.941
Well, first of all, I want to see if someone could do it. But yeah, an actual adversary. And first of all, because I was looking up, you know, some of your bullet points and HIPAA was one of them. Do hackers want to hack into a hospital and get patient information? Just curious. Is that, like, a big, yeah, okay.
Speaker 1 | 25:03.784
For two reasons. The first one is that hospital records are fairly accurate with respect to personal and private information that they can monetize with identity theft and other things. So that’s, the data itself is very valuable to them. The other one is that they’ve been making a lot of money on holding hospitals down. They encrypt all the data on the network until the hospital pays money to unlock the system, as we call it, ransomware. And hospitals, all over the world, have been compromised that way over the last two years. Some have had to pay somewhere between $50,000 and $100,000 on up to make sure operations get back in shape. So yes, they’re definitely a target. So to answer your question, it depends on what the attacker’s motivations are, what their goal is, but it’s going to be under 12 to 24 hours normally.
Speaker 0 | 25:58.401
Now, let’s say they bring in someone like yourself. What can you do to prevent it?
Speaker 1 | 26:05.865
It’s a difficult one. So when you break into a system, your mode is, I’m just going to find one way in, one very, the fastest, easiest way in to get what I want. When you’re playing defense in that environment, what you’re trying to do is you’re trying to find and identify. all the ways in so you can patch them up. So what a lot of things, what the process really is, is understanding what it is that you want, where all your servers, computers, and data is, figuring out what it’s worth, what’s on it, its value, what are the ways into all those things, and then you proceed to try to lock it all down. Maybe it requires patching or reconfigurations or turning systems off or redoing the network. So it’s hard to give any guidance or any generic guidance to any one organization. But it’s that same, it’s a very straightforward common sense process. Find out what you, what is it worth? What is it at risk to? And once you find out the gaps there, then you can proceed to lock down anything that you want.
Speaker 0 | 27:03.169
Now, I would imagine human, general human interaction and training would be part of that equation as well.
Speaker 1 | 27:10.151
It has to be. But what you’re trying to do with technology and the right systems is make it so it’s forgiving on the user. for mistakes because people are fallible and they’re going to make mistakes. And if somebody misclicks something, you don’t want the whole hospital network to go down or patient records going. So it has to be a bit more forgiving and resilient to human error. So we train the users or the, you know, the employees as best we can, but then we still have to make sure the system is secure in the event of mistakes.
Speaker 0 | 27:39.749
Awesome. So basically go through hierarchy of what things are worth. I would assume, you know, start with the stuff that’s the most valuable first, lock that down, and go down that path.
Speaker 1 | 27:51.096
Yes. And then, you know, as your litmus test is where you bring in, not so much me today, but guys like me that are trying to connect the system, they call them penetration testers or vulnerability assessors, and they’re constantly battering your system to find the weak spots. So, anytime you mess up, it’s better that they find it first and communicate with you than somebody less desirable. So, at the end of the day, you need that litmus test. You need that going after you.
Speaker 0 | 28:19.296
How does a layman, and when I say layman, they might not be a layman, they might be a CTO of a major, you know, maybe medium enterprise-level company. How does a layman sift through and even know where to begin with security? Because I can tell you right now there is a ton of white noise. It’s like talking about the cloud. It’s like, you’ve got to move to the cloud. It makes no sense. We call it the fog. We joke around. We call it the fog, right? Because, like, well, which part of the cloud are you talking about? Are you talking about your Gmail account? Because that’s in the cloud. You know, like, it’s such a, talk about security. Like, hey, we’re going to worry about security. Now, obviously, the IT director is going to know a lot more specific, kind of like where his weaknesses are. But how does someone in a larger, you know, network, where it might be, you know, there might not be a lot of clarity around really the network and what’s going on? There might be multiple parts patched together, and then there might be a merger, and someone gets fired, and another guy comes in, and it could be. Where does someone begin, and how do they even know how to evaluate or go get a good security company?
Speaker 1 | 29:33.157
Sure. It's a complicated question, but I can just tell you the way that I would do it if I was in those particular roles. First, you have to understand the business that you're in. You know it, whether it's healthcare or whatever else. And this job of a CTO or head of security is twofold. They have regulations and obligations, compliance really, which have nothing to do with security. Like we mentioned HIPAA earlier: you have to do the stuff that HIPAA says, otherwise the business will suffer financial harm. But just because you're HIPAA compliant, or compliant to anything, has absolutely nothing to do with your security posture. I can't tell you how many companies have been hacked even though they were compliant on whatever the standard. So just like I said before, the guidance I would give to everybody is first figure out what you own. Get your network topology down, where all your data lives, to the most accurate degree that's possible. Now that you know what you own, you can start figuring out where your gaps are. And you just run through the process. What do you own? What is it worth? What is it vulnerable to? And so on and so forth. And that's really all that you need to do. It doesn't necessarily need to be any more sophisticated than that. But when it comes to actual defenses, then you can play the risk-reward game. Because certain defenses and activities, security controls, can be kind of expensive. So if you can see how difficult it is for the hacker to break into a certain area, you can say, well, I could put this defense in place, or I could put that defense into place. Which one makes the most sense? Which is the cheaper one? Which is going to give me the more bang for the buck? And that is the right conversation.
Speaker 0 | 31:12.347
Gotcha. Now, so right now, you're the chief of security at SentinelOne.
Speaker 1 | 31:19.060
Chief of security strategy. So I help customers strategize their defenses. I tell them what the bad guys are up to, what they’re after, and some of the things, just like we’re doing now, that they can do to protect themselves.
Speaker 0 | 31:33.586
Gotcha. And now you guys basically put together the plan or the roadmap. You don’t actually come in and do it, or do you?
Speaker 1 | 31:41.850
It's certainly one that's a very narrow scope. Most of the time in security, you can bring in a security company, a big integrator that has a whole lot of vendors that they work with. So they bring in their bag of tricks for all the vendors. But I'm a product vendor. So most of the security companies are sole-solution. So in the case of SentinelOne, they are what we call next-generation endpoint protection. It's kind of like antivirus on steroids. It's more than just antivirus. It's a whole lot more. So our job is to protect computers from getting infected with viruses. At the end of the day, that's as simple as I can put it. And so when I communicate with CTOs, CISOs, CEOs, I go, okay, this is what the world of malware looks like. This is who's behind it. These are the tactics that they're using. Our product does X, Y, and Z to stop that. And this is what I think you have to do in order to not get infected.
Speaker 0 | 32:35.076
Are you guys like a license-based sales model, like per license?
Speaker 1 | 32:38.838
Yeah, it's licensed on a per-endpoint or per-computer model. We like working with small businesses all the way up to the megacorps. The technology is absolutely fantastic. I wouldn't have joined otherwise, because I founded a very large company beforehand. But I wanted to get into the anti-malware space because it really needed help. We've been doing antivirus for 20 years and the problem has only gotten worse. And there's very good reasons for that. And this company just had a better mousetrap, a better way of going about it. And furthermore, they were willing to guarantee their results. So one of the reasons I was brought in was to design a product warranty for them, which is pretty much unheard of in security. Meaning if you buy the product and use it as recommended and you still get infected, there's a $1 million warranty standing behind it. It's completely unheard of in the industry, but that's how confident we are in our metrics and our stats that the product does work.
Speaker 0 | 33:34.752
That's a pretty good warranty. Unless someone, like, wires out 1.2 million by mistake due to some, you know, malware thing. So, well, why don't you explain again for the layman listening to this, what, I think we all know, like, you know, Malwarebytes or download this for free. I mean, I think most people have done that, but they've just kind of done that to prevent, like, you know, pop-up ads on their computer from back in the day when we used to use Netscape or whatever. But do you want to give me, like, a general, like, malware today, what is it? If you're going to explain that to someone in, like, you know, one or two sentences, what do they need to hear to know?
Speaker 1 | 34:07.312
Malware is short for malicious software. It's software that does something to your computer that you really don't want it to do. It might encrypt your files. It might steal your passwords and liquidate your bank account. It's any software that you really didn't want on your computer. And it spreads very fast. It spreads very, you know, very easily all over the place. And for consumers, here's the real issue for the consumers: I couldn't even give you a good product for consumers that works. So if I was giving a consumer guidance on how not to get infected with viruses, I would tell them, one, install an ad blocker. That's huge. Make sure your machine is up to date on patches. Uninstall Flash and Java, because that's a major harbinger. And install two-factor authentication on all your online accounts. And with that, you're going to be safer than 99.99% of everyone.
Speaker 0 | 35:03.555
My dad said to me the other day, he's like, hey, he calls me PJ. Hey, PJ, he's like, is it normal that I've had to replace my credit card eight times in six months? I'm like, no, Dad. Would this have stopped the old crypto virus, you know, the fear of the Russians, like, logging in and locking all the files down, like you said, and then charging you $50,000 to get your business back online?
Speaker 1 | 35:27.675
There’s no guarantee. So if you’re running a small business.
Speaker 0 | 35:31.686
But there is a guarantee. But let’s be honest, there is a guarantee with you. A $1 million guarantee.
Speaker 1 | 35:36.128
With me, there is a $1 million guarantee. I know the math very well. I've had to deal with these guys a long, long time. So I know what they're capable of and their tactics. So if you're a business and you're able to invest in security, then there are really good products out there that you would enjoy. I'm one of them. But the consumers are in a tough spot. The only other one I would add to that, the piece of guidance for both normal everyday consumers and businesses, is to deactivate or disable Word and Office macros, those little automatically running programs in Excel or Word. Those are amazing for viruses these days, and most people just don't know that. If you can disable that in your computer, you'll be light years beyond it, and that feature most nobody uses anyway, so you don't need it. So uninstall Java, Flash, deactivate macros, install an ad blocker, use two-factor authentication. Those four or five things, whatever it is, and you're good. It's just highly unlikely.
Speaker 0 | 36:48.574
Okay, so in order to summarize the amazingness of this show. Number one, go down the street, find a jiu-jitsu studio where the instructor pays attention to people and there's not crazy people that are going to choke you out and flip out the back door. Number one. Number two, if people wanted to get a hold of you?
Speaker 1 | 36:58.342
Sure. If people want to reach out to me directly, search my name on Google or go to jeremygrossman.com. There's tons of ways to hit me up there, whether it's email, Twitter, Facebook, LinkedIn, whatever. So I'm always available like that. Or you can do the same thing directly through the SentinelOne website. You'll do a search for SentinelOne, and they have many different ways to get in touch with them to get a product demo. So we can help you do that. They can help you directly. But either way, we definitely have people to try out the product. We have hundreds, if not over 1,000 customers now, and the company is only like two and a half years old. So it's been a wild ride so far. I'm enjoying this.
Speaker 0 | 37:45.430
So if anyone wants to get a hold of you, they can certainly contact me as well. Obviously, you can get a hold of Phil Howard at phil.howardsales.com. You can find me at thehowardstrategy.com as well. Just enter in your information, put down, hey, I heard the show, I'd like to talk with Jeremiah or talk about security. Enter your information. I'll certainly put you in contact with him. Jeremiah, if you had one other message to deliver to the public, what would that be? And it can be two messages too, or it could be something about Jesus too. It could be about security. What is that?
Speaker 1 | 38:21.910
You know, I think what I've learned most in my time in computer security was in jiu-jitsu. And I'm sure somebody said it before, but it's embracing that grind. It's 1% better every day. Very little of what I've learned in hacking is technically, is cerebrally challenging. Meaning it takes a real intelligent person to grasp 99.99% of it. You just break it down into small chunks. You learn that thing, and you learn a bit more the next day, and a little bit more the next day. And jiu-jitsu is the same: one or two moves every class, 1% better, and you just keep doing that every single day. And maybe that works in every walk of life, but if you're willing to put in the time and grind it out and be consistent and disciplined and humble, that's going to take you so far, probably more than most anything else that anybody could ask for. It's just that determination to not stop and improve every day.
Speaker 0 | 39:20.474
That was the mind-blowing moment I was looking for. 1% better every day. Really, if people could just wake up every day and do 1% better, it's just a tiny bit more. There's no fallback.
Speaker 1 | 39:30.462
You just keep going after it, and you keep going after it. And in jiu-jitsu, I mean, you've probably experienced this. I'm not terribly concerned about the guys that are bigger, stronger, even better. I'm always concerned about the other guy who will not stop, who comes in every day, gets his ass kicked, and comes back and does it again and again and again. Because I know there's going to be one day he's going to, he just has that drive, and I'm never going to beat him again, because he's going to keep doing it. Those are the people you fear, the ones that do that, and most do not.
Speaker 0 | 40:04.546
Oh, man, they're upset because you're tapping them to begin with. They keep coming back and you're like, no, this guy is going to tap me someday, and that's going to be it. I know exactly what you're talking about.
Speaker 1 | 40:13.948
It’s going to be the last time you tap them. Like, they’re gone. Like, it’s the self.
Speaker 0 | 40:21.511
So true, man. Hey, this has been a pleasure, man. Thank you so much for being on the show. I may have to ask you back for another show sometime if something comes up. I was thinking maybe we'd do a demo someday of you hacking into something crazy, and we can post that for you.
Speaker 1 | 40:37.124
We should definitely set that up for next time. It's been a pleasure. And can we sort out some kind of a cool hacking demo for the audience, of some kind? I have a few tricks up my sleeve.
Speaker 0 | 40:48.088
All right, man. Hey, thank you so much for being on the show.
Speaker 1 | 40:50.589
My pleasure.
Speaker 1 | 02:29.878
Oh, I have no idea. Both are pretty hard. But, you know, it's funny. When you're telling that story, it's like, you know, which is more cool, the hacking part or the black belt in Brazilian jiu-jitsu part? And it kind of reminded me that, you know, when I go into the academy and train jiu-jitsu, everybody is very interested that I hack for a living. And then when I'm in my hacker circles, everybody's really impressed that I'm a jiu-jitsu black belt. So each side is always interested in the other one. I remember this one time I was training, my first time ever training with Forrest Griffin, former UFC champ. And I got it on video. I'm training with him, right? And he's all over me. He's a big dude. And we're going back and forth for, like, five, six minutes. And he has this comment. He goes, you're like, you're the toughest nerd I've ever seen. And, yeah, in the middle of the match, I just started cracking up, and I, like, lost position, got, like, choked. But it was awesome.
Speaker 0 | 03:27.402
Oh, it was like, it was like a trick for him, you know? Like, sometimes people say, like, you know, like, hey, stop tickling me. You can do that.
Speaker 1 | 03:34.384
You know, but, you know, when we learn about fighting and self-defense, if you're on the ground, we know jiu-jitsu wins. Jiu-jitsu and wrestling win. If you're in a clinch, we usually think wrestling and judo win. It's the most proficient. And for your striking range, usually Muay Thai wins. Any further than that, I'll take the computer and hack it.
Speaker 0 | 03:57.676
Yeah, I actually, I was looking at some of your followers the other day, and I can't remember who, some of the guys got, like, a really big beard, and I think I might be, like, one inch short of his, but he's going on about how, like, the Boeing airplane was hacked the other day. Have you been following that? Is that a big thing?
Speaker 1 | 04:13.742
I did, and most of the details of how they did it are classified right now. But apparently, the plane is sitting in front of them. They didn't need any special access. It was a remote compromise, which means they were able to remotely take control of some important parts of the plane. And that part, for the insiders, isn't the most impressive part or the scariest part. It was later on in the article where they said how the planes are put together, the attention towards computer security, and how much it costs to actually make a change and improve this stuff. It said something like any time you change a line of code on the plane, because these planes are flown with software, it's going to cost them $1 million. So if you've got a little problem when you're hacking it and you have to fix it, it's going to cost them $1 million per line. That's significant.
Speaker 0 | 05:02.936
Yeah, and then it’s like, I don’t know how many billions it would be to go just from like four-digit to five-digit flight numbers.
Speaker 1 | 05:11.064
Yeah, the systems that they designed for airline travel, I believe, date back to the 70s with a whole lot of upgrades. So yeah, our whole world is built on legacy systems and software, and it's very difficult and expensive to upgrade at this point, which is really probably the number one issue we deal with in technology, at least when it comes to security. It's not so much that it's difficult to find problems and exploit things. Defense is really hard because it's expensive.
Speaker 0 | 05:43.275
So, all right, I need a story. I need a back story. Did you used to be, did I read today that you used to be 300 pounds?
Speaker 1 | 05:51.217
I did. My first day of jujitsu, I weighed about 305.
Speaker 0 | 05:55.438
So, I mean, that's crazy. How, I mean, it's not crazy, because, you know, jiu-jitsu, like, jiu-jitsu nerds, we get really into the sport and we don't understand why no one wants to do it. And we're always trying to recruit people. Like, we're out there proselytizing people to come into jiu-jitsu. At least I am. I'm always trying to say, like, hey man, come on, you got to go to jiu-jitsu. It's awesome. It's life-altering. So you came in, you were 300 pounds. What kept you coming back? Because you're a black belt. Well, first of all, how many years have you been a black belt? I mean, how many years did it take you to become a black belt?
Speaker 1 | 06:33.452
Oh, it took me about nine years. Nine years.
Speaker 0 | 06:37.393
Okay, so that’s, I mean, I would say that that’s actually below the curve. I mean, I would think the average would be like 14 years or something greater. Yeah,
Speaker 1 | 06:45.636
convention says it’s about two years for a belt, you know, something like 10 years if you’re consistent. So I was training, you know, three, four days a week, every week for as long as I can remember, and just grinded it out. I never really had any lulls, so I was able to complete mostly on time.
Speaker 0 | 06:59.622
Did you ever have, like, a doldrums moment? Or, like they say, people get stuck in the blue belts, like myself. Like, I've been a blue belt for, I mean, on and off for, like, four or five years. It's ridiculous, you know, but I would like to tell myself I'll never give up, because, you know, I've moved and I've had kids and work got a hold of me and I've got seven kids and, you know, that can get in the way. But you know what I'm saying? What was kind of, like, what kept you coming back? Because to me, that's an amazing story.
Speaker 1 | 07:24.091
Well, what kept me coming back is the same thing that got me started in the first place. So a coworker, you know, I was always a big UFC fan, like, back to UFC 1 or 2. I was always a big UFC fan. And I heard about this jiu-jitsu thing, you know, Royce Gracie was just kicking the crap out of everybody on the ground, this 180-pound, 6-foot-1 guy. And I was thinking to myself, I want to learn this stuff. I'm 300 pounds. I'm used to being physical, but I want to learn this stuff. So a coworker and I, we go down, and he finds me. We walk. I'm a big dude and I'm from Hawaii and it's a very fighting culture. And I grew up kickboxing, so I'm not experienced when it comes to fighting. It's just growing up, it's kind of how you do it here. And so I get on the mat, I have a standard jiu-jitsu class, you do some warm-ups. I barely got through it because I was completely out of shape. And then you do some drills, you learn some moves, and then you spar. And I'm the white belt, the big 300-pound guy whose gi doesn't fit well, and I don't know how to tie my belt, you know, all that sort of thing. And the instructor, you know, as you know from day one, they throw you in, man, you're sparring. So at the end of the class, it was time to spar, and he puts me with a 150-pound brown belt woman that was half my size. She was about 50, 55 at the time, half my size, twice my age. And I'm thinking, they must be screwing with me or something, you know, maybe making me feel good or whatever. So as we started doing that, you're sitting there. I'm looking at her going, okay, I don't want to hurt her. We shake hands and go. I don't really know exactly what to do, but I know I don't want to hurt her. And I don't even remember the move she did on me. Probably some kind of arm drag. She arm drags, goes right to my back, and proceeds to choke me mercilessly. And I am, like, stunned. I'm bewildered. I'm, like, tapping on my neck, like, fiercely trying to get her to stop.
And in my head thinking, like, oh, man, she took advantage of me. I was being nice. You know? And I’m like, stop.
Speaker 0 | 09:22.907
Yeah,
Speaker 1 | 09:23.787
yeah, yeah. We're going to go on a journey, right? So, like, okay, I'm going to miss the nice guy. I'm going to put her in her place, that sort of thing. We shake hands and start going. Swear to God, in two and a half seconds, she's on my back again with the exact same move, choking me unconscious. And my eyes got really big. What just happened there? And this proceeded to happen over and over again for all of, like, the four minutes of stamina I had left in my body before I was completely spent and my ego was sufficiently hurt. And so I leave the academy and I go and sit in my car, demoralized, frustrated, confused. And I sit there thinking, I have to keep training. You know, this is interesting. It's good. It's probably going to be good for me. But more than anything, I can't go through my life as, like, you know, male. You know, my man card was just confiscated. I have to come back and learn it to kick her ass. Like, anybody wants to say it's sexist or whatever, but that's just what I was feeling in the moment. So I come back day after day after day, and I'm training with her and others, and I'm learning. And it took me about a year and a half, you know, to tap her. That's really what happened. And that was a big thing. And I remember telling her, and she just started cracking up hysterically. We're, like, great friends today. But that's really when, at least getting to, like, very near, I think it was getting near to the blue belt by then. But, yeah, that's kind of what kept me coming back, was that motivation. But over time, I didn't really care a lot about the belts. I think the purple belt was meaningful to me. And so was the black belt. But after that, I didn't care. I just wanted to get good.
Speaker 0 | 11:03.978
Yeah, like a lot of people, like I was talking the other day, because, you know, I'm, like, in the masters, like, I'm 41. So if I go to a tournament, I can actually, like, sign up to be in the masters, you know, tournament part, which is, like, you know, 41. But when you become a black belt, it's like everything starts there, because there's however many thousands of black belts now. There used to not be a lot, but there's more now. And you could be going up against any number of black belts that has, like, seven stripes on his belt that's just going to murder you. And especially in the masters ones, because these are grizzled veterans. They're only masters because they've been doing it for 20 years. It's not like they really lost a step since 30, probably. Yeah, yeah. Have you ever had to use it in real life? Have you ever had, and now that you, you know, you're a black belt, have you ever had, like, a really kind of scary situation, like an awkward situation where you could have been out in the back alley somewhere and actually had to use it?
Speaker 1 | 11:57.509
Not normally. I've only really had, you know, since my jiu-jitsu career early on, two bad experiences like that. And both were actually in a jiu-jitsu academy. So my work requires me to travel a lot. So I like to say I travel the world, meet new people. I feed them. I do my work. But I've visited literally a hundred academies around the world. And usually I try to stick to the jiu-jitsu academies where they wear gis, because there's usually less ego problems and things like that. This one time I was in Atlanta and I had to go to an MMA gym. I'm not opposed to an MMA gym. It's okay. If somebody's world class, they're probably not going to hurt you. It's the muscle heads and the MMA fighters that maybe have two years of experience, those are the ones that you have to worry about. And, you know, culture is a big deal in the academy, because it's an injury-prone sport to begin with and you need really good training partners. You don't want them to fight you. They want to train with you and treat you as a training partner. But an MMA place isn't always like that. So I got paired up, you know, because I was doing, you know, the instructor was not terribly attentive, which is a telltale sign of culture. But he pairs me up on purpose, because I'm an outsider, with, I guess, one of his fighters, the stereotypical MMA guy, you know, ripped, 220, you know, gnarled ears, tats everywhere, that sort of thing. I guess he's used to, you know, rolling people over. So I'm looking at him, right, and I'm sizing him up going, wow, he looks strong. He looks bubbly in terms of muscles, ribs. He probably doesn't have a lot of stamina, because it takes a lot of oxygen to run that amount of muscle. So I'll just see what he's got, and I'll just take it easy. So he comes forward real fast with, like, almost like a double leg. And I just want to, you know, just like the
brown belt showed me on my first day, just arm dragged him and put his neck on the way by, and I had him with a rear naked choke in about five seconds flat, which, I guess, really annoyed him, you know. And so he was really, uh, blue belt level and no more, you know. I was also just going to be cool. But during our next session, he was really trying to hurt me. He was, like, grinding his elbows in my face, you know, doing all those, you know, chin and eye sort of crap, right? And, like, I'm not going to tap to it. He's just trying to hurt me. So I decided to run him into a steam room, you know, to cause him to exert more than I was. Then I started dropping knee on stomach into his ribcage to make sure he was suffering the whole thing. And I was pulling eyes at him and pulling his head just to make sure he was fighting vitamin attack. But I could see he was in the next option, but there was going to be a problem. Because I let him up again, he goes right back to his same tactics. And, you know, I can just feel it. There's going to be a fight. So I'm doing the whole risk management thing in my head going, okay, while I'm training with him, the clock's ticking down. I'm looking where my stuff is, because it's time for me to leave. Because he's really paying attention. So, you know, when the time is right, I slip right to his back and I put him to sleep, knowing he's going to wake up in about 15, 20 seconds. He's going to be a little disoriented for 30 seconds after that, but he'll be fine. He's not going to be hurt. So I put him to sleep. I stand up and walk directly over to my stuff. And now that he's sleeping, he's no more of a threat. And I'm now mostly worried about the instructor and the other students. So I'm keeping up with the instructor as I'm walking out the door. And I can see the instructor look at me, confused. He's going, like, where are you going? We're not done yet. And he sees me.
Speaker 0 | 15:29.755
I’m out.
Speaker 1 | 15:30.736
Yeah, he sees this guy sleeping on the mat, and he looks back at me, and I kind of give him a look like, you can let me leave, because you knew what you were doing, or we can escalate. What would you like to do here? And most people get the quick back-and-forth look. And he goes and attends to his guy, and I grab my stuff, and I was out of there. So that was probably the closest to a real encounter.
Speaker 0 | 15:50.366
Yeah, the egos can get crazy. When I walk into my school, there's a nice little laminated sign right before you jump on the mat that says, number one, every dog has his day. So yeah, so my coach is Dan Simler. He was on the UFC, on the show. But anyways, it's a great school, man. We'd love to have you anytime. Yeah, I mean, please, you know, fly out here, it'd be great, or, you know, I can fly out there. I'd love to go. Now, is it all right if I pigeonhole you and throw some stereotypes into the mix? I mean, you're in Hawaii. Do you surf?
Speaker 1 | 16:30.096
Yes, it’s kind of like pickup basketball. Everybody in Hawaii surfs a little bit.
Speaker 0 | 16:35.398
You got to, man. I mean, you know, my parents have a house in Maine, so I grew up on the ocean in Maine, so I surf every now and then, but it’s great.
Speaker 1 | 16:44.322
You would absolutely love it here. Paddleboarding is a big deal. Just go out there and do it. There’s a hundred beaches. Go for it.
Speaker 0 | 16:53.266
Man, I got to figure that one out. Okay, so, you know, to get on to something, this is supposed to be a technology show, to get on to something very important. You know, you two came after, I mean, you were a hacker first. Give me just, did you grow up with computers? Or, you know, first of all, let's talk about something more important: how did you hack into Microsoft and Google? Because I think a lot of people have this stereotype of a hacker being this, you know, like what you see, like a guy in a hoodie sweatshirt, and it's dark, and he's sitting in front of a computer, and he's, you know, running all these algorithms and numbers, and he's hacking into, like, a mainframe system. And I would imagine that the majority of people hack in due to human error. But, you know, I'll let you answer that question. How did that happen? Like, how did you hack into the Facebook or, you know, just pick one of them.
Speaker 1 | 17:51.519
Um, yeah, that's a great question. I think the first thing to point out is that there really are, you know, like the stereotype of the hoodie in the basement and that sort of thing. That stereotype out there, it absolutely exists. And some of them are good. But predominantly, there are no whiz kid hackers like that. Just like jiu-jitsu, the true skilled professionals, it takes a long, long time. Usually guys that are really good are going to be in their late 20s, early 30s, or even older, because they've been doing it for 20 years. Because here's the thing, hacking into something like Facebook, Google, or Microsoft, it's against federal law. I mean, everything that I do, a lot of what I do outside the public speaking stuff, it's against federal law. And what happens is it makes it very difficult to practice without going to jail. So what happens with a lot of the young kids, unfortunately, is they hack and they're experimenting and they're trying things. They don't really do any harm, but they do commit a federal crime and they get busted and they can no longer hone their craft. So there's been a few of us along the way that have managed to find work in a way to practice on these large systems and hone our skills over the last 15, 20 years until we get really, really good. And so, you know, I got my start in hacking kind of by coincidence when I was about 19. You know, there were news stories that broke that somebody had found, a long time ago, had found vulnerabilities in Yahoo and eBay. I wanted to learn how they did it, but also what the defense mechanisms were. So one day, you know, when I was 19, I signed myself up with a brand new Yahoo Mail account. This was like '99. And I proceeded to try to break into it. And the way I did it is a tiny bit difficult to describe, but you'll get the chance. Web pages are made up of HTML and JavaScript, the coding behind it.
Speaker 0 | 19:42.506
Yep.
Speaker 1 | 19:43.186
So I put in a little bit, a snippet of my own code, into my email and I sent it to another user. It was my account still on the other side. So when you read the message in your browser in Yahoo, the code would run and it would hack you; it would actually give your account information and send it automatically to me behind the scenes, where I could break into it. So what that meant was, as long as I had this code, I could say, I'm going to send you an email, and the moment you read it, I know your account; it was mine. And it was just a very simple way to show what was possible. So yes, I did hack Yahoo Mail, quote unquote. I could hack into any one of 120 million users. My experimentation was, what was the new technique? What could I do? What could I learn? And then how could I communicate it over to Yahoo so they'd fix the problem and everybody could have a better experience using the web.
Speaker 0 | 20:37.368
That’s awesome. So what did Yahoo say?
Speaker 1 | 20:44.710
So it was an interesting dialogue. I sent it over to Yahoo, and I sent my note to them anonymously because I had a good job, I was going to school and all that sort of thing. I didn't want to jeopardize anything because I didn't know what I was doing. It was a federal crime, and it's certainly not a conversation you want to have with a federal prosecutor. So I get back, somebody from Yahoo had emailed me back saying, thank you very much for letting us know about the problem that you submitted. We have a few questions about it. And we know that you want to be anonymous, but let us know if we can send you a t-shirt. And I can tell you right now, that was the greatest day ever. I got to hack Yahoo in my spare time. They thanked me for it. They took it seriously. And I was going to get a t-shirt. This was like the most amazing day to me ever. And so I'm having this back-and-forth dialogue with Yahoo, and they're saying, if you know of any more issues, let us know. So I took that as permission to act mercilessly, which I did. I sent them issues. And I found out later the person I was communicating with was one of the two founders of Yahoo. And that led to someone on their security team in recruitment saying, we would like for you to come up and interview. Subsequently, they offered me a job. So that started my career in hacking. My job when I got to Yahoo was to hack everything that Yahoo had in sight, with impunity. So I had the quote-unquote license to hack anything that they wanted.
Speaker 0 | 22:12.138
That is awesome. Yeah, there's kind of that general thing, I don't know where I heard it, but I've heard people say, hey, if you want a really good federal government job, hack the government, but don't do anything, because then they'll call you and give you a job. You hear that a lot.
Speaker 1 | 22:30.763
Let's say that's how it used to be. It used to be that way. But now they actually have this new thing in the last two years called Hack the Pentagon. And it is a game you can play where they open-invite anybody who really wants to, to hack the Pentagon. They have a set of systems, and I think it's in the thousands now, that you can go after. You start finding problems and report them, and they'll pay you for the issues that you find. And I imagine if you impress them enough, they may hire you, or others might hire you, because they see that you really do know what you're doing. Oh yeah, and the payments can be anywhere from as low as a few hundred dollars per problem, but I've seen other people make five, six figures for things that they've been reporting.
Speaker 0 | 23:19.450
Okay, let's talk about general business folk. I'm a telecom guy. I sell telecom, okay? People hack telecom by getting into someone's voicemail password and then rerouting, or getting into someone's portal and rerouting SIP trunking to, let's not pick on Nigeria because they get picked on a lot, so wherever, to do calling cards and various different call routing stuff. That aside, I have a lot of various hospitals and medical facilities, and to me, the security and the migration with EMR records and all these different companies over the next five years, I just see a huge gap. There's just going to be so much consolidation. What would it take? And first of all, do hackers want to hack into, say, a hospital? So let's say my local hospital, like Worcester Memorial Hospital. It's a huge network of major hospitals. There's a lot of research going on. There's a medical school. There's a bunch of hospitals. How long would it take someone to hack into a hospital and get patient records or take whatever the heck they want, in kind of a regional, maybe non-NFL city area?
Speaker 1 | 24:28.910
So I'd have to ask a few more questions. So, just the average hospital, and remotely over the Internet?
Speaker 0 | 24:37.853
Sure.
Speaker 1 | 24:39.313
And are we talking an actual adversary or something like a test, like if you wanted to see if somebody could do it? Which one?
Speaker 0 | 24:47.941
Well, first of all, I want to see if someone could do it. But yeah, an actual adversary. And first of all, because I was looking up some of your bullet points and HIPAA was one of them. Do hackers want to hack into a hospital and get patient information? Just curious. Is that like a big... yeah, okay.
Speaker 1 | 25:03.784
For two reasons. The first one is that hospital records are fairly accurate with respect to personal and private information that they can monetize with identity theft and other things. So the data itself is very valuable to them. The other one is that they've been making a lot of money on holding hospitals down. They encrypt all the data on the network until the hospital pays money to unlock the system; we call it ransomware. And hospitals all over the world have been compromised that way over the last two years. Some have had to pay somewhere between $50,000 and $100,000 on up to make sure operations get back in shape. So yes, they're definitely a target. So to answer your question, it depends on what the attacker's motivations are, what their goal is, but it's going to be under 12 to 24 hours normally.
Speaker 0 | 25:58.401
Now, let’s say they bring in someone like yourself. What can you do to prevent it?
Speaker 1 | 26:05.865
It's a difficult one. So when you break into a system, your mode is, I'm just going to find one way in, the fastest, easiest way in to get what I want. When you're playing defense in that environment, what you're trying to do is find and identify all the ways in so you can patch them up. So what the process really is, is understanding what it is that you want, where all your servers, computers, and data are, figuring out what it's worth, what's on it, its value, what the ways into all those things are, and then you proceed to try to lock it all down. Maybe it requires patching or reconfigurations or turning systems off or redoing the network. So it's hard to give any generic guidance to any one organization. But it's that same, very straightforward, common-sense process. Find out what you own, what it's worth, what it's at risk to. And once you find out the gaps there, then you can proceed to lock down anything that you want.
Speaker 0 | 27:03.169
Now, I would imagine general human interaction and training would be part of that equation as well.
Speaker 1 | 27:10.151
It has to be. But what you're trying to do with technology and the right systems is make it so it's forgiving of the user for mistakes, because people are fallible and they're going to make mistakes. And if somebody misclicks something, you don't want the whole hospital network to go down or patient records going out. So it has to be a bit more forgiving and resilient to human error. So we train the users, or the employees, as best we can, but then we still have to make sure the system is secure in the event of mistakes.
Speaker 0 | 27:39.749
Awesome. So basically go through a hierarchy of what things are worth. I would assume you start with the stuff that's the most valuable first, lock that down, and go down that path.
Speaker 1 | 27:51.096
Yes. And then, as your litmus test, this is where you bring in, not so much me today, but guys like me that are trying to crack the system. They call them penetration testers or vulnerability assessors, and they're constantly battering your system to find the weak spots. So anytime you mess up, it's better that they find it first and communicate with you than somebody less desirable. So at the end of the day, you need that litmus test. You need that, someone going after you.
Speaker 0 | 28:19.296
How does a layman, and when I say layman, they might not be a layman, they might be a CTO of a major, maybe medium enterprise-level company. How does a layman sift through and even know where to begin with security? Because I can tell you right now there is a ton of white noise. It's like talking about the cloud. It's like, you've got to move to the cloud. It makes no sense. We call it the fog. We joke around, we call it the fog, right? Because, well, which part of the cloud are you talking about? Are you talking about your Gmail account? Because that's in the cloud. It's the same with talk about security. Like, hey, we're going to worry about security. Now, obviously, the IT director is going to know a lot more specifically where his weaknesses are. But how does someone in a larger network, where there might not be a lot of clarity around the network and what's going on, there might be multiple parts patched together, and then there might be a merger, and someone gets fired, and another guy comes in, and it could be... Where does someone begin, and how do they even know how to evaluate or go get a good security company?
Speaker 1 | 29:33.157
Sure. It's a complicated question, but I can just tell you the way that I would do it if I was in those particular roles. First, you have to understand the business that you're in. You know it, whether it's healthcare or whatever else. And this job of a CTO or head of security is twofold. They have regulations and obligations, compliance really, which have nothing to do with security. Like we mentioned HIPAA earlier: you have to do the stuff that HIPAA says, otherwise the business will suffer financial harm. But just because you're HIPAA compliant, or compliant with anything, has absolutely nothing to do with your security posture. I can't tell you how many companies have been hacked even though they were compliant with whatever the standard was. So just like I said before, the guidance I would give to everybody is, first, figure out what you own. Get your network topology down, where all your data lives, to the most accurate degree that's possible. Now that you know what you own, you can start figuring out where your gaps are. And you just run through the process. What do you own? What is it worth? What is it vulnerable to? And so on and so forth. And that's really all that you need to do. It doesn't necessarily need to be any more sophisticated than that. But when it comes to actual defenses, then you can play the risk-reward game. Because certain defenses and activities, security controls, can be kind of expensive. So if you can see how difficult it is for the hacker to break into a certain area, you can say, well, I could put this defense in place, or I could put that defense in place. Which one makes the most sense? Which is the cheaper one? Which is going to give me more bang for the buck? And that is the right conversation.
Speaker 0 | 31:12.347
Gotcha. Now, right now, you're chief of security at SentinelOne.
Speaker 1 | 31:19.060
Chief of security strategy. So I help customers strategize their defenses. I tell them what the bad guys are up to, what they’re after, and some of the things, just like we’re doing now, that they can do to protect themselves.
Speaker 0 | 31:33.586
Gotcha. And now you guys basically put together the plan or the roadmap. You don’t actually come in and do it, or do you?
Speaker 1 | 31:41.850
It's certainly one that's a very narrow scope. Most of the time in security, you can bring in a security company, a big integrator that has a whole lot of vendors that they work with. So they bring in their bag of tricks for all the vendors. But I'm a product vendor. So most of the security companies are single-solution. So in the case of SentinelOne, they are what we call next-generation endpoint protection. It's kind of like antivirus on steroids. It's more than just antivirus. It's a whole lot more. So our job is to protect computers from getting infected with viruses. At the end of the day, it's as simple as I can make it. And so when I communicate with CTOs, CISOs, CEOs, I go, okay, this is what the world of malware looks like. This is who's behind it. These are the tactics that they're using. Our product does X, Y, and Z to stop that. And this is what I think you have to do in order to not get infected.
Speaker 0 | 32:35.076
Are you guys a license-based sales model, like per license?
Speaker 1 | 32:38.838
Yeah, it's licensed on a per-endpoint or per-computer model. We like working with small businesses all the way up to the mega-corps. The technology is absolutely fantastic. I wouldn't have joined otherwise, because I founded a very large company beforehand. But I wanted to get into the anti-malware space because it really needed help. We've been doing antivirus for 20 years and the problem has only gotten worse. And there are very good reasons for that. And this company just had a better mousetrap, a better way of going about it. And furthermore, they were willing to guarantee their results. So one of the reasons I was brought in was to design a product warranty for them, which is pretty much unheard of in security. Meaning if you buy the product and use it as recommended and you still get infected, there's a $1 million warranty standing behind it. It's completely unheard of in the industry, but that's how confident we are in our metrics and our stats that the product does work.
Speaker 0 | 33:34.752
That's a pretty good warranty. Unless someone wires out 1.2 million by mistake due to some malware thing. So, why don't you explain again, for the layman listening to this. I think we all know, like, Malwarebytes, or download this for free. I mean, I think most people have done that, but they've just kind of done that to prevent pop-up ads on their computer from back in the day when we used to use Netscape or whatever. But do you want to give me a general picture, like, malware today, what is it? If you're going to explain that to someone in one or two sentences, what do they need to hear to know?
Speaker 1 | 34:07.312
Malware is short for malicious software. It's software that does something to your computer that you really don't want it to do. It might encrypt your files. It might steal your passwords and liquidate your bank account. It's any software that you really didn't want on your computer. And it spreads very fast. It spreads very easily all over the place. And for consumers, here's the real issue for the consumers: I can't even give you a good product for consumers that works. So if I was giving a consumer guidance on how not to get infected with viruses, I would tell them: one, install an ad blocker. That's huge. Make sure your machine is up to date on patches. Uninstall Flash and Java, because that's a major harbinger. And install two-factor authentication on all your online accounts. And with that, you're going to be safer than 99.99% of everyone.
Speaker 0 | 35:03.555
My dad said to me the other day, he calls me PJ, hey, PJ, is it normal that I've had to replace my credit card eight times in six months? I'm like, no, Dad. Would this have stopped the old crypto virus, you know, the fear of the Russians logging in and locking all the files down, like you said, and then charging you $50,000 to get your business back online?
Speaker 1 | 35:27.675
There’s no guarantee. So if you’re running a small business.
Speaker 0 | 35:31.686
But there is a guarantee. Let's be honest, there is a guarantee with you. A $1 million guarantee.
Speaker 1 | 35:36.128
With me, there is a $1 million guarantee. I know the math very well. I've had to deal with these guys a long, long time. So I know what they're capable of and their tactics. So if you're a business and you're able to invest in security, then there are really good products out there that you would enjoy. I'm one of them. But the consumers are in a tough spot. The only other one I would add to that, the piece of guidance for both normal everyday consumers and businesses, is to deactivate or disable Word and Office macros, those little automatically running programs in Excel or Word. Those are amazing for viruses these days, and most people just don't know that. If you can disable that on your computer, you'll be light years beyond it. And that feature, almost nobody uses it anyway, so you don't need it. So uninstall Java and Flash, deactivate macros, install an ad blocker, use two-factor authentication. Those four or five things, whatever it is, and you're good. It's just highly unlikely.
Speaker 0 | 36:48.574
Okay, so in order to summarize the amazingness of this show: number one, go down the street, find a jiu-jitsu studio where the instructor pays attention to people and there are not crazy people that you're going to have to choke out and flip out the back door. Number one. Number two, if people wanted to get a hold of you?
Speaker 1 | 36:58.342
Sure. If people want to reach out to me directly, search my name on Google or go to jeremiahgrossman.com. There are tons of ways to hit me up there, whether it's email, Twitter, Facebook, LinkedIn, whatever. So I'm always available like that. Or you can do the same thing directly on the SentinelOne website. Do a search for SentinelOne, and they have many different ways to get in touch with them to get the product, you know. So we can help you do that. They can help you directly. But either way, we definitely have people to try out the product. We have hundreds, if not over 1,000 customers now, and the company is only like two and a half years old. So it's been a wild ride so far. I'm enjoying this.
Speaker 0 | 37:45.430
So if anyone wants to get a hold of you, they can certainly contact me as well. Obviously, you can get a hold of Phil Howard at phil.howardsales.com. You can find me at thehowardstrategy.com as well. Just enter your information, put down, hey, I heard the show, I'd like to talk with Jeremiah or talk about security. Enter your information. I'll certainly put you in contact with him. Jeremiah, if you had one other message to deliver to the public, what would that be? And it can be two messages too, or it could be something about Jesus too. It could be about security. What is that?
Speaker 1 | 38:21.910
You know, I think what I've learned most in my time in computer security was in jiu-jitsu. And I'm sure somebody said it before, but it's embracing the grind. It's 1% better every day. Very little of what I've learned in hacking is technically, cerebrally challenging. Meaning it takes a real intelligent person to grasp 99.99% of it. You just break it down into small chunks. You learn that thing and you learn a bit more the next day and a little bit more the next day. And jiu-jitsu is the same: one or two moves every class, 1% better, and you just keep doing that every single day. And maybe that works in every walk of life, but if you're willing to put in the time and grind it out and be consistent and disciplined and humble, that's going to take you so far, probably more than most anything else that anybody could ask for. It's just that determination to not stop and improve every day.
Speaker 0 | 39:20.474
That was the mind-blowing moment I was looking for. 1% better every day. Really, if people could just wake up every day and do 1% better, it's just a tiny bit more. There's no fallback.
Speaker 1 | 39:30.462
You just keep going after it, and you keep going after it. And in jiu-jitsu, I mean, you've probably experienced this. I'm not terribly concerned about the guys that are bigger, stronger, even better. I'm always concerned about the other guy who will not stop, who comes in every day, gets his ass kicked, and comes back and does it again and again and again. Because I know there's going to be one day, he just has that drive, and I'm never going to beat him again, because he's going to keep doing it. Those are most of the people you fear, the ones that do that and do not stop.
Speaker 0 | 40:04.546
Oh, man, they're upset because you're tapping them in the beginning. They keep coming back and you're like, no, this guy is going to tap me someday, and that's going to be it. I know exactly what you're talking about.
Speaker 1 | 40:13.948
It’s going to be the last time you tap them. Like, they’re gone. Like, it’s the self.
Speaker 0 | 40:21.511
So true, man. Hey, this has been a pleasure, man. Thank you so much for being on the show. I may have to ask you back for another show sometime if something comes up. I was thinking maybe we'd do a demo someday of you hacking into something crazy, and we can post that.
Speaker 1 | 40:37.124
We should definitely set that up for next time. It's been a pleasure. And can we sort out some kind of a cool hacking demo for the audience, of some kind? I have a few tricks up my sleeve.
Speaker 0 | 40:48.088
All right, man. Hey, thank you so much for being on the show.
Speaker 1 | 40:50.589
My pleasure.
© Dissecting Popular IT Nerds INC