1 00:00:00,040 --> 00:00:05,000 Speaker 1: Hey everyone, it's Robert and Joe here. Today we've got 2 00:00:05,040 --> 00:00:06,960 Speaker 1: something a little bit different to share with you. It 3 00:00:07,080 --> 00:00:10,680 Speaker 1: is a new edition of the Smart Talks podcast series, 4 00:00:10,720 --> 00:00:14,319 Speaker 1: which is produced in partnership with IBM. This season of 5 00:00:14,360 --> 00:00:18,640 Speaker 1: Smart Talks with IBM is all about new creators, the developers, 6 00:00:19,040 --> 00:00:22,600 Speaker 1: data scientists, CTOs, and other visionaries creatively 7 00:00:22,640 --> 00:00:27,120 Speaker 1: applying technology and business to drive change. They use their 8 00:00:27,160 --> 00:00:30,640 Speaker 1: knowledge and creativity to develop better ways of working, no 9 00:00:30,720 --> 00:00:34,840 Speaker 1: matter the industry. Join hosts from your favorite Pushkin Industries 10 00:00:34,920 --> 00:00:38,560 Speaker 1: podcast as they use their expertise to deepen these conversations. 11 00:00:39,040 --> 00:00:41,800 Speaker 1: Malcolm Gladwell will guide you through this season as your 12 00:00:41,840 --> 00:00:45,000 Speaker 1: host to provide his thoughts and analysis along the way. 13 00:00:45,320 --> 00:00:48,600 Speaker 1: Look out for new episodes of Smart Talks with IBM 14 00:00:48,680 --> 00:00:52,040 Speaker 1: every month on the iHeartRadio app, Apple Podcasts, 15 00:00:52,159 --> 00:00:55,480 Speaker 1: or wherever you get your podcasts. And learn more at 16 00:00:55,520 --> 00:01:07,679 Speaker 1: IBM dot com slash smart Talks. Hello, Hello, Welcome to 17 00:01:07,760 --> 00:01:11,560 Speaker 1: Smart Talks with IBM, a podcast from Pushkin Industries, 18 00:01:11,720 --> 00:01:16,119 Speaker 1: iHeartRadio and IBM. I'm Malcolm Gladwell. 
This season we're 19 00:01:16,160 --> 00:01:20,920 Speaker 1: talking to new creators, the developers, data scientists, CTOs, 20 00:01:21,200 --> 00:01:24,720 Speaker 1: and other visionaries who are creatively applying technology and business 21 00:01:24,760 --> 00:01:29,240 Speaker 1: to drive change. Channeling their knowledge and expertise, they're developing 22 00:01:29,240 --> 00:01:33,880 Speaker 1: more creative and effective solutions no matter the industry. Our 23 00:01:33,880 --> 00:01:38,080 Speaker 1: guest today is Stephanie "Snow" Carruthers. Snow is a hacker alias, 24 00:01:38,360 --> 00:01:40,560 Speaker 1: and it's how we'll refer to Stephanie for the rest 25 00:01:40,560 --> 00:01:44,480 Speaker 1: of this episode. Snow is the chief people hacker for 26 00:01:44,840 --> 00:01:47,760 Speaker 1: X-Force at IBM. She gets paid to hack into 27 00:01:47,760 --> 00:01:51,480 Speaker 1: her clients' businesses before criminal hackers do in order to 28 00:01:51,560 --> 00:01:55,960 Speaker 1: test her clients' information security. In today's show, you'll hear 29 00:01:56,000 --> 00:01:58,600 Speaker 1: some of the more creative ways Snow has persuaded people 30 00:01:58,960 --> 00:02:02,840 Speaker 1: into sharing confidential information. She also talks about the 31 00:02:02,840 --> 00:02:06,560 Speaker 1: state of cybersecurity and what businesses need to do to 32 00:02:06,680 --> 00:02:11,520 Speaker 1: keep their data protected. Snow spoke with economics journalist Tim Harford, 33 00:02:11,760 --> 00:02:15,680 Speaker 1: host of the Pushkin podcast Cautionary Tales and a longtime 34 00:02:15,720 --> 00:02:19,560 Speaker 1: columnist at the Financial Times, where he writes The Undercover 35 00:02:19,760 --> 00:02:23,560 Speaker 1: Economist in addition to publishing several books on the topic. 36 00:02:23,919 --> 00:02:27,280 Speaker 1: Tim is also a BBC broadcaster with his show More 37 00:02:27,600 --> 00:02:31,359 Speaker 1: or Less. 
Okay, let's now get to the interview with 38 00:02:31,400 --> 00:02:37,200 Speaker 1: Tim and Chief people hacker Snow. Before you tell me 39 00:02:37,919 --> 00:02:41,320 Speaker 1: what a chief people hacker is, what is hacking to you? 40 00:02:42,440 --> 00:02:45,000 Speaker 1: I think if you ask the average person to close 41 00:02:45,040 --> 00:02:47,800 Speaker 1: their eyes and envision a hacker, they are going to 42 00:02:48,000 --> 00:02:52,080 Speaker 1: think of someone in a dark room with a black 43 00:02:52,160 --> 00:02:56,160 Speaker 1: hoodie on and all the screen text behind them. Right. Um, 44 00:02:56,200 --> 00:02:59,880 Speaker 1: But to me, a hacker doesn't even have to be technical. 45 00:03:00,160 --> 00:03:06,720 Speaker 1: It's someone who finds creative solutions or just different ways 46 00:03:06,800 --> 00:03:09,640 Speaker 1: to break apart something to make it work in a 47 00:03:09,760 --> 00:03:13,280 Speaker 1: unique way that maybe it wasn't intended to do. Whether 48 00:03:13,320 --> 00:03:17,440 Speaker 1: that's computers, people, devices, it could be a number of things. Right. 49 00:03:17,480 --> 00:03:20,880 Speaker 1: We see food hackers, we see life hackers. That's absolutely 50 00:03:21,040 --> 00:03:24,720 Speaker 1: a type of hacker. Yeah. And my my mother, I think, 51 00:03:24,760 --> 00:03:27,720 Speaker 1: would have described herself as a hacker before she died. 52 00:03:27,760 --> 00:03:30,679 Speaker 1: She loved to take apart computers. She had loved to 53 00:03:30,720 --> 00:03:33,840 Speaker 1: take apart software. She just wanted to know how everything worked, 54 00:03:33,880 --> 00:03:36,560 Speaker 1: and when she put it back together again, it sometimes 55 00:03:36,560 --> 00:03:38,800 Speaker 1: worked how she wanted it to work, rather than how 56 00:03:38,840 --> 00:03:42,440 Speaker 1: it was originally designed. 
But how was it that you 57 00:03:42,560 --> 00:03:45,920 Speaker 1: originally became interested in in this strange craft of hacking. 58 00:03:46,560 --> 00:03:49,640 Speaker 1: I actually got involved and figured out I want to 59 00:03:49,680 --> 00:03:51,520 Speaker 1: do this a little bit late in life. I was 60 00:03:51,560 --> 00:03:55,000 Speaker 1: in my mid twenties and I went to the world's 61 00:03:55,080 --> 00:03:58,120 Speaker 1: largest hacking conference, which takes place every year in Las Vegas, 62 00:03:58,880 --> 00:04:01,640 Speaker 1: and went with a group of friends and my husband, 63 00:04:01,760 --> 00:04:05,480 Speaker 1: and I had honestly no interest at all. I wanted 64 00:04:05,520 --> 00:04:07,560 Speaker 1: to go to Vegas and sip drinks by the pool. 65 00:04:07,920 --> 00:04:10,520 Speaker 1: But they got me a pass to attend this really 66 00:04:10,520 --> 00:04:13,520 Speaker 1: cool conference and we sat in on the first talk 67 00:04:13,560 --> 00:04:17,240 Speaker 1: and it was extremely technical. They were going through step 68 00:04:17,320 --> 00:04:21,280 Speaker 1: by step about how to reverse malware, and I fell asleep. 69 00:04:21,920 --> 00:04:26,279 Speaker 1: I completely just zoned out. It didn't make sense to me. 70 00:04:26,640 --> 00:04:28,720 Speaker 1: So I got up and I started wandering around this 71 00:04:28,880 --> 00:04:31,440 Speaker 1: huge conference and I found what was called the Lock 72 00:04:31,560 --> 00:04:35,320 Speaker 1: Picking Village. I was very confused by that, like why 73 00:04:35,640 --> 00:04:38,280 Speaker 1: do people want to pick locks? I mean, there was 74 00:04:38,320 --> 00:04:41,840 Speaker 1: a there was an obvious answer to that question, but okay, 75 00:04:41,880 --> 00:04:44,719 Speaker 1: that's very true. So in that point in my life, 76 00:04:44,760 --> 00:04:48,480 Speaker 1: it did not like click at all. 
And so I'm 77 00:04:48,480 --> 00:04:50,640 Speaker 1: walking and someone's like, hey, do you want to learn 78 00:04:50,640 --> 00:04:53,839 Speaker 1: how to pick a lock? I said sure, and so 79 00:04:53,880 --> 00:04:56,559 Speaker 1: they sat me down and taught me everything. And there's 80 00:04:56,600 --> 00:04:59,760 Speaker 1: something magical that happens when someone picks a lock for 81 00:04:59,800 --> 00:05:01,680 Speaker 1: the first time, like you can see it in their 82 00:05:01,680 --> 00:05:04,360 Speaker 1: face where it's like, Wow, that was really cool and easy, 83 00:05:04,440 --> 00:05:07,400 Speaker 1: and then that oh shit, I just picked a lock. 84 00:05:08,040 --> 00:05:12,360 Speaker 1: And they're envisioning everything in their life that's protected by locks, right, 85 00:05:12,760 --> 00:05:16,440 Speaker 1: file cabinets, their door, things that protect their children, like 86 00:05:16,560 --> 00:05:19,360 Speaker 1: all these things that you have locks to protect and 87 00:05:19,400 --> 00:05:23,080 Speaker 1: you just picked it in seconds. Um. So that was 88 00:05:23,320 --> 00:05:27,040 Speaker 1: the most eye opening moment for me, that really launched 89 00:05:27,080 --> 00:05:29,920 Speaker 1: me into this career and thinking that I could do 90 00:05:29,960 --> 00:05:32,880 Speaker 1: it for a living. Well, there's I mean, it feels 91 00:05:32,920 --> 00:05:36,600 Speaker 1: like a long gap between that, or big gap at least, 92 00:05:36,600 --> 00:05:39,760 Speaker 1: maybe not a long one between that initial spark of wow, 93 00:05:40,000 --> 00:05:42,680 Speaker 1: I can pick a lock. This is this matters to 94 00:05:42,800 --> 00:05:46,120 Speaker 1: realizing there's a career in this and I might actually 95 00:05:46,120 --> 00:05:49,040 Speaker 1: be good at this career. 
So how did you figure 96 00:05:49,040 --> 00:05:51,000 Speaker 1: out there's a there's a job being a hacker, and 97 00:05:51,040 --> 00:05:53,280 Speaker 1: how did you figure out that you actually might be 98 00:05:53,279 --> 00:05:56,000 Speaker 1: good at doing that job? So once I was at 99 00:05:56,040 --> 00:05:58,479 Speaker 1: that conference, I had met so many different people who 100 00:05:58,600 --> 00:06:01,240 Speaker 1: explained what they do for a living, and again, at 101 00:06:01,240 --> 00:06:04,279 Speaker 1: that point in my life, it felt like that shouldn't 102 00:06:04,320 --> 00:06:07,680 Speaker 1: be possible. Right, people are getting paid money to break 103 00:06:07,800 --> 00:06:11,400 Speaker 1: into clients' networks, into their computers and all these things 104 00:06:11,440 --> 00:06:14,520 Speaker 1: and it's still it didn't add up. But what for 105 00:06:14,560 --> 00:06:18,479 Speaker 1: me really stood out was another village at the same conference, 106 00:06:18,480 --> 00:06:21,919 Speaker 1: DEF CON, called the Social Engineering Village, And when I 107 00:06:22,000 --> 00:06:25,360 Speaker 1: walked in, they were actually placing live phone calls to 108 00:06:25,640 --> 00:06:30,040 Speaker 1: people to try to elicit information. And so I'm sitting 109 00:06:30,040 --> 00:06:32,880 Speaker 1: there in the audience listening to how these people were 110 00:06:32,880 --> 00:06:36,080 Speaker 1: doing it. I'm like, wow, Like, I'm a people person, 111 00:06:36,600 --> 00:06:40,520 Speaker 1: I've done sales, I could absolutely do this. Um. 
So 112 00:06:40,880 --> 00:06:43,640 Speaker 1: from there, I talked to a bunch of people that 113 00:06:43,720 --> 00:06:45,599 Speaker 1: I just met, like my goal is just to meet 114 00:06:45,600 --> 00:06:48,839 Speaker 1: people and ask questions at that point, and found every 115 00:06:48,839 --> 00:06:51,680 Speaker 1: book I could on the subject matter, went home and 116 00:06:51,839 --> 00:06:55,320 Speaker 1: practiced and taught myself, and actually went back and competed 117 00:06:55,480 --> 00:06:58,240 Speaker 1: in that same competition three years in a row, and 118 00:06:58,279 --> 00:07:00,400 Speaker 1: I won on my third year, which was huge, but 119 00:07:00,480 --> 00:07:04,240 Speaker 1: that really was able to propel me into this career. 120 00:07:04,480 --> 00:07:07,719 Speaker 1: And where a company actually saw me placing these calls 121 00:07:07,720 --> 00:07:09,440 Speaker 1: and asked me like, hey, do you want a job? 122 00:07:09,480 --> 00:07:12,320 Speaker 1: And that's that was my first job. It was super exciting. 123 00:07:13,320 --> 00:07:16,440 Speaker 1: In three years, Snow went from amateur hacking enthusiast to 124 00:07:16,600 --> 00:07:20,600 Speaker 1: hacking professional. Companies started to pay her real money to 125 00:07:20,680 --> 00:07:25,320 Speaker 1: test their information security. But remember Snow's line of work 126 00:07:25,400 --> 00:07:29,160 Speaker 1: isn't just limited to email servers and data networks. She's 127 00:07:29,200 --> 00:07:32,880 Speaker 1: a people hacker. Instead of trying to bypass a firewall 128 00:07:33,280 --> 00:07:37,160 Speaker 1: or cracking a password, she uses what's called social engineering 129 00:07:37,200 --> 00:07:40,280 Speaker 1: to trick users into letting her into systems where she 130 00:07:40,320 --> 00:07:43,960 Speaker 1: doesn't belong. 
In her work on what's called a red team, 131 00:07:44,240 --> 00:07:48,560 Speaker 1: Snow explains how hacking, the technical and the human come together. 132 00:07:48,920 --> 00:07:52,840 Speaker 1: So a red team is a group of offensive security 133 00:07:53,080 --> 00:07:55,880 Speaker 1: or hackers. So IBM on our X-Force team, we 134 00:07:55,960 --> 00:07:59,480 Speaker 1: have a whole team dedicated to our we call adversary simulation, 135 00:07:59,520 --> 00:08:01,680 Speaker 1: but our red team and how it works is a 136 00:08:01,720 --> 00:08:05,239 Speaker 1: client comes in and says, these are our crown jewels, 137 00:08:05,320 --> 00:08:08,680 Speaker 1: we want to make sure you cannot access them. We 138 00:08:08,800 --> 00:08:13,040 Speaker 1: spend months trying to access them, and along the way 139 00:08:13,080 --> 00:08:15,480 Speaker 1: we have tons of meetings with our clients and giving 140 00:08:15,520 --> 00:08:19,400 Speaker 1: them status updates and where we are. Um but it's 141 00:08:19,440 --> 00:08:22,920 Speaker 1: it's a very long engagement to try to get access 142 00:08:22,960 --> 00:08:26,120 Speaker 1: to the most sensitive things that our clients have. So 143 00:08:26,200 --> 00:08:28,640 Speaker 1: how do they brief you, I mean, and how do 144 00:08:28,640 --> 00:08:31,200 Speaker 1: they brief you in such a way as to not 145 00:08:31,360 --> 00:08:34,400 Speaker 1: give away the stuff that they're trying to not give away, 146 00:08:34,440 --> 00:08:37,000 Speaker 1: if that makes any sense. Yeah, So, so they stay 147 00:08:37,040 --> 00:08:40,040 Speaker 1: as high level as possible. They might say, um, let's 148 00:08:40,280 --> 00:08:43,080 Speaker 1: let's use IP for example. Right, they have this 149 00:08:43,559 --> 00:08:46,760 Speaker 1: their secret sauce that if their competitors get or anyone 150 00:08:46,760 --> 00:08:49,960 Speaker 1: else gets, they can pretty much copy their business. 
And 151 00:08:50,000 --> 00:08:55,280 Speaker 1: so that information probably lives on something that's very secure 152 00:08:55,400 --> 00:08:58,680 Speaker 1: in a couple of documents that hopefully limited people have 153 00:08:58,720 --> 00:09:02,440 Speaker 1: access to. So a certain a certain soft drink's secret 154 00:09:02,480 --> 00:09:07,000 Speaker 1: recipe for example, mentioning no particular brand names. Yes, exactly. 155 00:09:07,559 --> 00:09:10,440 Speaker 1: So they might say, okay, we have this secret recipe 156 00:09:10,679 --> 00:09:12,400 Speaker 1: and we want to see if you can get it. 157 00:09:12,440 --> 00:09:15,640 Speaker 1: They won't give us any details to where it's stored 158 00:09:16,040 --> 00:09:19,440 Speaker 1: or any other information, but they'll just say go. They 159 00:09:19,520 --> 00:09:21,240 Speaker 1: might have a couple of things that are off limits, 160 00:09:21,280 --> 00:09:24,280 Speaker 1: but in general it's can we get this by any 161 00:09:24,320 --> 00:09:27,719 Speaker 1: means possible. So a lot of social engineering is used, 162 00:09:27,720 --> 00:09:30,840 Speaker 1: whether it's phone calls or emails, sometimes on site, and 163 00:09:30,880 --> 00:09:34,000 Speaker 1: a good amount of technical hacking. Right, if we get 164 00:09:34,040 --> 00:09:37,199 Speaker 1: into one person's computer, can we move into another's? And 165 00:09:37,240 --> 00:09:39,280 Speaker 1: then can we move into a server? And it's a 166 00:09:39,320 --> 00:09:42,439 Speaker 1: lot of moving around and digging, But um, at the end 167 00:09:42,440 --> 00:09:45,920 Speaker 1: of the day, we're pretty successful with these types of engagements. 168 00:09:46,120 --> 00:09:50,280 Speaker 1: And you mentioned certain things being off limits because really 169 00:09:50,280 --> 00:09:53,520 Speaker 1: the hackers that the bad hackers don't care what's off 170 00:09:53,559 --> 00:09:56,840 Speaker 1: limits and what is not. 
So what are the kinds 171 00:09:56,840 --> 00:09:58,640 Speaker 1: of things that people are the clients are saying, no, 172 00:09:58,720 --> 00:10:02,040 Speaker 1: you're not allowed to do that, that's cheating. Yeah, So 173 00:10:02,040 --> 00:10:04,880 Speaker 1: so we will see a good handful times is do 174 00:10:05,040 --> 00:10:08,160 Speaker 1: not mess with our executives, like don't send our CEO 175 00:10:08,280 --> 00:10:11,520 Speaker 1: an email, which again, bad guys do not have limits, 176 00:10:11,520 --> 00:10:14,400 Speaker 1: and they will absolutely continue to do that. Um, but 177 00:10:14,440 --> 00:10:16,920 Speaker 1: we have to expect those unfortunately. But we will every 178 00:10:16,920 --> 00:10:19,600 Speaker 1: once in a while run into a good handful things 179 00:10:19,679 --> 00:10:23,240 Speaker 1: or maybe they have another system that I don't know 180 00:10:23,640 --> 00:10:28,000 Speaker 1: runs something sensitive, right, maybe it's a medical device company. 181 00:10:28,040 --> 00:10:31,120 Speaker 1: They're like, okay, do not access this system because you know, 182 00:10:31,240 --> 00:10:33,280 Speaker 1: people's lives could be on the line. So we won't 183 00:10:33,280 --> 00:10:36,520 Speaker 1: even touch those types of systems. It really depends on 184 00:10:36,559 --> 00:10:38,160 Speaker 1: the end of the day. What what they don't want 185 00:10:38,200 --> 00:10:40,640 Speaker 1: us to have access to. You're a people hacker, you're doing 186 00:10:40,640 --> 00:10:43,840 Speaker 1: it with people, So so I mean, what does that 187 00:10:43,920 --> 00:10:46,040 Speaker 1: what does that look like? I mean, is it is 188 00:10:46,040 --> 00:10:48,320 Speaker 1: it literally phoning people up and persuading them to give 189 00:10:48,360 --> 00:10:50,520 Speaker 1: you passwords or is it a bit more complicated than 190 00:10:50,559 --> 00:10:54,440 Speaker 1: that these days? 
So I break down social engineering in 191 00:10:54,480 --> 00:10:57,680 Speaker 1: two ways. You either have remote or on site. When 192 00:10:57,679 --> 00:11:00,320 Speaker 1: you look at the remote, you're looking at a couple 193 00:11:00,320 --> 00:11:01,800 Speaker 1: of different things. So the first one is what we 194 00:11:01,880 --> 00:11:04,520 Speaker 1: call OSINT, which stands for open source intelligence, 195 00:11:05,120 --> 00:11:09,360 Speaker 1: and that's actually not actively hacking a person, but it's 196 00:11:09,440 --> 00:11:13,800 Speaker 1: looking at their online accounts. Are they revealing information that 197 00:11:13,840 --> 00:11:16,320 Speaker 1: they shouldn't be that an attacker could leverage. So that's 198 00:11:16,400 --> 00:11:19,319 Speaker 1: that's one type of assessment. We have vishing, or 199 00:11:19,400 --> 00:11:22,199 Speaker 1: voice phishing, so that's placing those phone calls to get 200 00:11:22,280 --> 00:11:24,720 Speaker 1: information or maybe get them to do a task over 201 00:11:24,720 --> 00:11:27,480 Speaker 1: the phone. And then phishing and that's by far the 202 00:11:27,559 --> 00:11:31,199 Speaker 1: most common social engineering type of assessment. That's the malicious 203 00:11:31,200 --> 00:11:35,359 Speaker 1: email with a link or an attachment or even a conversation. 204 00:11:35,880 --> 00:11:37,760 Speaker 1: And then we move into the on site stuff, and 205 00:11:38,600 --> 00:11:41,120 Speaker 1: this is my favorite. It's the most tangible, but it's 206 00:11:41,320 --> 00:11:45,079 Speaker 1: actually breaking and entering, so it's trying to get access 207 00:11:45,160 --> 00:11:48,800 Speaker 1: to clients' sensitive locations and sensitive data. So those are 208 00:11:48,840 --> 00:11:52,719 Speaker 1: the two um types of social engineering. 
Give me a 209 00:11:52,760 --> 00:11:55,480 Speaker 1: little bit of advice, then if if if you're trying 210 00:11:55,520 --> 00:11:58,440 Speaker 1: to find a weakness. If you're trying to persuade somebody 211 00:11:58,880 --> 00:12:01,439 Speaker 1: to do something they shouldn't be doing. What are the 212 00:12:01,520 --> 00:12:04,439 Speaker 1: kind of things that you're doing. So let's just take 213 00:12:04,480 --> 00:12:08,080 Speaker 1: the physical part for an example. Is tailgating? Right? That 214 00:12:08,200 --> 00:12:11,400 Speaker 1: sounds so easy and so obvious, but it's the number 215 00:12:11,400 --> 00:12:14,320 Speaker 1: one way that we break into buildings. It's just following 216 00:12:14,440 --> 00:12:18,440 Speaker 1: someone who badges in, who unlocks the door, who has 217 00:12:18,520 --> 00:12:22,079 Speaker 1: that access. We just follow them and people are trained 218 00:12:22,120 --> 00:12:24,240 Speaker 1: all the time, don't let anyone follow you, check the 219 00:12:24,240 --> 00:12:26,560 Speaker 1: badge behind you, make sure people badge in. All of 220 00:12:26,600 --> 00:12:30,840 Speaker 1: these policies, but when it comes down to it, people 221 00:12:31,080 --> 00:12:34,800 Speaker 1: are a little bit scared to ask to see the badge or 222 00:12:34,880 --> 00:12:40,200 Speaker 1: to question them. It's rude for somebody. Yes, it's human 223 00:12:40,280 --> 00:12:42,920 Speaker 1: nature to want to help, so that goes against everything 224 00:12:43,320 --> 00:12:45,760 Speaker 1: that people are used to doing. So that's by far 225 00:12:45,800 --> 00:12:49,440 Speaker 1: the number one way that that we get into buildings. Now, 226 00:12:49,760 --> 00:12:52,800 Speaker 1: I understand that before you got into this game, you 227 00:12:52,840 --> 00:12:57,560 Speaker 1: were a makeup artist for independent films. 
Is there a 228 00:12:57,600 --> 00:13:01,079 Speaker 1: connection between It seems like a stretch, but between being 229 00:13:01,080 --> 00:13:03,959 Speaker 1: a makeup artist and being a people hacker? Yeah, you 230 00:13:03,960 --> 00:13:07,800 Speaker 1: would think those those things absolutely don't go together at all. However, 231 00:13:07,880 --> 00:13:10,400 Speaker 1: I've been pretty lucky where I've been able to leverage 232 00:13:10,880 --> 00:13:13,000 Speaker 1: a little bit of the makeup art and special effects 233 00:13:13,000 --> 00:13:16,600 Speaker 1: to when we do the physical security assessments. So maybe 234 00:13:16,679 --> 00:13:19,840 Speaker 1: we get caught on the first day, or maybe someone's suspicious, 235 00:13:19,880 --> 00:13:21,640 Speaker 1: so we don't want to go back and blow our cover, 236 00:13:22,040 --> 00:13:24,920 Speaker 1: so we'll change our appearance as much as possible when 237 00:13:25,000 --> 00:13:27,720 Speaker 1: we go back the next day. So absolutely something that 238 00:13:27,800 --> 00:13:30,280 Speaker 1: I leverage all the time. And it's it's a lot 239 00:13:30,320 --> 00:13:31,880 Speaker 1: of fun too. It just adds a little bit more 240 00:13:31,920 --> 00:13:36,400 Speaker 1: to the job. It sounds like it's more creative than 241 00:13:36,440 --> 00:13:39,920 Speaker 1: I would have expected a cybersecurity job to be. Oh. Absolutely. 242 00:13:39,960 --> 00:13:41,520 Speaker 1: When you think of cybersecurity, you just think of 243 00:13:41,559 --> 00:13:43,760 Speaker 1: someone sitting at a computer typing all day. That is 244 00:13:44,559 --> 00:13:47,640 Speaker 1: not my job at all. Um. It's it's pretty amazing 245 00:13:47,760 --> 00:13:51,000 Speaker 1: how much I could leverage creativity in what I do 246 00:13:51,120 --> 00:13:54,320 Speaker 1: day to day. 
Can you give me an example, so 247 00:13:54,360 --> 00:13:57,120 Speaker 1: I actually have a story, um, if you're ready for 248 00:13:57,200 --> 00:14:00,360 Speaker 1: a breaking story. It's one of the ones that slowly 249 00:14:00,400 --> 00:14:04,120 Speaker 1: went wrong. Our client was based out of the US 250 00:14:04,200 --> 00:14:07,800 Speaker 1: and they had just opened their European branch, their headquarters 251 00:14:07,800 --> 00:14:10,640 Speaker 1: in Amsterdam, and so they wanted us to test the 252 00:14:10,679 --> 00:14:14,400 Speaker 1: building's physical security to see if it's protecting their people 253 00:14:14,400 --> 00:14:17,080 Speaker 1: and their data, and so some of the goals were 254 00:14:17,240 --> 00:14:20,080 Speaker 1: to see if we can get inside, past all the 255 00:14:20,080 --> 00:14:23,440 Speaker 1: badged areas where we shouldn't have access and see if 256 00:14:23,440 --> 00:14:26,240 Speaker 1: we see anything that's out of place or or maybe 257 00:14:26,240 --> 00:14:29,360 Speaker 1: red flags or something that they should fix. So we 258 00:14:29,400 --> 00:14:32,160 Speaker 1: always start with with our OSINT, our open source intelligence, 259 00:14:32,160 --> 00:14:36,840 Speaker 1: where we're going online investigating the location. We're looking at 260 00:14:36,880 --> 00:14:40,520 Speaker 1: Google Maps as much as we can. However, this building 261 00:14:40,600 --> 00:14:43,120 Speaker 1: was so new that they weren't even on Google Maps yet, 262 00:14:43,200 --> 00:14:46,120 Speaker 1: so we had a really hard time finding all of 263 00:14:46,120 --> 00:14:49,360 Speaker 1: this information. We decided we just had to show up 264 00:14:49,400 --> 00:14:52,520 Speaker 1: on site to to see what we can do. So 265 00:14:52,560 --> 00:14:54,680 Speaker 1: I walk, I walk into the building and walk into 266 00:14:54,680 --> 00:14:57,920 Speaker 1: the lobby. 
The second I walk in, the lady pretty 267 00:14:57,960 --> 00:14:59,600 Speaker 1: much kicked me out. I didn't even get to open 268 00:14:59,640 --> 00:15:02,800 Speaker 1: my mouth or explain why I was there, right out 269 00:15:02,800 --> 00:15:06,880 Speaker 1: of the gate, just get out. And so for doing 270 00:15:06,960 --> 00:15:11,360 Speaker 1: this type of an assessment, that was horrible. This client 271 00:15:11,400 --> 00:15:13,800 Speaker 1: paid all this money to get me out there to 272 00:15:13,880 --> 00:15:17,320 Speaker 1: test their physical security and here I am getting kicked 273 00:15:17,320 --> 00:15:20,280 Speaker 1: out within the first five minutes. So that was awful. 274 00:15:21,160 --> 00:15:24,200 Speaker 1: Physical security is pretty good. Yeah, yeah, no there their 275 00:15:24,400 --> 00:15:27,760 Speaker 1: Their receptionist was on her game. UM. So I went 276 00:15:27,800 --> 00:15:30,160 Speaker 1: back to my hotel room and like was banging my 277 00:15:30,200 --> 00:15:32,600 Speaker 1: head against the wall, like how do I get in? 278 00:15:32,640 --> 00:15:36,520 Speaker 1: I can't find information online. They're kicking me out before 279 00:15:36,520 --> 00:15:38,600 Speaker 1: I'm even trying, Like I was just wanting to go 280 00:15:38,640 --> 00:15:40,080 Speaker 1: in and see what it looked like because I had 281 00:15:40,120 --> 00:15:43,040 Speaker 1: no idea what I was walking into. So I went 282 00:15:43,080 --> 00:15:45,080 Speaker 1: back online, like, okay, I have to I have to 283 00:15:45,120 --> 00:15:49,040 Speaker 1: figure this out. And finally, out of nowhere, it popped 284 00:15:49,080 --> 00:15:52,240 Speaker 1: into my head. 
Okay, it has to be someone that's 285 00:15:52,280 --> 00:15:55,560 Speaker 1: not local because I'm not from Amsterdam, and I have 286 00:15:55,800 --> 00:15:58,800 Speaker 1: to leverage some type of position of authority, some reason 287 00:15:58,840 --> 00:16:02,040 Speaker 1: why I'm supposed to be there. And so I thought, 288 00:16:02,280 --> 00:16:05,720 Speaker 1: investor relations. I am going to pretend to be an 289 00:16:05,720 --> 00:16:09,240 Speaker 1: investor relations manager from the US and I'm going to 290 00:16:09,320 --> 00:16:13,160 Speaker 1: their new site meeting with some potential investors. And so 291 00:16:13,200 --> 00:16:16,200 Speaker 1: I called the receptionist. I spoofed my number, so I 292 00:16:16,240 --> 00:16:18,600 Speaker 1: made it look like I was calling from the US location, 293 00:16:19,360 --> 00:16:21,640 Speaker 1: and UM, changed my voice a little bit and said 294 00:16:21,680 --> 00:16:23,720 Speaker 1: that we have someone that's going to be coming on 295 00:16:23,800 --> 00:16:26,320 Speaker 1: site tomorrow. Please give them whatever they need. They're going 296 00:16:26,360 --> 00:16:30,240 Speaker 1: to be meeting with all these high end clients potentially, um, 297 00:16:30,280 --> 00:16:33,000 Speaker 1: so just make sure they're comfortable. The next day, I 298 00:16:33,040 --> 00:16:34,600 Speaker 1: walk in and again I had to change my appearance 299 00:16:34,640 --> 00:16:37,440 Speaker 1: a bit because she saw me and she didn't that, 300 00:16:37,720 --> 00:16:41,040 Speaker 1: and I she welcomed me, She got me coffee, She 301 00:16:41,280 --> 00:16:43,120 Speaker 1: set me up in an office where they had my 302 00:16:43,240 --> 00:16:46,120 Speaker 1: name on the on the front door, and I was like, 303 00:16:46,240 --> 00:16:49,920 Speaker 1: how can we help? So from there I was able 304 00:16:49,960 --> 00:16:52,560 Speaker 1: to go through and complete my objectives. 
But it's it's 305 00:16:52,640 --> 00:16:56,520 Speaker 1: kind of amazing how much you have to leverage creativity 306 00:16:56,720 --> 00:16:59,720 Speaker 1: and even kind of the on the spot improv sometimes too, 307 00:17:00,000 --> 00:17:05,840 Speaker 1: to actually complete these objectives. Yeah, improv was the word 308 00:17:05,960 --> 00:17:10,840 Speaker 1: that springs to mind hearing that story. I would imagine 309 00:17:10,840 --> 00:17:13,640 Speaker 1: that there must be some playbook that there's a bunch 310 00:17:13,680 --> 00:17:16,639 Speaker 1: of things you try, but and then you have to 311 00:17:16,760 --> 00:17:20,399 Speaker 1: improvise if the playbook isn't working. Is that playbook always changing? 312 00:17:20,680 --> 00:17:24,119 Speaker 1: Is it? Is it this constant arms race? Constantly? It 313 00:17:24,240 --> 00:17:27,640 Speaker 1: also depends on who my target is. Right, I will 314 00:17:27,760 --> 00:17:31,720 Speaker 1: change the way I ask questions, the way I set 315 00:17:31,720 --> 00:17:36,000 Speaker 1: things up, just completely everything depending on if I'm talking 316 00:17:36,040 --> 00:17:39,040 Speaker 1: to someone younger or older, or male, or female. Like, 317 00:17:39,080 --> 00:17:42,880 Speaker 1: there's a lot of things that absolutely adapt to whoever 318 00:17:42,960 --> 00:17:45,000 Speaker 1: I'm speaking to at the end of the day, because 319 00:17:45,840 --> 00:17:48,080 Speaker 1: people are different and I want to try to make 320 00:17:48,080 --> 00:17:51,280 Speaker 1: sure whoever I'm talking to is comfortable and I can 321 00:17:51,320 --> 00:17:54,679 Speaker 1: get them to trust me. And is there a collaborative 322 00:17:54,720 --> 00:17:58,239 Speaker 1: process this kind of ethical hacking or is it very 323 00:17:58,320 --> 00:18:02,720 Speaker 1: much a lone wolf. It's really both. It just depends 324 00:18:02,760 --> 00:18:05,800 Speaker 1: on what the type of assessment is. 
And there's a 325 00:18:05,840 --> 00:18:09,480 Speaker 1: lot of variables. I prefer a team right, working with 326 00:18:09,520 --> 00:18:12,520 Speaker 1: as many people as possible, because I might be looking 327 00:18:12,560 --> 00:18:16,080 Speaker 1: at a problem from, you know, my perspective, but if 328 00:18:16,119 --> 00:18:18,320 Speaker 1: I have two or three other people with completely different 329 00:18:18,320 --> 00:18:22,520 Speaker 1: backgrounds and sets of experience, they're thinking about from another perspective. 330 00:18:22,600 --> 00:18:26,199 Speaker 1: So the more we collaborate and work together, typically the 331 00:18:26,240 --> 00:18:30,640 Speaker 1: more successful we can be as well. I'm curious about 332 00:18:31,600 --> 00:18:34,679 Speaker 1: a day in the life of Snow. I mean, on 333 00:18:34,720 --> 00:18:39,200 Speaker 1: a completely typical day, what is it that you're doing. 334 00:18:40,040 --> 00:18:42,080 Speaker 1: So that's what I love about my job is I 335 00:18:42,119 --> 00:18:45,120 Speaker 1: don't have a typical day. I could be one day 336 00:18:45,160 --> 00:18:49,280 Speaker 1: waking up in Manhattan breaking into the building, and the 337 00:18:49,400 --> 00:18:51,720 Speaker 1: next day I could be in my home office writing 338 00:18:51,720 --> 00:18:54,800 Speaker 1: a report like it's all over the place, and that's 339 00:18:54,840 --> 00:18:59,040 Speaker 1: what makes it super exciting that it's not mundane. It's 340 00:18:59,240 --> 00:19:01,560 Speaker 1: constantly change and I love that. It's like, yeah, one 341 00:19:01,600 --> 00:19:03,400 Speaker 1: day I'm writing a report, the other day, I'm breaking 342 00:19:03,440 --> 00:19:08,920 Speaker 1: into a building in Manhattan. 
It's perfectly One description I've 343 00:19:08,960 --> 00:19:12,040 Speaker 1: seen is that you're like a secret shopper, except instead 344 00:19:12,040 --> 00:19:14,359 Speaker 1: of being a secret shopper for a restaurateur or a 345 00:19:14,440 --> 00:19:17,520 Speaker 1: chain store, you're a secret shopper for breaking in and 346 00:19:17,680 --> 00:19:21,520 Speaker 1: stealing passwords. It is that accurate that I would I 347 00:19:21,520 --> 00:19:24,320 Speaker 1: would say that's accurate. And if people are hiring you 348 00:19:24,400 --> 00:19:28,919 Speaker 1: to probe their security and to find the weaknesses, have 349 00:19:29,000 --> 00:19:31,359 Speaker 1: you ever come back and said, no, it's perfect. I 350 00:19:31,440 --> 00:19:35,840 Speaker 1: got nothing couldn't get in. So I have broken into 351 00:19:35,880 --> 00:19:39,400 Speaker 1: over a hundred and thirty unique buildings. I've only had 352 00:19:39,520 --> 00:19:42,000 Speaker 1: one of those buildings I was not able to break into, 353 00:19:43,200 --> 00:19:46,000 Speaker 1: and that is because it was a small company in 354 00:19:46,040 --> 00:19:49,080 Speaker 1: the middle of nowhere where everyone knew each other. It's 355 00:19:49,119 --> 00:19:52,840 Speaker 1: not because necessarily because they had all these you know, 356 00:19:53,000 --> 00:19:55,840 Speaker 1: expensive security controls that they had in place. It was just 357 00:19:56,240 --> 00:19:58,280 Speaker 1: I stuck out like a sore thumb, and no matter 358 00:19:58,359 --> 00:20:01,520 Speaker 1: what I said, they knew I wasn't supposed to be there. 
359 00:20:01,960 --> 00:20:04,160 Speaker 1: But it's kind of scary some of the very large 360 00:20:04,240 --> 00:20:09,040 Speaker 1: organizations in these famous skyscrapers that I've broken into, where 361 00:20:09,359 --> 00:20:12,560 Speaker 1: they've invested hundreds of thousands, if not millions of dollars 362 00:20:12,600 --> 00:20:16,840 Speaker 1: into their physical security, but I'm able to get in right. 363 00:20:16,920 --> 00:20:20,639 Speaker 1: That's kind of terrifying if you think about it. Whether 364 00:20:20,640 --> 00:20:23,680 Speaker 1: it's brick and mortar hacking or using something much more 365 00:20:23,760 --> 00:20:27,240 Speaker 1: high tech, it's all founded on the same principle, using 366 00:20:27,320 --> 00:20:31,399 Speaker 1: deception to get what you want. To round out their conversation, 367 00:20:31,680 --> 00:20:34,440 Speaker 1: Tim and Snow talk about the state of the global 368 00:20:34,520 --> 00:20:37,960 Speaker 1: cybersecurity industry, where the art of the con is headed, 369 00:20:38,200 --> 00:20:41,560 Speaker 1: and how prepared companies are for any of it. Let's 370 00:20:41,600 --> 00:20:44,520 Speaker 1: zoom back a bit now and and take in what 371 00:20:44,640 --> 00:20:47,520 Speaker 1: you know the state of the global hacking industry if 372 00:20:47,520 --> 00:20:51,879 Speaker 1: that's a phrase, or the global security industry, and what 373 00:20:52,200 --> 00:20:57,359 Speaker 1: has changed in security and cybersecurity over the last few years. 374 00:20:57,560 --> 00:21:01,760 Speaker 1: What are the new trends? So what's changed? I would 375 00:21:01,760 --> 00:21:05,240 Speaker 1: say more of our lives are online, and and that's 376 00:21:05,320 --> 00:21:09,640 Speaker 1: kind of scary. Everything from your IoT lightbulb to your 377 00:21:09,680 --> 00:21:12,960 Speaker 1: oven to IoT being the the Internet of things. 
So 378 00:21:13,080 --> 00:21:15,520 Speaker 1: I just Basically every everything has a web address 379 00:21:15,600 --> 00:21:19,560 Speaker 1: now exactly, and so there's so much more of that now. 380 00:21:19,840 --> 00:21:23,160 Speaker 1: It's just it surrounds us are are just our lives 381 00:21:23,160 --> 00:21:27,399 Speaker 1: are online, and with that much being online, that's just 382 00:21:27,440 --> 00:21:29,399 Speaker 1: more that we have to protect or more that we 383 00:21:29,520 --> 00:21:34,080 Speaker 1: have to worry about. Unfortunately, that clearly raises the stakes. 384 00:21:35,600 --> 00:21:39,160 Speaker 1: I would have hoped there's also more awareness. People don't 385 00:21:39,200 --> 00:21:45,159 Speaker 1: fall for the most obvious scams and tricks anymore. And 386 00:21:45,320 --> 00:21:48,639 Speaker 1: do you think companies put enough emphasis on security? Is 387 00:21:48,680 --> 00:21:51,640 Speaker 1: it a high enough priority at the C-suite level? 388 00:21:52,240 --> 00:21:55,080 Speaker 1: I wish I could say yes. However, it's all over 389 00:21:55,119 --> 00:21:58,120 Speaker 1: the board. I've I've worked with clients who they put 390 00:21:58,119 --> 00:22:02,000 Speaker 1: everything they have into stopping attackers, into securing their environment. 391 00:22:02,400 --> 00:22:04,880 Speaker 1: I've seen some clients in the past who just want 392 00:22:04,880 --> 00:22:06,800 Speaker 1: to get the check in the box that they did 393 00:22:06,840 --> 00:22:10,119 Speaker 1: their assessments and they want to move on to something else. So, unfortunately, 394 00:22:10,200 --> 00:22:13,920 Speaker 1: it's a pretty big range of types of people who 395 00:22:14,160 --> 00:22:19,000 Speaker 1: really have that security mindset. 
And I'm always reading stories 396 00:22:19,040 --> 00:22:24,000 Speaker 1: in the news about breaches and they these security breaches, 397 00:22:24,040 --> 00:22:29,760 Speaker 1: and they sometimes they sound very sensational. Sometimes they sound 398 00:22:29,760 --> 00:22:34,359 Speaker 1: incredibly banal, like, oh yeah, somebody just stuck all the 399 00:22:34,480 --> 00:22:39,840 Speaker 1: passwords online in plain text books. I mean, is there 400 00:22:39,359 --> 00:22:42,760 Speaker 1: a standard procedure for the bad actors? Is there a 401 00:22:42,800 --> 00:22:48,879 Speaker 1: way that breaches happen like this? Not these days, just 402 00:22:48,920 --> 00:22:51,400 Speaker 1: because there's so many different ways they get in. I mean, 403 00:22:51,480 --> 00:22:54,359 Speaker 1: most of them are financially motivated. So at the end 404 00:22:54,359 --> 00:22:56,439 Speaker 1: of the day, once they get in they're going for 405 00:22:56,880 --> 00:22:59,040 Speaker 1: they're going to see if they can get money somehow, 406 00:22:59,040 --> 00:23:02,919 Speaker 1: whether it's ransomware or they're looking for credentials to 407 00:23:03,320 --> 00:23:07,359 Speaker 1: high end executives. Right, it kind of depends on their angle, 408 00:23:07,480 --> 00:23:11,480 Speaker 1: but really it's it's how they're getting in is It's 409 00:23:11,480 --> 00:23:14,560 Speaker 1: pretty tricky again. 
Social engineering is one of the number 410 00:23:14,560 --> 00:23:18,240 Speaker 1: one ways to get in, typically through phishing, um sending 411 00:23:18,320 --> 00:23:21,040 Speaker 1: some type of malicious payload and if their target does 412 00:23:21,119 --> 00:23:24,040 Speaker 1: open it, that gets them into their environment and then 413 00:23:24,040 --> 00:23:25,919 Speaker 1: they kind of pivot from there and see what they 414 00:23:25,960 --> 00:23:29,040 Speaker 1: could get access to and how much does it cost 415 00:23:29,200 --> 00:23:34,680 Speaker 1: when security has breached? So IBM did a report the 416 00:23:34,720 --> 00:23:38,399 Speaker 1: one from one the cost of an average data breach 417 00:23:38,560 --> 00:23:43,480 Speaker 1: was over four million dollars, which is insane to think about. 418 00:23:43,640 --> 00:23:46,640 Speaker 1: It kind of makes you wonder why they don't put 419 00:23:46,640 --> 00:23:50,119 Speaker 1: more emphasis on their security and security awareness. Training and 420 00:23:50,600 --> 00:23:53,159 Speaker 1: updating their machines and things like that. When when you 421 00:23:53,200 --> 00:23:57,240 Speaker 1: think about how big that number is, why, there's tons 422 00:23:57,240 --> 00:23:59,560 Speaker 1: of reasons they could have fines that they have to 423 00:23:59,600 --> 00:24:02,359 Speaker 1: pay out depending on what industry they're in, they have 424 00:24:02,600 --> 00:24:05,879 Speaker 1: to pay out for things like credit monitoring for whoever 425 00:24:06,200 --> 00:24:10,320 Speaker 1: is affected, UM, legal fees like there's there's tons and 426 00:24:10,359 --> 00:24:13,080 Speaker 1: tons of things that are involved. When when a company 427 00:24:13,119 --> 00:24:15,720 Speaker 1: actually gets breached, there's a couple of things they could 428 00:24:15,760 --> 00:24:18,480 Speaker 1: do to try to prevent them UM. 
And the first 429 00:24:18,520 --> 00:24:21,600 Speaker 1: one is hire folks like myself to come in and 430 00:24:21,640 --> 00:24:26,160 Speaker 1: test their environments to see where those vulnerabilities are so 431 00:24:26,200 --> 00:24:29,960 Speaker 1: they can patch them. UM, to do ongoing training for 432 00:24:30,080 --> 00:24:32,400 Speaker 1: their internal team to make sure they're up to date 433 00:24:32,480 --> 00:24:35,720 Speaker 1: they know how to stop these type of attacks, and 434 00:24:36,080 --> 00:24:40,879 Speaker 1: really just care about security in general goes a long way. No, 435 00:24:41,240 --> 00:24:43,080 Speaker 1: I mean, in some ways what you're describing is is 436 00:24:43,160 --> 00:24:47,600 Speaker 1: tremendously varied, lots of creativity, lots of improvisation, lots of variety. 437 00:24:47,840 --> 00:24:50,320 Speaker 1: In other ways, it's it seems kind of simple. You're 438 00:24:50,320 --> 00:24:53,800 Speaker 1: trying to break into places, So what's the state of 439 00:24:53,840 --> 00:24:55,720 Speaker 1: the art and how do you advance the state of 440 00:24:55,760 --> 00:25:00,159 Speaker 1: the art? In people hacking. Unfortunately, social engineering is is 441 00:25:00,240 --> 00:25:02,480 Speaker 1: kind of stagnant. I mean, if you if you go 442 00:25:03,840 --> 00:25:06,600 Speaker 1: it feels it feels kind of like it might be 443 00:25:06,640 --> 00:25:10,560 Speaker 1: good news for me. It's unfortunate. Okay, I'm looking from 444 00:25:10,600 --> 00:25:13,480 Speaker 1: the attacker point of view, So that's very correct. Um, 445 00:25:13,480 --> 00:25:15,680 Speaker 1: but if you go back to the Middle Ages, there 446 00:25:15,720 --> 00:25:18,600 Speaker 1: were cons that people were doing back then. 
Um, there's 447 00:25:18,680 --> 00:25:22,639 Speaker 1: tons of cons from the early nineteen hundreds and still 448 00:25:22,720 --> 00:25:24,760 Speaker 1: we're taking some of those kinds of cons and just 449 00:25:24,840 --> 00:25:29,000 Speaker 1: adapting it to today's digital world, which there's there's improvements there, 450 00:25:29,560 --> 00:25:33,160 Speaker 1: but in general social engineering there's there's not much that's 451 00:25:34,119 --> 00:25:36,560 Speaker 1: that's changing. So that's actually one of the things that 452 00:25:36,840 --> 00:25:39,720 Speaker 1: I have put a lot of emphasis on the last year, 453 00:25:39,800 --> 00:25:42,280 Speaker 1: especially with my team, is once we go in and 454 00:25:42,280 --> 00:25:48,080 Speaker 1: we complete an assessment, we spend the last trying something new, 455 00:25:48,160 --> 00:25:52,720 Speaker 1: trying something novel. Can this technique work? Maybe it's walking 456 00:25:52,760 --> 00:25:54,680 Speaker 1: into a building saying, hey, I shouldn't be here, will 457 00:25:54,720 --> 00:25:57,639 Speaker 1: someone stop us? Right? Any little thing like that. What 458 00:25:57,800 --> 00:26:00,880 Speaker 1: can we actually get away with? And that's that's something 459 00:26:00,920 --> 00:26:03,880 Speaker 1: that I've enjoyed doing and pushing my team to see 460 00:26:04,000 --> 00:26:07,280 Speaker 1: what we can learn and where those boundaries are. Can 461 00:26:07,320 --> 00:26:11,520 Speaker 1: you give me an example of a medieval con very curious. Yes, okay, 462 00:26:11,600 --> 00:26:15,720 Speaker 1: So in the Middle Ages there is have you ever 463 00:26:15,760 --> 00:26:18,600 Speaker 1: heard the term pig in a poke? Uh? Yeah, I've 464 00:26:18,640 --> 00:26:21,520 Speaker 1: heard the term. I always wondered where it came from. 
Yeah, 465 00:26:21,600 --> 00:26:25,879 Speaker 1: So pig in a poke came from vendors at the times, 466 00:26:25,720 --> 00:26:28,679 Speaker 1: or people who worked on the street and sold different 467 00:26:28,960 --> 00:26:32,160 Speaker 1: various goods and foods. They would put a suckling pig 468 00:26:32,240 --> 00:26:33,840 Speaker 1: inside of what they called a poke, which is a 469 00:26:33,880 --> 00:26:36,359 Speaker 1: burlap sack, and sewed it shut, and that's what 470 00:26:36,359 --> 00:26:39,640 Speaker 1: they would sell on people by then eat that for dinner. However, 471 00:26:39,800 --> 00:26:44,320 Speaker 1: at the time, there were no shortage of small dogs 472 00:26:44,320 --> 00:26:47,800 Speaker 1: and cats, So what some creative folks would do is 473 00:26:48,040 --> 00:26:50,639 Speaker 1: put those types of animals inside of the sack and 474 00:26:50,680 --> 00:26:53,639 Speaker 1: sew it shut, and make a lot of money and 475 00:26:53,640 --> 00:26:56,679 Speaker 1: then move on to the next city and continue that 476 00:26:56,800 --> 00:27:00,359 Speaker 1: con So again, cons have been around for the 477 00:27:00,600 --> 00:27:07,280 Speaker 1: longest time. I suppose the fact that cons themselves haven't 478 00:27:07,359 --> 00:27:10,640 Speaker 1: changed that much. In a way, it seems to make 479 00:27:10,680 --> 00:27:13,520 Speaker 1: life easy, right then nothing nothing changes. But in another way, 480 00:27:13,560 --> 00:27:16,280 Speaker 1: that just goes to show that we are just all 481 00:27:16,280 --> 00:27:18,720 Speaker 1: have the same vulnerabilities over and over again, and people 482 00:27:18,720 --> 00:27:22,600 Speaker 1: have been exploiting them for centuries. Exactly if it's not broke, 483 00:27:22,680 --> 00:27:26,080 Speaker 1: why fix it? Yes, or if it's broken in a way that 484 00:27:26,240 --> 00:27:32,160 Speaker 1: will enable you to take it. Really enjoyed this conversation. 
485 00:27:32,160 --> 00:27:34,639 Speaker 1: Thank you so much and goodbye. Absolutely, thank you so 486 00:27:34,720 --> 00:27:39,160 Speaker 1: much for having me. Snow mentioned something that's really hard 487 00:27:39,200 --> 00:27:42,359 Speaker 1: to forget. She's tried to break into over a hundred 488 00:27:42,359 --> 00:27:45,680 Speaker 1: and thirty unique buildings, and out of those, she's had 489 00:27:45,760 --> 00:27:48,800 Speaker 1: only one one that she wasn't able to break into. 490 00:27:49,440 --> 00:27:52,679 Speaker 1: That's bananas. What Snow taught us is that we have 491 00:27:52,800 --> 00:27:56,760 Speaker 1: to think of information security in a much more holistic way. 492 00:27:57,080 --> 00:28:01,160 Speaker 1: It has to involve networks and computers, but also employees 493 00:28:01,200 --> 00:28:05,760 Speaker 1: and office buildings. Of course, no defense is ever perfect, 494 00:28:06,280 --> 00:28:08,879 Speaker 1: and that's why it's important for companies to have people 495 00:28:08,960 --> 00:28:11,960 Speaker 1: like Snow on their side, because in a world where 496 00:28:11,960 --> 00:28:15,359 Speaker 1: business is bound to be hacked, the real question is 497 00:28:15,359 --> 00:28:20,439 Speaker 1: is there a good hacker hacking for you. On the 498 00:28:20,480 --> 00:28:24,720 Speaker 1: next episode of Smart Talks with IBM the Mayflower Autonomous Ship, 499 00:28:25,280 --> 00:28:30,040 Speaker 1: how IBM's artificial intelligence is powering the world's very first 500 00:28:30,080 --> 00:28:34,280 Speaker 1: autonomous vessel. We talked with Brett Fanoff and Don Scott 501 00:28:34,520 --> 00:28:39,960 Speaker 1: about how they're using IBM tech to revolutionize oceanography. 
Smart 502 00:28:39,960 --> 00:28:43,000 Speaker 1: Talks with IBM is produced by Molly Sosha, David jaw, 503 00:28:43,360 --> 00:28:48,640 Speaker 1: Royston Reserve and Edith Russelo with Jacob Goldstein. We're edited 504 00:28:48,640 --> 00:28:52,560 Speaker 1: by Jan Guerra. Our engineers are Jason Gambrel, Sarah Brugare 505 00:28:52,880 --> 00:28:57,480 Speaker 1: and Ben Tolliday. Theme song by Gramoscope. Special thanks to 506 00:28:57,600 --> 00:29:02,080 Speaker 1: Carlie Megliori, Andy Kelly, the Callaghan and the Eight Bar 507 00:29:02,240 --> 00:29:06,560 Speaker 1: and IBM teams, as well as the Pushkin marketing team. 508 00:29:06,720 --> 00:29:09,480 Speaker 1: Smart Talks with IBM is a production of Pushkin Industries 509 00:29:09,760 --> 00:29:13,400 Speaker 1: and I Heart Media. To find more Pushkin podcasts, listen 510 00:29:13,440 --> 00:29:16,760 Speaker 1: on the I Heart Radio app, Apple Podcasts, or wherever 511 00:29:17,040 --> 00:29:20,640 Speaker 1: you listen to podcasts. I'm Malcolm Gladwell. This is a 512 00:29:20,640 --> 00:29:35,160 Speaker 1: paid advertisement from IBM.