
HACKING THE PENTAGON, BLACKHAT SECURITY AND US DEFENSE
August 18, 2022
S02 - E11
Alex and RSnake discuss the Blackhat security conference, RSnake's interactions with hacking the Pentagon, how the press gets the military wrong, balkanization of the Internet and much more. Alex also discusses the issues around hiring talent in the military and how Alex deals with the stresses of a family life on top of keeping the nation safe.
VIDEO TRANSCRIPT
Robert Hansen
For the season two finale, I woke up at the crack of dawn to fly halfway across the country to Sin City, Las Vegas, Nevada. Specifically, I'm flying to the Black Hat Security Conference, which is one of the largest and most well-respected security conferences in the world to meet up with one man, Alex Romero.
Alex is a true American patriot and a very interesting person to interview for this podcast due to his role at the Pentagon. We discussed the Black Hat Security Conference, my interactions with hacking the Pentagon, how the press gets the military wrong, balkanization of the internet, and much more.
We also discussed the issues around hiring talent in the military and how Alex deals with the stresses of family life on top of keeping the nation safe. And with that, please meet Alex Romero. Hello and welcome to the RSNAKE Show. Today I have with me Alex Romero. How are you, sir?
Alex Romero
I'm great.
Robert Hansen
Yeah, you look great.
Alex Romero
Thank you.
Robert Hansen
Look at this. This is amazing. So, you and I have known each other for quite a while. I was trying to figure it out the other day. It's like 7, 8, 9 years, something like that.
Alex Romero
At least that long.
Robert Hansen
Yeah. Maybe longer. I don't know. It's been a while.
Alex Romero
In the WhiteHat Security days, whenever that was.
Robert Hansen
Yeah. Maybe longer. Maybe close to 10. So, we are here on site and location at Black Hat. We're at the Delano Hotel today. Delano, depending on how you want to pronounce it.
Alex Romero
I've heard it both ways.
Robert Hansen
Yeah, me too. And because this is the Black Hat Security Conference, which is one of the largest, in my opinion, probably the most professional security conference in the world today anyway.
And you are presenting tomorrow at the Chief Information Security Officer event, the CISO Summit. But before I get into all that, that's how we come to be here together, because we're both at that same event. But before we get started on that, I wanted to tell a little story.
It just kind of cracks me up. About the Hack the Pentagon program. So, I'll tell it my version and you can correct me if I'm misremembering any details here or there or whatever.
Alex Romero
It's been a little while.
Robert Hansen
So, the Defense Digital Services came to town when Ash Carter was in town, Austin, Texas. And he was the Secretary of Defense at the time. And I was invited by the head of the digital services to attend. And it was very weird because I was the only security person there.
Everybody else was like a business person. And the one person who had actually broken into anything. It was a bit of a strange meeting in general.
But then, that's where the Hack the Pentagon program was first announced to me, kind of in private. Like, "Robert, we're going to do this thing, would you be interested in this thing?" And I said, "No." I had no interest whatsoever. "Nope. Don't care. Don't want to do it. Nope."
Because even at that time, I knew what would end up happening is there'd be like four IP addresses and they're like, "Robert, go hack these four IP addresses." I'm like, "What am I doing? Why am I wasting my time doing this thing?"
Fast forward a couple months and I got another call from, I think it was you at this point saying, "Hey, Robert, we're doing this Hack the Pentagon thing, you should do it." And I'm like, "No, I'm not interested. Don't want to do it."
Alex Romero
That's right.
Robert Hansen
Because again, I don't want to get angry and I know I'd be angry if I was given five IPs or whatever it is.
Alex Romero
It's a waste of time.
Robert Hansen
It's a waste of my time, and I'm past this point of my career, where I care about that kind of thing. I'm not trying to prove myself anymore and whatever.
Fast forward another month or so, and I got another call from digital services like, "Hey Robert, we really want you to do this thing." I'm like, "I'm not interested. I do not want to do it." Like, "No, it'd be really great." "Nope."
So, that was the third time. And then, you convinced me, you're like, "Robert, no, really, you have to do this."
Alex Romero
Yeah. Literally trying to change things.
Robert Hansen
And so, at that point, just because it was you and not because I wanted to, I said, fine, I would do it.
Alex Romero
Thank you.
Robert Hansen
Oh no, don't thank me yet.
Alex Romero
There's more to the story.
Robert Hansen
So, I'm back in LA working with one of my companies I did some work for. And I was supposed to go out to a dinner meeting with a friend. Actually, I had never met this person before in person, but I was supposed to meet them for the first time. They couldn't make the meeting.
And this is on a Wednesday, I believe. The Hack the Pentagon program began on a Sunday night if memory serves.
Alex Romero
Yes. Midnight. Such a bad idea. I had no sleep.
Robert Hansen
So, for the people who are listening, the worst thing you can do in a bug bounty program, which was what it is, is wait.
You want to do it immediately as fast as possible and start breaking into things as quickly as possible if you want to win. And the whole point is to get there first. It's capture the flag.
Alex Romero
First to find.
Robert Hansen
Yeah. First to find it. So, Wednesday afternoon, I finally realized I wasn't going to be going to this dinner after all. And this is at lunchtime, I think, and I'm sitting there and I'm like, "I should probably log into this thing to figure out what it is. I've not even thought about this thing."
So, I log in and it was like 31 IPs or something. I'm like, "That's exactly what I thought it would be."
Alex Romero
Well, it was domains as well, wasn't just IPs but yes.
Robert Hansen
Anyway, so I found one issue and I uploaded it and it was kind of a nothing burger. It was end of lunchtime and I was busy doing other stuff.
So, I got back to my hotel and I was kind of bored because I was supposed to be going to this dinner thing and it didn't end up happening.
So, I'm like, "You know what? I should log back into that thing." So, I logged back in and I saw that it was accepted, but also for that exploit to work properly, I had to find another sub-domain with an issue on it. The way the issue was related to. I had to find something else.
Alex Romero
It was a scoping issue.
Robert Hansen
Yeah. Scoping issue. So, I looked into my dataset that I had and I found 137,000 sites that could potentially be vulnerable. Whether they were or weren't was kind of irrelevant.
And so, I uploaded that list and then I'm like, "What am I doing? This is such a waste of time."
So, I uploaded, well over a million things that I knew about the DoD and the military into the system and I found like Minecraft servers and firewalls that weren't made anymore and printers.
I can't remember if I put it in the ticket or if I sent it to you directly, just like, "Look at this stuff." Or something like that.
Alex Romero
I remember one specifically, I was curious. It was coffeepot.hq.af.mil, I believe. I think that was one of them. That was in the list. And it was like, "What is that? Why is that out there?" The Minecraft server as well.
Robert Hansen
On the 10th Fleet. And so, at that point, I was kind of just done. I'm like, "I've spent too much time on this already kind of deal."
Alex Romero
And by the way, none of this stuff was in scope.
Robert Hansen
Not at all. Not even vaguely.
Alex Romero
You went completely off the wall. Way off scope. Like you could not have gone more off scope.
But still, I had asked you to join because we knew this was going to be a thing and we were trying to change behaviors and we were trying to make them wake up to the fact that there might be more out there than just these five websites that were at the initial scope. And you sure as hell did that. You sure as hell woke them up to the fact that maybe there's some other problems out there.
Robert Hansen
See, I liken myself to being a painter. If you say like, "Here's this 2 inch by 2 inch square, paint it exactly this shade of blue." Like, "No, no, no."
Alex Romero
You won't even paint in the square, it will be everywhere else.
Robert Hansen
I'm painting down the street on the car next door.
Alex Romero
That describes you well.
Robert Hansen
So, fast forward, I don't know, month or so. No, actually this, this is all within a couple of days at this point still.
So, I got a letter from the Bug Bounty program company, the company that ran the system. And they're like, "Well, this one issue is a real issue, but the other one, we can protect you if you stay within bounds." And this is nowhere in bounds. Like, you are not even close to being in bounds.
And frankly, I was very annoyed, not at you guys, but at them. And I'm like, "Does this mean that I'm going to go to jail over this? I feel like I've just actually improved national security." And so, I get home and my wife at the time was pissed and I was pissed.
Like, "Am I really going to go to jail over this of all the things to go to jail over?" And so, I remember talking later on.
So, the digital services came back into town and I remember having a conversation, I believe it was with you. We talked the general off the ledge. He's not going to put you in jail. That kind of thing.
Alex Romero
There's definitely some conversations that were had about some people did not take kindly to that because we had to be very careful. It was a pilot and we wanted to show that these hackers can be trusted. They can paint within the box.
And you had like this crazy painter, who was painting just beautiful paintings, but not within the lines. But it was useful.
Robert Hansen
So Eric Fanning, Secretary of the Army was in town. And this was actually the day he announced he was quitting because of Trump. He was openly gay and he didn't feel comfortable with the Trump administration, so he was stepping down.
But he also was interested in this program. And so, I'm backstage before all this in the green room, talking with the digital services people and their conversation with me went something like, "Oh, everything was so great with it." I'm like, "No, no. Things did not go great.
Hold on." I said something like, "Do you really think it'd be good to put RSNAKE in jail for hacking the Pentagon during Hack the Pentagon?"
And they're kind of hedging, kind of humming and hawing a little bit about it. I'm like, "No, it's, it'd be like dropping a nuclear bomb on the Pentagon. It'd be open season, it'd be terrible. Think about the negative publicity.
It'd be awful. And if you just rolled up with these black vans..." I'll never forget to this day. This makes me laugh. They're like, "Well, first of all it would've been camo vans, not black vans."
Alex Romero
Obviously digital camo.
Robert Hansen
And so, later on I was talking with Eric because he was back in the green room after his presentation. And again, I was the only person there other than Katie Moussouris, who had ever broken into anything. And so, I was dressed like this. Kind of non-descript, business-looking person.
And he's like, "So what do you do?" And I'm like, "Oh, I'm one of the guys who hacked into the Pentagon." He's like, "Oh, you don't look like that." And it suddenly occurred to me that he was gay. And I'm like, "Maybe I can make sure that I don't go to jail."
So, I'm chatting him up and I start telling him about this. Like, "What happened?" And one of the digital services people, I forget who she was. One of the top people over there. She's like back there like, "Stop talking, Robert. Stop talking, we want to make sure it goes well."
Alex Romero
It was the first one. They had to make sure everything was...
Robert Hansen
At that point, I knew I was safe. Once I was getting protection from inside, I was like, "Okay, all right. I think everything's all good to go." So, that's my version of the story.
Alex Romero
I hadn't heard all that. That's actually somewhat new to me. Parts of it, absolutely. On the other side, we were about wanting to make sure this first... It was a pilot. In any pilot, you're trying to prove out what works, what doesn't work.
We wanted to show how researchers could stay within the lines. And in this instance, you obviously didn't at all. Not even a little bit. But it started another conversation. A conversation that needed to happen, which was around compliance checklists and scope being a thing.
A hacker never said like, "Oh, that's not in scope. I'm not going to go after it." A nation state never was like, "Oh, well that's not in scope. I'm not going to..." No, they're starting to go after that thing.
And so, we need to start thinking about really our adversaries and also using the program like this in the same way. And so, it really actually helped to kind of get a wedge in a door to start a conversation.
Well, we didn't have a vulnerability disclosure policy at the time. We had ways of taking information and securing systems, but no way for the public to really just tell us about it.
And so, at the time there's this notion of we needed to see something, say something. We really needed a way for folks to just be able to freely tell us about our vulnerabilities and then not worry about going to jail, getting wrapped up in a carpet or whatever.
Robert Hansen
Oh, there was going to be a carpet?
Alex Romero
Maybe, I don't know. I literally heard some other researchers tell me that, like, "I don't want to participate in this program. We're all going to get rolled up in a carpet taken away in the digital camo van."
Those are some of the concerns. That you're doing this to create a list of names and I don't know what you're going to do with those names.
So, there were concerns on both sides. Absolutely, the Pentagon had concerns. Not that I'm speaking for them, but they had concerns internally just from the perspective that I was operating from. But the researchers, my friends, folks I knew like you had concerns also.
And so, it was trying to sort of attenuate on both sides what those concerns were and just kind of bring friends to a table in a sense to improvement.
Robert Hansen
Well, for one, I'm very glad you did run it because I think that that... So, now it's a policy.
Alex Romero
Yeah. I mean, me with a whole bunch of other folks, I don't claim just that I did.
Robert Hansen
No, I know. But now it's a policy. Like one guy went deep and I went wide.
Alex Romero
Well, that is true. There was one other issue that was found that essentially was a bypass. Basically, they couldn't get through the front door.
One of the issues was on the defense.gov and they couldn't get to it because we had really good protections on the front end through our content delivery network. And they kept going through the front door and they couldn't get to it.
So, they found a way completely around the front door. And it was fascinating the way that their minds worked, essentially.
That was another one of those instances where like, we didn't even write the scope to consider that there could be something that was that far around the backside that they could get in that way.
Again, all these things sort of highlighted deficiencies in our ways of thinking, and they helped to actually have conversations around how to really do security in a way that was different than what we were doing at the time. So yeah, nobody got taken away in vans.
Robert Hansen
No. Not that I'm aware of. Here I am. At least for a few more hours.
Alex Romero
There were conversations around like, "Well, we don't think this was the right thing." Or if folks got out of scope.
But then, we had conversations both with those researchers and we were able to mediate and get to a better answer than anything that actually caused long-term impacts to our relationship because all this, at the end of the day, was way to build relationships. And I think it worked.
Robert Hansen
I think it did too.
Alex Romero
Took a long time, but I think it worked.
Robert Hansen
And now you have multiple programs. It's not just one. It was just hacking the surface area of the Pentagon, but now it's all kind of... Like satellites was one I saw you do.
Alex Romero
Yeah. I think it raised awareness. This was a mechanism, this is a tool and a toolbox. There's many different tools that you could use. This is one.
And so, the Hack-A-Sat event that was started out of... Well, it has a little bit of a longer story, but essentially we started with wanting to test out more things.
So, every time I ran one of these bounty events, I really wanted to play around with the different parameters around how you run one of these things.
One, I get bored pretty easily, so I didn't want to be bored with just running the same business system test over and over.
So, I wanted to run new tests on new systems and then just change parameters around scope, size, types of assets, complexity. And so, each one of these tests, at least for a good number of them, were all kind of different.
Robert Hansen
Can you name some of them just so the audience knows?
Alex Romero
Oh, sure. Well, multiple Hack the Air Force events. We did Hack the Marines, Hack the Army. We did this thing called Hack the Machine with the Navy.
That was an interesting one where we actually took 3D printers that were going to eventually end up on Navy ships. And they wanted to test out whether or not these things could be trusted. Long story short, no.
You could do all sorts of really fun things with 3D printers that would blow your mind. I'll tell a quick short story on that one because it was really fun. Because I hadn't even considered this to be a problem. This one researcher, this is a day and a half long event, and this one researcher ensuite from another research company. He proved that he could basically print out...
The idea was you print out like a serrated knife on the inside of this 3D printer, and then you use that knife to sort of cut into itself and you overdrive the motors in the wrong direction to destroy itself. And you could do other things like getting into the Cloud service that this 3D printer sort of operated from and then pivot across. You can do all sorts of really fun things with 3D printers.
Actually, another really fun one, in that same event, this happened in a day and a half. A researcher found that he could actually keep the CPU in such a state that it actually caused it to catch fire. And so, have a picture of the CPU actually where it started catching fire.
Robert Hansen
Smoking.
Alex Romero
The magic smoke came out of the box. And that was just fascinating that in such a short period of time these researchers were able to find stuff and then at least give us a sense of what the risk would be if we put them onto ships.
The TADS, the trusted aircraft download system, I think was another one. These are all public things that people want to go look them up. They can. I call it sort of a hard drive toaster. And essentially you would take these hard drives and they would take sensor data either to or from F15 fighter jets.
And we wanted to make sure that this device that was built for and with government requirements was actually secure. And this is when we started getting into more hardware stuff because again, I wanted to keep, not pushing the limits, but really testing how far you could actually use this idea of bug bounties.
We started with, these websites and then you helped push limits and the bounds, what was okay there and we kept going. But with hardware and this TADS device, it was cool because the government made something that was supposed to be secure by design.
And then, when we asked researchers to take a look at it, and I'll have to be careful here with how I talk about this. But essentially they were able to find issues.
And then it turns out, even in our design with how this thing was built, there were some problems that were found within a week of having researchers take a look at like hardware devices. They were able to find and get to the essence of like, is this thing secure? Could you actually use it as a way to then get further into a more sensitive system?
That was pretty enlightening. And then, in 2019, I want to say, so that was the first test of that device, the TADS device. We actually brought them to DEF CON. Brought one to the DEF CON floor, and we wanted to sort of show folks at DEF CON in the air.
At the time it was the aviation village. It became the aerospace village. That we also needed to start thinking about the security of our aerospace and aviation.
That was a fun year because we actually brought an F-35 simulator to the DEF CON floor, which it sounds trivial to bring a simulator, but when it's in 15 800-pound boxes and you have to assemble it with like Lockheed people, it was not a trivial thing.
It was a fun event to actually raise awareness that we're doing these things in the DoD. But the real thing that we were trying to show was we're bringing in hackers. We're having them test out components to very sensitive systems, but they were not classified. Keep that in mind.
There were just parts that could eventually go into potentially sensitive systems. And so, we tested these things out a second time after the manufacturer was supposed to fix the issues and they still found more things.
So, I think what we learned from that is hardware is hard. It's in the name. It's just really hard to get it right. I'm getting to the Hack-A-Sat thing because the chief of acquisitions, probably getting his title wrong.
But Dr. Will Roper, who's head of acquisitions for all of Air Force, and he managed $60 billion worth of the Air Force's budget. And he was in the room, he's the one who helped us get the F35. He helped us get this hardware piece of equipment for F15.
And then, we went up into the room. It was actually at the Cosmo, they rented a room out to get all these hackers in one space so they could hack on these 15 boxes altogether. And when he went up there and he had a conversation, a chat with these hackers to see like, "What are you doing?
Tell me about your research. Tell me about what you've done in just the last day and a half." And they really open up to him. They had never had the opportunity and normally don't get an opportunity like that to speak to somebody that high up in government in the DoD and actually have an open conversation around security stuff.
And they were very open with him. They're like, "Why did you design it this way? Why didn't you bring us in the room beforehand and we would've told you maybe a better way to do things." And I think he really took that to heart.
I know there's some conversations afterwards where he's really thinking like, "How can we go bigger?" Him and my previous director, Brett Goldstein, they were thinking, I think about how do you go bigger than aircraft?
And then, that year everybody was talking about cyber moon shots and what's the next cyber moon shot? And so, I think they actually, it like stuck in their head or cyber moon shot. What could we actually do to take a picture of the moon?
The quest was on literally at that moment, as soon as DEF CON ended, to find an asset where they could take a picture of the moon, have hackers get onto a satellite on orbit, hack into it, and then regain control of a spinning, tumbling satellite in order to slow it down, slow its spin, take a picture of the moon.
If they could do that, if they could hack their way all the way to this thing. And there was a long story behind it. But if they could do that, then they would win the challenge. And there was one team that actually made their way all the way up to this thing in a very careful way.
I have to tell you because Kessler syndrome, if you know about what Kessler syndrome is, where you have satellites smashing into other satellites and it locks you out of space, that's a thing. We didn't want to do that.
Robert Hansen
Space debris.
Alex Romero
Space debris forever and 10,000 years, you can't get into space, whatever. Didn't want that to be a problem. So, there were these cells that would essentially look at the code before it was allowed to run on satellite.
But genuinely allowed them to essentially get onto these systems so we could learn essentially about what their techniques were and kind of what we were missing maybe. And there was a team, Poland Can Into Space, I think was the name of the team that won.
That was able to essentially show they could slow down the spin of this tumbling satellite, take a picture of the moon, and then beam it back down. And they won that.
Again, sort of proving that we were trying to expand what we could do with this whole idea of, not just a bug bounty, but a mixture of a bounty and a CTF.
And how we could just prove that there are weaknesses in space too that could be putting us at risk. Because this is a controlled environment.
Imagine if this actually were done by a nation state that wanted to do something evil or nefarious and then actually lock us out of space. So, sorry. That was a long answer to your question.
Robert Hansen
Crazy story. No, no. I asked it and I'm glad I got the answer. So, I think it's probably worth saying before we get too much further. There's certainly going to be things that I won't ask or if I do ask, I wouldn't expect an answer.
And due to the nature of what you do. You've actually held a number of titles. I tried to write them all down, the more interesting ones. Chief of enterprise security at duty, CISO, Cybersecurity directorate, digital services expert, DDS at the Pentagon. Those are some meaty titles doing some pretty crazy stuff.
Alex Romero
Yeah, I've been all over the place.
Robert Hansen
Yeah, you sure have.
Alex Romero
I don't really like titles. Man, they don't really describe well what you do.
Robert Hansen
I certainly don't describe what you do.
Alex Romero
Yeah. I'm guided by my curiosity and I just want to know how the world works really. I don't know if that answers the question that you're asking, but I've had multiple titles that don't reflect...
Robert Hansen
Well, I just think for the audience to say it's probably worth noting that we're doing a dance right now. This isn't as much as I might normally go down. If I really could ask any question I'd be asking about the aliens, obviously.
Alex Romero
All right. We'll go do that for a second.
Robert Hansen
I don't mean legal ones.
Alex Romero
So part of the Defense Digital Service, we like to have fun, right? Because that's part of having a very difficult job is wanting to have fun at the Pentagon.
So, one of my colleagues Rena Staley, she actually was able to change one of the rooms at the Pentagon. Because apparently if you submit any form in the Pentagon, you can get basically anything done. It has to be the right form.
So, she found the form to change the name of a room, one of our rooms, and she changed it to alien autopsy room. And to date, I think because I was there a couple weeks ago, the placard's still there. So, if you want to go look for it, it's still at the Pentagon.
Robert Hansen
They just let anyone in there now.
Alex Romero
No, actually they don't. But it's funny, some people who have retired, they've requested as one of their retirement gifts to just see what's in the room.
And I heard about this, so I went on eBay and I actually got a big alien with a little laser gun thing.
For years, like the first thing that you would see when you opened the door was this little alien guy looking at you with a little laser gun. So, that's the alien autopsy room.
Robert Hansen
That's really funny. So, as I said earlier, we're at Black Hat.
Alex Romero
Yes. We are.
Robert Hansen
So, for people who've never been here, and I would say the vast majority of people watching this have no context what this is. It is sort of an amalgam of the absolute crème de la crème of the security industry, and a lot of analysts and people who are just vaguely interested and are getting into it, who are trying to become professionals in it.
A lot of senior executives who are in charge of making things secure, very large companies. And you are going to be speaking tomorrow. Would you give us a little bit of an idea about what you're going to be speaking about?
Alex Romero
Yeah. I think I've touched on some of the topics here. Where this notion of like decentralized security, where does it ultimately end? Sort of what have I seen in the over 40 bounties that have been run at the Pentagon? The things I can share but also we're seeing the world change very quickly.
And I think this whole idea that we can sort of outsource some things, like some portions of cyber security to hackers that are willing to do things for money, for pride or for whatever reasons. I don't think it actually just ends with bounties.
I think if we take what we're looking at in Ukraine right now with the Ukrainian IT Army and whether they're trying to essentially find vulnerabilities in their system so Russia can't go after them or potentially find vulnerabilities in Russian systems. And the Belarusian cyber partisans, same sort of deal.
Robert Hansen
Which is also comprised of people who are outside of those countries as well.
Alex Romero
That's right. So, essentially putting a number on vulnerable assets and then putting a pricing on it. It's a pricing, essentially vulnerabilities that can be exploited and then exploiting them essentially for whatever reason, for your nation state that you're in or for someone else's purpose.
This is a trend that I think is continuing. And I think just recently with LockBit we've seen some of that as well, LockBit ransomware. We've seen the rise of ransomware. Ransomware-as-a-service, now they're even offering bounties within LockBit on personal information.
So, if you're a criminal, and I like to make the distinction between hackers and criminals because hackers, I think of as more of like my friends in the community and we used to say black hats and white hats.
I think if you start thinking of it in those terms like the black hat hackers, the white hat hackers, the good ones that comes from the West.
Robert Hansen
Spaghetti westerns.
Alex Romero
Spaghetti westerns, right? There's no other meaning. But if we want to actually delineate more and further we say criminals. So the criminals that are trying to actually find and expose ways of making money. There's always been bank robbers or ways of trying to find and exploit folks who are vulnerable.
Robert Hansen
Yeah. You remind me a little of, going back to the Hack the Pentagon thing for a second. I had a conversation with a good friend who went over to CISA. And he was all excited.
He was going over there and he was all proud of himself or whatever, and he is like, "Let's talk about what we can do." And I'm like, "I don't think you're going to get anything done when you're over there." And he's like, "No, that's not true."
Alex Romero
It's tough.
Robert Hansen
And I'm like, "I'm telling you right now, you're not going to do the one thing I would have you go do, and if you can't do that, you're probably not going to get much done." He's like, "Well, okay, instead of just being a naysayer telling me what I should go do."
I'm like, "All right, go around and make some sort of legislation that makes it so all the state agencies have to describe how many assets they have. Just the number. Just to just have a number. It could be rounded even. I don't care.
But at least get them thinking maybe we should have tally of these." And then, the next year you go, "Okay, give an exact number and tell us how you got those numbers." And then, the next year, tell us what vulnerabilities are on there. And that's it. You don't have to fix them.
And then, the next year say, "Okay, what vulnerabilities are on there that should be on there because you've accepted them and which ones haven't you accepted?"
So, at least now this is all just in their head and they have to go do it. And he's like, "No man, that's never going to happen. We could never get that passed." And that's exactly my problem. It seems like we can have 500 awesome people like you, but if we don't have policy to back them, how the hell are we going to get anything done?
Alex Romero
I think it starts with stories too. So, I think that's one of the big benefits to something like Hack the Pentagon. It wasn't just the events themselves. It wasn't just that single fix, that single bug that was found. That was the important piece.
And if you can't fix the issues, you shouldn't run a bug bounty. But the other part of it was a cultural aspect. It was like, "Here's a story that we can tell. This is something that shows that we didn't even know this asset was out there.
We didn't even know that this thing was out there." Let's say the .mil space. It wasn't in the .gov space. It was actually a .edu. That was tangentially related. But it was still belonging to us in some other way.
And then, a researcher brought it to our attention. We realized it was this. That actually happens often. So I think yeah, assets, knowing where your stuff is, like any good enterprise...
Robert Hansen
I mean, I know I'm speaking to the choir on this one, but at the same time, it doesn't matter if you agree with me, you know what I mean?
Alex Romero
Yeah.
Robert Hansen
Obviously it helps. But the real problem is we're not kidding. We're not getting congressmen to say, "Yeah, we should probably sit down and write a bill to make this happen."
Alex Romero
This gets to policy. Which I think is actually another thing that I've kind of woken up to. I think there's almost like a Maslow's hierarchy of cybersecurity stuff.
I've been trying to think about this actually. Like what would that pyramid look like for folks in our field? I don't know what's in the middle, I'm still figuring it out, but at the top of it I think is like policy, awareness. Where you are self-actualizing.
Robert Hansen
Research.
Alex Romero
Yeah. Like research and all the rest of it. I think policy's probably there as well because you start realizing at a certain point you cannot write enough code to fix all the problems, unless maybe you write an AI to write more code. That's probably a ways away, but I think policy does help.
So, actually I attended the Aspen Institute Tech Policy Hub right before the pandemic kicked off, in January to March of 2020.
Robert Hansen
Yeah. And you have a fellowship there, yeah?
Alex Romero
Yes. Fellow there.
Robert Hansen
Which is what exactly? What does that mean?
Alex Romero
Well, so basically they take sort of engineer types and they teach them policy in this policy hub thing. And I was sort of aware of how policy worked, but I think through the vulnerability disclosure policy and all the work that went into that, I became more interested, just because I saw it work.
I saw this one policy, this one little sliver of a policy in the Department of Defense actually have an impact, right? Just like you were saying, can you do just one thing? Can you pick a thing, go with it, and see how it works out? I saw success.
Robert Hansen
Yeah. That one change of policy that you made or your team made after that. The Pentagon thing is possibly one of the most important things that was ever done for national security in that realm of things.
Just saying, "Give us bugs if you have them." That's great. I mean that's huge. But we need a lot more thinking along those lines.
Alex Romero
You have to start small. And I think that helped and it actually led to conversations where the Department of Justice actually came out with a framework around how to think around vulnerability disclosure programs.
And later on actually recently it led to a decision, a policy change from the Department of Justice that said that they're not going to be going after good faith researchers. That took years, right?
It took years from when you were acting in good faith as a researcher and you submitted something to us and we had an agreement that we weren't going to go after you to where now that's actually a policy in government. But we had to start with the story and it ended with a change and a document.
Robert Hansen
I remember I had a similar conversation with somebody at the White House one time and met him at a conference and we were chatting and I'm like, "What would happen if I just decided to start scanning everything in the government all the time, just probing it and whatever?"
I'm not 100% sure that's legal, but the current laws as they stand knowing full well that I wouldn't actually be doing anything bad intentionally, right?
I mean, I might accidentally take a machine offline, but never intentionally. I said, "I'm pretty sure I'd just end up in jail if I did that." And he looked at me deadpan, zero irony in his voice like, "It sucks to be first." Like as if I would just have to be just this example that people use to just define better policy. That's not great
Alex Romero
It's not great, but that was the pilot. So that was the Hack the Pentagon pilot.
Robert Hansen
No, that was even before that though. And things have changed now.
Alex Romero
My point is, that's what the pilot was there to prove out, in sort of a constrained and sort of careful way. It let us sort of crack that policy door open to have the conversations around how to change those things. It worked, it just takes a lot of time.
And so, I look at other examples of this. I don't know if you know who Alan Friedman is. But he works on software bill of materials.
Robert Hansen
SBOMs.
Alex Romero
SBOM, right. And so, he's the SBOM guy. And SBOM sort of existed as an idea and like Josh Corman and other people beforehand.
Robert Hansen
But just for the audience, just explain what that is.
Alex Romero
Okay. So, let's say you have anything that you were building, bill of materials is usually the thing that you get with it. You get a list of the things that went into that. I don't know, let's talk about cake. An ingredients list if you will.
And if it has gluten, well, you can sort of figure out what has these things in it. And it probably has gluten, and then you can decide to not eat that thing or not use it at a place where somebody might have gluten sensitivities or nut allergies or whatever.
So, think of a software bill of materials as something that's very similar. Let's say you were allergic to Apache or some application that would not work well in your environment or you later find out is vulnerable to something. You at least know at that point that, in the bill of materials, in the software bill of materials, there is something that is potentially putting your systems at risk.
So, that's SBOM. That's another thing that's sort of coming. It's actually in the executive order. I think last year.
Robert Hansen
That Biden put out.
Alex Romero
That Biden put out that essentially talks about wanting to move us in that direction. So, this is like baby steps to getting us to a better place in cyber security.
Robert Hansen
But how are you going to do that if you don't know where your assets are?
Alex Romero
That's true. You kind of need to know where your stuff is at in order to categorize it, right?
Robert Hansen
Yep.
Alex Romero
In order to know what's inside of it. Like how many cakes do you have out there, in order to know what's inside of them? How many bakers do you have? These are all good things.
Robert Hansen
I know I'm speaking to the choir here on this one, but still, I think it needs a couple more adults in the room to drive these policies in the correct direction.
Alex Romero
I was mentioning Alan because he's been at it for years and he's made some successes to the point where now there's an executive order on this.
So, I think what you find is that to have good policy changes in government, you have to have a shepherd. You have to have somebody who is there that is unwavering in their dedication to getting that thing changed, otherwise, it just won't happen.
If somebody's just there for a couple years, that's not long enough to get these policies changed. You really have to want it and move it along.
Robert Hansen
So, what do you think the government wants to achieve by coming out here beyond just ingratiating themselves with individual hackers? How does the government want to work with companies, let's say? Are there public-private partnerships that you guys look for, want to cultivate, or?
Alex Romero
Yes. I can't speak on behalf of the government, but I know what government's doing. But from a personal capacity, I know that CISA, they've got this thing called JCDC, which is essentially kind of an outreached hand to...
Robert Hansen
How can you not speak for the government? Aren't you the government? You are my tax dollars. What are you talking about?
Alex Romero
So, for the audience, kind of know just my position because it is a little strange.
Robert Hansen
You have the weirdest life of almost anybody I know.
Alex Romero
I wish that were true. So, my day job, I am lucky enough to work at a large chip manufacturer. You can guess where that's at.
And I can sort of go into why I decided to work there. I think it's super important to think about our supply chain, literally where the sand is melted into trust.
All of these things: this microphone, the RF that's receiving it, the cameras that this is being filmed on, the computers that folks are watching this on and their devices. Everything has a chip in it. It has some intellectual property that is shared. How do we trust any of that?
And then, how do we build applications? How does the rest of the stack become trusted? And so, I became sort of enamored with the idea, like, how far down does this rabbit hole go?
Robert Hansen
All the way.
Alex Romero
Yeah. Well, yes.
Robert Hansen
And there you are at the very bottom.
Alex Romero
Eventually end up on a beach somewhere and you're just looking at the sun and you're like, "I don't know what to trust." You're at a campfire and you're like...
Robert Hansen
I can't trust this sand. Who made this sand?
Alex Romero
Who made this sand? This is native to this beach. Did they push it here? And it's kind of true, right? Like where's the SBOM for the sand? I don't know.
But the sand itself, when it's melted into silicon, when you have these, call them boules, ingots of sand. They slice them into wafers. They use these extreme ultraviolet lithography machines to then blast essentially the prints of the CPUs onto them.
There's a whole process there. Like how do you trust the machines that do that? ASML, the large manufacturer of the machines that go into making the CPUs themselves. That's actually really a secret. It's not like any of the companies you normally hear about.
It's ASML who makes the machines that allow the other companies to make the CPUs. How can we trust them? How can we trust any of these things, right?
And there's trust all around that eventually goes into the CPUs that then go into all the Cloud services that then go also into all of our phones and devices.
I wanted to explore that, especially after I saw SolarWinds happening. Again, how far does this rabbit hole go? And also, can I help a little bit with that? Can I take some of the lessons learned in government and apply that in industry?
Robert Hansen
And vice versa.
Alex Romero
Yeah, but I couldn't let go of this other job. So as a digital service expert, that was my job for years within government. After being a CISO, I switched over to this other job. I worked for US Digital Service, and then I switched over to the Defense Digital Service.
Essentially, I did all these bug bounties. I did a whole bunch of other work as well. But bounties are what folks know me for, I guess.
Robert Hansen
Well, lately, yeah, anyway.
Alex Romero
Lately, yeah. But there's such weird stuff in my head, and they couldn't quite let go of me. So I still serve as a special government employee. And I'm honored to do that. It's pretty cool to be able to have both sides trust that I can do that.
Robert Hansen
Back to my question, what does the government want to do when it's working with these companies? What could it do?
Alex Romero
What could it do?
Robert Hansen
If you could have your druthers and have some company who's volunteered to do X, what's the X?
Alex Romero
JCDC, if we’re going to stick with that, I think what they're trying to do is build those relationships. Although I'm not a good example, like I said, because I have an interesting set of roles, especially government playing on one side, you have to keep that separate.
Then on my other day job with the chip manufacturer, I'm trying to take some of those lessons learned just with how to establish more trust in DDS.
Robert Hansen
How do you repeat, rinse, and repeat that? Are you going to have more government employees go into other-
Alex Romero
No, but I do think that there is some of that. With the US Digital Service as an example, they do try to bring folks in from the industry and just show them how the government works, take the best talent in the industry and bring them into the government for short tours of duty. That's what they call it.
I'd recommend anybody who's listening to this podcast, just take a look at the US Digital Service, usds.gov, or any other digital services that exist out there. Because if you don't actually know what your government's doing, you have an opportunity to actually participate. If you have the technical skills and the talent, why not?
Robert Hansen
That way, you can find the aliens.
Alex Romero
Yeah. But I think what they're trying to do, because that's a really broad question, by the way, is form relationships with the industry where it makes sense to in order to just enhance security.
If there's information sharing that can happen on both sides, if there's things that the industry knows about that the government can benefit from, there's various ways to share that information.
Robert Hansen
I find that a lot of those conversations tend to be just like two people in a room, and they're talking. One says, “Oh, I'm working on this problem.” “Oh, well, have you thought about this?” Then suddenly, there's a partnership.
It's nothing more complicated than that. It's truly just a friendship conversation and nothing truly formalized. I was just curious if there is any sort of formalized programs.
Alex Romero
Sure. Yeah, especially JCDC. There's InfraGard with the FBI. Folks are part of that.
Robert Hansen
That's an interesting one. Actually, it was not InfraGard. It was, what's it called, the IT-ISAC.
Alex Romero
There’s ISACs as well.
Robert Hansen
Yeah, the ISACs as well. I remember I was at the very first formalized meeting of IT-ISAC when they were very first coming around to being a thing. These people showed up in my office. They came in and were very shadowy individuals. They had these cards with just their name on it.
Alex Romero
Shadowy?
Robert Hansen
Extremely. Multiple of them just had a phone number. And that's all. No explanation about who they are. I remember before the meeting even started, the guy who was leading it was like, “I realize everybody in this room has worked for these multinational, not just national, organizations. So you have to be very careful with what you're doing here. Because you have different things happening in different parts of the world.”
That really opened my eyes just watching this room trying to interact, both trying to be helpful but also knowing that they can't be that helpful because of the fact that they operate in many different countries, which I thought was interesting. I don't know.
Alex Romero
There are ways to share information when needed. But oftentimes, it comes down to personal relationships. I think that as humans that's how we act. We interact with each other as we know that somebody can be trusted if you can look into their eyes. Ultimately, it comes down to that.
Robert Hansen
Let's talk about your background a little bit. You are a former Marine because once a Marine always a Marine.
Alex Romero
That's right. Yeah.
Robert Hansen
You’re never an ex-Marine unless you really messed up. What made you go from that to this? How do you find your way through that path? I almost can't think of anything less congruent.
Alex Romero
It is though, if you think about what a Marine does and what they're there to do. I remember lessons learned from my senior drill instructors, and I was all the way in boot camp days. I’d be a consummate professional.
I would just try to do whatever it is that you're doing, do it the best. All those kinds of lessons. But also the whole train like you fight, fight like you train thing. I see that applying actually very much in cybersecurity. It actually tests your defenses.
This whole idea of bug bounties, also, is very similar to that. I don't want to just play around with testing. I want to actually test myself. So I think that is very similar. It engages the same part of the brain. I think it’s the basic part of Marine brain.
Robert Hansen
Marine brain?
Alex Romero
Yeah, in the Marine Corps. I guess I can tell you a little bit about that. I was an electro-optical ordnance repairer. I worked on lasers, night vision goggles, electro-optical ordnance stuff. So things that you'd look through, shoot at stuff and with high precision have to hit your target. TOW missiles, Javelins.
Robert Hansen
That’s all the rage right now.
Alex Romero
They are all the rage right now. They are all over the news today for all sorts of reasons. Yeah, I worked on all those kinds of things. I actually got my first job at the Pentagon when I was a kid, I was 15 years old, as an intern. I got a job there.
I was just enamored with the whole idea of service. I came from a family of immigrants. My family was new here. It was interesting to see them interact in a place that didn't feel like their home. For me, it was the only home that I knew. And I wanted to give back in some way.
A life of service was one that I felt like I was born into, in essence. Everything from mowing my neighbor's lawns when I was a kid. My mom was like, “Just go mow everybody's lawn, the whole street.” It's like, “Okay, Ma.” And just helping them out.
In whatever way, I was always trying to be as helpful as I could. So it was almost natural for me to want to join the Marines and give back. But then they found out that I was good with electronics, one of my first jobs, where I was actually paid, I think I was 13.
But I loved electronics. I loved the secrets that they were trying to hide from me and exposing them. It was at a VCR/TV repair shop back when VCRs were a thing. I just really did it myself. Cathode ray tube TVs, the big ones.
Robert Hansen
Those were actually pretty dangerous.
Alex Romero
They were super dangerous. Yeah, 50,000 volts in the back of this thing. You touch the back of it, you get shocked. I learned that the hard way.
Robert Hansen
That explains a lot, Alex.
Alex Romero
Yeah, I got shocked a lot as a kid. But I wanted to learn what was inside of these things. It was just a way for me to learn more about the world but from a very small, microelectronics perspective.
Then getting online even expanded my world more in finding communities, so folks that thought like me as well. Anyway, in the Marine Corps, they found out that I was good with electronics.
It was funny because I had been trained to work on lasers and night vision and all these weapons system things. Then this one sergeant of mine was like, “Oh. But you type good, Marine.” And I was like, “Well, yeah, that's one of the things I could do.”
I used to work on computers, too. Back when I was 16, I had started a little computer repair shop. I worked on what eventually became Comcast on the fiber optic stuff as a kid. And so they were like, “Okay, we're going to put you in the battalion.”
It's called the S-6 shop. They are like computer IT shops. I was like, “Okay, that has nothing to do with my job in the Marine Corps. But sure, why not?” Other duties as assigned in the Marines is a thing. You're just going to do whatever it takes to get the mission done.
I eventually ended up helping to run my battalion's IT shop. Then I started really becoming interested in how the networks were set up and how I could just traverse the networks in places that maybe I shouldn't be in. I was like, “Why is this open to that place over there?”
Actually, when we were deployed, I was in Kuwait. And this was before the war kicked off in 2003. I remember I had AIM on a computer, AOL AIM. It had this little port scanner thing, so you could go find open ports.
I ended up finding out that I could do a scan of a network. I probably don't know if I should be saying this at this point.
Robert Hansen
The statute of limitations was well over by then.
Alex Romero
I’d do a port scan, and I’d just find all these open ports. I found out that I could essentially get an open port through a microwave transmitter in Bahrain on a ship to then bounce, basically to get an extra signal through a ship that was in Bahrain over to somewhere overseas so that I could just message my mom that I was doing okay.
But then I wasn't doing okay because there started to be a whole bunch of planes that were flying overhead because then we had started actually going to war. I was like, “Okay, Ma. Got to go.”
Even back then, I became aware of like, “Oh, there's other things I can do with these computers.” Even as a kid, actually, I think the first hacking group that I joined, again, statute of limitations.
Robert Hansen
Yes, of course. I stopped every bad thing I was doing seven years ago.
Alex Romero
I wish kids nowadays didn't have to have everything recorded. Because if I did as a kid, I don't know if I'd be here right now. But I did all sorts of fun stuff like hacking groups and whatnot.
It was nothing bad per se. I just wanted to see if I could get somebody's CD tray to open up on their computer just to see if I can have an impact on the physical world across the internet.
Robert Hansen
Nowadays, it seems very obvious you could do that. But back then, it was a theory you could impact somebody across the internet physically.
Alex Romero
Physically. I wanted to see if I could just open the CD tray or print something on their printer.
Robert Hansen
We weren't really sure you could do that. Maybe in a lab environment, you could do it. But could you actually do it? And then I think we started proving it pretty quick.
Alex Romero
Pretty quickly and becoming aware that we're all pretty connected.
Robert Hansen
All right. What keeps you up? Now that you have a world of experience, quite literally as well as figuratively, what keeps you up? What's got you thinking?
Alex Romero
What keeps me up? Well, pretty soon it's going to be my newborn. He’ll be here in a few weeks.
Robert Hansen
Is this your first?
Alex Romero
It's my second. The first one was born at the same time as Hack The Pentagon, a Hack the Pentagon baby.
Robert Hansen
Perfect timing.
Alex Romero
Literally, as we launched a program, I also launched a baby. So she's my Hack the Pentagon baby.
Robert Hansen
Are you launching anything good right now so at least you can have two awesome something baby?
Alex Romero
Yeah, let's see here. I don't know.
Robert Hansen
You better come up with something quick.
Alex Romero
Yeah. My day job, we're actually launching a different program. It's called Project Circuit Breaker. Circuit Breaker, maybe.
Robert Hansen
There you go.
Alex Romero
There we go. I don't know. What keeps me up at night? I have to think about that. A lot of things. I think we are so incredibly intimately connected to things that we don't understand like how dominoes can fall. It's terrifying to me how we don't understand how those interactions go.
Robert Hansen
Is that because of the Ukrainian supply chain?
Alex Romero
Everything from COVID and increasing our awareness around supply chain things. Well, as we move to microgrids, there's going to be some really cool stuff at DEF CON as well that I think folks are going to be able to see and play around with that the Defense Digital Services is bringing also over there.
Robert Hansen
DEF CON, for those who don't know, is just another security conference. It happens right afterwards.
Alex Romero
This whole week here is called Hacker Summer Camp, for the folks that don't know. It's all these conferences at the same time.
Robert Hansen
BSides is another one.
Alex Romero
BSides, yep. So I'm also helping with security operations there. I help in security, as they call it, at BSides. I’m also helping with the policy department at DEF CON, which is basically trying to bring policy makers and hackers together in the same room, to our conversation earlier.
Robert Hansen
Yeah, that's great.
Alex Romero
What keeps me up at night is a quick progression towards using things that we don't understand. We're becoming more dependent on things that we don't understand how they're connected to our lives.
Robert Hansen
I think one of the ways I like to describe computer security, or vulnerabilities is probably a better way to phrase it, is this: a lot of people think it's a deficiency of software, but it's really the opposite. It's really an extra feature that you didn't think was there.
That's the part, that's what we’re talking to. We don't understand the software. We don't understand that it's got these extra capabilities. We don't really know how it's going to be used because we don't really know how we're going to use it.
Alex Romero
Yeah, I think more than that because those are maybe not quite existential threats. I think the things that are scary more than that are the biological threats where we don't actually control them.
There was a summit that I attended on modern conflict and emerging threats at Vanderbilt. And it was mostly on cybersecurity. But then there were a few discussions, and I think online folks can find talks.
Robert Hansen
Synthetic biology?
Alex Romero
Yeah, how are things progressing when it comes to biological threats? Just natural threats even and their ability to escape because of either climate change. Or us pushing into places that we haven't been before. That is scary. Because things are starting to emerge that hadn't before.
Robert Hansen
There was something that just came out, maybe a couple of months back, where somebody had created some AI algorithm to basically come up with compounds that were deadly.
They started off with something like VX gas or something, and they just told it what makes it deadly and then just let it run overnight. They figured it would basically come up with maybe one or two extra compounds. It came up with 10,000 different compounds, all varying levels of maybe doing the bad thing.
If we extrapolate that to biological type issues and it's like, “Well, this DNA just modify ever so slightly to do this. And here are the parameters I want.” We're not that far away from people being able to do this in their garage.
Alex Romero
In fact, we're not. When COVID kicked off, I don’t know if you remember this, but the largest exascale computer was generated by just the community of people using the Folding@Home app or on their home computers.
It was amazing to see just people everywhere. I don’t know if you know or if your audience knows, but Rob Joyce, head of the NSA, had tweets essentially that went out. It was like, “If you want to participate in trying to find potentially a solution to COVID, download this screensaver.”
Then as it's running in the background, it's using our CPU to help find out how this protein folds and potentially you can use your computer to help in this global problem. Your CPU can actually go towards solving this problem.
Yes, it's basically just computationally difficult problems to solve. But if you have enough compute, you can basically figure out anything from a beneficial perspective or maybe not too beneficial.
Robert Hansen
Then when you're done you can mine Bitcoin or something.
Alex Romero
Yeah. Right.
Robert Hansen
What do you think of the media, Hollywood, movies, etc.? What do you think of the news? What do you think they get wrong about the military? When I look at computer security in general and just every single time a hacker’s on TV, I'm like, “Oh my god, it doesn't work like this at all.”
If you're a racecar driver, you're like, “This just isn't how cars drive.” What is it for you that stands out in your mind about the military that is misrepresented?
Alex Romero
There's tons of dedicated folks, and there's not just any one way to describe it. There are centralized areas where there are certain things where there's an arc that folks can see what's going on across certain segments of the network.
I think it's far more distributed than Hollywood makes it seem, as though it is a movie, “No, they're coming in this way. All right, stop them here.” I don't know.
Hollywood has to do things because of time, make this short in how they describe what's happening on the screen. I understand that for sure. But it's a difficult problem that is not one that is easy to condense down into little Hollywood snippets.
In fact, I helped out with this project last year that I think is going to maybe be airing sometime soon called the DEFRAG Film Festival. And what we're trying to do is actually show this exact thing.
Through Columbia University and Jay Healey and Beau Woods and a bunch of other folks, trying to show with the interviews, what is it that Hollywood's getting wrong about our community? I also like the diversity problem as well. This community is actually far more diverse. It's just who you see in shows and whatnot, it's not always the same thing.
What did they get wrong? It's not always just this and then hence and then this and hence. It's not that way in the military, either. There are some really great tools that exist. There are some great people that are doing really hard work. But they have the same problems that everybody else does, I think, in terms of getting the authority to operate.
That's a big one. Whenever you have a tool that you want to use and it's a new thing, you have to make sure it's safe itself. If you're buying or you're building at the buy versus building, should you spend more money to try to build it or just use it from someone else that you're going to just buy it from?
If you just buy it from somebody else, can you trust where you're buying it from? And also, what does their supply chain look like? Those are the kinds of things that you don't see Hollywood talking about because you just see the end effect.
Robert Hansen
It seems like I talk to people a lot who say there's certain jurisdictional boxes or boundaries, and they just pop up all over the place. “Well, we're not allowed to touch blah, blah, blah.” It's not that they couldn't, they have the capability. They just won't.
That seems like something I just don't see Hollywood explaining enough. The only place you see that is when they're talking about police officers arresting somebody across borders or whatever like, “No, that's my jurisdiction.”
But the military and governments have very specific boundaries and things they can and can't do. And that seems like it's lost on Hollywood.
Alex Romero
With everything from things you wouldn't even think about, like 508 compliance, making sure something is accessible to, let's say, the visually impaired. Is that really fancy visual screen good for folks who are visually impaired? Probably not. Then the contracts that then have to go into place to then buy the thing to then make it happen.
Realistically, what's happening behind the scenes before that Hollywood scene is like a year and a half worth of contracting officers in a room trying to figure out how to buy that fancy thing that you saw on screen and fighting it out and duking it out with contractors who are trying to save money by not providing exactly what it was that the government needed. Stuff like that, you don't see.
I don't know, I wouldn't want to watch that show though. It could be a really boring show.
Robert Hansen
I remember I was at the Pentagon, this was many years before I met you. Two floors down underneath the Pentagon in some hall somewhere. I walked into this room, and it was one of the critical whatever rooms.
I don't know what they were exactly doing because I’m sure they were quick to close down whatever apps as I was walking in the room. But the thing that stood out to me is this looked like I was walking into an internet kiosk or something.
Machines that were old, they were highly patched and secure and whatever. But they were old, and the furniture was shaky and crappy. You could tell the chairs were bought in lots of 10,000 at a time. There's the same squeaky chair, and everyone's got the same one. It seemed very different than the movies you want to make, like glass screens and all.
Granted, this is many years before I met you. So I'm sure things have improved somewhat. I see. Okay. But I always thought that was interesting because my interpretation was I was going to be walking into a normal network operation center that you'd see in any data center, let's say.
It looks a little like the movies, at least. A cross between NASA Mission Control and a modern-
Alex Romero
There are some places like that. I don't think you'd get invited to them.
Robert Hansen
Yeah, I'm sure. I'm sure they do exist now. But I just remember looking around the room.
Alex Romero
That sounded mean.
Robert Hansen
No, it did not sound mean.
Alex Romero
They would have to put on a little light, and they would have to shut all the things down. There would have to be special invites and stuff.
Robert Hansen
Exactly. But it was the furniture that stood out to me.
Alex Romero
The rippy furniture held up by little pieces of paper underneath so it doesn't wobble.
Robert Hansen
Yeah, this looks like it's something you'd go to Home Depot and buy for picnics or something. Buy like 20 of them or whatever.
Alex Romero
When you think about it, it's always going to be like the lowest bidder. And then things deteriorate over time as they're moved. They're moved often because they have to make do with whatever space they have.
These are common problems in government. Just from what I've seen, you have these really great people that are working in really austere conditions. And they still try to make it work.
Robert Hansen
Yeah. Clearly, they were all busy doing stuff. So it wasn't inhibiting them. It just totally broke my perception of what I was-
Alex Romero
Enhanced.
Robert Hansen
Yeah, enhanced. None of that. Okay, changing the topic a little bit. I don't know if you know who Tim Kennedy is. He's a famous Green Beret guy hunting Hitler and a famous MMA guy. Anyway, he is quite famous.
He was in Austin, and we just started chatting. He's like, “Oh, we'll grab a coffee at some point.” I'm like, “Oh, great.” So I got in my car. He never called. And I'm like, “Oh, that’s a little rude. But whatever.”
Alex Romero
Was he behind you?
Robert Hansen
No, I was looking at the news a couple of days later. And he was in Afghanistan, part of Pineapple Express pulling people out with a team of Green Berets. A fairly big team. I think it was maybe 100 of them or something or at least 20. It was a pretty big group. They had a photo somewhere, and he was in there.
“That was an enormous mess. We left in a hurry, and we did not take the people out that we wanted.” I'm like, “Okay, fine.” He's allowed to be-
Alex Romero
His coffee.
Robert Hansen
That's a little bit of a different story. How was that whole thing seen, do you think, amongst your peers?
Alex Romero
It was heartbreaking, especially if you had been out there in that environment. You knew some of the people that were affected or the translators, etc.
There were lists of folks who either in the process maybe needed to fill out some extra forms, etc. And they had really worked to help save Americans’ lives either as translators or through either being informants or whatever. There are networks of folks that were really helpful to Americans.
They were in the pipeline. They were the ones who were probably the most at risk, once you could see what was going to happen at that point. It was absolutely heartbreaking.
You could see some of the reports that were coming out at the time like, “Things are not going well. They're not going even faster than we thought.” I think parts of the government were aware where it was going but maybe not as fast as it happened, I suppose.
Robert Hansen
The way I understand it, that is still an ongoing thing. There's still things happening or we're still withdrawing people even to this day.
Alex Romero
Yeah, I don't know if I can talk too much to that.
Robert Hansen
Fair enough.
Alex Romero
What I can say is I think, actually, part of what DDS helped out with is public and was actually talked about by certain folks on the Hill. They called it out.
The secretary of defense in his testimony as well, I think, called out what some of that work was, basically just trying to reach out to certain folks in as careful of a way as possible to let them know where to be in certain places and certain times so that they could be pulled over.
Robert Hansen
That sounds like a nightmare.
Alex Romero
You have no idea. Yeah, it was difficult.
Robert Hansen
How do you even know you're talking to the right person?
Alex Romero
Yeah, exactly. It took many parts of the government actually working together to make that happen. And it was actually quite interesting to see where you have all these different folks trying to work together in this austere environment during COVID trying to figure out like, “How can we work together all remotely to make this happen?”
Robert Hansen
Except for Tim Kennedy, of course. He just goes in guns blazing.
Alex Romero
Yeah. On the logistics side, there’s the physical side of it. There's families. And what do you do once they're actually here? So there were these lily pads that you would drop people off at.
There was logistics of like, “How do you feed and get them all their basic needs met and all that stuff?” They were bringing them into places like Quantico temporarily.
Robert Hansen
Yeah, because you can't necessarily trust these people. You’ve got to make sure that they are who they say they are.
Alex Romero
There's some vetting, of course. And so there was checking of the records, checking their names. It turns out when you're looking at the records, it makes sure they are who they say they are.
Oftentimes, how they wrote down their name in one place is not how they wrote it down in another place. Or they may sometimes go by their father's name.
There was a whole bunch of weird things like that that we actually had to use some algorithms to try to figure out and parse through that. That was a huge effort over a very short period of time.
Robert Hansen
I imagine. That means that whole thing unfolded in a week or two.
Alex Romero
Yeah. You could never have done enough, frankly. Actually, my day job was nice enough to let me take off a limited time to help out with that directly full time. So, that was good.
Robert Hansen
Awesome. I want to talk a little bit about social media. Specifically, the consolidation of power of social media. I don't know another way to phrase it, it's almost its own nation state. It's getting to be so powerful, so prolific, and so able to effect change.
Mark Zuckerberg on a whim could just decide he does or doesn't like some political candidate. Or he could decide that he does or doesn't like some conflict or some policy or whatever. More or less, he can design an algorithm, if he felt like it, to do all kinds of crazy things.
Quite a while back, I was able to get the code for Facebook's mood manipulation study, where they basically picked about 400,000 people and just only gave them either positive content or negative content to see if that could affect them. And it had enormous effects.
The code is horrible, super sloppy, very easy to replicate and make much better. But the point stood. They were able to prove it, which is terrifying if you realize they're doing studies on actual people in the wild like that without their consent, etcetera, etcetera.
How are you seeing this? Are you going to let your kids on social media? How do you see this?
Alex Romero
Yeah, it's tough. Because it's almost like you're ripped out of a part of society when you're not participating in it.
Robert Hansen
Especially going forward. Especially as a teenager, let's say.
Alex Romero
Yeah. Years ago, once I realized what was going on, I just stopped participating in it when it was just sharing pictures and whatnot. So I'll do it directly with folks that I know through media that I control and through mechanisms that I control.
I don't know, it feels so dirty participating in some of these things when you know what's happening on the back end. I know how the algorithms are choosing content. If you haven't been around for a while, it promotes your stuff. And then it tries to stoke certain ways of thinking and reward systems.
Robert Hansen
There's a company called Dopamine Labs. You know what I’m talking about?
Alex Romero
I’ve heard about it. Yeah.
Robert Hansen
Well, go ahead.
Alex Romero
Well, basically, you're tying into a reward system to check for kids in games, I think, as I recall. Essentially, every time you get to a place where you're not using the app, it gives you some extra points. And so then it just gets you back-
Robert Hansen
For a prize box or whatever. So it's like, “Oh.” And it gets the dopamine up. Click the button. You may or may not win something, doesn't matter.
Alex Romero
Don't Be Evil, I think, was a book that talks a little bit about this. Anyway, the question is whether or not I'm going to let my kids on it. I think it's inevitable that there's going to be social media out there that we have to participate in in a way. If you're going to be part of modern society, you almost have to be part of it. But you can meter your access to a regular user.
Robert Hansen
What happens when the social media companies decide they just don't really like the United States anymore? What level of power are we going to give these things? Because they're wielding an awful lot of power right now, whether they're choosing to use it in that way or not.
Some people would argue that they are suppressing certain voices or certain lines of thinking or deciding what's truth. And a lot of that's done through algorithms. It's not even done by people. So who's designing these algorithms? Or where are these algorithms getting their baseline data, the ground truth data?
I talked about this with a couple of AI people, and no one seems to have any clue at all how do you do this well. Everyone's like, “Well, as long as a lot of people aren't complaining, that's good enough.” But that doesn't seem very good to me.
Alex Romero
It's an impossible promise because we're all different. What one group of people might find positive or not, another may just completely be put off by it. And so we cannot come up with an algorithm from-
Robert Hansen
Some things are not true until they're true. Or some things are not true and then you find out, “Oh, my gosh, that is exactly what happened.”
Alex Romero
I don't know if I can answer that question directly or want to because I'd be wrong. But I think what I could say is, what would you do if you were coming up with your own social media platform? How would you actually meter content in a way that actually allowed everybody to feel as though their voice could be heard?
Robert Hansen
First Amendment is if it's illegal, it's illegal. That's a different story.
Alex Romero
Well, that's the thing. You always have an F. So when there is an F, then you have to have a statement there that, “Remove some.”
Robert Hansen
Yeah. But that seems like a much easier thing to do, then. I don't agree that the person’s lying.
Alex Romero
But how do you actually determine legality?
Robert Hansen
That's what lawyers are for.
Alex Romero
Are you going to have lawyers write algorithms? Those are the worst people to write algorithms.
Robert Hansen
Is it though?
Alex Romero
I don't know. Maybe, maybe not. Maybe you're right. Well, at least they would be covering their own butt. They don't want to write something that's going to get people blocked when they know it's illegal.
Robert Hansen
I think they would be very careful. I'm not saying literally write the algorithm. I'm not saying hands on the keyboard. But I am saying if you are actually committing a crime and it looks like this, that's a clear violation. Get rid of it.
Alex Romero
If your things are always on the line, then-
Robert Hansen
Give me an example.
Alex Romero
Oh, I don't know. I think yelling “fire” in a theater is the classic one. But how do you do that on the internet, and say that I'm going to attack this place?
Robert Hansen
One would say that that's not on the line. Either you're doing it to incite a riot or you're singing a song about maybe put out my fire. And you're yelling at a theater. I don't think that’s on the line at all. I think it's very clear, legally, and I think it's clear to win a case in a court of law.
I think there is a little bit of a problem here, if we let social media companies just decide willy-nilly. Or if they're not, then they should not have the protections that we're giving them. And then they should be open to lawsuits. If you're blocking my content and I didn't do anything wrong, then you get sued.
Alex Romero
I think that that is, in and of itself, an open debate. What are the ramifications for having caused some kind of harm to society? I don't know.
Robert Hansen
Removing COVID completely from this conversation just so we can have an objective one. Let's say there is a vaccine that is actually going to stop Ebola from taking over the entire world or something, totally weaponized version of Ebola.
You know you have to do it, 99% chance of you dying or whatever. And someone online says, “No, that thing’s tracking people or whatever. It’s all a conspiracy or whatever.”
You could say that the social media company has a moral objective to protect people. Or you'd say if a First Amendment right to allow them to say whatever they want, who wins? I think this is actually a really complicated topic.
Alex Romero
That's my point. That's exactly my point.
Robert Hansen
But I think in broad daylight, bad ideas die, if you make them go underground.
Alex Romero
You hope they do.
Robert Hansen
No, I think they do. Look at the flat-Earthers. They just got crushed. Everyone just loves making fun of them because it's a bad idea. I was on a plane today. I didn't see a single part of the curvature of the Earth. So I'm pretty sure they're right.
I think there's something in there. I think there's something about spraying Lysol on bad ideas. I've been in forums that are very private. They're full of just crazy people, really crazy. And the only reason they're there is they feel like they can't talk on these other social media platforms. It's just a breeding ground of these weird conspiracies.
Alex Romero
Yeah, I've learned I don't need to have an opinion on things that I'm not an expert on. And this is an area that I realized that I'm not an expert on. It's actually really quite difficult to have a strong opinion. I have strong opinions, obviously, personal opinions. But how can you ever know exactly what to do with any sort of platform like this?
They are organisms, in and of themselves. So how can you control any organism that is almost like a hydra, cut off one side, and it's going to just grow back anyway? You can try to say, “Well, just ban the whole platform. Some other ones are going to come up.”
It may be worse or better in a different way. But I think if there is a monopoly happening, and that's one thing, where there cannot be other options out there, maybe that's not a good thing.
I think in society, the best tend to come to the top. And then the others tend to die off. But right now, it's just the biggest. And if not the biggest, are the best. And I think that that can be somewhat dangerous.
Robert Hansen
All right. This leads into my next question. So there's this whole concept of Balkanization.
Alex Romero
Oh, yeah. We had a conversation about that a year ago.
Robert Hansen
Yeah, we did. I think this is something you are uniquely qualified to talk about. At some point, the government could say, “No, we don't feel comfortable with the idea of a social media platform being owned by some foreign government. We want our own.”
I could see another government saying that same thing, and another government saying that same thing. Now every government has their own social media platform, but they're also going to need their own chip manufacturers. And they're also going to need their own toaster suppliers.
Every single part of everything you'd ever buy that’s part of the DDS bomb or part of daily life and just uploading photos, all has to be decentralized from the entire globe but centralized in a given country.
Do you think it's going that way? Or do you think we're going to end up in some utopia where we have just one platform that rules the entire world and whoever's there, wins first? That's all it takes to be first to the trough.
Now suddenly, everyone's using it. Because I see people Balkanizing. We already have the Red Star operating system in North Korea, a perfect example. An entire operating system. They've got their own browser, Naenara browser.
Alex Romero
If we think back to when maybe we were kids or younger, the internet was balkanized, if you think about it really. There were no platforms really. We were running our own servers on our own systems at home on BBSs or on FTP servers or on whatever.
There was no centralization in the way that we think about it today. Everybody was running their own thing. It was small enough that we could just like, “Oh, you want this file? Let me set up a server for you. You want to have a chat thing, let me set up my own chat server. Just put yourself to this server over here.”
It was hyper-Balkanized, in a way. And it worked out all right. But you had to be somewhat technically competent for it to work. I feel as though we were slightly more technically competent early on because you had to be. There was no choice.
Robert Hansen
I don't think slightly, I think much more.
Alex Romero
It was amazing because it allowed us to be connected in ways that nobody had ever experienced before. It was new. It was a brand new way of being connected. It wasn't like picking up a phone. It wasn't just like talking and sending messages out.
You were connected live with somebody else. You could be in their system, you could be in their server. It was Balkanized.
Robert Hansen
They had their own rules.
Alex Romero
Their own rules, where you'd get kicked off their server if you didn't behave. But it was very segmented to the point where there were servers everywhere. Nowadays, we've gone to single platforms.
These platforms have their own rules, and they have to then comply with the rules of the countries that they're in. If they don't, they may get kicked off.
But today, nothing stopped somebody from setting up their own server, on their own system, on their own cloud platform, on their own Raspberry Pi in space, if they wanted to.
Literally, nothing stops people from doing it except their own wish and will to do it. The technical capacity exists. There are communities that will help them.
Robert Hansen
Yeah, it doesn't take much anymore.
Alex Romero
It doesn't take a lot. There was one thing called the outernet. Or what was it called? Yeah, I think it's one of those places where you can have the internet on a Raspberry Pi. If everything goes down. If the whole internet shuts down for some reason, there's some solar flare that takes out all of our computers, you can put in the Raspberry Pi in a Faraday bag, bury it, and then have at least a portion of the internet that's saved. If you needed to have that right.
You could have your own copy of the internet, that’s what I'm saying, for a really rainy day. I think that can exist. Just people aren't aware of it because they haven't needed it. Because they've just been spoon-fed this version of the internet. Balkanization has existed. We're trending towards it based on what countries want. Because centralization is more convenient.
There's this pendulum swing that has happened over the years on mainframe computers to then more client-based computing. Edge computing. I think it's just interesting. Because I really like distributed computing. That's one of the things that lights up my brain waves.
Robert Hansen
That is niche. I think everything's going to get balkanized. It's just a matter of time. But to a weird degree I think. Maybe not Facebook or maybe not Instagram. But every security company. Are you really going to trust a security company that lives in another country? I just think that's going to eventually go away.
Alex Romero
You saw what happened with Kaspersky and others. It may be for good reason.
Robert Hansen
I would say, probably most of the time it isn't a good reason. But occasionally definitely a good reason. How are we going to know which one is which?
Alex Romero
Yeah. Sometimes you just have to trust what people are telling you.
Robert Hansen
But also we have supply chain issues. With Taiwan for instance. If China were to invade. They've certainly made aggressive overtures due to Nancy Pelosi’s visit. What are we going to do? Are we just going to not have chips? Are we going to rely on other countries who have similar issues or other issues? Are we going to start bringing chip manufacturing back to the United States?
Alex Romero
The CHIPS Act, I'm not sure when this is going to air. But that recently passed. I think there is obviously a lot of interest in wanting to expand production at home for not just chips but for other things. When COVID kicked off, we didn't have enough masks. We didn't have enough PPE for people that were working here. In fact, the stuff that we were getting from China at the time, if you remember this, it was the leftovers. It was the stuff that rats had eaten through. It was gross stuff. It was not stuff that we could actually use.
I think that we have to really think through. What it is that we want to outsource? What is it that we are okay not having in this country if the supply lines and supply chain actually does take a hit for whatever reason? I mean doesn't necessarily have to be for nation state conflict reasons. Although those are real things. Could be for natural disaster situations as well.
Robert Hansen
A couple of weeks ago, I was talking with another guest, Russ Bodnyk, about something Ukrainians are using called GIS Art for Artillery. Have you heard of this thing? Whether you have or haven't, I'll just re-explain it to the audience. This software is very interesting. Because it essentially is Uber for dropping ordnance on this target.
For those who didn't watch the previous episode, they figured it out by accident. Some guy is like, hey, there's this weird centroid issue where it's probably related to old radar systems on some Su aircraft that had bad targeting data. But all the bombs dropped in the exact right place from different places. Some guy dropped a mortar. Some guy shot a howitzer. Someone shot a missile. They all landed in the exact same spot. Which means that they had good coordinates, just bad targeting data which is interesting.
He did a bunch of research and figured out it was the software. Which has got to be one of the worst named pieces of software ever seen. Could have come up with something snazzier. But I'm curious what you think about the future of taking something like that, which I think is really, really clever. A simple piece of software, if you really think about it under the hood. Then hooking it up with some basic autonomous warfare.
All you have to do is have something that's loitering over that looks for a capital Z printed on the side of a whatever, and then it is targeted. The Howitzer, it knows it's got rounds. It points itself over there and shoots and scoots. You don't need to have any humans at all in any part of that.
Alex Romero
I mean, come on. You and I know how bad an idea that is.
Robert Hansen
I know it's a terrible idea. But also, don't you think it is coming?
Alex Romero
Oh, yeah. For sure. How would you defeat that? How would you mess with that? How would you play with that idea? I get your point. I think that is something we have to think about. Within the DOD, this thing was created called the Joint Artificial Intelligence Center, I think. JAIC. Which is now actually part of what is called the Chief Digital Artificial Intelligence Office. Because it has to have a long name. It’s important.
Robert Hansen
Is there an acronym?
Alex Romero
CDAO. The CDAO is this new office. Actually, now Craig Martell, he was the head of AI for Lyft. He's now leaving that up. He's the lead with the DoD. It is actually the Defense Digital Service, now the director of Digital Services, it falls underneath that group within the CDAO. I think that is one of the things that they're trying to figure out.
What are the ethics around AI and AI use? What are the rules? If you actually look up within the DoD, they have some published rules around how AI should be used. They've got some really smart people that are thinking through: what are the parameters? What are the ways? What are the things that we should be thinking about just as a society around how AI is used?
Robert Hansen
One thing Charlie Burgoyne said that I thought was really clever is, you've already had a human in the loop when they decided that this is the targeting data. Because this happens naturally. It happens all the time. You say, “I want to shoot that thing.” Then there's a huge delay because they're somewhere in the United States.
They're sending stuff over a satellite, over encryption and it takes a while to get there. The software on the other side has to actually make the final firing solution. They just said, that's a valid target. We're already moving in that direction anyway to some degree. It's just the delay maybe way longer.
Alex Romero
I was thinking about a book as you were talking. I can't remember the name off the top of my head. But essentially, it's the premise that it is sci-fi, near-future thing where we tried to get rid of that latency. We get rid of latency by just taking human consciousness and putting it in the robot. But then, we accidentally lose the link and then the person becomes the robot. That’s the idea of latency. Oh, my new body is in this robot form.
Probably not the best idea, we remove consciousness from the human. I think there are some decisions probably among AI experts by any means, who have spent a lot of time thinking about this that could be automated. But then certain decisions maybe really should not be, right. I think when it comes to life and limb, those are things that are probably best reserved for even if there's latency.
Robert Hansen
Is there any difference between laying a mine on the ground, and saying, “Well, people who travel over here who are in tanks should go away?” I mean, it's a very similar autonomous setup. Maybe different types of sensors. Maybe it's not true AI. It's just a binary switch that turns on or off based on the magnetometer going off.
Alex Romero
Yeah. In terms of kill decisions.
Robert Hansen
Or a claymore mine. Or some trip mine. All these booby traps. Aren't they really the same thing? If you're okay with that, why wouldn’t you be okay with a howitzer shooting?
Alex Romero
That's an excellent question. I think because there is no intent behind it. It can get good and bad results. I think those are also now not used anymore because it is non-discriminatory there.
Robert Hansen
Well tell that to the Russians.
Alex Romero
Yeah. All right. It's not a good thing. But I think there are reasons where you would want to have still a human loop in some way. I remember when I was still in the Marines. They were talking about this mule thing that would be essentially an AI driven, a bull sort of thing that was autonomous. It could carry your gear. It would just walk with you. It'd be smart enough to know to stay next to you. If you were taking fire, it would get in between you and the incoming fire.
That's pretty nice. I'd love to have some AI that at least takes some rounds for me. That's a pretty good use of technology. Then for a while, they were talking about using enhanced soldiers. Where you can get into a suit and do some other things. Where if somebody gets injured on the battlefield, and they're incapacitated in some way, the suit can take them home. I think those are interesting. Where it's just enhancing at least the mind that is inside of this.
Robert Hansen
You could easily do the same thing with a drone that flies in. You throw the wounded in there, and it takes them off. Why have any humans in the loop in any part of that other than saying, “I need a drone here?”
Alex Romero
But I think it comes down to ethics. It really is, what is warfare? Ultimately, at the end of the day, are we just going to play it in some CG thing, and it's whoever has the better computers behind this? Like an animated battlefield.
Robert Hansen
If that's the case, what are we going to do about that? Then what's China going to do about that? Then what’s Russia going to do about that?
Alex Romero
I think ultimately, war will stay in the physical meatspace for some time to come. If it does, then these questions still remain relevant.
Robert Hansen
Okay. That leads me to something we talked about a little bit. The idea that you can patch something and have a patch be a proper defense. True first line set of defense, as opposed to a thing you do later. Seems to me like a paradigm that doesn't really work in the distant future because software is going to get so good and so fast with exploitation.
I know you agreed with me on this. But I think it's worth stating that this is the thing where once AI gets involved, you don't have that option anymore. You don't have the option of running around with CDs and updating old computers that happen to be out there. It's not possible. You’re never going to get there in time.
Alex Romero
Yeah. I think we're quickly moving away from that. If you looked at how quickly Log4j was starting to be exploited. This is a recent example. I’m sure your audience would know this. But a recent vulnerability that was found. A way to look at logs on machines. It was used everywhere. You could have a computer look at something, get passed to some logs. Then normally, it should just look at the log and not do anything.
It's just passively printing stuff, if you want to think of it that way. It should not do anything with the information that it's getting. Well turns out if you pass a certain type of string, it would actually take that information in and then do something else. Start processing information. It's very dangerous. It's not a good thing to have something that was supposed to be just passively looking at something, now get activated and get turned on.
Robert Hansen
This is what I mean. It's not a software deficiency. It's an extra feature we didn’t know it was there.
Alex Romero
It's a great feature. That’s the feature they wanted. All right. Very quickly that started getting exploited. It was around within weeks, days of that being announced. I think we're already seeing that. Even if it's not automated. Automation just makes it a little bit faster.
Robert Hansen
Maybe a lot faster.
Alex Romero
Actually quite a lot faster. You go from 0-day. You don't really need 0-day. At that point, you just need to have…
Robert Hansen
Access to a vulnerability.
Alex Romero
You need 1-days. You need 1-days. Actually I talk about this in my talk tomorrow.
Robert Hansen
For the audience, no one is going to follow any of that.
Alex Romero
A 0-day is a brand new vulnerability that hasn't been seen yet. Just out in the wild. There is no discussion about it. There's no fix for it yet. Just being exploited publicly. There's no mitigations. Probably even fewer by figuring out how to fix that thing. That vulnerability in a computer system somewhere.
The idea is that, if you're an attacker, you don't necessarily need to have that information, that knowledge of some new vulnerability that has been developed just to go to attack your adversary, whatever that adversary is. You just have to wait long enough for that target, whatever that target is, to have a vulnerability that is out in the wild then exploit it faster than they're able to patch it.
Robert Hansen
Because most people are patching within days or weeks. You just have to be faster than that. It's very easy to be faster than that.
Alex Romero
Think about the last time your car had a recall. Usually they'll say, bring your car in. There's been a recall. We got to update. We got to plug in a USB to patch it. That's usually the timeframe that we're talking about. It is weeks sometimes for these systems. Some enterprises have gotten better. When it's critical, they'll patch within maybe days.
That's still a day's worth of a window of opportunity that can be exploited. That time is gold for an attacker. That gives them time to test and develop and deploy an attack on a system that is their target. If all they have to do is to right click, deploy their attack payload to that system, they're faster than your patching.
Robert Hansen
I think this is why we really have to not just double down and invest in AI. But if we're not on top of this. Humans aren’t fast enough. They just aren't. They just can't do it. The next best thing we've got is AI. I understand all the deficiencies and all the problems. Yes, yes. I get it. I just don't see any other way we're ever going to get in front of the problem.
Alex Romero
DARPA, the Defense Advanced Research Projects Agency, in 2016, at the DEFCON conference. They actually launched this thing called, it was the Cyber Grand Challenge. It was actually exactly what you're talking about. It was this idea of, can we create an autonomous system that will automatically go out and hunt for vulnerabilities on systems and actually turn it into a game, where they're looking for vulnerabilities automatically on systems.
Then trying to also patch these systems on the fly while retaining the application in such a way where it was still doing the same thing that it was supposed to do. Let's say it was a Word application. It still had to operate as though it was a Word application, for example. It was both attacking in an offensive way other systems that were on that network, and it was also trying to defend itself and self-patch.
It was a good test. Much like we have self-driving cars today. That was, a lot of it, because of the research that DARPA did back in the early 2000s that led to some of the autonomous vehicles that we have today. That took 20 years or so to where we're now. You can get into a modern vehicle and it has some level of autonomousness in it. It takes a little while. But that went from a physical, in technology called meatspace, in the real physical world. Taking software applying that to physical problems. It took about 20 years.
If we are talking about where we saw the cyber grand challenge in 2016, and applying it towards projecting forward how we can take that AI maybe in the next 10 to 15 years. Maybe we'll shave five years off of this. The next 10 to 15 years, we'll probably see something like that. Where either there will be automatic attack and defend capabilities that some organization will have. We're starting to see some of that.
Robert Hansen
I think we need to go way faster than that my friend.
Alex Romero
I think we will. But I think we'll make mistakes along the way. Because we've seen mistakes that have happened with autonomous vehicles. I don't know if we can afford as many mistakes.
Robert Hansen
Good point. I had a couple of questions around hiring at the Pentagon or in the military in general.
Alex Romero
Government in general.
Robert Hansen
Well, yeah. There you go. I think one of the problems that I hear a lot actually from our community is, “Well, how are you going to hire any software security people? They're all on drugs.” It's not 100%. But it is definitely not 0%. I get it to some extent. If you have an agreement where you need to be absolutely on the up and up at all times. And you also had this side agreement with somebody who's working with the cartel, let's say. Maybe that isn't such a great starting point for somebody with clearance.
But that seems like also a huge hindrance given the nature of what we need to accomplish here. As a society, we are going to need smart people doing these things. If they're totally iced out, because they're recreationally doing something on the side. I personally don't do drugs. But I know that almost all of my hacker friends do. I don't know how you get around that.
Alex Romero
In order to serve as a civil servant in the military, especially the military, there just are no accommodations there for that. You are not allowed to do drugs obviously, in the military. That is part of the contract that you sign. People would need to keep that in mind also if that is part of something that they want to do. That's just not in the cards for them. They can maybe help out in other ways.
Robert Hansen
Even if it's legal in your state, let's say?
Alex Romero
Even if it's legal in your state. You're right. It is absolutely a hindrance to trying to get that talent. Let's just say it is some low level thing. Still if it's anything that is listed as controlled in any way then it's still a problem.
Robert Hansen
I mean, they can be on oxycodone. That's fine. Which is weird.
Alex Romero
If it's a prescribed thing.
Robert Hansen
Exactly. Seems a little silly.
Alex Romero
But I think your point is absolutely valid. There's lots of folks that, for various reasons, they are medicated in some way or another. It does limit the talent pool tremendously. I have some of my friends that might smoke a little marijuana or something else. Maybe that's the only thing that they do. That still precludes them from being able to serve.
It really bothers me because they are all such great people. They're doing it for the right reasons. They would want to join. They would want to jump into the fight. They would want to actually help out. But they can't. Because that's the way the rules are today. I think what's interesting about what we talked about previously with bug bounty.
Robert Hansen
They can still contribute from the outside.
Alex Romero
They can contribute in other ways. There’s open source communities they can be a part of if folks want to have code out there. I'm not saying that there is a bunch of entire open source communities for drug people.
Robert Hansen
It’s not exactly a low percentage.
Alex Romero
But my point is, there's people from all backgrounds. All sorts of things.
Robert Hansen
It's a very artistic community in some ways.
Alex Romero
I have no judgment at all, one way or the other. I really don't care. I do think it is very limiting. Because I know it is. They're extremely talented folks that I would love to get interested in government service. This is where I feel okay more recently. I was very not okay talking about any of my government work in the past. I would never do a podcast like this had you asked me a decade ago.
Robert Hansen
I didn't know you a decade ago. That's why. Maybe I did. That was the problem.
Alex Romero
They were called net casts back then I think. Getting the really great talent into government is something that I would love to do more of. We've tried but it is a limiting factor. Getting them to help out in other ways, I think, is important as well.
Robert Hansen
I had a buddy who's at a three letter agency. He was talking. He's like, “Oh, Robert, you'd never make it here.”
I'm like, “Am I just not smart enough. I don't get what's going on.”
He's like, “No. We have for instance this policy where if you're cleaning up some box from malware, you have to reboot the box three times.”
I'm like, “Three times! What? I mean, I understand twice, why three times?”
“See? That's why you wouldn't pass.” If that's at all even vaguely funny but also true, I think there's a bit of a problem.
I don't know who wrote these crazy rules about rebooting, using it as a very funny but extreme example. I mean, is it also that it's hard for creative people to work in those environments? Or people who are just like, “This doesn't make sense? I'm not going to do things that don't make sense.” You've got to do what you're told to do and that's it.
Alex Romero
I think my experience has been a little bit unique. In the Marines, it was very much you follow the rules. It was very much like, “Take that hill!”
“Yes, sir. I'll take that hill.”
“Take that hill that way.”
“Okay, I'll take the hill that way.” To then later on in government. Also being so very regimented in how I was listening. Being a civil servant. Then experiencing things in a slightly different way with this digital service group. They had a little bit more leeway. They were allowed to think differently, challenging authority and looking at problems differently. For me, it was actually quite fascinating to see.
Bring in experts from the outside into government to see exactly what you're talking about. "Why did you need to press that button three times? What does the third time do?" Just ask the question. "Is it some sort of magic? Where is the magic fairy? Does it come out on the third press?" Then really questioning the logic behind these behaviors.
Robert Hansen
There might be a perfectly valid reason.
Alex Romero
There could be magic.
Robert Hansen
Yeah, that could be. But I don't know it.
Alex Romero
Usually not. There's only a couple instances where it's like, "Oh, okay, that makes sense." There's a thing. There's a thing. There's a reason. Third time's the charm. But often not. Then often it actually wastes money at scale. Think about over hundreds of thousands of civil servants doing a certain thing a certain way. It becomes a waste. It's challenging. Being given the option, the authority to do that.
Robert Hansen
How about people going in who have to pass background checks. They are asking. The question is, “Have you hacked anything?” Yes. That's literally why I'm here. So I can hack things. Yes, of course, I've hacked things. Otherwise, how would you hire me? I don't understand how it would even work.
Then another version of that. This is one of the reasons I never even thought I would qualify. “Have any interactions with foreign agents?” Of course, I go to hacker conferences. They're everywhere. Of course, they're courting us constantly at these conferences. They're everywhere. Well, some of them are much more obvious than others. Extremely obvious.
But how do you get past all of that gauntlet? When someone's just trying to live their life and be interested in the sport of hacking. Then oh, maybe I should help. I want to do the good thing. How does that work?
Alex Romero
I think the government has become, not speaking for the whole government. I think overall folks have become more aware…
Robert Hansen
No, you speak for the whole government.
Alex Romero
There goes my job. No. I can speak for myself. My concern is I think there's become a growing awareness around just getting more talent in. We need help in government. We need really talented folks to come in and help us out. We need a participatory government. Government was never supposed to be just an us versus them thing. It's supposed to represent the people.
If you don't have a government that represents the people, that's a problem. Bringing in people to help their government out, I think is critical. If they're having interactions with other folks at these conferences, that's fine. As long as they're open about it. As long as they're willing to…
Robert Hansen
If I walked in and said something to the effect, and this is basically 100% true. I might get the number slightly wrong. Somewhere between 11 and 13 different foreign governments have approached me to go work for them. Where do you go? Yeah, cool. You're welcome in. Or would that just be like, this is too much of a liability?
Alex Romero
I'm not a security officer that would handle that. I think you would have a very deep conversation with your security officer. They would do the background check. They would come up with the decision. As long as you were open about everything that you had, and all your interactions, I think they would come up with a decision around that. But I don't think that will necessarily preclude you.
Robert Hansen
That's the problem with these conferences. You're just surrounded. The community in general. You're surrounded.
Alex Romero
I think the government is here now also. Think about that. In the past, they weren't here going back a decade.
Robert Hansen
Yes, it's true. Now they've got some context for it.
Alex Romero
In fact, they're actually participating in these things more than they would have in the past because they recognize they have to be part of this conversation. They have to be where the talent is. Like I was saying, they want to have the folks that are in this community in government as well.
Robert Hansen
One of the biggest detractors I've heard from everybody who's interested in this space is the money issue. It's significantly less money in government than it is in private industry. How does the military go about addressing these hiring issues, and the government in general? Is it just true believers who just want to do the right thing and don't care if they're just getting by?
Alex Romero
It’s also an incredibly impactful mission. You don't get to see the things.
Robert Hansen
I’m not denying that.
Alex Romero
It is the mission. It’s the mission.
Robert Hansen
Can you give us an example of something, a success story? Maybe even half made up so we can get some context of what you mean.
Alex Romero
I'm trying to think of a good one. I mean, things that happen on a daily basis that could potentially affect the security of the country. Thinking of a public one, think of GPS. Just think of that for a second. The Air Force and Space Force, I guess, helped to run GPS. Think for a second if GPS were to go down.
Robert Hansen
Guardians of the Galaxy as they're otherwise known.
Alex Romero
They have an incredibly important job. For just a moment, think about if GPS were to go down. Or had gone down anytime in the past 10, 20 years. None of the apps that we use would work correctly. Entire portions of our economy would go offline. Timing for banks. Timing for Uber.
All of these things would just stop working. There are missions like that, that actually impact all of us. That are critically important to be able to even have a say or be able to be a part of those groups.
Robert Hansen
What about the split position thing that you have? A common path? Or is that an acceptable path?
Alex Romero
Fairly uncommon, I'd say. I got pretty honored to be able to do that. Because on both sides, there's no conflict of interest. I had to check with lawyers on both sides to make sure that I'm…
Robert Hansen
Got to love the lawyers.
Alex Romero
I have to love my lawyers. Yes, they make it possible for me to do what I do. I'm in a fairly unique position where I'm allowed to continue some of the work that I was doing. But it's not super common where you can do some work on the government side, and then continue other separate work. I don't know if I can continue doing that forever.
I'm very much mission focused. I want to continue giving back. In fact, I probably won't continue on the industry side forever. I'm doing this as a short foray just to learn again how manufacturing works in a very specific area. Because I was truly interested to see how you could melt sand into trust, like I was saying previously.
Robert Hansen
You think you're going to just go back full time. What's next for you? What do you think?
Alex Romero
I'm purely driven by curiosity. Like you said, in government you don't get paid a whole lot. You get paid maybe half to a third of what you'd make outside of government. Depends on what the job is. But for me, I think I was telling you early on. That family of immigrants wanting to give back.
It's been more about that for me. As long as I can feed my family and live somewhat comfortably. It's more about that. Because if I don't have a place to spend the dollars that I'm making, I don't think it really matters much more than that.
Robert Hansen
How does someone get into the military or the government? Someone hears this podcast. They're like, “Yeah. Bad pay and bad furniture. I’m in.”
Alex Romero
Sounds like a horrible deal. I’m in. Squeaky furniture. Bad lighting. Horrible pay. I'm in. But for the right reasons and for the right mission. For incredible mission. You can contact me. If it's military, you can sure find a recruiter somewhere that's happy to talk to you. Yeah, I think there's many different ways.
Robert Hansen
But they could talk to a recruiter and then end up doing something completely random.
Alex Romero
That's true. USAJobs is a good place to start looking. There are other programs. One that I actually believe in a lot is called the Tech Talent Project. They actually take folks from industry. techtalentproject.org I think. They're like matchmakers. They pair them up with government organizations that are looking for very specific talent in specific areas.
Cybersecurity folks, developers, other tech folks, and then they interview these folks that are looking for these jobs. They really find out what it is that you really want. Are you looking for a mission? Is it a mission in a specific area? Are you looking for the DOD, Department of Energy? What is it that you're looking for? They're matchmakers essentially. That's a great one.
Robert Hansen
That seems like how it should have always been. It's amazing that's a new-ish thing, it sounds like.
Alex Romero
It is. There's another one called the US Digital Corps. It's outside of the US Digital Service. It takes folks outside of college. They're just getting out of school. They don't really have the experience yet. But they want to volunteer their time. They can participate in this thing. I think they have some training. They've actually got some new funding.
The Office of the Federal CIO. They actually just brought in a whole bunch of them to come help out and spread them out across government to give them some interesting challenges. There is US Digital Service like I mentioned. There's 18F at GSA where they do a lot of this work as well. There's lots of great civic tech organizations that exist. Both in state governments as well.
I was working with some folks in Colorado Digital Service. Great folks there. This idea of spreading civic tech. We're living our lives in a more connected way. I think society is waking up to the fact that there was a time where we could ignore how connected we are.
Robert Hansen
UST to me seems like a little bit of a beacon of hope for how this could work in the future. Everyone has their 9-to-5. We'll just cut it back. You only work there four days a week. The rest of the time you work this other thing. You're cross-pollinating what you can afford. I'm willing to take a little bit of a hit to do this for the mission.
I sincerely think I can help here and here and here. I want to do it. But I can't do this full time. I've got a family. I've got bills and responsibilities, and also an existing contract or shares in this company. I can't just leave. But I want to do something.
Alex Romero
Another colleague of mine at the Aspen Institute, Raylene Yung, she's now at GSA. But she started this thing called the US Digital Response during COVID. It was specifically to help state governments solve problems like trying to just cut checks. They were running on old COBOL and FORTRAN systems. They had to find developers. They didn't have folks anymore. These systems were going offline. They couldn't cut checks to people to keep them going as COVID was kicking off.
Basically, this whole idea is, can we have a corps of volunteers that, exactly like you're saying, can just jump in? Do you have a couple of hours? Are you retired and you happen to know this really ancient programming language?
Robert Hansen
When it gets to Perl, that's the old one, you know who to call.
Alex Romero
You call this guy. That's right. Maybe when you're in your 80s.
Robert Hansen
There is a Perl bug that's very ancient. We'll see if it comes around. I think 2036 is when it's supposed to hit.
Alex Romero
The turnover time.
Robert Hansen
Yeah. Onto a personal note. I asked a couple people, “What would you ask a guy like you in this position?” One of the best questions I got was, how do you balance all of this craziness? This is a pretty dangerous job in multiple ways. With your life. With your family.
How do you manage expectations? Did you have any special training you put your family through? Or help them think about it or deal with it mentally? Or they've just grown up alongside you and they know it as well as you do?
Alex Romero
Yeah. Well, that's a good question. I've tried to at least make my wife aware of the dangers of just the world in general. Not even just this field per se. But I also try to keep a low profile where I can. This is not helping.
Robert Hansen
This isn't helping at all. We'll blur you out and your voice.
Alex Romero
Talking head. Just paste your head onto my head. Just use some AI to do that. Generally just staying aware of the threats that are out there.
I always have a saying that I would say when I was running these things. Never poke the bear. Never intentionally go against the community in a way that is hurtful or doesn't actually help enhance the community in some way. The security research community. I still live to that. At the end of the day, we still live in a pretty crazy world. You can't control all the factors. But yeah, I try to just be prepared.
Robert Hansen
Can you comment on how she thinks about it? I mean, is she just as much a patriot as you are? Let's do it. Or is she reserved? What the hell are you doing? Is this never going to end?
Alex Romero
She understands I think. It's funny. She first got to know me, my wife, when I was in the Marines. I think she liked the whole uniform. I look a lot better in the Marine Corps uniform. The dress blues. It was working a lot more back then. That's right. I think she understood even back then I was doing things for the reasons of Mission and Service. Even back then.
It's really hard. I think most Marines even, if you talk to them, they still have that as part of them. It's knit in most Marines. You can't just separate the mission from the Marine. I think she knew what to expect with me. I've done things in our home, they wouldn't come on here, but I think they prepare us for certain things.
Alex Romero
Absolutely zombies. If you are ready for zombies, you are ready for anything. The CDC, I think if you remember back in the day, they actually had a website to prepare for zombies. One of my friends actually helped to run that campaign back in the day. It was great. Because it was, well, although they were doing this tongue in cheek, it prepares you for a whole lot of things.
Have three days of food. Have some water. Maybe some other things. Actually, had you listened to that advice, which was way before COVID, you'd have been prepared for COVID.
Robert Hansen
You wouldn’t have been prepared to stay home for a year and a half though.
Alex Romero
Yeah, maybe not.
Robert Hansen
Did it say download Zoom?
Alex Romero
It was before Netflix. It was off of DVD. True. Zoom was the thing.
Robert Hansen
All right. Well, I figured out what you're going to say. Your previous child was the Hack the Pentagon baby. Yeah. This one's the RSnake show baby. Clearly. Give that some thought. How do people find you?
Alex Romero
How do people find me? They don't.
Robert Hansen
They come to your house?
Alex Romero
It’s blurred out. Good luck. You can find me online. In the hacker community, I go by the name RoRo. They used to call me Romeo in the Marines and I didn't really like that. I thought that was not with the times.
Robert Hansen
You don’t pick your own call sign?
Alex Romero
Not usually. No. But then people also start calling me RoRo. In Action Marines that means roll on, roll off. These big ships that carry lots of stuff. In the Marines I would carry really big guns. Eventually, it was not really good on my body either. I cracked my fifth metatarsal, my foot and my knee.
Anyway, RoRo. Roll on, roll off. A big guy carrying lots of big things. RoRoRah, for Oorah in the Marines is my handle. RoRoRah is my Twitter handle. I’m not trying to promote that. I don't really post stuff there. I just generally like stuff every now and then.
Robert Hansen
But if someone wants to get in touch with you.
Alex Romero
If you want to contact me, that's fine. LinkedIn. I exist there as well. I generally don't post stuff for the reasons that I was talking about with social media. I don't really want them to know how my brain thinks too much. But I'll email people. I'll message them directly on Signal. I like more of a personal touch. I reach out to people directly if they are in my trusted circle.
Robert Hansen
No megaphones. Got you. Alex, thank you for coming on the show. I really appreciate it. I know we danced around some topics but I think you did great. I really appreciate it.
Alex Romero
Thank you very much.
Robert Hansen
Thank you.
Alex Romero
COVID times. What do you do? Fist bump into a handshake.
Robert Hansen
We're done.