Measuring Cybersecurity at Home with S2Me

Unsecurity Podcast

Evan and Brad are joined this week by Oscar Minks, who runs the technical team at FRSecure. The three of them recap DEFCON from Oscar’s perspective, and they introduce S2Me—a new platform for people to measure cybersecurity at home.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:22] Evan Francen: everybody and welcome to another episode of the un security podcast. This is episode 41 I’m Evan Francen your host. If this isn’t your first time listening, you already knew that joining me today is my show buddy. That’s why I’m calling, you know, Brad and I can say hi Brad

[00:00:41] Brad Nigh: Heidi ho how you doing? I read the notes.

[00:00:44] Evan Francen: That’s good. At least time. What do you like?

[00:00:48] Brad Nigh: 15 minutes before we came in here.

[00:00:51] Evan Francen: But that’s okay. We publish these things every friday and you’re like, oh I wonder who reads this, Who really cares. But you care.

[00:00:57] Brad Nigh: I do good.

[00:00:59] Evan Francen: Alright. We’re also excited for today’s show because we have a first time special guest joining us. None other than the infamous I don’t know if I’m over from overstepping their infamous Oscar Minks joining us from his home in Kentucky. Oscar say hi

[00:01:14] Oscar Minks: hey everybody. Thanks for having me today Evan and Brad.

[00:01:18] Evan Francen: Absolutely. That’s that’s something similar. Still following the show notes, we’re good here. Oscar you’re the uh you’re the director of technical services at fr secure? Right?

[00:01:28] Oscar Minks: yep, that is correct.

[00:01:30] Evan Francen: Tell us, tell us what that what that means? What do you do?

[00:01:33] Brad Nigh: What would you say? You do

[00:01:34] Oscar Minks: hear Oscar Yeah. What don’t I do? Yeah, primary responsibilities is uh um, manage our pin testing deliveries and services and team um And that’s you know, all of our pin testing deliveries which is physical social, internal external pc red team, purple team, blue team all the phone colours of the rainbow and then also um brad and I worked together to develop our new instant response plan, uh managed services and retainer offerings. And uh he and I together also oversee that service delivery.

[00:02:14] Evan Francen: So he does do a lot of stuff. Yeah, he’s kind of in the shadows being down in Kentucky and

[00:02:19] Brad Nigh: all. I think he likes it that way. I would he’s seen people do here when they when I realized I’m in the office. Yeah. Part of the uh

[00:02:29] Oscar Minks: I do love being up there with you guys though. I love my shadow time but I really do love my time in Minnesota with the family.

[00:02:35] Evan Francen: Heck yeah man, I’m excited. When are you coming up again?

[00:02:38] Oscar Minks: Uh we’re just talking about that yesterday. I don’t think the dates have been confirmed yet, but middle of September probably 3-4 weeks.

[00:02:45] Evan Francen: All right, well you’ll have to let me know as soon as you know so that I can make sure I’m here. We’ll do. Yeah. All right. So he does a lot here. It sounded like he said a bunch of colours. I heard something about pen testing like anybody knows what that is

[00:03:00] Brad Nigh: just made up. Yeah. So

[00:03:02] Evan Francen: it’s like, so you do like an essence,

[00:03:04] Brad Nigh: can

[00:03:06] Oscar Minks: we do it? S a scanner. Yeah, we absolutely do not do an s a scan and check what Vanessa scan tells us as a pin test for everybody. We absolutely absolutely do not do just that.

[00:03:23] Evan Francen: So it’s got to be necessary and

[00:03:26] Oscar Minks: kinetics.

[00:03:28] Brad Nigh: Yeah, it’s free way

[00:03:34] Oscar Minks: youtube and become a master of the medicine point framework and you’re on your way

[00:03:41] Evan Francen: to go Well cool Oscar it’s cool. It’s cool having you here. I know we talked about this a couple of months ago, we’re going to come back to how cool pen testing is because it’ll be a great segue into where we talk to you about, you know, def con and your experience coming back from there. Uh but another thing, you know what I wanted to start the show off with sort of other than introducing Oscar was you guys have heard a best to me? Yes. Oh yes. Uh Have you gotten us to score yet? I have you have a nice to score. Can you share it? Are you gonna share it? 7 90

[00:04:18] Brad Nigh: nine. What?

[00:04:20] Oscar Minks: Oh wow.

[00:04:22] Evan Francen: Oscar, have you done one yet?

[00:04:23] Oscar Minks: Yeah, I did mind a couple of weeks back. My score was into 700. I don’t remember exactly what it was. It was not a 7 99. So when you go brad

[00:04:32] Brad Nigh: hey. Yeah, it’s funny the two lowest areas for me, we’re backing up data and breach an incident response from a personal level and that’s the thing, you reach the money kind of, was it accomplishes. Right? I know what to do. I just don’t have it documented anywhere.

[00:04:50] Evan Francen: Right. Right. So you better be alive whenever incident happened. Yeah. And available. Yeah. I’m not gonna, well, I will tell you my ass to me score. So, but I’ll get there, I’ll get there in a roundabout way. So, uh, and for anybody who’s, everybody should do it. You know, it’s free. There’s no catch involved, just like our mentor program, you know, that we do every spring. There’s no catch uh, in the s to me, uh, it’s a personal information security assessment. And you get there by https colon slash slash s to me dot io that’s the website. Earlier this week. I give your presentation to a very large school district here in Minnesota Minnetonka school district, your kids there. Okay. Uh to their faculty and staff. Right. They had a big offsite thing and what I did was gave them all as to me, yes, organized it into what’s called the S two team. So if you’re an organization who gives out a bunch of smes to employees, Those smes aggregate into what’s called an S two team. So I did that with them. And then we went over the results and I was really surprised how well received it was.

[00:06:08] Brad Nigh: Yeah, because there that could be uh, could go either way where people like I’m not, I don’t want any part of that or they’re really interested in understanding

[00:06:17] Evan Francen: and learning. Well that’s it, right? I mean at the end of the day and the theory here is if I make security personal something like where I’m protecting my own, I’m protecting my own uh financial data on protecting my own privacy. I’m protecting my own safety. Then I’ll be much more motivated to do this. Right? We did a study with, you saw the study, a bunch of

[00:06:45] Brad Nigh: normal people, you know the results of the second? Because you saw the first. Yeah. And then you redid it. Yeah. I remember if I saw the second. Alright. Well anyway, so

[00:06:54] Evan Francen: I made I made a word map out of the only I can see that the open yeah. The only open ended raw question I gave was give me one piece of advice to make security better for you. Uh And overwhelmingly it was simple and it’s true that people really want to do the right thing with security. They just don’t know how there’s no there’s no one standard defined for security at home. So it really resonated well uh and I’m not happy to report that their average score. What’s better than mine?

[00:07:29] Brad Nigh: That’s, wow. I know. But see I think you

[00:07:33] Evan Francen: know the emperor has no clothes. Well

[00:07:35] Brad Nigh: but we do this all day every day. So there’s certain things we take for granted and don’t formalize just because its second major

[00:07:42] Evan Francen: right? And we

[00:07:43] Brad Nigh: should and we should.

[00:07:46] Evan Francen: So I wasn’t happy with my results. But there were some things that came out of it that were very obvious because because one of the things that the S2 team peace as the administrator that I can see from their assessments is how they what the aggregate sort of scores were. Right. And the two areas that scored the worst, which is same as you is back up and uh incident response. And so what I told that I told them is what that tells me is your like everybody else. We all think it’s going to happen to somebody else. I mean if I was so certain and I knew that this was going to be happening to me. You know overtly I would do these things better and it comes to the same thing with incident response. Right? So you know, everybody would have an incident response plan if they actually plan for an incident.

[00:08:37] Brad Nigh: Right. Well, you know, and what’s even worse for me is I said, well I had my identity, my wife and I had our identity stolen 3.5 years ago. People filed fraudulent taxes. So, you know, we’ve already got all the monitoring and the freeze on the credit and all that type of thing. But we don’t have anything I think formally documented which we absolutely should. We’ve been there and had it happened

[00:09:02] Evan Francen: Oscar. What about you? What was your lowest scoring piece of the s to me,

[00:09:06] Oscar Minks: backups were was my lowest. I can’t remember what the second one is. I should pull up my report while we’re talking here and see. But um, you know, and that’s one of the things I’ve talked to you about right with like my tater whole idea, I know how important it is. We work in it so much. It’s one of those things where you can’t see the forest for the trees. Sometimes you become so consumed with something with work. And then when I’m in my personal life, maybe I don’t spend as much time as I should on those things that were preaching to everyone all the time. And so it was a good like refresher for me to say, oh yeah, I got to start thinking about myself too.

[00:09:42] Evan Francen: Yeah. Good, good. Well, that’s good insight. And I think, uh, I’m excited to when you’re ready to talk about your tater whole idea because I think it’s a super cool idea. Plus the fact that some, some dude from Kentucky because it later. All right.

[00:09:58] Oscar Minks: Yeah, I’m still brainstorming and put it on paper. But I think in the next few months I’ll be ready to talk about it. Maybe we can talk about it here, then.

[00:10:09] Evan Francen: That’s cool. So there’s a pen tester, A guy who leads a bunch of pen testers in Kentucky making a tater whole thing,

[00:10:20] Brad Nigh: I just hear people that’s our Oscar.

[00:10:24] Evan Francen: I All right. So for anybody who is listening or listeners go on doing this to me? Have your parents doing this to me. Have your Wives and husbands do smes. Like I said, it’s completely free. And one of the things it does, at least in my house is now me and my wife and I’m a security guy in the security industry for 27 years. But now our conversation is different at home about security because when she went through the estimates like what is, I didn’t, I didn’t realize that this was something I shouldn’t. You know what I mean?

[00:10:59] Brad Nigh: That’s the whole point

[00:11:00] Evan Francen: of Exactly. Exactly. So get out there, get your ass to me. And if you feel like sharing, you’re asking me score with us. You know, don’t tell us the details. We don’t want to know the details. We don’t want your private stuff. But if you feel like you want to share your score, email the show on security at proton mail dot com. And we’ll talk about

[00:11:23] Oscar Minks: that. So yesterday day before yesterday actually met with the Lexington fayette Department of financial crimes. Lexington fades. The urban city government here. And uh, it was cool. We’re talking to him about some of the stuff they’re saying come in and how we could help them with their customers that are having incidents and so on. But the conversation ended on. Well, what would you recommend for us personally? What should we do? And I said, I got a link as to me do this to me. So we sent it to the entire Lexington department of financial crimes force. Yeah. And uh they got the length and hopefully they’re working through it now. Hopefully going to take that advice and secure themselves.

[00:12:00] Evan Francen: Yeah. And another thing too, I mean this is a relatively new product for us. Uh we’d love to hear your input and your feedback, right? Because I’m a security guy and I had input into how it was developed. But I don’t know

[00:12:15] Brad Nigh: does it resonate with Alright security people.

[00:12:18] Evan Francen: Yeah. So eventually this has to me will become a community tool where we’ll take put regularly from the community on what they’d like to see different, what they’d like to see changed. And then another thing sort of emerged when I was in with men attack a school district. I was explaining to them that this is an adult tool. It’s totally free. And I said but what I want to go next is I want to do in S2 teen for teens because here from parents I’ve talked to they have no idea truly what their kids are doing with electronics with their phones, with their ipads with their laptops. Uh And we need to somehow break down that barrier right? Because there’s a generational problem my generation, I’m 48 years old, right? I know I look like I’m 20, I’m done. It’s beautiful. But you know 48 years old. I was one of the last generations, I grew up without a cell phone. I can remember dropping a dime in a pay phone when I wanted to contact somebody.

[00:13:25] Brad Nigh: I’m not that much younger than you because yeah, I remember it was I was out of nobody had cell phones in high school, right? It was you had a quarter that you would go and

[00:13:35] Evan Francen: and some and so now we’re raising kids because now we’re all parents, right? We’re raising kids who are using devices that we never grew up with. I can’t I can’t relate to what what what it feels like to use instagram, right? I never used instagram when I was a teenager. I might use it now, I’m an adult, but it’s still not the same perspective. So this is two teen, I think it’s going to be a really cool thing because and then you have an S two teen and s to me is that make an S to you

[00:14:03] Brad Nigh: can always do it as two child because right, you’re eventually, you have people with, you know, I mean, I don’t want to admit it, but my five year old does have an older ipad that he watches like Disney now or whatever watches, you know, guardians of the Galaxy or whatever show he’s watching, right? Well, as he gets a little older. Yeah, he’s gonna, you’re gonna want to have

[00:14:26] Evan Francen: write something when we want to get, we’re already behind the curve. So let’s get back ahead of this

[00:14:31] Brad Nigh: thing. I like the

[00:14:33] Evan Francen: uh, and so because then imagine your conversations and so you have to make these two teams have to be careful on how you build that because there has to be built in a way that it’s going to incent the teens to tell you the truth, you need to gamify it. They want games and things like that. I mean you have to make it right. So I asked Minnetonka school district there, the second largest school district in the state, would you guys help? Would you guys collaborate with me on this? Yeah, I would love to, I know. And then I went to remember Ryan cloudier who was a guest on podcast, I don’t know, somewhere back in 20s somewhere. He, uh, he, I can’t remember the name of the organization. They support all the schools in the state of Minnesota and very active in, in this area. So I reached out to him a couple of days ago and I said, hey man, you want to collaborate with me on this. He’s like, hell yeah, so, and then with you and I mean let’s make this a community thing too,

[00:15:31] Brad Nigh: definitely.

[00:15:33] Evan Francen: So I’m excited about as to me, but that’s where it starts. I’m excited about is to me, I’m excited about as to teen to come excited about as to family. I think it’s going to be and then where we use that from a business perspective is we’re all creatures of habit, right? Good or bad habits at home that was translated a good or bad habits.

[00:15:51] Brad Nigh: I mean, it’s what we’ve been preaching. Like one of the first things when I started was when we was redoing our kind of our based training slide deck is now information protecting personal and corporate data. Yeah. Just because you do something here doesn’t, you know, whatever you do at home, you’re gonna do it work the same habits

[00:16:12] Evan Francen: apply. Right? Alright, so again, s to me, go get it, get your ass to score, share it. Talk about your family and talk about it with your wife, your husband, family, you know, I mean get take this seriously. It’s simple and it’s kind of fun. I’m a competitive guy. So my score is better than my wife and it will stay that

[00:16:32] Brad Nigh: way, accepted it. That’s an option. So,

[00:16:41] Evan Francen: and the next thing uh, is I wanted to talk about, you know, here we are again, another week and we’ve got more incidents. So two incidents came in that I know of because they both came through me. The first one is, it isn’t run through our incident response service because it’s where I’m the VC. So right now. So it’s my job to take it, right. Uh, but the, the incident is, so let’s just talk about that real quick because I think it’s uh, we’re having so many incidents so often we might have to have a dedicated podcast just for incidents.

[00:17:23] Brad Nigh: It’s not

[00:17:24] Evan Francen: We’re not a huge huge company. Right? We’re not Deloitte, we don’t have hundreds of thousands of clients. We have about 1500 clients. Uh So the incident I got I’ll be really quick was um sure uh an email compromise. Uh ow a single factor authentication billion. Uh huh. Until that, you know what was the indication was, a whole bunch of emails are being sent from her mailbox that she didn’t actually send. Right. And so the the incident responder is in san Diego and he’s got some security job. So really it was working with him to come. You know. All right, consider this, consider

[00:18:06] Brad Nigh: that.

[00:18:07] Evan Francen: Yeah, this lady works in finance and we’ve pretty much determined at this point that there was no other compromise. There was no other way in. There was nothing in going out. Uh But it’s uh you have to consider everything in that mailbox as being compromised. That means we have to go through everything in that mailbox to look for any type of personally identifiable information.

[00:18:33] Brad Nigh: How many records what kind of information. Yeah.

[00:18:38] Evan Francen: So that’s where we’re at right now with this and said now the other one came through what yesterday it was two years ago.

[00:18:45] Brad Nigh: I don’t even know at this point. It was yesterday.

[00:18:47] Evan Francen: Right? I don’t remember what date it is today friday.

[00:18:50] Brad Nigh: It was it was Wednesday, Okay

[00:18:52] Evan Francen: Wednesday. So this incident, I got an email from a friend who works at a large law firm, um who said, you know, essentially we have a we have an incident or something like All right, well, I’m in the car coming back from, you know, central Minnesota. And I call him up and like, all right, tell me what’s going on. And so we talked through it and he’s got, I don’t know his whole team on the call. We talked through it, find out it’s an active incident. It’s an active investigation that you guys are doing. But it came that way. So then it got a little funky with like, okay, I got to hand this off to you guys to handle. But now it’s long

[00:19:36] Brad Nigh: underwear. Yeah. So that was we don’t, well, they didn’t fully know the scope. They just knew for sure there was a brute force attacks coming in through there. Ow, a instance.

[00:19:49] Evan Francen: Did you confirm that account? Have you gotten

[00:19:53] Brad Nigh: there? So they did work that, I don’t know. I’m not actually working it. I’m just gonna helping. Right. Right. So response team now. So what was it working on it? Um, had a couple of users that did get a push from their multi factor, which during the time that they know there was a brute force. So we’re with

[00:20:13] Evan Francen: one factor was compromised,

[00:20:14] Brad Nigh: potentially. Well, most likely we don’t know. I don’t know yet.

[00:20:19] Evan Francen: Right? We can’t when you’re making you’re making a great point right here, you don’t have to response. Right,

[00:20:25] Brad Nigh: prove it. So they’re looking into all the logs and all that stuff. But one of the first things we did was deployed 300 rules across the entire environment because we don’t know what’s going on, it’s a little easier when go, okay, We know it’s This and this is what happened and, and know the scope of it here. They were like, did they deploy anything there? You know, they were having 70,000 failed attempts a day

[00:20:54] Evan Francen: Oscar your team is working on it, right? Is it is it members of your team that are actually doing the full investigation

[00:21:00] Oscar Minks: that we’ve got a new guy tom on that one. And uh he’s working with a couple of our other analysts who are transitioning from other roles right now and so brad and I are letting those guys run with it so far. So good. I think we’re gonna check in with him after the podcast here, see how they’re doing. But so far,

[00:21:16] Brad Nigh: so I’ve been keeping on them fairly close tabs on him just because I’m not interfering just monitoring the conversations, you know, just

[00:21:27] Evan Francen: and even even I’m involved in the conversation because I see I see all the emails just because, you know, it was a friend of mine. I’m like, well, if you guys want to drop me from this, it’s that

[00:21:35] Brad Nigh: okay, luckily you haven’t been on the secure chat channel where we’re actually doing real time back and forth. Hey, we’re seeing this. So I’ve been watching that. Just, you know,

[00:21:49] Evan Francen: if you invited me to it, I would, I would

[00:21:51] Brad Nigh: not, it’s like, uh, it’s like Oscar, you know, it’s like your kids, right? You’re handing it off to kind of run and stretch their legs, but you still, which is, we want to make sure they’re not keep an eye on things that

[00:22:04] Oscar Minks: they’ve been doing it. I’m sure brad you do the same thing as me. It’s one of those things where space works better in some situations because if I’m there, I’m going to be saying, hold on, do this, hold on to this, wait, wait, wait, just let me see a minute. So I think it’s better step off check in every, you know, go often to make sure they’re right on the right track, but otherwise we’re just gonna get the edge and try to take over again.

[00:22:25] Brad Nigh: Yeah, no, I’ve just been, I haven’t been saying a whole lot other than like the answering questions or, you know, there was a couple times where they’re like, well, so here’s what we’ve done and I’m not sure what to look at next or what would be the next step and well, here’s where I would go from there, Right? So give him some guidance around it. But yeah, I haven’t been, it’s been pretty well, hands off, I’ve just been, you know, kind of facilitating and helping out wherever they need help

[00:22:52] Evan Francen: from my perspective, you know, not actively investigating incidents anymore but been in hundreds and hundreds of incidents over the years. I love the way you guys are handling it. You know, this is the first one I’ve seen in the new sort of programming approach because there’s a few things that you see over and over again that fail. An incident response is one of those is making assumptions which you just talked about. That’s there are certain times you have to make assumptions if there just isn’t evidence right there anymore. And I really love that. And then I really like the fact that on how you guys control the communications during the incident, uh because that’s also a very common failure. There’s two types of communication that happened. And Vincent you’ve got internal communications and you’ve got external communications. And so the way you guys are handling the internal communications, kind of keeping that live not making assumptions that you know, somebody not off somewhere. Looking stuff investigating something that isn’t even relevant. I mean, just kudos to you guys for what you’re doing it.

[00:23:59] Brad Nigh: Yeah, yeah,

[00:24:02] Evan Francen: yeah. So I got right now. All right, well, good enough. So a couple more incidents. It looks like one is an attempted at this point, not confirmed but an attempted brute force attack on uh on one and the other one was another single factor authentication on ow a which if you have single factor authentication on ow a just expect to get had

[00:24:32] Brad Nigh: you probably

[00:24:33] Oscar Minks: you probably already breached, you just don’t know it yet. Someone set inside the right time to use it. Just just turn

[00:24:39] Evan Francen: on your mailbox auditing now because we’re going to be looking for that when we come. All right, so the other thing uh two weeks ago we had Ben in air quotes. Ben was, Ben’s been very busy. Ben was out at def Con but he was also on our show a couple weeks ago and he was also on T. V. Earlier this week with his face blurred, which is pretty cool

[00:25:05] Brad Nigh: real celebrity for being that anonymous.

[00:25:08] Evan Francen: Right? So he was out there at def Con. Now all the guys that were out at that we had 10 people overall at def Con eight on from your team Oscar Right,

[00:25:20] Oscar Minks: yep eight on team ambush.

[00:25:22] Evan Francen: Excellent. And then we had our President fr secures president john Herman was there and then our VP of operations Renee rudder was also there. Uh So anyway, I just wanted to talk about def con, you know, I think some there’s a good portion of the audience december. Steam def Con never been at def Con before, there’s others who you know that are there every single year. So let’s just talk about def con Oscar you were there brad and I had to miss it this

[00:25:52] Oscar Minks: year. Yeah it was uh it was pretty awesome. Um this year there were over 30,000 attendees. Don’t know if you guys knew that they print 30,000 attendees. Um when I went in 2010 I was just looking back and My buddy we’re talking about, it was like it felt pretty big. Then we looked at the numbers that were like 9000 people in 2010. and so over 30,000 people this year, They had only created 26,000 badges that really need badges this year. They were like it was a hand cut hand polished piece of courts and there was a circuit board on the back of the courts with some L. E. D. S. Built in some proximity sensors. Uh There was it had wifi built in as well. And so the idea that they called these badges the human badge. And so the idea was that there were challenges that were integrated into your badge. Where if you could link with other humans so we would walk to each other, you can put your badges together and it would you know give you a series of beeps to know that they have been connected. And so the idea was to try to figure out what the challenges are and solve these challenges. Um more dig into details that it was a pretty cool experience. It was a way to uh you know kind of humanized def con and the idea the theme of this year’s conference was this like uh the idea of a harmonious interaction between humans and technology and so the badge was developed with that in mind, right? Using our technologies to become more human with each other. And so I thought that was pretty neat, you know, to to have an excuse for people who may not know each other to go up to each other and say, hey, You mind if we scanned batches and then who knows what that leads to friendships conversations, maybe they’re solving the problems of, you know, the future after that and all thanks to these badges. Um but they had only printed, you had 26,000 of those, there was 4000 people that didn’t even get a badge. It was pretty crazy. Yeah,

[00:27:50] Evan Francen: so yeah, I didn’t even hear about that. I mean, I think I heard something about it, but I didn’t hear it explained that way.

[00:27:57] Brad Nigh: Yeah, they always have cool badges that I really like that. It’s a great idea and they also being around like hacking for health or something.

[00:28:05] Oscar Minks: Yeah,

[00:28:07] Evan Francen: fake hospital.

[00:28:08] Oscar Minks: Yeah, they had a lot of villages set up and we didn’t get to go to a lot of them because we were pretty busy, but they had the bow hacking village, uh the hospital, like fake hospital, they had the fake voting booths, which I’m sure you guys have heard about, I think that there was a, you know, a kid, a young kid that was able to own all the voting machines, Same thing happened last year too,

[00:28:31] Evan Francen: so a

[00:28:33] Oscar Minks: real uh, so there’s a lot of neat villages going on. There was some cool stuff too, you know, where they try to build an indestructible computer and uh literally if you win the competition the last year you’re gonna walk around with a sledgehammer, try to break other people’s, you know, computers they’ve made. Um, it’s just cool challenges to for like social engineering attacks, physical attacks, crypto. Um, there was some fitness challenges. I haven’t seen one attack. It was our one challenge where they were trying to catch a cooling mug and whoever could make a cooling mug that could lower the temperature of water or liquid in the shortest amount of time and reach the lowest temperature, you know, could win this flag. So it’s really uh, the idea that what I enjoy about defcon the most is, you know, I think a lot of people when they think of hackers, they think explained a black hoodie in a basement, trying to do bad things, crack things with reckless abandon without reason, when you hear this conference, you can expose that, you know, hacking is not just limited to cyber technology. Hacking is really all aspects of our life. Um, and it’s really this idea of trying to make something do what it’s not designed to do to begin with. And so that’s a hack and you know, to me that can be, you know, everything from computers, web applications, um you know, to a soda cup or a beer cup all the way to just how the human mind works and how we’re able to interact with each other. And so Um it’s a pretty cool experience to get to, you know, be surrounded by 30,000 or so like minded people feels pretty good.

[00:30:04] Evan Francen: That’s cool. Yeah, this one it’s our, It’s cool to see that there’s such an emphasis, it just seems like in the last, you know, 12-18 months such of an a bigger emphasis on uh huh putting putting the meaning to hacker back in the meaning of

[00:30:22] Brad Nigh: hacker. Yeah, almost like marketed or media margin is to just this one thing, it’s

[00:30:30] Evan Francen: just, that’s always been what hackers are, right. Hackers have always been people that are curious and want to see how things actually work and look for ways to improve things and everything right. And then it got this bad rap because I think people didn’t understand it. And so that’s where you got the hoodies and all that other crap. But it seems like we’re turning back to kind of at least the culture, everything seems to be turning back to the pure.

[00:30:59] Oscar Minks: Yeah, I think so. I think it was originally like a buzzword, the media tribe and they got a reaction right? They seen people were afraid of the word because they didn’t understand it. So use that to their advantage to create this, just negative connotation of the word that we see as something completely different. And so I think you’re right, it’s through events like this, you know, through even the news story on the team this week and everything else, all the positive media that’s starting to focus on hackers, that’s giving offensive security folks. And even just hackers in general a chance to be seen by the public in a positive lot, which is the way they should be. I mean, they’re the people that for good or bad, the work that they are doing and we are doing at any specific time. It’s going to be, you know, the solutions to the problems of tomorrow. Um, I’m kind of writing about this a little bit in a blog post right now and, you know, making like the comparison, you know, that the, you know, the network admin or the system admin at company X, y and Z. Um, those tickets, he’s got this week to deploy those new patches to secure his system and prevent an exploit. Well, that’s, you know, the work of somebody who was possibly at def con finding new exploits and and trying to make the world a better place.

[00:32:08] Evan Francen: Yeah, that’s pretty man. So you mentioned, uh, you mentioned that you were too busy, you’re on the team. I think the whole team ambush were too busy to really see everything at def con and I think even if you weren’t busy wouldn’t see everything? Uh, what was the team

[00:32:28] Oscar Minks: doing? Yeah, we were busy competing and a CTF competition, capture the flag for those people that don’t know. Uh, this particular competition is called the Warlock Games. Um, and it’s a 24 7 ongoing capture the flag event begins friday, it began friday at noon and it closed sunday at noon and we were actively solving, um, challenges which were related to offensive security and hacking um, from friday until sunday. The event is, um, this was its fourth time earning black badge hall of Fame, which, if no one knows what that is, we don’t have to explain it, but you should look it up, it’s pretty darn cool. And uh, yeah, so we were busy competing in that event from pretty much friday at noon until sunday at noon.

[00:33:20] Evan Francen: And for people who don’t know when does black hats start? When is it open?

[00:33:24] Oscar Minks: So def con or black hat, Yeah, yeah, so def con opens thursday, that’s when we’re all able to get our badges get checked in, get our hotel, there are a few talks and a few social events on thursday and then friday, um, is really when it goes full steam and that’s when all the CTS fire up and um, you know, all the villages are open and uh, all the challenges are really rolling full steam.

[00:33:51] Evan Francen: Cool. So how many do you know, how many cts, there are

[00:33:55] Oscar Minks: definite um I do not um there’s a whole range of CTF. Um You know there’s some for uh you know physical security there’s some social engineering cts there’s some crypto cts. Um But the one that we do is a more holistic CTF so it approaches um you know all aspects of offensive security really in the round of the space that we’re working today which is technology related. Um And so you know they’re forensics cases in there. There’s typically web app stuff, there’s cryptography, steganography, um network sniffing. Um You know just kind of honor and then they had physical challenges too. So we do some physical lock pickings and things like that. Um And then they always do a couple of just erroneous challenges in the warlock CTF this year it was physical hacking. Um And which was you know a physical exercising. So we put family who looked like our most fit guy in charge of that challenge. But in the tops of CTS were doing which is really a holistic technology approach. Um There’s only a handful um Open C. T. S. Another um can’t name all of them but you know maybe three or four there are more of a comprehensive style CTF.

[00:35:11] Brad Nigh: How many are the are were black badge events.

[00:35:15] Oscar Minks: Yeah so we were the only it was the main there’s the primary defcon CTF and warlock was the only two that really focused in the space we’re working that were black badge events this year.

[00:35:27] Evan Francen: Yeah, and, and the defcon CTF is really purely technical, I don’t think there’s any physical component to that.

[00:35:36] Oscar Minks: No, physical component, all it’s purely technical. Um, and that’s something that’s on our roadmap. I’ve talked briefly with some of the guys after the challenge and uh, you know, there were some things that went down at the warlock this year and we’re going to get a yeah, and long term though, you know, we, we want to compete in, uh, the other challenge as well. Um, ideally, I think, uh, the next two years, I want us to have a couple of teams, be able to compete in a few different Cts out there. I think what the rate we’re growing and our technical skills are growing, that no reason why we couldn’t have two or three teams out there, showing everybody what we’ve got next year.

[00:36:11] Evan Francen: That’s cool. Well, and speaking of showing what you got, I mean, this is the second consecutive year that you guys placed in second place.

[00:36:19] Oscar Minks: Yeah, super excited. My first time with the team out there, you know, so it was uh, it was awesome and there were over 300 teams in this and so to be finished second place and they’re from all over the world, The guys who finished right behind us in third place for, from the Dominican Republic, we gotta meet those guys really, some super cool guys. Um, and so yeah, it just, it just felt good too and it also felt good, you know, there was so many times that the competition, we were just leading the competition, we were solving these challenges as soon as they would come up staying ahead of the curve and uh it felt awesome and we all, you know, we’re all super proud of what we did um and it felt good to to operate as a team. I can honestly say that um all the guys contributed, everyone had something that made a difference in one point or another and without the team, I don’t think we could have been able to do it and you know, it was just, it was, it was

[00:37:12] Evan Francen: one of the things that uh That I heard, you know, his feedback, I wasn’t, there was how this year was the team operated, you kind of alluded to it, we had 18 members there and this year even more than last year, every team member played a role. You all participated and I think that’s just so freaking cool and I love the picture of you guys all up on stage, man, I’ll eight of you, standing up there, you know, in your badges, your pretty t shirts,

[00:37:44] Oscar Minks: it was a nice feeling to, and you know, we wanted to make sure this year that the whole team was recognized and so when we found out we were going to be a black badge event and it was going to be in the main def con ceremonies. Um yeah, we were all excited and we decided, you know, that everyone’s going to get a chance to be on stage, everyone’s gonna get recognized as part of this. And because we are a team, we work together and uh we all should be recognized because you know, we’re, it’s a pretty big accomplishment I think, to get where we are. Um even though we’re disappointed with landing second place, uh, we’re pretty proud of being there. It

[00:38:22] Evan Francen: well, speaking of landing in second place now there was some controversy in the war lock in this

[00:38:27] Brad Nigh: year where we get all fired up. Well, I know

[00:38:30] Evan Francen: and I want to be careful, you know, because I want to protect the team and I want to protect you know what? You’re trying to build their uh then thank God I wasn’t on your team this year because if I would have been on a stage it would’ve gotten ugly. But you know, kudos to you guys for keeping your cool too.

[00:38:46] Oscar Minks: There were sometimes we, a few of us almost lost are cool I think, but we took a step back thought about long term thought about big picture and we think it’s better to handle this the right way,

[00:39:00] Evan Francen: right? So what what about the controversy at some point we’ll write something publicly, you know, because I think people need to know and the reason why people need to know is everybody puts so much freaking effort into this and our team, you know, in particular was on the cusp of first place. And I think would have had first place, had the controversy not occurred. And I don’t want to sound like sore loser, but there are certain things that or just, I mean, it’s not like it’s not like a subjective call, right? Like in a football game where the, where the ref didn’t call, uh, you know, you missed a holding call or missed a uh, you know, pass interference. This is a legitimate, like a black and white.

[00:39:43] Oscar Minks: Yeah, it is, there’s a few things, and I think to understand completely what happened while we were so upset would be best to start with, um what we found and what we did, and then talk about the second thing. So when we were working through the challenge, um, we identified a data leak in the platform and this data leak would permit other participants who identified this, um, to view the correct submissions of other competing teams. Um, it didn’t matter too much for us because we were already in first place. But yeah, we we found this, uh, and it was a huge red flag

[00:40:27] Evan Francen: uh,

[00:40:29] Oscar Minks: across it. We we’ve seen, we’re actually exploring the web application within the web application without doing, you know, any sort of hacks or exploits, or anything. Uh, we came across the specific page in there that was leaking information pertaining to information, uh, answers submitted by their teams. And so we immediately, I went to, uh, the organizers of the competition and showed them in data, show them exactly what was going on. And um, you know, the main thing is we want this to be a fair competition win, lose or draw. We always want things to be fair. And so we presented that to the organizers and they did the right thing. They responded promptly by taking the data leak down and fixing exposure. Um, so that was good. It was a good thing. The bad thing is we were halfway through the game at that point and there’s no way that we could confirm if other team members had utilized that data lead to their own advantage. We did ask if they would investigate and try to see if they can identify signs of abuse. They said they would, we never heard of anything further. Um, so then moving on to the next thing that happened, which is really what were salty about today is, uh,

[00:41:43] Evan Francen: so we

[00:41:47] Oscar Minks: Woke up about between three and 4:00 AM on Sunday because there’s been some new challenges posted and we all get right to work. And you know, we knocked these challenges out ahead of everyone else by a long shot. And so then we were just in some point talent because we knew were going to go into the sprint to the finish. we knew there was going to be more challenges come up and so on. And there was a couple other teams that were in the running as well. And so we investigated their scores to try to just confirm everything is accurate the system right? Because there was, it just didn’t look right. And so in investigating, we identified that one of the teams had an extra 100 points, um, and it’s an extra 100 points that’s not accountable for by any challenge that’s been released to every other competitor. Um, and so immediately

[00:42:35] Brad Nigh: I’m, for anyone who’s not familiar, how do the points work? How do they get, how do you learn them? You know how much are challenging? Maybe that will

[00:42:43] Oscar Minks: help help? Yeah, that’s a really good, really good question. So like in this challenge, the, The point value ranged from 1 to 200 points for each challenge. And so essentially, uh, there’ll be a challenge released. This challenge will have a set of data with it and then there will be questions associated with the data. And in order to find the answers to those questions, you will have to either successfully exploit the data or successfully identify covert communications, things like that within the data. And they’re called flags, right? So when you identify these flags and you can answer the questions that relates to that data set? And this challenge, there was typically from 3 to 5 flags for each data set released. And so back to the story, we identified that one of our teams were competing against had 100 points that couldn’t be accounted for from the challenge board. The challenge boards are master board that shows all the challenges and all the points and where you stand against the other teams and so on. And so we immediately took that information again to the organizers and we said, look, there’s a problem. We don’t know what the problem is, but one of the teams has 100 points that’s not available to anyone else. It was easy for us to identify they had an extra 0.100 points because we had solved all the challenges at this point. And so we knew what the max score should be and they had 100 over the max score. They had also solved all the challenges. Although behind us, there were a good team, I’m not taking anything away from them. And so we raised it to the organizers and then they do begin an investigation. So good on them for looking into that their investigation concludes. Um, and they confirmed it with the other team that the other team had access the challenge board via backdoor by utilizing aPI calls and by utilizing the aPI calls, they were able to extract a challenge that was not visible to any other competing team. The reason the challenge was not visible is because the organizers had mistakenly named the challenge the same name as another challenge, and so the web application uh couldn’t present that data was a duplicate. It was causing errors. So the challenge was supposed to have been released to all of us, but it wasn’t. And because the other team had identified a back door that would allow them to pull the challenges down a raw format, they could see the challenge. Um Now, ethically, if we had discovered this, I can say the first thing we would have done is notify the organisers. Hey, there’s a problem with the game, we want this to be fair. Um We also know that typically in most situations if you attack the game platform, meaning access it from the back door or an alternate channel other than what’s presented to you from the organizer that’s considered attack on the platform and is considered disqualification, right? Uh that wasn’t the case here and that’s that’s okay. Like, you know, I’m not even saying that should have happened, I don’t know, it’s it’s the organizer’s choice. Um but after we brought their attention, they did confirm what had happened and they acknowledged the other team had the data, had the challenge before us was able to answer that, so they decided to try to make things right now, this is with one hour left to go in the challenge. All right, we’ve got less than an hour left, what they decided to do to make it fair is republished that challenge so everyone can see it along with three other accompanied questions. Okay, So what happened is the team who already had the data already had 100 points so that we’re in the sprint to the finish here. They released a challenge that one team already has and that data just becomes available to my team by the time we download the data set, literally we’re still downloading the data, the other team is already putting in their answers. So what happened is the other team had an unfair advantage because they were able to access the data set, analyzed the data set and solve the first challenge hours before my team or any other competitor was even allowed to see the data even allowed to start analyzing the data and so on. And tom is so critical in these challenges that if you have a four hour advantage over another team for the last data set of the challenge, um, I view that personally as an extremely unfair advantage and an unethical decision by the organizers of the event.

[00:47:10] Evan Francen: Absolutely well and there’s a couple of you know, think things that issue. One is anybody who has participated in CTS before sort of knows what the rules are participating in a CTF

[00:47:22] Brad Nigh: backdoor on the platform. Right? I mean,

[00:47:24] Evan Francen: right. I mean it’s like, well that’s unethical and it should be, it should be a disqualification and then the way that it was made, right? And we know that there’s some friend buddy buddy, you know, political things at play as well. You know, that probably influenced, you know, the decision of the game organizer. But the problem here is Our people, all of these teams, 300 teams. How many hours of preparation, dedication went into the competition on the part of the teams and to know that the game lacks integrity, you know, that all your hard work. Yeah. So what, you know, I mean the game, essentially the games essentially rigged and so, and this is a black badge event. This is like, this is

[00:48:12] Brad Nigh: to be the elite, the top

[00:48:13] Evan Francen: of the top. It’s a big deal. And the fact that there’s no integrity in the game, uh, people need to know that because personally I wouldn’t play the game. I don’t play games where well I’m a competitive guy can competitive competition is one of my strengths. I will play games that I can’t win and I don’t cheat. So if I can’t win the game because the cards are stacked against you, it doesn’t matter how good you are. You still, you still lose the game.

[00:48:48] Oscar Minks: Yeah, yeah. And I got to say to like going back to the team and um, you know, just how proud I am of everyone and it was just great whenever we came across that data leak to begin with, there was no question, no one on the team had any other idea. Our immediate reaction was we’ve got to report this so we can fix this? So it’s fair to everyone. So I’m I’m super proud that we’ve got a group of guys who, you know, all live by that ethical standard and the strong moral code of doing the right thing. Um, and you know sometimes we assume that other people are going to live by that code as well. They don’t unfortunately we got the short end of the stick on this one. Um, I just wish that the other folks would have done the same thing we did and I wish the organizers would have done the right thing when it was brought to their attention because they could have fixed this and they chose not to when

[00:49:42] Evan Francen: it goes back to what we talked about about the hacker, right. Hackers are good galleries, hackers are good people and gals should say, you know, hackers are the good people. And when you don’t play by the rules, when you don’t play by some set of standards and a code,

[00:50:00] Brad Nigh: you’re not a good guy and you go back to that.

[00:50:02] Evan Francen: Yeah, that’s why I’ve always hated the term gray at grant is B. S. It’s black and white. You know, you’re good or you’re not. Yeah, there’s certain, you know, if you compromise your integrity, you compromise your integrity. It’s not that you don’t give people a second chance. No, that’s another thing. But I’m sorry, did you did you do it right or not? Yeah. So anyway, yeah, I agree with you. You know, uh, and you know, for listeners, they know that, you know, Oscar at the end of the day, um, you know, I’m the ceo of fr secure and I cannot possibly tell you how proud I am of this team because basically what they did is they gave up glory for the sake of their integrity.

[00:50:52] Brad Nigh: Yeah. Like that is such a, yeah, speaks so much to your team

[00:50:58] Evan Francen: and hopefully customers know that too. Right? I mean, this is how we operate and this is proof that, uh, this is how we operate, man.

[00:51:07] Oscar Minks: Yeah, yeah. Thanks. Thanks for that guy. I really appreciate it. And the whole team does too. Just so you guys know, I’ve been sharing the praises and uh, you know, having that email you sent out yesterday, I know our listeners will never here. But it was beautiful man. Brought it brought a tear of joy to my almost, uh, sit on a meme of James Vanderbeek saying, I’m not crying. You’re crying. But I didn’t want to take away from, uh,

[00:51:29] Evan Francen: came from the heart, man. It was an easy email too. Right?

[00:51:32] Brad Nigh: Yeah. It was, uh, yeah, we’re joking. And Evan. And I, I, I’m for sure. Next year I want to go. And uh, even if I’ll do, you know, and I told you haven’t, I was like, oh, I’ll go to, I’m just going to be a pizza for people and I don’t think so. You did hear, Yeah, there you

[00:51:48] Oscar Minks: go. Uh Oh, here we go. Hey, so you know, next year, who knows? Maybe we’ll be hosting our own CTF there next year something I’ve been talking around with the guys and uh, I think we are going to start reaching out to the planning committee at def con to see what we need to do to submit for that. And you know, we’ve got a pretty, pretty good CTF rolling right now and we’ve got a lot of good minds that could make some good challenges. And I know if we put on an event, it’s going to be fair and we’re gonna keep the integrity of the man. Yeah,

[00:52:15] Evan Francen: Awesome one. And I know matt uh, talk to me about it and I’m 100% behind it. Cool. Very cool. All right. So let’s uh let’s get to some news. That’s that’s our def con and for people who read the show notes, that was the controversy part of death of of the def con. And I know you sent an email, I’ll be really interested to hear what you hear back. You know, if anything Oscar because I think we should share that with the listeners to

[00:52:43] Oscar Minks: yeah, if you guys want, we do an update, whenever, when and if I hear back from them, I’ve got to hear back from them because they still owe us our awards. And uh, so I don’t think they can ignore me. We’ll see. They could be pissed off at me now. We’ll just have to wait and see how well

[00:52:59] Brad Nigh: they were before. They will be now

[00:53:01] Evan Francen: such as like hopefully, you know, good rich out evil, you know what I mean?

[00:53:06] Brad Nigh: Yeah, I’d rather come in second with integrity doing it the right way than knowing I, you know, had an unfair advantage or cheated to get, get the way. This is not the right thing. Well,

[00:53:20] Evan Francen: that’s what I was telling. Like who was I talking to? Because there’s this bigger game that we’re all playing, right? It’s the game of life, right? It’s bigger than any other game and the win, you know, depending on, you know what your end game is. My end game being a christian guy. My end game is to stand from jesus and have them say well done. Other people might have a different end game, right? I’m not gonna knock on that. We’re not going to get into a religious discussion. But that’s the game I play. So that makes me put be, you know, it makes you have integrity, right? Uh, So it puts it in perspective too. I mean how big a deal is a, is a def con capsule flag in the game of life. It’s not the end, not

[00:54:03] Brad Nigh: worth exactly your integrity for

[00:54:06] Evan Francen: Yeah. Don’t play. They play the degree more. Make sure you’re playing the radiator. Yeah. Alright, so lightning cable. So we’re gonna get into some news now and then we’ll close this sucker up. We’re we’ll have to go through pretty fast. The first set of news I have is uh uh news broke this week and I think it was released that come from that mistaken crazy lightning cables. They can be hacked now to access Apple devices. Hey. Right so where do you where do you where do you get your marketing cables now?

[00:54:38] Brad Nigh: I wasn’t I think wasn’t it that they were basically putting like a small wifi into the

[00:54:43] Evan Francen: yeah they put certain code into the cable and the cable as soon as you plug that cable in right? It’s powered up by the U. S. B. And there you go back door everything and now he’s taking those cables and selling them. Yeah

[00:54:59] Oscar Minks: but I think that this is a a redo right of an old hack. I’ve seen this before on the older Apple cables and some of the even Apple wall chargers. You guys remember seeing that some of the like um I guess chinese aftermarket ones were bad wifi uh installed in the box. No one even knew it. I was tucking your dad off

[00:55:17] Brad Nigh: buy from a reputable solar not the cheapest price.

[00:55:20] Evan Francen: Well I mean it’s stuff like this. I mean if you truly want to do it right? You will go to Apple in the Apple store where you assume there’s some security in there manufacturing and delivery process to get to the Star

[00:55:31] Brad Nigh: nevertheless and they’re expensive as hell. Right?

[00:55:34] Evan Francen: You gotta pay $40 for a damn cable. I can go to my wife and I were at the hardware store, I found a nine ft cable. I think it’s nine ft for nine bucks. I was like, hell yeah, nine. I

[00:55:48] Brad Nigh: mean I always do like the anchor or uh, what’s the other Well known kind of aftermarket 1? It starts with an a as well.

[00:55:59] Oscar Minks: But my question is, why are you guys using cables?

[00:56:03] Evan Francen: Yeah, Whatever. I

[00:56:06] Brad Nigh: have a phone, but I do have a night.

[00:56:10] Evan Francen: Well for me, I’m stuck in the ecosystem.

[00:56:12] Oscar Minks: That’s the toughest thing man,

[00:56:15] Evan Francen: totally is, I just don’t, you know, Yeah, I tried, I tried an android for a little while, but I was so stuck in into the apple ecosystem. It just

[00:56:26] Brad Nigh: pissed me off. I’ve got all kinds of fun stuff on the android you can’t put on an Apple.

[00:56:32] Evan Francen: I know.

[00:56:32] Oscar Minks: Yeah. I went through the painful process of ejecting from that Apple ecosystem about five years ago and I swore I’m never going back even if like for somebody and they give me a free iphone again, I’m gonna say, nope, keep it, don’t want it.

[00:56:47] Brad Nigh: It’s like just, it’s an entertainment, right? So reading articles in the evening games, you netflix, Those types of things. It doesn’t have any like productivity. Yeah.

[00:57:04] Evan Francen: So anyway, there you go. Well, you know the same thing. I mean, it’s not just apple cables.

[00:57:09] Brad Nigh: I mean any, I think it makes big news because first time lightning cables that had this happen, right?

[00:57:16] Evan Francen: But at the same thing can happen on any cable that gets, you know, us being allowed to transfer. So

[00:57:21] Oscar Minks: 100%. I just want to throw in a shot that you guys were still using lightning cables. So sorry about

[00:57:25] Evan Francen: that. What?

[00:57:27] Brad Nigh: All the phones in my house or android phones? All right.

[00:57:33] Evan Francen: So you guys are all just giving out more information than I need to.

[00:57:36] Oscar Minks: I’m actually using an old nokia candy bar, so nobody knows anything about me

[00:57:43] Brad Nigh: either.

[00:57:48] Evan Francen: Alright, next news is uh, this comes from vice. You know, I find a lot of pretty good, but

[00:57:55] Brad Nigh: uh, I saw this somewhere else, but yes, is

[00:57:58] Evan Francen: the arctic. The title is team security researcher suspended for exposing vulnerabilities in his school’s software. Let’s define researcher. Just kidding. Uh Yeah, 5000 schools bill, I’m surprised that they published his name. He must have can must be over 18 now or something or something,

[00:58:22] Brad Nigh: wow.

[00:58:25] Evan Francen: Bill dimmer copy. 11th grader in Lexington massachusetts, not Kentucky. Not down by you. Right. I found a vulnerability in aspen the software his school uses to deliver student grades. Should this be surprising to anybody, right? This is what teens do.

[00:58:45] Brad Nigh: Well, what’s frustrating for me, you know? So, first I’m sure he’s that smart to find that stuff and I mean it is a bit of a savvy move to get your name out there that you found it right and get it approved like start making a brand. But uh he was, he notify tried to notifying the company

[00:59:03] Evan Francen: trying to go the multiple times. I never responded responsible disclosure around.

[00:59:07] Oscar Minks: Yeah, you see he actually when he exploited it, he still sent a message to the company saying hey this is vulnerable, You should fix it.

[00:59:16] Brad Nigh: Yeah, yeah and and his exploit was like

[00:59:20] Evan Francen: it’s not super sophisticated.

[00:59:22] Brad Nigh: I mean he didn’t do anything malicious with it, basically use the exploit to say, hey I told you this was here here, it is

[00:59:29] Evan Francen: fix it, wow, it doesn’t, it doesn’t give uh, you know, you tried to do the right thing right? As a teenager. It doesn’t reinforce that behavior when you punish them for it.

[00:59:40] Oscar Minks: Yeah. So do you think this goes back to what we’re talking about earlier in the show with the idea of a hacker and people’s misconceptions and especially thinking about in school districts and how they actually understand information security as a whole.

[00:59:53] Evan Francen: That’s a good point.

[00:59:53] Oscar Minks: Very good point. I think they were probably afraid of him. That’s why they told him to go home.

[00:59:58] Brad Nigh: Yeah, yeah, I like the best person to hire him. Yeah, he’s gonna be a mystery you to

[01:00:03] Oscar Minks: technology got some free time right now, maybe we’ll get him on the

[01:00:06] Brad Nigh: phone. Exactly. I thought it was funny that they had the, uh, the uh doug Levett 11, consultancy firm. He said vulnerability disclosure process in education in Passaic is quote quite very, but generally speaking not great. That’s really, I like the way he said that

[01:00:29] Evan Francen: there’s so many out the way you just said that. All right, the last minute because we’ve got a kind of hurry up a little bit apple, open up a bug bounty every year. You know, it’s something that black cat, uh, not def con, but at black hat where they’ll um, make some kind of an announcement and this year it was, We’re going to pay up to $1 million iPhone. So this is their new bug bounty program. Mm forget down. Yeah, I wonder if

[01:01:04] Oscar Minks: I go ahead. I think they’re up to, I think they’re up to 1.5 now. Have you seen that? I’ve seen updates recently since black at that said Um yeah, it would be five. Yeah.

[01:01:17] Evan Francen: Geez, what are the chances though, playing once? You know what I mean? How many years do I need to devote to breaking iphone,

[01:01:28] Brad Nigh: but not only that, but the cost to them. If the iphone is rooted or packed is going to be far more than a million dollars plus they’ve got enough cash to basically by, you know, like 80% of the countries on the, in the world. So a million bucks isn’t, is nothing

[01:01:44] Evan Francen: by china. Well, that’s the thing. I mean, there’s so much value in bug bounty programs. Right? I mean, Apple Gives up $1 million $1.5 million dollars for something that would cost many, many millions of dollars in the marketplace.

[01:02:00] Brad Nigh: So it’s a million for the iPhone and a 50% bonus if the bug is found in a previous Watson Bela No, no, if it’s where to go, I just had it. Uh, it’s the bound. Oh yeah, it’s found

[01:02:14] Oscar Minks: in pre release. Yeah. I think there are data testing is part of it too now.

[01:02:18] Brad Nigh: Yeah. You know

[01:02:20] Evan Francen: one like hacking uh, like the Tesla. Right? I mean, you give up a 50 60 $80,000 car for somebody to tell you a vulnerability. Yeah, we’ve got a plus you get the, the marketing bit. Right? I mean, your marketing how secure this thing is. It’s had a def con for four days. Nobody got it pretty good.

[01:02:41] Brad Nigh: It deeper than

[01:02:43] Evan Francen: Yeah, there are 30,000 hackers. They’re not that all of them tried it, but a

[01:02:47] Brad Nigh: decent number. Did

[01:02:50] Evan Francen: Yeah. So anyway, good stuff. Get a bug bounty program. If you have a use for it. Uh, that’s it. We’re gonna close this thing up. That’s how it is. Thank you. Oscar for joining us. Love you man.

[01:03:03] Oscar Minks: Yeah. Thanks for thanks for having me love you guys as well. I can’t wait to get back up and see you again in a few weeks.

[01:03:10] Brad Nigh: Have you in person the next time we do this.

[01:03:12] Evan Francen: Right? Exactly. And thank you brad as always. Great partner. Love working with U. S. Special. Thank you to our listeners and especially those of you who give us input and feedback. We really appreciate it. You can reach us on the show by email and un security at proton mail dot com. If you’d like to be a guest on the show, if you want, if you think you can be even half as cool as Oscar, let us let us know ask you to come on the show or send us somebody else’s information. If you think there’s somebody we should get. As always. You can find me and or Brad on twitter. You can find me @EvanFrancen. That’s just my name without a space in the middle. Uh Brad is @BradNigh just his name without a space in the middle. We’re trying to hide from nobody. Oscar do you twit?

[01:03:59] Oscar Minks:  I don’t twit

[01:04:02] Evan Francen: All right. No twit for Oscar so you can’t you have to reach him through us. Um That’s it. So thank you all have a great week.