
HITMEN, INDUSTRIAL ESPIONAGE & HACKING

June 5, 2022

S02 - E03

RSnake sat down with Karim Hijazi: a serial entrepreneur, and a professional photographer by training, but most relevant to today's show he's also a security expert. RSnake and Karim dive into his background in industrial espionage, explore the world of malware, and land on a lot of the biggest issues with keeping people and companies safe online. If you're not familiar with this world, it may feel a bit alien but this is a great example of the kinds of conversation RSnake has wanted to make public since the podcast's inception. Errata: We were referring to Hector Xavier Monsegur in the section on LulzSec.

GUEST(S): 

Karim Hijazi

VIDEO TRANSCRIPT

Robert Hansen

Today's episode is with Karim Hijazi. Karim is a serial entrepreneur, a professional photographer by training. But most relevant to today's show, he's also a fellow security expert. We dive into his background in industrial espionage, explore the world of malware and land on a lot of the biggest issues with keeping people and companies safe online.


If you're not familiar with this world, it may feel a bit alien. But this is a great example of the kinds of conversation I've wanted to make public since this podcast’s inception. Without further delay, here's my conversation with Karim Hijazi.


Hello, and welcome to The RSnake Show. Today I have with me, Karim Hijazi. How are you, sir?


Karim Hijazi

I’m great, actually. Good to see you.


Robert Hansen

You, too. How was the drive? Everything okay?


Karim Hijazi

Good. All good. Beautiful weather. Nice Texas heat.


Robert Hansen

Yeah. Geez. You came up from Houston, is that right?


Karim Hijazi

Yeah, it’s a little hotter.


Robert Hansen

Is it?


Karim Hijazi

Yeah, I think it was 90-something. Chose to live that way.


Robert Hansen

Yeah. About the same, I guess. Close. You have the distinction of being my very first security guest.


Karim Hijazi

Oh, I had no idea. Well, thank you.


Robert Hansen

Yeah. Everybody else is tangentially around it maybe but not doing anything close to what you and I do for a living.


Karim Hijazi

Very cool. Thank you. Honored.


Robert Hansen

I think one of the interesting things about the security industry, for those who don't live in this world, it's very different. It's like being in a band. Just because you played a guitar doesn't mean you know anything about drums. You know what I mean?


Karim Hijazi

Well said.


Robert Hansen

It really does take a lot of different disciplines. For the audience, my background would be web application, browser, some network stuff. You are more in the malware and DFIR space, right?


Karim Hijazi

Right. Absolutely. Adversarial pursuits, threat actor, threat intel.


Robert Hansen

Right. Tell me a little bit about how you got started. I think it'd be useful for the audience to know a little bit about your background. How do you decide to get into this industry? How do you get to be where you are?


Karim Hijazi

Absolutely. Like most, I had no idea or intention to get here. I think we both know how that goes.


Robert Hansen

That's about half, half fall into it. The other half is like, “This is cool. I'm going to do this.”


Karim Hijazi

Right. Exactly. A lot of where I came from was fundamentally around, believe it or not, competitive intelligence. In the late ‘90s, I had a consultancy. There's a whole story of how I got there. But I think for the purpose of this story, we'll start there because the David Copperfield “I was born” and all that is a little bit too hard, too much to go into.


The competitive intelligence base was really interesting because that was really around getting information on behalf of a customer. So it really was more on the dark side of things. Now, mind you, in the late ‘90s when I was involved in that, this was less computer-oriented. It was much more social engineering.


Robert Hansen

We are going to have to go slow for the audience. They may not know these words. I just realized we didn't explain what DFIR is, and they're probably not going to know what social engineering is. So let’s try that.


Karim Hijazi

Yeah. At least with social engineering, as it may sound, it's the ability to convince people methodically through a series of trust exercises effectively to get them to believe you. It's what intelligence agencies do to build assets, you may hear those terms.


Robert Hansen

Professional lying.


Karim Hijazi

Professional lying. There we go. Let’s get right to it. When you get very good at that, you can elicit an immense amount of information. And a lot of it is pivoting on human conditions like ego and getting people to talk about themselves and sharing a lot of information, just like I'm doing right now.


Robert Hansen

Shame is another big one.


Karim Hijazi

Literally, what RSnake is doing to me right now. I’m sharing all these details of myself. But basically, that's what that is. And shaming is a good one. The whole plan there was to essentially collect information, collate it, index it, organize it, and then deliver that to the client so they can make a really powerful decision for profit really.


Robert Hansen

Then you decided that from there, “This is cool. I'm going to start doing this.”


Karim Hijazi

Yeah. Oh, it’s a dream. I fell into a project that led me down my first operation that allowed me to get a hold of a bid for a large project for a client against their competitor, allow them to win a deal. And I was hooked. I was in heaven.


I didn't know necessarily how I was going to beat that. I knew that the process was very unique and specialized and took a lot of thinking and ingenuity. I'm sure you would agree, many of us find a natural proclivity to be able to do these kinds of things. And I just went with it.


Robert Hansen

I don't think a lot of people are going to really understand what that means. Can you spend a little bit more time on that? What do you think it takes to do what you do that most people either just don't have or don't know that they have?


Karim Hijazi

Absolutely. What I thought I was going to be when I was very young was much more of an artistic, some sort of creative. I did pursue that angle. Professionally, I have a degree in photography, out of all things. No one would ever guess that now. I have followed up on it now.


Many years later, I’ve bought a cool camera. And I've been taking cool pictures. Ultimately, that creativity is what's made me really good at this job, unbelievably. But it all came very naturally to me because I think very much like what an adversary might think like. I'm fast forwarding dramatically to where I landed now.


In the early days, it was very natural for me to think about all the ways that things could be thwarted or circumvented. And I'm not talking about just on a computer front. In fact, you're far more of that type of individual than I am, in my knowledge.


The human condition and the fact that there's always chinks in the armor or kinks in the armor, depending how you pronounce it, allows you to get into these things. I was in the Middle East when I was doing this. I was in places like Dubai. I was in Europe.


Laws were not there for this kind of thing. You could go around, and you could ask people information very fluidly. And you could then leverage it. It was just an exciting thing for me. So I had a natural ability to pivot from one thing to another very quickly and say, “Well, that worked. Let's try this.” And that worked, “Let's add to this.”


It kept building and building and building. Eventually, I was able to formulate a fairly cohesive system that I could then get other people to help me with. And I built a small team. The initial team that I had was probably about four to five people that all had a unique skill set in the process.


Ultimately, I enjoyed that. Team building is another part of this that I found interesting and inspiring people to run down a path and collectively pursue an angle. All those heist movies and crews going together to get something are what I think motivated me in a big way.


Robert Hansen

It's a lot like magic, the actual magician type magic. There's the pledge like, “Oh, I'm here to do this thing.” Then there's the turn where you have this, “Oh, this little sleight of hand thing happened.” And then the prestige where you've just stolen all of this information in the exact same way, where if you know enough of these tricks, it really starts feeling like magic like, “How is this happening? How is this person just totally destroying our company?”


Karim Hijazi

Yeah. That's exactly what it was for a lot of the folks that, unfortunately, were victims of our efforts back in the good old days of competitive intelligence work because they had no idea how it could have possibly gone from a closely guarded secret to ultimately being in the hands of the competitor.


Little did they know over the course of multiple weeks and through various interactions with different people and the process that I put in place where one person would gather enough information to share with another person that would then use that information to get even more information that would then be leveraged to even a third, those things become very hard to track pattern. You know this very well, from an electronic standpoint.


Robert Hansen

Yeah, absolutely. In my world, it’s pivoting. You take this little piece of data or this little access point, and then you start just going around the edges. It's like, “Oh, well, I have access to this thing now. Because I've accessed that, I have this access to this other thing.” It just keeps growing and growing and getting worse and worse.


On the human side, it's almost worse because there's the, what logs?


Karim Hijazi

100%. It's all ephemeral. It’s gone once it comes out of a bar or someone's been drinking too much or been coerced into drinking too much.


Robert Hansen

I remember reading somewhere about the CIA, this is obviously 20-30 years ago, but they said that every single beer was worth one supercomputer. In terms of their computational power and being able to break into stuff, it turns out the NSA’s budget could just buy someone some beers at the CIA.


Karim Hijazi

Yeah, it’s scarily similar today. Ultimately, humans are still the most hackable thing that we have to work with.


Robert Hansen

Everything's pretty hackable too, on top of that. But yes. We'll agree to disagree a little bit on that one.


Karim Hijazi

Yeah. I agree, in part. Good point.


Robert Hansen

Why don't you tell us a little bit about your run-ins with Anonymous. I think it’s particularly interesting for all kinds of reasons. Partly because I don't think people really understand what they are. And I would like to get your take on that.


Also, I don't think they realize how they actually impact our world. They think about them impacting companies and governments, but they don't really think about how we interact with them.


Karim Hijazi

Yeah, it's a great question. It deserves a little bit of a segue from where I left off where competitive intelligence was obviously, in most people's worlds today, nowhere near cybersecurity or intelligence or anything along those lines. But I made the transition. We can certainly talk about it, if it's of interest. I literally shifted from being essentially the spy to being a spy hunter on purpose.


I went and said, “Hey. You have to believe, Mr. client, that there's another Karim and team on the other side trying to get your information just like I've gotten the information on your behalf from your competitor. How about I tell you what I would do to get it from you? That way I can help you essentially build the countermeasures, the means to protect yourself from people like me.”


They agreed. It was unbelievable. They were like, “Yeah, that's a really good point.” We thought about it. But they were like, “You're probably the best person for us to ask how this might happen to us. If you were to come at us, what would you do?”


That led me down a really interesting path, ultimately, into cybersecurity and fast forwarding, into the 2011 timeframe. I'm now at the helm of a company that has devised a way to collect information from companies that have already been infected by malware.


What that allowed me to do was share that information back to these organizations, unbeknownst to them that they were hacked. And then they could take action on it and clean up.


Now, the part of this apparatus or this piece of the puzzle that we were going after was called a command and control. And I'm sure the listeners maybe have heard of denial-of-service attacks.


Robert Hansen

For those who don't know, why don’t you just do a quick primer on command and control and denial-of-service?


Karim Hijazi

Absolutely. They are just very relevant to the Anonymous piece, which is interesting. Command and control is literally what sounds like a military term for where it's an operator or someone that gives commands to an army of, originally, people. But now machines that are infected with some sort of virus, those machines are now zombified and effectively under the control of these command and control servers.


If you get that, that's a one to many attack from a good guy side. Because if you get control of the general leading the army, you now effectively have control of the army, which is fascinating.


Denial-of-service is very much getting control of many of these computers. This is what adversaries like to do to be able to shut down systems of interest that they want to go after. And they essentially inundate the machines with a bunch of requests to where the machine simply can't respond.


It's essentially me calling RSnake’s cellphone incessantly from many numbers all at once to where he just eventually turns the phone off.


Robert Hansen

That's distributed denial-of-service.


Karim Hijazi

Thank you. DDoS. Well said.


Robert Hansen

I think these are names that people might have heard but don't quite understand.


Karim Hijazi

Yeah. It doesn't resonate clearly. You bring up a good distinction because what we were interested in were the distributed ones, which were ones where machines or computers all over the world were all being leveraged and pointed, if you will, training their crosshairs onto a single environment of some kind.


That distribution makes it very hard to manage. That’s something that really is still a challenge today, in many cases, because you don't know whether the incoming call is legitimate or malicious. And so they essentially have to shut everything down, which then shuts out good guy requests. It's a massive impact on the business.


Anonymous, guys wearing the Guy Fawkes masks. I think that's what people know them as from the media. Hacker collective. I'm venturing to guess that we're careful, I'm careful about using that term. Because not everyone is part of this group or would consider definitive hackers.


There's certainly some talented folks in the mix. I think there's a lot of what we'll call script kiddies, people that are a little bit more like wannabes that want to be part of something. Then there are people that have no idea what they're doing, and they're downloading kits and watching YouTube to do things. And they consider themselves part of this.


This non-cohesive group that doesn't seem to have a proverbial leader and it has some, I guess, base tenets and I suppose some ethic and code is what they are. Now, I certainly know a lot of folks at Anonymous. And I agree with some of their methodology because they're very definitive in their pursuits. They're all for things like pursuing pedophilia, and I think that's wonderful.


Now, I'm not a big advocate of vigilantism. But I do think there's value in being able to disclose and unearth some of what's going on to then have more of an authority pursue it.


Then there are the more weaponized contingents of these groups that get a little bit blood drunk, in my opinion, with the power that they maybe feel like they have; LulzSec which was that subset, splinter cell, however you want to term it. That's who I ended up tangling with in 2011.


Robert Hansen

Ditto.


Karim Hijazi

Yes, exactly. Which I didn't know, actually, until one of your other podcasts.


Robert Hansen

I know. There's a couple of stories I have been careful not to telegraph too much over the years. I'm getting in that place now where enough time has elapsed. Things have calmed down. A lot of people have been arrested so it's like, “What are they going to care now? So much time has elapsed.”


LulzSec, for those who don’t know, were specifically targeting security people. Almost entirely. They were also trying to take down the FBI and CIA and that kind of stuff. Pretty silly. They actually did launch a denial-of-service attack against the FBI at one point, if I remember.


Karim Hijazi

They did. Yes.


Robert Hansen

Yeah, unwise.


Karim Hijazi

Yeah, not very bright.


Robert Hansen

Eventually, they compromised Stratfor, which is how our worlds collided on that side of the fence. Although, we didn't know it at the time.


Karim Hijazi

No, I had no idea.


Robert Hansen

Then the main guy, Hector, I forget his last name.


Karim Hijazi

His handle was Sabu.


Robert Hansen

Yeah, Sabu. I forgot his last name, Hector something. Someone can put it in the comments. Sabu got flipped by the FBI, caught and flipped. And so he was telling people what to go do, which sounds a little like entrapment. But I don't know, maybe not. And he effectively, more or less, got his entire crew busted. How did you get involved in all of that?


Karim Hijazi

Three or four months before, it was Super Bowl Sunday of 2011. I'll never forget, my phone exploded. I'm not a massive football fan, but I was sitting with my wife watching. My phone exploded. About four different people in the community were hitting me up going, “Did you see what happened? What's going on?”


It turned out that was when HBGary was hit. I think we all remember that pretty clearly. Poor Greg. Greg Hoglund, a friend of ours, I think, obviously, who we both know very well. I remember watching this going, “Oh, that's awful. That'd be horrible if it happened to me.” I remember saying those words out loud to my wife.


We lamented, and I think I called him with some support as best I could and then moved on. Then lo and behold, May hits. In May, our business was doing what it does best, which was looking for these command and control environments and pursuing them.


We did it indiscriminately. We weren't overly focused back then. Today, for example, and we'll get to this, I have a litany of targets in the morning. We pick the ones we go for by the afternoon, and off we go. Then, it was first come first serve. It was like whatever we could get on the menu that day we'd go after.


To the best of our knowledge, even today, all these years later, what we figured out happened was that we took down a command and control environment that happened to be the single command and control for a denial-of-service attack on Sony run by this LulzSec group that was running that up.


Essentially, we took down the threat against Sony temporarily. They did get up and running again through a variety of methods but then went looking for blood to figure out who actually thwarted their plan and found us. Now, the way they found us was pretty clever.


They did some reverse lookups on some DNS and some of the things that I don't want to bore people with on this podcast. But when they figured out who owned the company that did this, they found my company. And this is the worst part of it.


They went and did indeed hack into Atlanta's InfraGard to get my information there. They specifically went in to go dig me out of that for some reason.


Robert Hansen

So basically, they hacked the FBI-


Karim Hijazi

To get to me. Unbelievable.


Robert Hansen

It’s dedication right there.


Karim Hijazi

It wasn’t dedication. Admittedly, they were able to get into an email account that I had had that was a private email account. Grabbed a couple emails, things like where I get pizza and really horrible stuff and threatened me with it.


I knew exactly what they had gotten into. Well, I'll fast forward to how I learned about this. This all happens. I didn't know that they were going through these iterations of hacking into InfraGard at Atlanta to find me. No clue.


I’d just had a child. I'm up at night late with the little one, my wife. And all of a sudden, one night, my email starts to ding, ding, ding, ding, how we get emails through the night. But not in an assessment fashion. It turned out one of the emails had one of my passwords in the subject line.


You know some of the cardinal rules we all live by in this business. It's like, “They're jokes, there's pranks.” I'll tell you what, you and I are really good friends. But I'd be mad at you if you put my password in the subject line now.


Robert Hansen

“All right, I’ll stop that email from going out.”


Karim Hijazi

Yeah, I tore that off. It was interesting because it said, “We should talk.” The body of the email. And I thought, “Okay.” I went through my head a litany of people that I knew could do it. But they wouldn't have. And so I replied and said, “What do you want to talk about?”


Then they came back, and they didn’t identify themselves. This was simply very vague and whatnot and asked me to jump on an encrypted chat. I think it was like Lemon chat or some obnoxious little thing back in the good old days.


They started threatening that they had gotten into an email account, they had a bunch of information they were going to dox me with that they claimed would infiltrate all of-


Robert Hansen

Dox being?


Karim Hijazi

Sorry. Sharing information that is effectively private out to the world with the intention to embarrass, reputationally impact, blah, blah, blah. They claimed they had gotten into our company's infrastructure. What was fascinating about their issue with us, and this is where the story tends to shift from the usual story of their extortion tactics, is they wanted access to our database.


They wanted to see what command and controls we had taken over so they could then have them force multiply their capabilities. And I'm like, “Nope, you're not getting that.”


Robert Hansen

It's clever. It’s a good try.


Karim Hijazi

It was a good try. And then they said, “Well, if you call the FBI, we're going to dox you.” So I promptly call the FBI and everyone else I could probably get my hands on. We had a litany of people in the house, sitting and listening.


Then they said, “Look, I need you to continue the conversation and see if you can help extract some information.” So they basically said, “Look, keep going with this. Keep it going. You're the only one right now that's ever been able to have somewhat of a dialogue with these people before.” And not even dialogue, frankly, everything's usually a monologue through Twitter that they would use. They’d use it as threats.


I'll tell you what, if nothing else, they were phenomenal Twitter jockeys. They were really good at stoking the fires and getting people excited about everything. It was soap opera for most people watching this.


We did end up locating Hector in New York through a variety of channels and passed some of that information on, which then apparently got utilized to flip him.


Robert Hansen

Yes, apparently.


Karim Hijazi

It was amazing because I was petrified as any company owner would be, especially for being an intelligence and security company, to have any kind of smudge of a reputation. But unbelievably, what it actually did do was I had a media strategist that was incredibly helpful.


He said, “Look, big guys like Sony and others and PBS and CIA are not going to respond. They're not going to go on the news and talk about it. They're going to let these guys yammer on and ignore it. It's policy. You're too small to do that. You've got to talk about this. You can't not talk about it. You're too small, and they're trying to smudge your reputation.”


I actually did go on the news about it, and I was pretty aggressive about it. I'm like, “Yeah, they tried to do this. They're not particularly very skilled. It's like a baby with a gun. It's unfortunate, but it is where it is.”


Ultimately, it drew a hell of a lot of interest into the little company that I had that eventually resulted in the exit that we had later on. So unbelievably, a really horrible event resulted in a very good thing for me.


Robert Hansen

Very mixed blessing.


Karim Hijazi

Very mixed blessing and nothing I could have predicted.


Robert Hansen

No. Or could you have?


Karim Hijazi

No. These days perhaps. I’m wiser and smarter now.


Robert Hansen

This is 3D chess here. I think that people have a very strange opinion of what hackers look like, how they act, the kinds of things they do. I'm always surprised when I see yet another Hollywood movie. I'm like, “What are they doing?” I know people who look and act like that, and they don't know anything at all.


One of my favorite stories, did you ever read the story of the guy who wrote TrueCrypt? Does this ring a bell?


Karim Hijazi

It rings a bell. I didn't read it.


Robert Hansen

Okay, this is a very interesting story. For those who are not aware, TrueCrypt is a type of encryption software you can install on your computer. It's heavily used by the security industry or was at the time.


It basically allows you to have something called plausible deniability encryption, which basically says, I have the nuclear codes and someone comes and starts beating me up and says, “Give me the codes. I want the codes.” You're like, “Okay, here's my password.”


When they go and type in the password, it's your tax return. They are like, “No, no, no. Not that password.” And they start beating you up. It’s like, “Oh, now it's my porn collection.” “No, no, no. Not that password.”


It just keeps getting more and more levels, but you never give them the real password. Eventually, it's plausible. It's like, “Well, I could see why they wouldn't want us to have his naked photos or whatever. I could see why they wouldn't want us to know about the mistress or whatever.” Some real shame.


Anyway, the software existed for years and years. And everyone was using it blindly. No one knew who wrote it. It was just out there. It was heavily used.


Karim Hijazi

Very Satoshi Nakamoto.


Robert Hansen

Yes. Right. One day someone asked a question, “What is this? Where did this software come from? We all use it. Has anyone ever audited this thing?” Everyone went, “Oh, I guess we haven't. We probably should do that.”


Someone did an audit on it, and it turns out there was a couple of semi-minor vulnerabilities. Nothing really bad. You had to be a user on the box to exploit it. Nothing really bad.


Yet, everyone went, “Okay, it's time to update the software. We all use it. We should all have a better version of it.” So they came up with a better version called VeraCrypt. And they went along.


It died down again. No one went back and go, “What's going on with this software? Where's the origins of it?” Well, it turns out some investigative journalists slash a whole bunch of security people started researching what happened.


It turns out there's this guy, his name was Paul Calder Le Roux. Le Roux was this security guy, just like you and I, going through life. And he wrote some little piece of software. I think it's called like EA or something, whatever it is, that was eventually bought by a company or part of it was bought by the company. And he was brought on to go work with them.


Turns out he was basically stealing information he was learning on the job and putting it back into this software. And so eventually, they came down with a lawsuit. They were going to go sue the guy, and he fled. He's like, “I don't want to deal with it.” He just leaves.


He didn't stop building the software. He just, more or less, renamed it and put a different skin on it and turned it into something called TrueCrypt. Now, you're like, “Why does this matter? Why does this guy do this?” It turns out this guy ends up becoming one of the largest drug and arms dealers in the world.


He's arming every single nation state who's trying to overthrow their dictators or drug cartels or whatever. And he has multiple assassinations under his belt. He's no-nonsense, a very interesting character. On top of the fact that, he's a security guy. So he takes all these normal precautions that you would expect.


One of the reasons why the software is so important to a guy like him and why he doesn't care about owning it, he's fine with VeraCrypt taking over, who cares? He really just wants his stuff to be secure. So if someone ever comes in and starts pounding on him with a hammer, he's got multiple layers of defensibility.


To me, although that is an extreme example, this is exactly the kind of person I would expect to see at a security conference.


Karim Hijazi

No doubt.


Robert Hansen

Exactly. Maybe not exactly a cartel member or maybe not a spook or maybe not whatever but so closely related to those things, you would not be able to tell the difference. In Le Roux’s case, he ended up working with the government and eventually then busted.


Now he's in jail and probably will stay there for the rest of his life bouncing between countries and extraditions and all that stuff. I'm sure he will spend the rest of his life in jail.


When I go to a security conference, I look around. And I start really probing into why people are there, what's going on in the hood, it's quite often something two or three levels deep. What's your experience about all that?


Karim Hijazi

No, I couldn't agree more. It's a great story. The archetype, what you started this conversation with, I think is so important. Because I still look around the room at the security conferences or frankly, like you said, film or TV shows. And I'm like, “Is that still what I think people think this is all about?”


It's changed so tremendously from the days of someone that looks like this deviant or a little pimply-faced six-year-old that likes to play on his computer in his grandma's basement.


Robert Hansen

They exist.


Karim Hijazi

They do.


Robert Hansen

Those people do exist.


Karim Hijazi

They do all the piercings and blah, blah, blah. But you know what, the funny part about this is that the thread of the story that's super important is that there's profiteering there. And that's what we're dealing with in today's world in a very mainstream way. The amount of money being made now is unbelievable with this.


I think that, fundamentally, when I look around the room now, I'm looking at these people going, “Okay, motivations. Follow the money with these things, and you're going to find some extremely interesting motivations.”


We all know the world moves in such a way where now everything is memorialized effectively in some sort of digitized fashion. And if you have the wherewithal or you can hire the wherewithal and commission it to do something at your bidding, you're going to win big.


Robert Hansen

I remember a conversation I had with one guy in a conference, and he didn't trust me at all. Not even a little bit. I asked him, “How many people are working with you in your company?” “Oh, it's just me. I’m just a consultant.” A whole year goes by. Now this time, he's very drunk. I ask him the exact same question and almost in the exact same location, even.


I'm like, “How many people do you have working for you?” He's like, “Oh, I've got about 100 people. They're all consultants. They don't know what each other do. They are all in one tiny, little, compartmentalized thing. They don't really know who they're working for, what they're doing. And then I just have one or two guys who put it all together for me. I don't do anything. I just hand out checks, tell them what I want to do, and they do everything that I want.”


I think a lot of people don't even realize that they're part of the cog. They're part of this thing that's happening. They’re like, “I'm just developing this little robot that goes off and makes a request to these types of websites” They don't realize that you start adding A plus B and all of a sudden, that's a weapon.


Karim Hijazi

That's right. It takes those people that can see the forest through the trees. Usually, and at least in my experience, they're not necessarily very technical people.


Robert Hansen

No, he wasn't.


Karim Hijazi

You talked about the stuff we were referring to before. We didn't use the word botnet, but that actually is the mixture of the command and control and the zombie machines that we were referring to earlier. The botnets, well, even better, the virus or malware, I'm using virus safely here to get everyone aware. Everyone was anti-virus.


Malware is the next iteration or evolution of things like viruses. But effectively, the authors of some of these tools are not the perpetrators many times. They're just building it and saying, “Well, highest bidder, can someone buy this and use this?” It's the weapon maker, and then there's the person that uses the weapon.


It's a very hot topic with everything, whether it's physical or digital or cyber. What I find fascinating is that many of the folks that seem to have the grand plan and the real business scheme around it don't know the first thing about how this stuff works, but they're phenomenal leveraging it.


Robert Hansen

They have enough capital to start doing the thing. Oftentimes, it just takes a little bit of vision. This is why I think what you were saying earlier about you can see what the bad guy is doing, well, the only difference between you and I and as somebody who's doing this professionally on the adversarial side is not technical ability. It's just they decided, “Hey, I can make millions of dollars. Screw it, I'm going to go do that.”


Karim Hijazi

That's exactly it.


Robert Hansen

Maybe they never bothered to figure it out, but it doesn't matter. Once you've made that decision, as long as you have the creativity, you can make it happen.


Karim Hijazi

Interestingly enough, I think we've all been indoctrinated into this idea that a lot of these groups that are doing evil, we'll call it that broadly, are in these places like over the pond and Balkans and Russia, we're talking about a Russian nation state, government hackers or criminal enterprises and all that.


We can't forget that a lot of these folks don't have many options, other than that. There's some extremely poor areas in those regions. These are not the oligarchs doing it. Now, they may be funded by them today. But the point is that they themselves are extremely talented, with very few options other than to do crime.


Robert Hansen

I totally agree with all of that. One of the conversations I had when I was overseas getting courted by a foreign military to go work for them-


Karim Hijazi

As we do this daily.


Robert Hansen

It's happened quite a few times now. It was a conversation about attacking nation states, nation state versus nation state type conversation. It was fairly early in the part of the conversation they were trying to onboard me. But you can gather they're trying to see the conversation, battlefield.


They're like, “Well, what we really want to do is protect ourselves from you.” That made my head explode a little bit. “I'm like, Oh, geez. I never really thought about United States being adversarial to you. I just don't see it that way, personally. But I can see why you'd be very concerned about the NSA or TAO.” Which is the Tailored Access organization.


I think that seeing it from their perspective gave me a lot of perspective. For the very first time, I stopped looking at the world as binary good and bad and more as adversarial. How do you think about it?


Karim Hijazi

Well, it's interesting. When I first heard you say, “We're scared of you,” I internalized that as their fear that someone like RSnake in the wild, unbridled by a US government apparatus, could be far more dangerous than even the government.


What's interesting is that there are even worse repercussions for them when you're a free agent. Not that you don't have a very strict code personally, but they don't know that. You're even more terrifying than the government.


Robert Hansen

Also back then, I don't think it was quite clear to anybody where I was, basically. That was by design. I wanted to make sure that I could float between all the different parts.


Karim Hijazi

Allowed you fluidity.


Robert Hansen

Exactly. But now I'm quite clear about where I stand on all these things. No, they were definitely talking about the United States government. But in context of, “This government worries about RSnake coming and doing something.” Absolutely a valid concern. Absolutely.


I've written tools specifically to target governments where I don't speak the language. Because I know there's certain things I won't be able to do if I can't speak Arabic or whatever. I just won't be able to do it. So I have the right tools that can work around the fact that I don't speak the language.


I never actually got to try that one out. But I think it is interesting to think about free agents, truly free agent. Somebody who is not beholden to any nation state is actually probably the most terrifying of all.


That's where you get somebody who's just off making tens of millions of dollars doing weapons buying and arming whoever, just don't care.


Karim Hijazi

That's right. That's exactly right. To now answer your question a little bit more about what I feel, look, I've lived all over the world. As controversial as this may sound, one man's freedom fighter is another man's terrorist. It's just the reality of the way things are, be it kinetic or cyber.


I think what's fascinating is I'm, speaking for myself here, not blind to the fact that we are probably we being now a US government type of apparatus, which is proclaimed to be the best in the world, which many think it is in many ways what limited its own laws. In many cases, for better or worse.


I'm not really here to argue one way or the other on that. I think we touched in the past conversations about things like corsair and privateer work and whatnot, which is similar to what you talked about with free agents. I think foreign governments have every reason to be concerned because at the end of the day, this is a battlefield that is still fairly free of any kind of Geneva Convention at the moment.


I'm talking about under wraps, where it doesn't get broadcast out into the public domain. So there's a lot of danger for these other countries to consider, even if we don't hear about it or consider it to be a possibility.


Robert Hansen

Sure. A lot of people get roped into it, even if they don't really realize they are part of the machine. You had a company, and you sold it. You moved to Hawaii. And you're like, “This sucks. I want to start another company.” How did all that happen?


Karim Hijazi

That's a good nutshell version of it. I was there, and I sold my company. I moved to Maui and started doing the classic thing where I had a little notepad and a pen. I started to scribble, and then the scribble turned into a sentence. The sentence turned into a paragraph.


Then lo and behold, there was this little MVP of something that I, candidly, never really intended it to turn into another company. These are the best companies. It was an idea that was founded in a problem that I was like, “Is anyone solving this?”


Fundamentally, the problem was supply chain, a word we hear every day all day now. What's funny about that is that this is again, 2017, just to give some context. We're not talking about certain events that have happened since then that would have made everyone think supply chain security would be a good idea.


I really was like, “Well, this is something I've seen consistently. It's something I personally leveraged in the past for successful access. Who's solving this problem? Because it's an incredibly untenable one. You're relying on trust, you're relying on truth.” Meaning, “Hey, RSnake. I'm going to let my kids come over to hang out at your house. Is your alarm system working really well?”


Robert Hansen

Yeah, it's Chinese made. Why do you ask?


Karim Hijazi

Oh. Well, then they're actually not coming over. In other words, companies have to trust each other for their, what we call, operational security. And that's the issue that really exists when it comes to supply chain.


If there is no clear understanding of how that partner is doing, you have no business interacting with them or having any faith that your data is secure, either in their clutches or allowing them to have access into your environment.


I thought, “Okay, this could be really interesting. What if I could help organizations see how their partners were doing without any kind of incursion, without ever any scanning, using a similar methodology that I had with my last company?”


Lo and behold, I built it. And it was startling. The problem that I miscalculated a little bit with all of this was that people were not ready for this.


Robert Hansen

They rarely are.


Karim Hijazi

Never.


Robert Hansen

One of my business partners, Jeremiah, who you know, he's constantly coming up with ideas that are at least a decade too early. And so I feel you. But yet, you decided to do it. You're like, “Okay, this is an idea. I think the timing is right.” Are you okay explaining how it all works?


Karim Hijazi

Absolutely.


Robert Hansen

I think it would be very fascinating for people who have not heard about this.


Karim Hijazi

Happy to do that. It's good because we already gave a little bit of a primer around this with the whole LulzSec, Anonymous mess. In a very similar capacity but a little bit more advanced, a little more clandestine user cohort, we are still able to, actually even more robustly than ever, identify and infiltrate.


As I broadly stated about these hacker networks, we get into them and become part of the fabric of their infrastructure. And they don't know where we are. If they do know or if they think something's wrong, they assume it's a misconfiguration.


The one thing we rely on very interestingly is still greed and laziness. It's wonderful.


Robert Hansen

Laziness is great.


Karim Hijazi

Best thing ever. We're able to lurk and loiter in these environments and essentially watch who they've affected. So we've essentially been able to figure out where the bottlenecks are and the choke points for these communications that come back from the malware they've deployed out into the world. So I think ransomware is a pretty safe bet, people have heard about this by now.


Robert Hansen

Maybe. Worth spending a minute now.


Karim Hijazi

Ransomware, just like it sounds, is software. There's a process to this, but I'm going to just be very concise. Software that's deployed into a company by a threat actor, by whatever method, we don't have to get into that, that eventually finds all the critical machines and computers and backups and servers that exist in these companies that keep them operational. And they encrypt it.


In many cases, they'll steal the information first and use it as an extortive method. Then on top of that, encrypt this and say, “Pay me X amount of money. And I'll give you the key to unlock it.”


Robert Hansen

And if you don't?


Karim Hijazi

If you don't, you'll never get the key. You're going to be hobbled forever. And then even worse, we're going to sell your information on the deep and dark web, another fancy-schmancy term.


These groups spend a lot of time building tools to go and do a lot of reconnaissance. They like to go loiter around and look through these networks and figure out where things are.


They want to find RSnake's computer because they want to get the guy that really needs to be hobbled in the company. Because if you get the janitor, you're not exactly going to hold the company hostage. They take their time to do that. We collect the information about where these things are all around the world.


And what's fascinating about it is because of where we're getting it, that choke point or that sort of central convergence point of where all these communications land, we get to see global levels of compromise. And where we get controversial, which is I know where you want to go with this.


Robert Hansen

Absolutely.


Karim Hijazi

Because we can see it and because we actually are indeed at that endpoint of where all these things call back to, we essentially become the owner of those systems.


Robert Hansen

Okay. So many questions about that specifically.


Karim Hijazi

Yeah, absolutely. I'll pause there. Good stopping point.


Robert Hansen

This is a great place to start really digging in. So first of all, where's the ethics in being part of a crime? I mean, you're not stopping the crime. I mean, you could theoretically inform someone to stop the crime, but you're not doing that.


You're clearly aware of it happening, so how does that, for someone who has no background on this, they might be going, "Wait, wait, wait, wait." How do you justify that? How do you think about that?


Karim Hijazi

That's a very good question. So think of this as long-term covert operatives from, say, the DEA that put agents into cartels. Those agents have to do some pretty heinous things sometimes just to continue to collect the intelligence so they can finally get to the underlying leaders and drug lords and all that.


There's a fair bit of effort to go in and work your way up the chain effectively to get to where something can be curative rather than band-aiding a cancer. So we've had that question every day, all day since we started this company.


Robert Hansen

People do ask the question?


Karim Hijazi

Yeah. “Well, why don't you just take it down while you're in there?” Because we're just taking down a small portion of this thing. We see it actually happen from a law enforcement perspective. Every now and then you'll hear, if you're in the industry. For the most part, I don't think you hear about it mainstream-wise.


Every now and then, something may hit mainstream media that the feds took down this big operation and it's gone. They've managed to go and get US marshals to march into data centers and they pulled these machines out of racks.


It's very, very dramatic and very fireworks. We kind of all sit there and go, "That's good. I wonder where the adversaries already set up somewhere else." Because that's what happens, and then lo and behold, a couple months later they're back up and running.


Probably even more effectively than before, because that telegraphing, really? Think about it from a boxing match. That telegraphing is exactly what makes the bad guys better.


Our ability to loiter and stay in a surreptitious state inside their environment actually instills a level of concern and fear for them because if we can unearth and illuminate their whole operation from the inside at the right time, then we actually are curative and not simply addressing the symptom.


Robert Hansen

I remember once upon a time there was some malware, I think it might have been Code Red or something back in the day. It had infected a lot of machines at that point. It was probably one of the most destructive pieces of code out there. It's either that or SQL Slammer, one of the two, can't remember now.


Karim Hijazi

Both horrible.


Robert Hansen

Both horrible. But anyway, the Senate mail server was compromised and I could see it from where I was located. There were a lot of people like, "Well, we could easily reverse this. Just write a piece of code that goes and infects everybody and patches them."


And my take on it, and I vehemently told them, "Do not do this," is you have to be really clear on what you're doing with this patch if you're going to do this. Really clear, because if you run a patch that accidentally deletes everything, you've just deleted all of the Senate's email, which I have a feeling they'd be a little annoyed with.


Karim Hijazi

It's so funny. I have a parallel story and I wonder if it was the same piece. Well, you said Coreflood and SQL Slammer. This one is Coreflood. And Coreflood had gotten into hospitals and it had infected old Windows machines that were not updated that were running life support systems. And they had done exactly what you said.


They had found a kill switch to have it remove itself and it was actually part of the software that was written by the actual adversary because what they built it for was so they could, when they got the job that they wanted done, they could remove all traces of it.


What was problematic here was that no one reviewed the kill switch code. They just trusted the adversary wrote it well. Not a good idea because what it did was it removed the network stack of the machine that it was on and took the machine offline entirely, which actually in turn could kill people on life support systems.


So yeah. This is an issue that's still today a challenge. This whole lawful intercept into the environment. I mean, it's a great idea in principle, but to your point, unless you know all of the ramifications and all the permutations of what could happen, you're really running a really risky operation.


Robert Hansen

On the flip side, there was someone anonymous who compromised 1.5 million routers using, I think this was the Carna botnet. Carna basically was just, they tried three or four or five random passwords and it worked 1.5 million times. So these are not machines, these are entire networks they've compromised.


Karim Hijazi

Oh yeah. Bottlenecks again.


Robert Hansen

And then, they ran an analysis from that location, wherever it was. Basically, just enormous ping sweeps, I think is what it was doing, on the entire internet. Made these beautiful graphs, like these wonderful, you could actually see the machines coming on and off at nighttime. It was just really beautiful. A lot of really interesting research. Really beautiful artwork.


And then, they reversed the whole thing. Just turned the whole thing off. That to me strikes me as like, okay, there is a way to do it, maybe we feel uncomfortable with it, but maybe there is a way to just say, "Pull the plug," and just make everybody secure all at once. Not that it would permanently make them secure in all ways, but that's sort of the counterpoint.


Karim Hijazi

Well, yeah. And it's interesting because, hearkening back to our story about LulzSec wanting to get access to what we had controlled at that time, I mentioned that term force-multiplying capabilities. That idea didn't fall flat with everyone else. This is exactly what everyone wants with our capabilities.


Well, let's put it this way. If we figure out there's an adversary that is set up shop to impact critical infrastructure within the US and we're able to identify that infrastructure and deliver those access points to that, to the appropriate authorities, they can throw the proverbial digital grenade down that pipe and destroy whatever's on the other side of it in theory.


There's a lot of complications, again similarly, but to your point there's value in being able to loiter and lurk inside something for an extended period of time because it illuminates the entire network. Excuse the pun that's there.


There is a bit of a greater good play. I wanted to kind of continue that answer. Which is, there's a lot of casualties in the interim between the time that we identify something and when we ultimately maybe deliver the information for actioning, and sometimes we never do because there's no one to take that action to your point.


There are so many people that are so reluctant to actually take action on something that's deployed because of legal reasons, technical reasons. It's just a very, very complicated issue.


But where this lands with my company, what I wanted to do was, when I started to explain this to my friends in the industry, and they had that same question of like, "That's pretty rough, man. You're going to start talking to companies about other companies and their failures, their dirty laundry, you're really going to do that?" I'm like, "Hey, do you watch The Walking Dead?" And they're like, "Yeah." This was back when The Walking Dead was kind of big. And I said, "Okay."


Robert Hansen

Filmed here in Texas, by the way. Largely.


Karim Hijazi

Exactly. Some in Georgia, I guess, too. And then I said, "Okay, when you watch that show, are you vying for the people that are not infected to continue to get away and get away from all the zombies or are you trying to heal all the zombies in the show?"


I agree both are very valiant and noble causes. But what are you really doing here? And they're like, "Oh, well, every time the good guys, or the humans, sorry, get away, we're like, 'Oh, stay safe. Stay here.'" I'm trying to keep people from getting infected by partners that have become zombies.


So there is a really noble cause here. Now, am I being a little heartless about the zombified organization? Yes. But in order to protect non-zombified organizations, I have to let them know about the zombie that's right by them.


Robert Hansen

That is a great answer. But if I'm looking at you, the adversarial part of me is saying, okay, why isn't the government just siphoning up this data? Just say, give me a license to Russia. Give me a license to Ukraine. Give me a license to all these nation states. You must get approached.


You have to get approached by some very senior people who are just drooling over this data.


Karim Hijazi

Yeah. Those that are just listening and not watching the YouTube version probably aren't seeing my face right now. Yeah, it is not an uncommon situation for me.


Robert Hansen

And are you willing to talk? How does that conversation end up going? You're like, "Okay, here's the keys to this entire subnet," or?


Karim Hijazi

Obviously, I'm an American citizen. I'm patriotic to this country.


Robert Hansen

And company


Karim Hijazi

And company. So obviously I certainly work with my chosen path here, which is indeed a patriotic pursuit. However, even there, there are limits to what I feel is appropriate, because in many cases, I'm not entirely sure which agenda is one that is appropriate, because, as I think you maybe know, you certainly know, but for people listening, the government is not as simple as one track, one focus, where they all have their mission and all collectively agree on what they want to do.


Law enforcement doesn't know what the intelligence community's doing. The intelligence community doesn't know what each other are doing sometimes. And I get requests from various groups at different times.


And in many cases, I can say, without getting into too much detail, I've probably helped one intelligence community member find something that maybe another intelligence community member actually set up to make it look like it was an adversary, and ruined operations. And they'll not share back with me. They won't be like, "Look, that's my operation. Don't touch it." Never in a million years will they tell me this.


Robert Hansen

It seems like you need an intermediary who all these requests go through, and they can route them properly.


Karim Hijazi

Absolutely. And judge whether or not it's something that we should actually comply with or is it something that's suspect that could represent a risk to us as an organization.


Robert Hansen

Or them.


Karim Hijazi

Or them. I have yet to find that person that can navigate those waters effectively between all of those groups because rarely do you get someone that really crosses the boundaries between LE or law enforcement and the intelligence community.


Robert Hansen

Seems like Homeland Security has got to be someone over there.


Karim Hijazi

You'd hope so. The problem is when you start getting into groups like DIA.


Robert Hansen

And the sadists like to share.


Karim Hijazi

Yeah. And like you said, TAO and those groups. Even other portions of the same agency don't know what some of these groups are up to.


Robert Hansen

Because they can't necessarily trust each other at all. Because one thing that the audience may not understand is we have spies on American soil who live and breathe and work right next to us. So they might have an operation going that will end up uncovering exactly this person. So you can't trust even people in your own organization necessarily.


Karim Hijazi

That's right. It's very similar to what you were referring to when you talked about TrueCrypt where he had built this thing in a compartmentalized fashion where one group had no idea about the other group.


Robert Hansen

E4M was the original code.


Karim Hijazi

There you go. And if he didn't invent it, he stole it from the government's method of building things. No one group knows everything. And that's part of the problem that we have as a private sector organization that runs intelligence operations sort of on our own.


We're task-mastered by ourselves, which is really challenging because sometimes we get it right and we go after the right stuff that everyone's thrilled about, and sometimes we get it wrong and everyone's really upset about why we chased something. We're like, "Why are you upset about that?" We can only guess.


Robert Hansen

So I have run across this: a buddy of mine was actually like, "Hey Robert, you should check this thing out. It turns out I can break into just about every company on earth." And I'm like, "Okay. That's usually an interesting way to start the conversation. Let's take a look." And it basically was one of the free VPN providers.


They have two businesses. One is give you a free VPN, and the other is sell access to your company to whomever wants to have access to your company's IP space. And typically what they're doing with it is just clicking on Google a bunch. They're scraping Google, more or less, and by virtue of you giving access to your server on your personal desktop at your company or at your house or whatever, you're effectively just giving.


I wouldn't necessarily call it an adversary, but maybe just somebody who has counter interests, access to your connection through the browser. Well, all he has to do is say, "Okay, give me one of these IPs," which happened to be at some megacorp somewhere, and connect in, and now he has browser-level access inside these companies.


And as you know, but maybe the audience doesn't know, once I'm inside a browser, inside some company, I'm effectively unstoppable. I mean, I'm going to pivot and break stuff pretty quickly. It's going to be bad. The problem is that's 'legitimate software'. No one installed malware. That's not what's happening there.


In fact, the people who built it may not even realize what it's capable of doing, but it is definitely being utilized by, at minimum, one of my friends who figured this out. And turning this thing into a real weapon doesn't strike me as particularly complicated.


Karim Hijazi

No, it's genius.


Robert Hansen

Expensive or whatever. How do you deal with these sorts of weird edge cases? Do you just go, "Look, we don't touch that kind of thing"? Or are you like, "No, we'll find it any time this happens"?


Karim Hijazi

So very good question and something extremely important as it relates back to the ransomware conversation, which is just top of mind of government and industry today. I mentioned this reconnaissance capability that they need to have. They need to send a spy in to find out where those areas are that need to be essentially encrypted to sort of hobble the company.


Those tools that I was referring to, those spy tools are not always malware. They're indeed things just like you're talking about. There's one in particular that we know about very well in the industry. It's called Cobalt Strike. And that is an incredibly powerful tool that is good. It's meant to be used by security practitioners to test the integrity of the organization.


Robert Hansen

Absolutely.


Karim Hijazi

Unfortunately, bad guys have figured out that they can use legitimate tooling, just like you explained, to get their objective, which is to do reconnaissance in these environments and then go after things. The answer to your question is we absolutely go after those things too. And we're one of the few groups that can actually figure that out, because what we do is we get a copy of the version of that particular tool that the adversary's using.


We run it in our own little sandboxing environment, essentially. We run it as if we're trying to get it to do what it would do in the wild, which gives us visibility into where it's going to call out to. And then we attack and infiltrate those endpoints that the tool uses. Whether the tool is intended to be good or not is beside the point in our mind.


We're watching for those communications that come out, and we've been able to draw these similar, what you said before, beautiful maps, if you will, global pictures of exactly where these beacons are coming out of. It's startling how much is out there. That's actually malicious communications from good tooling.


Robert Hansen

I bet. So you have a podcast, which we'll get to a little bit later, but one of the things that struck me as I was listening to it is, you have had run-ins where people have wanted you dead. I too have had some of those, and I'm happy to talk about one of them anyway. I'd like to talk about yours, specifically the one about the oil industry. I think that's a useful conversation to tee up the next part of this.


Karim Hijazi

Yeah, that's a good one. And it's a good segue because it's not technical. It's my early, early days doing competitive intelligence work, in between gigs that were definitively information harvesting on behalf of my customer client. I was doing some consulting work and I was in a Middle Eastern country. I think I even stated it very clearly. It was Kuwait. Old times, just like you said, we're past, past many years of hopefully the same person running around chasing me.


Robert Hansen

Let's hope.


Karim Hijazi

Let's hope. And I was invited to be part of a project that was there to help stifle an oil piracy operation that was actively happening on a regular basis. And this is a particularly unique way of stealing oil and making money off of it. And the committee that was formed to address it was part of the governmental ruling groups in Kuwait.


So they had hired, I think several large consultancies that in turn hired smaller, more boutique consultancies that eventually I became part of even a subgroup to that. So I was kind of three layers deep, very insignificant in the grand scheme of things.


Robert Hansen

A low man on the totem pole.


Karim Hijazi

Low man on the totem pole. But what I was privy to was, I got to go to the refineries, I got to see exactly what they were talking about. And what was going on was oil was siphoned out of the ground, which is considered upstream operations, which I learned many, many eons ago.


And it flows into these refineries, and then ultimately from refineries into multiple products produced from crude oil, or the crude oils were refined just enough to go into these big tankers that go off the coast of the Arabian or Persian Gulf, or whatever you want to call it. And these super tankers are massive.


We've all seen them, I think, on TV. It is unbelievable that humans make these things. And they have to turn engines off multiple, multiple miles offshore before they can cruise on in, and it's millions and millions of dollars to have them even sitting at the port.


So all these parameters that go into having these things function and the oil flows through what is called a custody meter. And it's termed appropriately because that is when the custody of the oil leaves the nation state that it's from onto a vessel.


So now, the custody and the temporary ownership essentially of this oil is now in the hands of the ships. And the ships are not necessarily owned by the other oil companies that necessarily lease them. There's all these ecosystems that exist. I didn't know all this then, but I learned it very quickly.


The custody meter that was being used was something called a PD meter, a positive displacement meter. Literally, my coffee cup right here that I'm drinking out of has a certain volume of liquid in it. You take the liquid, you pour it out, you take the liquid, you pour it out, you now know you have two cupfuls. All wonderful and great when there's no other parameters involved, like heat and sludge and viscosity and cooling.


Robert Hansen

Bubbles in it.


Karim Hijazi

Yeah. Exactly. And you juxtapose the inaccuracy of the PD meter with the oldest law in the world, which is maritime law. And the ship captains had total dominion over what gets put on their vessel, which makes sense even today it's the case. If you put too much oil on, it could affect the leveling of the ship, inappropriate...


Robert Hansen

Explosives. All kinds of things.


Karim Hijazi

Millions. And these ship captains knew this, and they had total control. The refinery guys would say, "Well, we've already loaded X number of millions of barrels or hundreds of thousands of barrels on the ship. This is what the quota was." And the captain goes like, "Nope, I needed X number of thousands more, otherwise I'm not leaving." And it's expensive to have them there, like I mentioned.


So the people onshore had no option but to comply with the demands because of the reasons that these PD meters were inaccurate. So the project was find some solution to stop this excess oil from being siphoned onto these ships, or being bullied into putting more oil on. Because what these ships would do was they would leave port.


Once they got their excess amount, they would turn off their satellite transponders out in international waters. Some little Nigerian or Somalian, or God knows what vessel would come out there, siphon off the oil, and they'd flip the transponders back on. They'd go to their destination with the exact amount of oil they were supposed to deliver. And they would pocket the amount of money that they would get from these little pirates out in the middle of the water.


Robert Hansen

And you made the mistake of talking about it.


Karim Hijazi

Yes. And I also made the mistake of finding a proposed solution. So I found this little company, believe it or not, in the little town of Corpus Christi, Texas, many, many moons ago.


Robert Hansen

Oh, really?


Karim Hijazi

Yeah. And it was a meter that was called an MVTM, I'll never forget this. A multi viscosity turbine meter. And what this meter did was it had, it looked like a turbine, it had blades, and there was all these physics that went along with the fact that it could handle all the different viscosities, because oil in the Middle East is not like oil in your kitchen.


In the summer when it's 150 degrees in the middle of the desert in Kuwait, oil flows like water. And when it's winter, which is 50, 60 degrees Fahrenheit, it flows like sludge. These meters had the means to be extremely accurate with what was actually flowing through.


So it actually would be a way to dispute what the captain was suggesting. So I put this whole thing together. It was probably like a four or five and a half week project. I presented one day to this panel, was very excited, young guy. I'm like, "This is my time." And they couldn't care less first clue. All sitting there.


I think this is back when cell phones were just coming out effectively, giant bricks. And they were just tooling around with them and pagers, no interest. And I thought, "Huh, okay." Well, make a very long story short, this is in Kuwait and there's no alcohol there publicly. You have to go to the American Embassy to have a decent drink on a Friday night or something. And they had a happy hour back then.


I got to know a gentleman there who was part of the State Department quotes in the air right now, as I do that. Didn't know that then. And who I'd lament my stories to, and crying my beer a little bit with them about life and Kuwait and all that. And presented. Nothing happened. I called a week later, nothing. They were like, "We're taking under advisement. Thank you. We're good." I'm like, "I worked hard on this. I want to know that this is going to be implemented. I mean, this is incredible. We found a solution to this."


The gentleman that I knew at the embassy I had shared the story with, the next time I had met with him to have a drink. He goes, "Hey, how's that going?" I said, "I'm just frustrated. There's no response to this. Doesn't seem like there's any implementation. There's no questions." And he goes, "Yeah, you just let that ride." I didn't think much of his comment.


About a week later or so, I decided to call one more time. I was like, "I need to get some clarity on this." And I called and I got a different individual. It was some subcommittee member who was extremely rude. And is like, "Look, we appreciate your help, but this is a non-issue. We're not going through with it. Please don't ask us about this anymore."


Pretty pissed. I wasn't taking any hints. I think I ended up in the embassy that week and met up with that individual and he asked me about it, saying, "Hey that whole thing about that project, you really ought to just leave it alone." And I was like, "Why would you tell me this? You're in no part in this whole thing. I'm just telling you the story. How would you know anything?" And he's like, "Seriously, man. I see you troubled by this. You just need to let it ride."


I ended up talking to several other people about the issue. And I can't remember honestly if I called one more time, probably did knowing me, like an idiot. And he called me and said, "Can you meet out at one of the hotel lobbies and chat with you about something?" And I was like, "This is bizarre. He never does this. This is just my beer drinking friend."


And I went out and I met with him and he said, "Look, they're really agitated with your pressurizing of this whole thing. I wanted to meet you off effectively so I could tell you these guys have no interest in having this resolved." And I said, "You mean the committee that hired me to do it?" He goes, "Yeah, the committee that hired you to do it, hired you to do it because they figured there would never be a solution found because they're benefiting from this man."


I had no idea that the very people that hired me had hired me, because they're like, "This is perfect. We'll get someone that can play the role of a consultant. And I can put it on paper that we tried and it didn't work." But because we actually had something that did, they were like, "This is going to be a problem." And then, he let me know the really scary news, which is that they had commissioned my removal. As he put it. So I left.


Robert Hansen

You're liability, not an asset anymore.


Karim Hijazi

I'm a liability, not an asset. And I left the region probably about two and a half weeks later for a very, very long time. I've been back since, but it was terrifying because the issue was that you don't just leave things like this, especially when you talk about the kind of wealth that you're messing with.


And this is part of what we talked about a minute ago, whether it's cyber or otherwise. When you start interfering with that level of money, you're extremely dispensable. Seriously, human life is just not a non-issue for many of these folks. This isn't really about ethics, it's more about the fact that there's greater powers at play here and you're just tasked as a problem.


Robert Hansen

I have similar terrible stories as I'm sure you're aware. But I wanted to highlight one just as a counter conversation. So in your case, they were putting a hit out on you?


Karim Hijazi

Right.


Robert Hansen

So for those who aren't familiar, Silk Road was a very large drug marketplace on the Darknet. And I never even went to the site. I heard about it. I actually, I think I might have gone there once just to see visually what it looked like to see what kind of thing, but not perusing it or whatever. Just like, "Oh that it is a real thing." Literally just that once.


So to me, it was sort of one of those, "Oh, that's something that happens." I'd never really thought about it. And then, it turns out that the guy who started it, Ross Ulbricht, who used to live in Austin, by the way.


Karim Hijazi

I didn't know that.


Robert Hansen

Yeah. A long time ago. He got busted. Now, the way he got busted was he shipped drugs to himself and he shipped fake passports to himself. The mail service caught him, basically. They busted him with his notebook open with the passwords in it. I mean they really nailed this guy.


There's no way it could be even more open. He was literally logged into the admin console on the computer. I mean, it was definitely him. But there's a lot of conspiracy theories about that, like, "Well, that seemed too easy. He would be smarter than that." Like all this stuff.


Again, didn't really pay attention to it. Didn't really care. Just more like, "Oh, here's another bunch of people who are flaunting it in front of the FBI. Eventually they're just going to go down." I kind of just really, really didn't process it beyond that. I started getting an email thread from this guy.


Karim Hijazi

Ross?


Robert Hansen

No, from some random person from the internet. Ross is in jail. And he says, effectively, "I know that you are the real dread pirate Roberts." Which was his handle. "I know you're him." I'm like, "Well, I'm not. I'm sorry, you got the wrong guy. It's Ross Ulbricht. He's in jail. They have him. He's like fully in jail." And the website's down. I mean, it's the guy, right? And he's like, "Well we know it's actually you."


Karim Hijazi

We?


Robert Hansen

And I'm like, "Well, that's news to me." The more I was like, "It isn't me." The more like, well, that's what you would say if it was you, right?


Karim Hijazi

Of course.


Robert Hansen

And I'm like, "Okay, why do you think it's me?" Like I'm getting kind of frustrated this conversation. And they had several good reasons. So one was Ross Ulbricht lived in Austin. I lived in Austin. So like, "Oh, well, that's how you met him originally.


So he's your patsy." I'm like, "Okay, well that sort of makes sense. Although I never met the guy." I didn't meet his roommate years later though, which is kind of interesting. Just kind of a random party with a mutual friend, but I'd never met him.


So that's not a good answer, but no one would know that. It's plausible enough. Second thing was he was a web application security expert. I ran the web application security lab. So that would make sense. Number three my second to last blog post on my old website that's now down basically said something like, "I had considered having the dread pirate RSNAKE." As in someone could come along and utilize my name and just kind of keep going it forward.


Karim Hijazi

Sure. The Princess Bride.


Robert Hansen

The Princess Bride reference. Right. And so I was like, "Oh, you could just keep going forward." But I always thought that was kind of a clever, but also pointless. No one's going to do it the same way I'm going to do it. And there's no point. There's plenty of other researchers out there who can do their own thing.


But since I had said dread pirate, and he's dread pirate Roberts, and my name is Robert, they drew a big circle around that. And then lastly, aside from doing the murders and stuff that he had sanctioned, he also used a tool called Slow Loris to attack websites. I wrote Slow Loris.


So I'm like, "That sounds pretty good. I mean, it's not true but if you're hearing it and it's coming from the press or whatever and you're just like reading it in The Times or something...


Karim Hijazi

It feels irrefutable.


Robert Hansen

Right. That's pretty solid evidence, actually. I'm like, "Okay, well, all right, I get you. So what do you want?" Like, "Well, we want you to come back and build Silk Road two. Just do the same thing. Do the same thing all over again." And I'm like, "Okay. And if I don't?" And like, "Well, we'll release this information. We'll totally screw your life over. It's basically game over for you kind of thing." I'm like, "Okay, give me access."


So they gave me access and they had already built up an infrastructure for it. And so as soon as I got in there, I completely destroyed them and figured out who they really were and all the terrible things they didn't expect me to be able to do. Actually had to find an exploit in Tor to do it.


Karim Hijazi

Oh, wow. There you go. That's a juicy one.


Robert Hansen

When I'm motivated, I'm very motivated.


Karim Hijazi

That is awesome.


Robert Hansen

You really don't want to mess with me. But anyway, the end result was I gave the information over to the appropriate authorities and now he has a job. So this character who was part of a cartel or something, now found himself a job and working for the government, I'm sure.


Karim Hijazi

My goodness.


Robert Hansen

So my point in bringing up that story as a counterpoint to your story is, they were using, like, "We're going to literally murder you." In my case, they're not going to murder me. That was never on the table. That was never even mentioned. They were just going to make my life hell.


I think these are the tools of the future. I think, mass coercion through death threats, through messing with your life through doxing or straight up lies. It doesn't really matter as long as it messes your life up. These are very valid and powerful tools that an adversary has at their disposal.


Karim Hijazi

They really are.


Robert Hansen

How does that strike you?


Karim Hijazi

Oh, I couldn't agree more. That's an interesting story. I didn't know that one actually.


Robert Hansen

I've not told that one publicly until today.


Karim Hijazi

That's incredible. And what I find really interesting in terms of the parallel of my story and yours, I was utterly useless as a person for them, honestly. I mean, they hired me because of the reason I was a super young kid, that they just counted on not being able to do anything fruitful. And what I did wasn't something they were like, "Oh, well now this is a very useful being. We're going to keep them around." Unlike yourself where they were like, "You have a unique ability to build something very powerful for us, it would be a shame to destroy this work of art." I was a patsy by definition that did good.


Robert Hansen

Accidentally,


Karim Hijazi

Accidentally. So effectively the interesting thing about this is that, and kind of a two-pronged answer, having skills may keep you alive, interestingly enough, because you're now useful. It also makes you more coveted by good guys and bad guys, like we talked about a minute ago.


So there's some sort of this blessing and a curse there, but that's a really interesting warm blanket to have to know that I won't be quite as dispensable as maybe I once was, because now I could be probably very useful in certain events. But that in itself, starts to draw fire. You start getting attention for that, just like you did.


Robert Hansen

Yeah. Chris Nickerson's story about going to China always strikes me as one of the most hilarious... I don't know if I want to tell that story. I think we should just get him on the Podcast and have him do it.


Karim Hijazi

That would be a good one.


Robert Hansen

He's an incredible character, but I always look at these nation states and criminal organizations like this, that are highly financed. They don't want to kill guys like you and I until we pop our head up and just make just hell.


Karim Hijazi

A mess.


Robert Hansen

Just make a mess at the operation because frankly, I think everyone's happier that the security industry exists because there's a nice cover of like, "Oh, well, we're an anti-spam company. Oh yeah, we also spam." There's all this underbelly of the security industry that just I don't think normal people are familiar with but is very present as far as I'm concerned. It doesn't take long to walk down the hallway at a security conference and bump into somebody who's doing something nefarious.


Karim Hijazi

No doubt about it.


Robert Hansen

And they're pretty open about it.


Karim Hijazi

Yeah. Well, and I think what's interesting is that people get blood drunk on their own skill at times, and they sort of start nudging the limits and the aperture of what they consider to be ethical out. Especially if there's extenuating circumstances, they need money, there's whatever, they get greedy, they're young.


There's a million reasons why they maybe do that. But I think you're referencing really fascinating. I was having a conversation with a group about Costa Rica, which for those are not privy to it, this certainly not the first time. But one that's fairly well publicized that a ransomware group took the government essentially by hostage.


Now, it's a little overblown of a story, but it's interesting because the demands of this group are regime changes. They're asking for political changes, they're not asking for money. They may be asking for money too, but I don't know. But I know that what made the headlines is they're asking for...


Robert Hansen

They'll get money either way.


Karim Hijazi

They'll don't get money either way. Exactly. There's a good chance that the incoming leader is very much possibly motivating them to do this. But the power they're wielding is very powerful. And I think that what's interesting is the common person, you said that no one really feels like this is going to hit them.


It's all about the big companies. Well, these groups are getting so effective in their methods, like this whole democratizing and affiliatizing the access. Think about this RSNAKE. Imagine if you were on the wrong side of this and you had all the access you had ever found in the course of your career now and maintained those back doors and you are now brokering those back doors for money.


Robert Hansen

I'll be unstoppable.


Karim Hijazi

Right. And that's exactly what's happening now. Maybe not the scale that you would've done it or could have done it, but you're talking about an aggregate group that's now starting to do it.


So it's getting to be a pretty prolific amount of access. That's part of what I talk about a lot in the industry as you know. I'm like, "I'm not as wrapped up in the vulnerabilities that is the domain of RSNAKE who's going to find that and exploit it and show you where you should have patched something or you should have done something or another.


I'm talking about implants, I'm talking about things that probably got there that had nothing to do with the vulnerability other than back to our original conversation. Hacking the human. Sending a business email compromise that allowed Martha to click it in HR.


And now all of a sudden, fluffy bunnies just turned into another employee in the company that has full rights. Those are the ones that scare me because those implants stay latent. And then, what they can do, and I don't mean to make this such a menacing story, but now they can implant whatever they want on that machine. They can put CP on it. They can put all kinds of stuff and say, "Who's going to prove it wasn't you."


Robert Hansen

CP being child pornography.


Karim Hijazi

Thank you. I didn't know if you wanted to throw that out there.


Robert Hansen

I like talking about child pornography apparently.


Karim Hijazi

Well you certainly did some good. You get damage to those guys pretty well. So you deserve a lot of credit on that.


Robert Hansen

I've definitely done my, my damage. So I want to change a topic a little bit about what is wrong with our industry. I want to do it from my side and then I want you to repeat on your side.


Karim Hijazi

Perfect segue.


Robert Hansen

Because I think this is a fun little game we can play about how broken our respective sides of the industry are. So I primarily focus on web applications and browsers. So websites and Internet Explorer or Firefox or Chrome or whatever somebody might be using, those are browsers.


So the number one problem out of 10, this is a litany of 10 separate things all leading to the same problems. It seems to me that when I talk to vendors these days and talk to companies these days, the average level of talent within those organizations has gone down.


The average person I speak to is less capable than they were 10 years ago and far less than 20 years ago. Although there's more of them, many more of them. They just don't know things that you would expect them to know. Things that we've known for 20 years, they still don't know even today and they've had this job for five years or whatever.


Karim Hijazi

That's right.


Robert Hansen

That's bad because what that means is, whoever you're talking to in these companies or you're expecting to protect you, they don't know enough. They probably shouldn't even have this job at all. They really should be doing something completely different because they just don't have the skill level necessary.


Karim Hijazi

Is this number 10 or number one?


Robert Hansen

This is number one. This is the very first problem.


Karim Hijazi

Okay, good. Because if it's in order, this is a magical one, because I was about to use that one, but keep going.


Robert Hansen

No. You might see threads throughout. So I'd say that's number one. Number two is that, and that's related is that the CISOs can't hire anybody good enough. I mean, think about it, if you're like a random car manufacturer.


Now that's probably a bad example. It's kind of interesting. Like you manufacture tractors or something. You're a jam company or something. Like no one really wants to work at that. You're not going to get the kind of talent you need despite the fact that your security is exactly the same as any one of those other companies.


I mean, you have the same vulnerabilities and same interest to nation states and same money transacting or whatever. These CISOs have a very hard time finding people and they're kind of disincented to spend a lot of money.


So they end up just finding whomever they can. They literally go to the colleges and pick people out, "Oh, you do CS. Great. You can do security." It's like, what is security? They know nothing.


I'd say that they can't find it. They can't nurture it because the people above them aren’t good either. Like as everyone throughout that organization, average is down. So you can't really nurture them up to where they need to be. That's number two.




Number three would be, no one really wants to know what assets they have. This strikes me in my part of the world, which is, what I do is find hidden assets, things that people don't know that they own. The reason they don't want to know it is because that's just more liability. They already have tons of liability that they can't manage because their people aren't very good.


Now you're just saying you want more of that. That seems like a bad deal for a CISO — Chief Information Security Officer for those who don't know that term. It doesn't seem like something the average executive would say, "Yeah, let's get more vulnerabilities," when you can't even manage what you've got now. That seems counterproductive to their business incentives.


Next is people don't want to run scans everywhere. First of all, running scans is expensive. Extremely expensive. They're already limited budgets. If they could spend the money on anything, they would be on better talent. But they can't do that. For compliance reasons, they have to scan. But they don't want to scan everything. What they really want to do is scan three or four machines. These are representative of our environment.


Karim Hijazi

Sample set.


Robert Hansen

But that's not at all a sample set. I mean, their environment is weird and dynamic. They have air conditioners. They have websites on them. They have printers with websites on them and all kinds of stuff out there. Right there, you can't get them to do it.


But worse, even if you wanted to, there is no scanning company on the planet that could actually scan every single website on the planet. I've talked to a lot of very large security companies who do scanning. They shrug their shoulders like, "No, we'd have to scale out to a level that we've never even contemplated."


The amount of data and bandwidth. There's just no company on earth that can manage it even if you wanted to do that. Then you get a whole bunch of vulnerabilities back and they're all this red light, green light. Everything is high, medium, and low.


But the problem is a medium vulnerability on your primary big website might be way worse from a damage potential than a high on something sitting under someone's desktop somewhere that's got no access to anything. It's totally isolated or out in the cloud, just a test thing that no one ever installed anything on.


Without the prioritization, there's no way to know what a high, medium, or low even means in that context. So you're missing the context of it, which means that people are really just rolling the dice. Fix it whatever random order makes sense, which means they're not really applying true business risk to it which is terrible. So they're fixing all the wrong things.


Let's say you want to fix the thing. First of all, your people aren't good enough so you're not going to be able to do that. But let's say you got prioritization in order. Let's say you've scanned all the things and you know where everything is. Let's say we've managed all that.


What you really probably need is something called a web application firewall. It’s this device that sits in line and blocks traffic. Stuff comes in, it blocks it. Then you're off to the races. The problem is you need someone to configure it.


We've already said that your people aren't good enough so that's not going to happen. Which means you may need to use a third party web application firewall like a Cloudflare or something who have all kinds of other issues like taking down websites.


Let's say that you've decided to do that. There is no WAF on Earth that can handle all of the traffic on the entire internet. None. None of them can get even close. So forget that. But even if you wanted to do it, the people aren't good enough anyway.


What you need is a company that manages all of these rules for you and does all the work. You can probably find a company that's cool enough to get all the good talent and pay them appropriately. They can just sit there all day making these rules.


But that's the only way you're going to be able to get in front of all those problems leaving only the vulnerabilities that are hard left over for your staff. Now, they're not qualified to do those so the last step would be insurance. You have to have the cyber insurance necessary to take over the remaining subset of things that your people are just not good enough, or there's maybe too many bones to handle.


That litany of 10 things strikes me as completely untenable. There is no way we're going to get through that list. No way. How about you?


Karim Hijazi

I could add insult to injury here. I couldn't agree more with everything you said. In fact, I would even go in the exact same order for the most part. I would interstitially add compliance. That being the motivator for them to even bother most of the time, the fines are cheaper than buying the security talent, technology, or process, to begin with.


It's just easier to pay the fines. So that doesn't motivate anyone, especially if that's the main reason that some of the management team cares to even think about this.


Secondly, cybersecurity they keep talking about is finally going to reach being a business problem, not a cybersecurity problem. We hear that a lot, which means it has to get to a board level. They're talking about getting someone at a board level that can communicate these concepts to a business group.


You just said it better than I could ever articulate it. You can’t even get the talent to do the job much less someone that can take complicated concepts like what we're talking about, and bring it down to a level that we can put into a podcast like this for people to understand.


Guys like us are extremely rare that have this cross-trained, all-star approach to things because of all the years. We talked about 26, 27 years of time that give us the ability to communicate highly complicated things into fairly simplistic terms but salient enough for a board to actually take action on.


So education is grossly, and not even talking about operational education. I'm talking about business decision education. Then coming closer home to me with what I do, as you said, you zeroed in heavily on the vulnerabilities, patch management, and the prioritization of patch management and all the things that go into it.


When you're left over with even the most critical ones, who the hell is going to do it? What about the stuff that's latently persisting and lurking and laterally moving inside your network that requires a threat hunter and a SOC team and all those?


You're adding a layer of no one's getting an alert that your web server is out of date when malware gets into your environment through some back-to-social engineering method. So you're talking about upping the ante so much so that when a guy like me comes along and I deliver exactly what you said in the beginning, "Here's more. Aren't you happy? Here's more that you don't have budget for."


Robert Hansen

I think the audience largely will be surprised by that. Maybe not everybody but I think a lot of people will. It's like, wait, they don't want to know? They don't want to know. They do not. And they're not happy when you force it down their throat and say, "Here, you're vulnerable." It's never a fun day.


Karim Hijazi

No, it's not. This is where it's interesting. I loved your last point on the insurance play because there's a really cool coup de grâce on this whole thing.


The Chief Information Security Officer is effectively our customer when we are a solution provider or a product developer of some kind. In my case, that is the very person that is going to have their job security threatened by what I have to sell them. That paradox is rough.


By definition, they're going to mitigate, relegate, blame me. Oh, my goodness. I've gotten with the FBI so well over the last 15 years doing what I do, man, which has been a blessing in some ways. Because they're like, "Oh, it's just crazy." So to your point, you couldn't be more accurate.


I think this is sad because all of that, those 10 things with some of my extra cartilage added, really just enable the adversary tremendously. It just facilitates it. It gives them complete leverage to test and try and all that.


Then the snake oil, a little bit with some of the stuff that's being sold today. It really isn't, and I'm not knocking the entire vendor community out there. Because there are people that meaningfully want this to work. Actually, you mesh together good tech with good talent, and it will. It's just that we're missing a lot of that talent to run some of the stuff that actually needs... It's an F1 Ferrari and no Schumacher.


Robert Hansen

I had dinner with Dan Geer once. He’s a very prolific security guy in our industry. He's got a couple of one-liners that I just love. One of them, he was talking about operating systems. He said when you first have an install on a laptop. It's just sitting there and the laptop’s closed, you know what's on that. Everything is known about that.


The second you turn on the internet, open it up, press the power button and it starts working, you have no idea what's going on in that. No one on Earth knows what's going on on that thing. No one.


I think that is part of the problem in your path of the industry. Not so much my side but definitely on your side. Well, now there's just some new DLL running. It's going to do some random thing every 28 minutes for some reason. Then it's going to cause some malware to be able to infect in this weird way.


Karim Hijazi

My favorite line ever along those lines, which is going to be funny for people listening, “We're good, we've got an air-gapped network.” It’s my favorite. I'm like, cool. I'm not trying to be snarky. I'm like, “That's pretty amazing. Does it get updated?” “Yeah.” “Okay.”


Robert Hansen

With the malware that you dragged in.


Karim Hijazi

Yeah. Now it’s updated. It's unbelievable. But there's this misperception of things in many cases. I think that's the other thing. You brought up the fact that 10 years ago, people were more Odyssean-like. It's true. I have not met, in conversation recently, an IR professional that subscribes to the same methodologies that I knew the guys did do back at the Mandiant era that I was part of in the last 10 years. Something happened.


Robert Hansen

Something happened.


Karim Hijazi

I don't know what it was actually.


Robert Hansen

Explosion of the industry. I think a lot of commercialization. There suddenly was this massive influx of cash. That meant that everyone was interested in it because there was money in it. Instead of it being devoted to it because it was something that they enjoy. As soon as you're there for the dollars, it’s a lot easier…


Karim Hijazi

Quality goes down.


Robert Hansen

Or quality. We talked a little bit about the supply chain earlier. I think this is also a time to start talking about balkanization. We talked a little bit about this on your podcast as well but I think it's worth doing here as well. I see the future, and certain security experts that I talked to also see it the same way. I'm curious to see how you see it.


The future is, there's a Facebook for Italy. There's a Facebook for France. There’s a Facebook for Russia, etc. Different companies own these things. A different company manufactured it. Maybe some companies sold their code to it multiple times. But everyone's going to have their own social network. Everyone's going to have their own firewall manufacturer. Everyone's going to have their own cell phone manufacturer. Everyone's going to have their own search engines, et cetera, et cetera, et cetera.


Because if you don't have it that way, you really are very much at risk of every one of these other countries deciding to come and attack you. Because they're the manufacturer. All they have to do is change the code ever so slightly. It's funny because a lot of people were like, the Apple ecosystem, which I think is better than the Google for multiple reasons. They were like, well some app can't do the bad thing. Signal, for instance. They can't do blah, blah, blah.


What do you mean it can't? Well, right now it can't. But the second anyone chooses to push an update down from Apple, they can sign it with whatever they want. It'll get on your phone and do whatever it wants. Yeah, absolutely. They can read whatever data is on there. It's like, yeah, it's ephemeral until they decide it's not ephemeral.


I think if you're serious about security, and I think all these, the larger countries anyway are very serious about it. They're going to have to build everything themselves. Where do you see that going? What's your take on that?


Karim Hijazi

Yeah, I agree. When the sanctions came about for Russia, I had a really interesting conversation with some geopoliticians that wanted some opinions from a cyber perspective. What I referenced was Iran. I said, “When's the last time you guys were in Tehran?”


“No, never.” Alright, when you go to Tehran, even for me it was, I don't know, over 10 years ago. I was staying in a hotel. The coffee mug said made in Iran. The table said made in Iran. The nightstand and the TV said made in Iran. Everything was made in Iran because they've been under that same pressurization and restrictions. It's a little like the Jurassic Park. Nature finds a way. They will.


Now what's interesting about this, and immediately leaping from the fact that that is inevitably the evolution of how it'll go - they will find a way, they will make things themselves - immediately makes the former incumbents’ solution, whatever that may have been, the cloud provider that was global that now is just simply Western, a target. They don't need it. This is my worry about Swift. The banking network that was being used as leverage with Russia.


If you no longer, if you no longer make it important to them, what compunction, what limitations do they have from attacking it now? If they have no benefit for it anymore. The only reason something doesn't get attacked broadly is because they're benefiting. The minute it's no longer of use to them. It's a Sun Tzu proverb, the enemy of my enemy is my friend, concept here.


If I can take down something that effectively benefits my adversary, well then, I'll do it. I think that the balkanization concept is indeed likeliest, very likely scenario. The scary part about it is that it opens up the opportunity for all-out war in a much broader sense because there's true compartmentalization. There's true fiefdoms and camps that now can pillage and attack and strike each other much more overtly than they do now.


Because right now, we'll take some of the cloud providers. Everybody around the world uses these cloud providers generally speaking. I mean, within reason. I mean, we know there's some countries that are walled garden off from that. But if you start to really do it the way I think we're talking about this, now we're going to have to have defenses far more effective than they are today even. We're already grappling with it. Where people are still attacking you with the benefit from it. But imagine when there's no reason to not.


Robert Hansen

I want to talk about the future of where you think hacking is going. I have one theory that I think is still early. We're not quite there yet but I think it's going to happen. You mentioned patching a little bit as one of the issues. Web application firewall patching. But we also have traditional patching as well. Just any, something that might be publicly accessible like a firewall needs to get patched etc.


I developed as a prototype a little piece of code. It doesn't actually work. But it more or less does everything I'm talking about here. It reads a new vulnerability as it comes in. Off the wire let's say. Either through access logs, email, RSS feeds, whatever. Sees, okay, this thing looks like command injection. It looks like SQL injection or whatever. It takes it, rips out the actual payload. Replaces it with its own payload.


Then it already has a prior knowledge of existing targets that look like the things that it could attack. Let's say it's a known WordPress type vulnerability says WPAdmin in the URL or something. Well, I already have a list of all the WordPress sites ahead of time. I know where they all are. Or any ones that I'm curious to compromise let's say. Maybe not everything. Maybe I'm very targeted.


Then basically, all it does is it turns it around and fires it back immediately at all the target lists that it currently has situated. Now it doesn't care about the response. It doesn't need anything back from it. It just needs to fire the payload off. You don't need command and control. In fact, it turned out that the more I tried to write command and control the more I realized it wasn't a good idea that actually.


Karim Hijazi

You didn’t telegraph.


Robert Hansen

Well, it was too slow. It added multi-millisecond latency. I was able to get my code to run in 0.02, I think, seconds. Attack 100 targets on the internet from an EC2 micro instance. Very, very tiny, free thing that Amazon will just give you. The cool part about that is I'm able to attack so quickly that patching literally could never work. Because let's say you have a patch come out and the exploit come out at the same time. The time it takes you to log into the machine is multi-second.


Even if you programmatically make that happen, that's still a couple of hundred milliseconds. I can be on the box and still have almost 100 milliseconds left over. There's just no way. Let alone installing the patch, however long that takes. Let alone queuing it, making sure it works without taking down your environment. I talked to web application firewall vendors. I said, “Okay, well, what would you do if I gave you the patch and it's trying to attack you at the same time? Could you update your backplane within the time necessary to get in front of this?”


They said, “No, the backplane is too slow.” It would update. It was a multi-second update. You'd be on there with seconds to spare. I don't think patching is going to work anymore, which means we've got to completely rethink how we're doing defense. Now, granted this is early days. I don't think any adversaries are actually doing this. But I think cutting down the time from which a new 0-day, zero-day or just-came-out-that-day type exploit hits the world and the time in which it is utilized.


Right now it's about a day, sometimes less than that. As soon as it gets into a tool called Metasploit, it tends to speed up. I think it could get down from a day on average, let's say, down to hundredths of a millisecond.


Karim Hijazi

That's menacing because when you cross-pollinate that, and I was going to ask you a little bit about the command and control. Because the only reason you'd be interested in the command and control obviously is so you can alter its directives. If you can preload it with a very specific task like Stuxnet eventually got to be where it was a lone commando without any real connectivity.


But in early days, I don't know if you remember this, it did have it. It did have C2 but then subsequent versions of it. I do like where you're going with that because I think that the future is that there are these very well preloaded tools. Plus if your agenda is things like wipers, it is a little mini-suicide bomber. That's what it is. I think that that's a terrifying concept.


Because if you're facilitating access in milliseconds, and for listeners, RSnake is the guy that opens the door. I may be a guy that knows about the grenade that gets thrown through that door and all the other subsequent flash bangs and everything else that can go in there. If you're talking about milliseconds to open the door that can simply never be dead-bolted fast enough, the combination of the two worlds is going to be horrific.


Robert Hansen

That's exactly what you hear, my friend. Another version of this, which I am really surprised I've not seen this before, you are in a perfect location to actually enact such a thing. But a lot of times people will say, “Well, I'm going to rent out my botnet.” They rent out a million nodes, let's say. It usually just does one thing; sends out a bunch of spam or runs denial of service attacks just like you mentioned.


But I don't fear the guy who wants a million bots. I fear the guy who says, "I want that machine right there. I only want that one. I don't care about any of the others. That one running at that company. That's the one I'm after." And the amount of money I'm willing to spend to get that one box compared to your millions, I'll pay a lot more because I know exactly what I'm getting.


I am really surprised no one's tried to broker individual-specific compromises. Have you seen anything like that? Do you feel like that's the way things are going?


Karim Hijazi

A little bit. There's effort in that because there's still a level of recon to do that. Then it's a little bit like the equivalency of a looting effort versus a cat burglar. The skills of a cat burglar obviously are elegant and beautiful. It's like movies. They're wearing black. They cut through the window. It's really cool. I think that those are the things that are in the domain of extremely high net worth folks that know exactly what's going on.


A little bit like the movies. It probably exists. I don't think it gets broadly, it only gets broadcast in such a way. It's a little bit like stealing a Ming vase out of some museum and then trying to broker it on eBay. No one knows what the hell that is. They're not going to believe it's even real. The credibility factor is tough with that. You always have to have the marketplace already established for it before the action is taken.


Robert Hansen

See the way I would say it is, I'm buying it from you. I'd say, okay, here's the IP space that I'm interested in. Send me a request from one of those IPs to prove that it's real, that you compromised it, and then I'll pay you.


Karim Hijazi

Sure. I mean, look, the ideal targets for things like this, what you're talking about are pharma or defense. Because if you've got intellectual property, that's where that starts to become very, very interesting. To answer your question a little bit, I have seen some of that. But it's been a little while oddly enough. It was primarily Chinese in origin. It was primarily on universities and environments where there was intellectual property around. Things like quantum.


That's where, that's where I saw most of that. It was very specific. It was primarily around business email compromise of professorships and groups like that looking for very specific access to servers, iCloud accounts. Things like that. Where there were sadly, papers that were completely not guarded. Funny enough, the stuff that was extremely valuable to these groups really didn't have any security around it to begin with.


Robert Hansen

You and I have talked a couple times about, I think this is going to be your last rodeo.


Karim Hijazi

Likely.


Robert Hansen

I bet you probably said that last time though. But I don't think it's any less important. Even if you might get your third wind in Hawaii, come back raging after the next, you want to do one more. I keep telling people, “If you ever hear me say I want to start another company, just please remind me how hard it was so I'll remember.”


But in your case, maybe you have a different experience. I don't know. I'd be curious. What about this industry drives people away from it?


I mean, it is one thing to say we're hanging on. Like, both of us are hanging on. I wouldn't say my best days are past me. But this has been a rough ride. This is all great for a reason. I have a feeling you're feeling a similar sense that this industry has beat the crap out of you. How do you feel about it?


Karim Hijazi

I agree. You're right. I say this. My wife and I joke about it. She claims I have pregnancy brain with this but I don't remember the pain of having that baby, otherwise known as a company.


Robert Hansen

As an entrepreneur, what is it? There has got to be some word for it.


Karim Hijazi

Entrepreneurial brain. We should coin it right now. But you're right. And I will say that I remember distinctly one of my challenges and my frustrations with the last company was that there was ego of the industry. The level of one-upmanship and all that, was an issue then.


Not as much anymore. That isn't as much of an issue. Now it's the lack, like you said, of education. I think you nailed it, which was that there's such an influx of cash. That part’s alluring because it's like, “Wow we should just go right back in and do this. We'll just kill it. We'll do it in a couple of years.” Very much what my thought was.


Robert Hansen

10 years later.


Karim Hijazi

Yeah, exactly. I'm a little frustrated. I'm a little, I'm disappointed that the artisanship, because I'll take the egos now all day long as long as they're capable. It's the Idiocracy quality of people now that's going on. Sorry for the movie reference. But it’s…


Robert Hansen

It's the third time it's come up on this podcast well.


Karim Hijazi

No way. Well, good. Keep checking those off. But that is what's really the most exhausting and frustrating. Part of why I feel more assured in my commentary about it being the last one I'm going to do. I say last one probably meaning product firm.


I think I'll do, I'll probably do a consultancy again. But very bespoke. Meaning something I just want to do. I don't think it's going to be where I want to go and make a ton of money with it. It's more of keep my mind active.


Robert Hansen

There's a lot to learn. It just keeps growing.


Karim Hijazi

Exactly. I think that's where someone like myself can stretch my legs a bit and look at the new stuff that's out there. Really interesting stuff around, dare I say, security for other avenues of business. Things like blockchain. And I'm not talking about crypto. I'm talking about blockchain specifically being something of interest.


Because eventually that will become an ecosystem for all stuff. A giant ledger like that in the sky? I mean, is that not the dream for us back 10 years ago? Talking about ripe for attacks and a variety of other things that can happen.


So I find it interesting to look at it as one of the areas. High net worth individuals I think are fascinating because they're targets unto themselves. Big corporates has been exhausting. Government's been exhausting. I think that there's life ahead. It's just in a different format.


Robert Hansen

I came up with the word startup amnesia.


Karim Hijazi

Beautiful. Well done.


Robert Hansen

I guess I think that's exactly, that's how I feel about it. I started up several companies now. I just keep forgetting. I'm like, I'm getting so excited by the concept of my idea, or where things could go or how this could impact people. The cool thing about my company now is I know I have probably already impacted maybe a billion people or more with this tiny little startup. It's alluring. It makes me want to keep going.


One thing that helps me go past this point, it helps me push through is oftentimes I'll find myself being a little scared of technology. Which I know sounds crazy. I deal with it all day long. But I'll go, oh, that sounds daunting. A new thing to learn. I'm going to sit down. I'm going to have to learn this new language. I'm going to have to learn some new syntax or whatever. It's just enormous, enormous amount of work.


I'm never going to get ahead of it either. It's just another thing out there that I got to go learn. Then I'll just say screw it. I'll just take a day. I'll just power through and learn four or five things that have been in the back of my mind, hearing a lot about. Then I learned it. Now I have it. It's an arsenal. Now I'm much more deadly or useful or whatever. How do you deal with that? How do you deal with the daily pressure of constantly falling behind?


Karim Hijazi

Yeah, absolutely. That is the bane of the existence. When you're trying to run an operation of a company that's supposed to be focused on an initial idea that was very exciting. But then four years later, there's other things that we probably could be doing. Or I could be doing that I'm not doing. Because I'm trying to still foster some scale and growth.


Everything that an investorship and everyone would expect of the company. What the money needs, which is counter to guys like us that want to expand our aperture and interests, Leonardo da Vinci things.


Robert Hansen

I mean, money definitely is useful. It’s extremely useful. I mean, it's, and motivating too. But I'm not that worried about my future in terms of money by much more concern which I realize is a huge point of privilege. Just FYI. But also, I know that I'll be okay even if I lost every penny. I know that I would be able to dig my way out just by virtue of working hard and good ethic. Also being useful. Having the knowledge.


But the thing that I think pushes me away from the industry probably almost more than anything else is the state-sponsored niche of it though. It's very gross. I mean, I won't go into all these crazy stories. But I've got a number of very crazy stories around that. I think it's, from someone on the outside. If you're just looking at it. You're like, wow, that's so cool. It's a dagger.


It's very alluring especially if you don't know what it's like. But after a while it gets awful. Really, really terrible. It makes it hard to sleep at night sometimes. It makes it, you have to rethink what you're doing and why you're doing it. Are you really doing what you should be doing for you and your family? How do you, how does that feel?


Karim Hijazi

Yeah, entirely. I mean, I think when we went through the litany of things that are wrong with this industry. One of the areas that I brought up was that I'm having to go tell someone that they have issues that they don't want to hear about. They certainly don't want to buy from me. They want to hear about it but much less pay for it. All this effort for a very awkward conversation that usually ends poorly. Likely something towards…


Robert Hansen

No one wants to hear their baby is ugly.


Karim Hijazi

There's very little victory on a daily basis, weekly, monthly basis with this type of effort. It's really ultimately the end game. That's all that we're living for, which is not a pleasant experience for my team and I, both. It's not just me. It's my entire company that, these Spartan warriors with me doing this every day. Day in and day out.


Because I've been able to foster a belief that this indeed has an outcome that's amazing. Because I've had one in the past. A lot of this is based on that. A lot of this faith and belief in me personally as the CEO and founder of a company is that, well he did it before. He probably knows what he's doing. It probably will work again. The likelihood it will work again with him is higher than if I just find someone that has never done it before.


Yeah. I can't promise them any of that. Then when it doesn't go according to my plan. Or it doesn't take off in the way that I thought it would. It's, it’s worrisome. You know the burden of being a founder. It's a terrifying place to be because not only do you have your own aspirations and goals that you're trying to manage and grapple, and somewhat temper. You got your family on the other side that are entrepreneurial with you whether they like it or not. Poor things.


Then you have your whole team that are now looking up to you going, you do know what you're doing. Then you may have some, if you're blessed with a board with investors, you've got that. I'm glad we can laugh about that word. Yep.


Robert Hansen

Blessed. Is that what we are calling it now? I think cursed is the correct word.


Karim Hijazi

There you go. You didn't sense any of that sarcasm. But I got to say that, that is extremely debilitating. Because there's no more of that early excitement that I once had and fire. I don't mean to sound so bleak. Because look, I'm very grateful to the point of privilege. I mean, look, we're sitting here as founders of companies that have sold you multiple times phenomenal experience so far. I'm in the throes of one that may very well have a wonderful exit or who knows what.


But going forward, you're right. I think that it's going to be heavily slanted toward, like you said, the new technology piece of this. I use the Idiocracy example. I can't go there now. I can't start limiting myself and going down into that world. Reducing down things so I can just fit into and shoehorn what I have to offer going forward. I'll just, I'll be miserable.


Robert Hansen

Yeah. I know you're a hacker, but that doesn't count as the fourth reference to Idiocracy. No, sir. I know your tricks. Tell me about your podcast. I have been listening. I'm a faithful listener. I think it's great. It's audio only, for those listening. But tell us a little about…


Karim Hijazi

Starting to get stuff on YouTube. Starting? I'll get those up there and show you where to look at.


Robert Hansen

Cool, great. Why don't you tell us, how did you decide to do that? We came up with almost the exact same time, within weeks of each other.


Karim Hijazi

Yeah, it's a great story. Not overly exciting. I mean, we talked about Hitman and podcaster is good. I had started, I've never listened to podcasts before admittedly. I'm not like some long term, longtime listener, first time creator guy. Never. I mean, maybe loosely one or two over the years. Then you can't ignore it.


Podcasts seem like they're the new media. The new method of marketing. I thought, okay, well, I guess we should look into this as a company. Frankly, it was originally a company motivated endeavor. I actually tasked them when in the company to go run with it. I said, “Okay, dig this up, figure out how to do it. Let's go create one probably for a company.”


Robert Hansen

Somebody had listened to a podcast.


Karim Hijazi

I hope so. I’m like, “Who's listened to a podcast?” I was like, “How do we create one?” Variety of things never got done. In January of this year, I'm like, “Well, I guess I'll do it.” Typical founder story, I’ll do it.


Robert Hansen

That was my Hooper's as well.


Karim Hijazi

I started looking into it. I started to listen to a few of them. Quite candidly the first I think three or four, I'm like, “This is awful. I don't know why people listen to this crap.” Then found, then I found some good ones. I found ones that actually I was like, “Oh, wow, this is actually not bad. I actually want to keep listening.” I was like, “Okay, I see now where this…”


You have to find your brand. You have to find the style that maybe works for you. I originally started thinking, okay, well, I'll do this. I couldn't get comfortable no matter how hard I tried doing a podcast for the company. I was like there's something wrong.


There’s something fundamentally wrong with that. Because I'm not really a hyperbolic character. I don't like to showboat and big glossy teeth. Done it. Sell the product every turn I can get, which is not great. But I just don't like doing that. I'm one of these guys that I feel like, if the product is good enough it should sell itself. Frankly, why do I need to constantly, why do I need to have it on the side of a bus?


Robert Hansen

I'm telling you, you got to have it on the side of the bus, man.


Karim Hijazi

I learned that unfortunately. Such a true statement my friend. Ultimately what happened was I chose to just make it a personal thing. That's where the naming convention of it came from. The Introverted Iconoclast was an interesting dichotomy and paradox and a little bit of an oxymoron.


Robert Hansen

I like the alliteration as well.


Karim Hijazi

Yeah, the alliteration is a big one for me. I am an introverted character oddly enough. What was funny is a lot of my life, I've had to find ways to fake being an extrovert. Well it's a persona that I've been able to manifest for my jobs.


Robert Hansen

Works for you.


Karim Hijazi

Thank you. But I'm really naturally not that way. I tend to be very quiet. I like to be alone. I’m very introspective. I'm not suggesting extroverts are not introspective. But you get my point. But then I do want to change the world. I want to have an impact. I want to be a change-maker which usually comes with ruffling feathers.


The Introverted Iconoclast was very much my conflicted personality of wanting to be a big change-maker but not wanting to ruffle feathers too much. That’s how that's worked out for me.


The stories are a combination of my memoirs, effectively, my life interstitially peppered with some interviews of people that I find interesting like yourself. It's come along really interestingly. It's an experiment is the best way for me to put it. I didn't really follow anyone else's model. I just went with what I thought was good.


So far, it's been an interesting ride. It's going to evolve. Into what? I have no idea. We'll see. It's interesting because when you started, you're like, “It's going to be here any minute.” And when it came out, I'm like, “Oh, man, I can't wait.”


I literally was on the beach in Maui listening to these and I went through them. I'm like, “No, this is good stuff.” It was so cool because you used to have a trailer at one point. I think it's gone.


Robert Hansen

No. It’s still there. It’s buried.


Karim Hijazi

Is it still there? Okay. I have to dig it up. But it was cool because we hadn't talked to each other. But what you said in the trailer was, this isn't just going to be about RSnake, ironically, cybersecurity RSnake, which this specific…


Robert Hansen

The name of the show.


Karim Hijazi

Then, ironically, this particular episode, we did get into some juice here. But fundamentally, you wanted to get into geopolitics. You wanted to get into controversy. You wanted to get into things that were going to really evoke a lot of thought.


Robert Hansen

Hopefully show the audience the kinds of conversations that happen behind closed doors.


Karim Hijazi

Hugely important.


Robert Hansen

I wouldn't say that the conversation we had today was really any different than all the other conversations we've had. Different words, maybe we went different paths or whatever. But this is the thing the audience needs to hear. If they don't know that this stuff is happening out in the world, they're just missing a huge chunk of how things work under the hood.


Karim Hijazi

Well, the smoke and mirrors are so strong. You brought this parallel up in the conversation we had with my podcast and now this one. The magician aspect of this. But it's now corporatizing that magical story so much so that it's becoming cellophane-wrapped and plasticized. People have no idea what is going on.


So I think there's probably going to be some shock and awe with what we talked about. People not understanding why the hell companies wouldn't want to go and fix things. We didn't even get into the untenable nature of most things that just simply can't be fixed like critical infrastructure.


Robert Hansen

A lot of snake oil, too. There's a lot of technology out there that people will sell that won't do anything. Or will even do the opposite of what they want. Maybe get into it at some other time. Where do people find you? How do they get in touch with you or your company, the podcast?


Karim Hijazi

Sure. I'm not a massive social media guy. I'm getting back into it. I'm on LinkedIn, Karim Hijazi on LinkedIn. You can't miss me. I have a uniform avatar or picture everywhere. A nice black and white, very Rembrandt-looking.


Then my podcast is on the usual suspects. It's on Apple and Spotify. It is The Introverted Iconoclast. I also have the domain theintrovertediconoclast.com.


Robert Hansen

Good luck spelling it.


Karim Hijazi

Yeah. It's a mouthful.


Robert Hansen

Well, there has to be a certain level of intelligence just to find you.


Karim Hijazi

I leave it like that, Cicada 3301. If you can find my podcast, you win the next prize to get the next puzzle. But yeah, those are the main areas. I do have an Instagram account for it as well. I think it is @introvertedicon. Same with Twitter. Twitter, that one is actually my name. It's Karim Hijazi. Those are the main areas.


Robert Hansen

Well Karim, thank you so much for doing this. I know this is kind of a slog to hike all the way up to Austin, Houston.


Karim Hijazi

My pleasure. It’s a joy man. I’ve been meaning to catch up with you in person. This was a perfect way to do it.


Robert Hansen

Yeah. Thanks so much.


Karim Hijazi

My pleasure.

