From Zero-Day Hunter to Cyber Defender: Cody Pierce's Journey
Cody Pierce · June 20, 2025 · 01:03:55
Welcome to the Security Cocktail Hour. I'm Joe Patti.
I'm Adam Roth.
Adam, you know, I thought I was impressed with myself for wearing the colors here, but as usual, you got me beat like by a mile. You got the shirt, the hat, and the background.
So normally it would just be probably the shirt and the background, but we had another podcast host recently and we sent him a hat. I figured if he was great enough to have a hat, I'm great enough to have a hat.
All right. Well done. Well, order up another hat because we got another guest on today. Sure. Cody Pierce is with us.
Cody, welcome to the show. Thanks for having me guys. I'll definitely, I'll definitely rock a hat.
Oh, you'll get a hat then. There's no problem.
Yeah. You'd be rocking it on the West coast too. It'd be like, you know, bi-coastal. Awesome. Mr. Worldwide. Yeah. That's right. Cody, you are the co-founder and CEO of Neon Cyber, doing a lot of stuff with, well, I think it's stealth. I don't know if I'm supposed to say what it is. No, it's fine. Okay. Well, why don't you say, you know better than I do.
Well, it's a startup that's trying to secure your workforce. So we're really focused on understanding the workforce and the way that they interact with the outside world. And we've been working on it for a little over a year now, as you mentioned, still in stealth, but you know, with a small community, it's not, not a rigid requirement. We're not trying to be a secret squirrel, but yeah, it's, it's, it's fun. It's a lot of switching from my background of device and infrastructure and you know, the machines that we've been trying to secure for a long time to switching to trying to secure people. And that's a whole host of different problems, but we think it's one of the most critical and emerging difficulties of defenders to do.
Yeah, well, it's interesting that you're doing defense, and that's really what we're going to be talking a lot about, because you have a long background in offensive security, quite a history there. Why don't you tell us a little bit about that?
Well, I mean, you know, I think it's a lot of circumstance. I think everybody has an interesting story on how they got into cyber security. Mine definitely started as a teenager in the 90s, you know, hacking and phones and the emergence of the internet. And for me personally, a lot of that was, you know, the fun, I think, when you're young of breaking things and new technologies. And it's one thing to learn them, it's another thing to learn them. And you know, play with them to the degree that you start to make them act differently and differently from how they were intended. And so that really hooked me when I was a teenager and I kept pursuing that. So I went and did, of course, at that time, there wasn't certainly at my age, there wasn't really a, uh, career path that I can look at and say, you know, offensive security or even cyber was something that I was going to do. Well, not a legitimate career path. No, no. Yeah. You know. Yeah, there's definitely, you can see black hats and white hats diverging in career paths, if you will. But, you know, I always found it, I always liked the technology aspect, and I still do. I love to learn. I love new technology. It's fascinating to me. And so, you know, breaking things was, you know, kind of punk rock and fun. That's what I wanted to keep doing. And, you know, I did that. I'd say, you know, I was a Unix system administrator was kind of the first job I had, you know, like, like a lot of people get into at that time in the nineties. And then finally got my first security job in 2000 or 2001, big Unix systems doing distributed Unix computing. And what's, I think, kind of the next journey is that something that from the offensive side I've kept with forever was, you know, a lot of offensive security is about finding technologies that people haven't looked at yet. So being around these big Unix systems, HP-UX was the primary one because I worked at Verizon as a contractor for HP.
Attackers and researchers weren't able to get access to a big HP-UX system. And so that was the first time I found my own vulnerabilities. So I had been, you know, definitely into using exploits in the 90s and, you know, trying to learn all of that. But I think one thing that happened was of a greenfield opportunity of both Unix and cybersecurity. So I started to find my own vulnerabilities in HP-UX and AIX and Solaris. And that really kind of started off my journey in probably 2002. And then in 2005, I joined the Zero Day Initiative, which for listeners that don't know, the Zero Day Initiative came out of an iDefense vulnerability purchasing program. And Zero Day Initiative was some of the guys from iDefense had moved to Austin, started working for Tipping Point, and I am from the Dallas-Fort Worth area, so I packed everything, loved Austin, and moved down there, and started at the Zero Day Initiative in 2005.
I gotta tell you, you know, it's funny. I'm listening to you and the emergence of the internet, and I'm thinking to myself, the late 70s, early 80s, I was hanging out in a Radio Shack, looking to see if I can get an acoustic coupler, a telephone modem or a 110 baud dial up. And then I also remind myself that when I was a kid, I used to buy the 13.56 color burst crystals. I think we spoke about this once. And I used to put it into the DTMF dialers to make the nickels, dimes and quarters. And then I would put a ground from the phone to the, uh, to a, to a payphone so that I can get a free phone call or cut the yellow wire escrow. So the, the money would come back out. And I know hopefully there's a statute of limitations about doing that because I don't want to get like locked up for 38 cents, but, but it's funny, you know, this is how like we all started. Like a lot of us started in telephony. We, a lot of us used to do crazy things in telephony and, uh, either whether it was war driving or anything like that, but man, you, I know I'm older than you, but you're talking about the emergence of the internet. I used to, I used to do dial up for bulletin board services. So that's when I was around, so.
Yeah, it was around when the internet was like all smoke and everything going like that.
Yeah, it's, you know, and then I think there's always, there's always a hook. I think, you know, there's, there's a hook and what's exciting and there's a hook and then there's the time in your life. Like what, what are you really, you know, what is keeping you interested as a teenager in your twenties or whatever? I definitely was into the phone stuff, but I had friends that were going wild in the phone world. And they were, you know, cloning cell phones, cloning pagers, cloning, you know, and that was really, really cool. For whatever reason, I just, maybe it's because of the Unix background, like the software side was always drawing me in. Maybe it's because I couldn't afford all these things, or I was still a teenager and couldn't go, you know, to the market and buy all this stuff. But I certainly had a Redbox, and I would go to the, you know, BBSs and download all the different schematics. Yeah, yeah. Couldn't afford to build anything besides a Redbox.
You know, yeah, it's funny, because we were talking with, from another episode, Palacidorian, and we were having a conversation with them. We were talking about, you know, Solaris, and then the Ultra Sun workstations and the Ultra 10s, Ultra 20s, and having that at home. And then we started, and I said, oh, by the way, man, I always wanted to get like a Sun laptop. And then we're like, Sun laptop? Yeah, there was a Sun laptop for a short period of time in life. And like, people didn't even know that existed. And I was dying to get one, but you know, those are the old days. I didn't know what Unix was until I really saw an SCO Xenix. And it was from a point of sale system from Radio Shack. Those are the old days.
Okay. You know, I've, I should have said at the beginning that we're doing a drinking game every time Adam mentions Radio Shack, it's a drink.
Is that what it is?
I should have, because you're doing that pretty consistently these days.
Mad respect to Radio Shack. Cause I don't think, you know, now Radio Shack's no longer around, but I just drove to Ithaca.
And then when I was driving down the street, there was a Radio Shack store. There are like... That's not to work on. No, no. There are very, very, very, very few. They still exist. I think they're franchises, not stores. Like you can go into a gas station deli slash Radio Shack. They still have the logos. I think there's like a handful left. I couldn't believe it. I almost had a heart attack.
So did you go in and like corner the kid and start telling them how it's done?
You know, back in the day when we worked at Radio Shack, there were so many things that you would learn. Like, if you dialed a 700 number and the last four digits of the store, you were able to get any Radio Shack in the world, like in the country really, but in the world. So 700 dash the first three digits dash, let's say the store was 1165, you dial 1165, you got that store number. There were so many weird things about telephony and numbers, and like people used to come in and teach me about like how you can actually mirror a number at a higher rate, but a different exchange, crazy stuff. Anyway, I learned that at Radio Shack.
Adam, it's a good, it's a good point about, I think a lot of the knowledge sharing and, you know, people just kind of working on something that not many people cared about, you know, and so my, my heart is always in the community because that was, I was in my formative years. So swapping a bit of information with your buddy who gave you some information, or you'd go to a BBS that gets it, or, you know, go to an IRC channel. You just wanted little tips, you know, and if you're around enough people, you know, the, you know, the 950 exchange, or who had a party phone exchange, or, you know, it's like, who has a code to it, it was, it was very personal and exciting. That's, you know, and kind of to that point is, there was a similar community in the offensive security world where someone would write an exploit and then, you know, everybody would study it. And so certain people were really good at Unix shellcode and another group in another country was great at writing, you know, remote Apache exploits. And so you were always looking for that little piece that maybe you didn't know, uh, and, and retain it and then keep using it. Everything I've learned is some information I got from somebody else, right? Like, I've come up with some things, but it's just such a collaborative community.
I never did what you did. Well, hold on a second. Watch this. Hey, Joe, where you at, Shaq?
All right. Thank you. We should actually say we didn't talk about the drink in honor of Cody. We are, well, some of us aren't actually drinking cocktails. It was supposed to be Mocktail Day. But, you know.
Well, I'm sorry. But you know, Cody, like I was really the worst hacker. I really didn't know what hacking was. I did get, you know, the back in the day when they even first started, it was two magazines, I believe it was 2600, obviously. And I think it was 411. It was another publication the size of 2600 that didn't last many years. And those were people, I think, I hope these people don't come after me for 2600, but I think they left 2600, because 2600 is in Mid Island, Long Island somewhere, it's in, it's, but those guys are from over here and Hack the Planet, or Hackers, that was based on it. But what I'm getting at is I used to learn from some of these guys that belong to those groups about using assembly on Z80 back when I had a Model 3, please don't make fun of me. And I used to go in there and shift the bits and change things in hexadecimal with a hexadecimal editor to get either more lives in a game, or I mean I grew up on Crush, Crumble and Chomp and these other games that people knew from the beginning, like games were nothing, or typing in stuff on a 6809 or 6509 for Apple, typing in all these adventure games. Oh my god, back in the day. Those were fun.
Yeah, I still maintain that some of the best hackers were video game pirates or video game programmers. I'm still fascinated by it because it's real. There's something about it, like getting those extra lives that gamifies the hard work of trying to crack some of that stuff.
Now, besides all the software stuff, you talked about software, but you've done some hardware too.
I have. Yeah. Um, I was thinking about this driving back home for the podcast. There's, you know, hardware, there's software is all, all in your head, right? Like, yeah, you're, you're typing, you're doing some things. It's all in your head, but there's just a, you know, there's like a, a tangible kind of elegance and excitement around, around. I remember even, I mean, you could look at like WarGames, right, kind of going back to what Adam was saying, with a paperclip and some phones and an acoustic coupler. You could go to Terminator 2 with the ATM, you know, where he plugged in the ATM. I mean, it's like the movies in the popular culture of just the hacking part are always a little bit corny, but the ones that always captured my attention and still do are where there's a physical device involved. You know, it's just that kind of real world thing. And so I've done, by no means am I, you know, a hardware guy, but yeah, I've done everything from, you know, the, the USB devices, uh, that create a keyboard or mouse to, you know, we mentioned red boxes, even on the offensive side, looking for getting JTAG set up and just exploring the firmware and dumping the firmware ROM. And there's something physical that I think is really exciting. I'm not, I'm just not smart enough to, to, to do the real hardcore stuff. I look at like Joe Grand or some of the OGs and my brain couldn't really do it. I stuck with the software.
Look, that's, that's still pretty impressive because for me, I mean, maybe Adam, you did a little bit. I have never, I've been in computers for years. I know networking and software, all of it. I have never understood electronics. I mean, I can't fix anything. I can't do any of that stuff. In grad school, they tried to get me to work on a breadboard to do some things. I was freaking clueless. I can't use a multimeter to test my car. I'd replace batteries constantly. I have no clue.
When I was younger, I said to my dad, hey, back in the day, I shouldn't even be saying this either, but I'm like, dad, can I take the TV apart? I want to put a WHT box. I'm going to put an antenna on the roof. I'm going to put a WHT box. I'm going to solder some stuff into the TV. I got it to work, and by no means am I a hardware hacker or anything. I am a script kiddie in the, in the parallel when it comes to hardware. A lot of what I have ever done I have bought, but I'm not gonna lie to you. You know, I played with smart cards. I played with the, the, the 125 kilohertz back in the day when there was no encryption on the access cards, and now there's, you know, the smart chips, and then you have to use cloners and you have to change each of the pages. So I know a little bit about, I know a little bit to know I know nothing, but it's always nice to play, but I just don't have the time these days.
Yeah, I, I would recommend, you know. Some of the most fun hardware stuff was not necessarily hacking related, but I've modified every game console I've had. So like putting a chip on a PlayStation, you know, is fun because then you're like, Hey, now I'll, you know, now I'll go play any game I want, but...
I've done that too, but I'm talking about... How the hell do you know how to do that? It's out there.
I did it. It was very big, PlayStation 1. Yeah, PlayStation 1, the original Xbox, those are really fun to go mod, because you buy the chip, and you gotta solder it, and then you gotta install an operating system, and all those things. And nowadays, even designing chips or designing circuit boards and stuff, it's all digital. So the chips are you know, system on a chip or stacked chips and you get the memory and all that stuff. And so, like, I just never, I think it's... hardware hacking is probably outside of the signal path and trying to do fault injection or something. It's really just which chip do you think has something you're interested in? And then there's probably a real-time operating system on it or there's some signals on there and just buying like a JTAG and trying to find the right JTAG and hook it up. What's cool, if you want to get into that, is really smart people have created the debuggers and the chips and everything that you can go try to play with. So you don't really need, in some cases, like a multimeter or your own breadboard. There's so much out there nowadays that you can buy for 20 bucks and just start pulling off USB, pulling off SPI, pulling off, you know, all of those things that you want. And it's just, getting the software off and looking at the software and then learning how to upload or flash your firmware. You know, there's a lot you can do now that is not as hardcore analog electronics as it used to be.
What I always wanted to do, Cody, if you want to come out to the East Coast and help, and help me, I always wanted to make a candy dispensing machine for Halloween. So, so I would, I would go, I go online every year and I try to find ready made breadboards and apertures and, you know, different things and electronics to dispense candy and maybe shoot it at somebody as they're walking across the street. But I've never really, there's very little out there. There is stuff out there to make it, but I don't wanna make it purely by design. Like I was a kid, and please don't make fun of me again, but I used to play with 555 timers, 556 timers. I used to play with PNP transistors. As a matter of fact, on LinkedIn the other day, we were talking about the color code and how people remember from the military. I never was in the military. From the RCA school, which was a really obnoxious thing you can never repeat. How do you remember the color codes? But um, I used to love doing that stuff. You like, you know, well, do I need a 200 ohm resistor, doing the 2200 ohm resistor? You know, is it black? Is it red? You know, I love those things, but I never was the hardcore solder, breadboard, wire wrapper. I tried it. I've done it, but I never got hardcore. That was really hardcore for me, for people that did that. I used to look up to them like, can I be your friend?
Well, Adam loves the Hak5 devices, all that stuff. Loves that. He's always talking about his Rubber Ducky and his Pineapple and this stuff. He's going to write a script for a show about it someday.
I already started it. But the truth of the matter is, is that a lot of people like it. A lot of people are fascinated by it. It's the script kiddie of hardware. Let's be honest, it's in all the movies and all the TV shows. Plus then, but what the crazy stuff that's out there, the real crazy stuff, let's talk about that, Cody, right? The people who are stealing cars that are buying those special, you know, you can get it on your computer and the USB and you can listen to it with an antenna, but there's kits for $2,000 that can literally be a script kiddie, get the signal and it replays it right away. I mean, I know back in the day people were doing it, and when I say in the day, last two years. Anymore though? No, they do, absolutely. They still do, it's a replay attack. No, it's, it's still working. Don't, some people are still trying to use the Hyundai, the older Hyundais. They're not modified, people. It's kind of like a vulnerability. If you don't bring it in and repair it, then you still have that vulnerability, and people are grounding out there the, um, the head, the headlights and being able to use it as a bus in order to inject signals. It's still out there. Am I wrong, Cody?
No, I mean, I think, I don't, I don't keep up on what's the latest, but I think you're very insightful to say that you do have to update it. It's software and you know, there's going to be, there's going to be new ones discovered. There's going to be new techniques discovered, new tools. It's just too, it's too easy if you can get those to work because you just walk up and steal a car and that's always going to be financial. So I think the, you know, kind of go into that, the Hak5 itself. I think it's fun, and I think any way that you can get, understand and get lower level in technology is good. You know, it just helps you kind of understand. So understanding the physical security, understanding that people can do these things is enlightening to some people, because I think some people think of everything is just secure by default, or, you know, it's in my house, or I don't mean us in cybersecurity, but I mean, people that may not think about these things. And so those are good entry points, you know, entry points. So I don't, I don't really, I mean, you know, whether you like it or not, if you're enjoying it, I think it's fine. And, but there is a, an issue with, I think, making things sophisticated and easy to access that then changes the conversation a bit.
Yeah, that's what I wanted to get into, because you've got a really interesting story that you, you built one of those things. Right? Why don't you tell us that story? It's a good one.
And this is, I think part of the, the bigger conversation that we get into a little bit, but, so I built one like a, I have it here, like a rubber thing. They're just these little, um, these little prebuilt USB. This one's called a Trinkey. I think I got it from Adafruit or one of those sites.
It was a nice site. I remember those.
Yeah. It's definitely Adafruit. It's the Trinkey RP2040 QT. And essentially it's the same thing as like the Rubber Ducky, where it just emulates or it'll execute code once it's plugged in, power up, execute your code.
And I made it- So it's basically a little computer with a USB that you can put code onto?
Yeah. And you run like- And you can just buy that? You could just, these are $5 a piece, $5 or $10 a piece. It's basically the same concept as the rubber ducky or whatever. And so I got it because I had a rubber ducky and I didn't like how the code worked and it wasn't flexible enough. I knew I could do more, so I made that thing. I didn't solder all of it, just to be clear. I just bought it because, again, it's just so easy to spend five bucks and get you know, a USB interface with a bootloader and all that kind of things. Then I started to write the Python scripts that will actually do exfiltration and unlocking. And I had it all in a GitHub repository. and pictures of how to build it. And I bought PlastiDip, the PlastiDip in it. So I don't have a 3D printer. I didn't want to make a case. But then I just decided not to push it to GitHub. And this is very different than what I used to do when I started at Zero Day Initiative and then went to Endgame and started to kind of change what I was doing. Because I just didn't, I wanted there to be a barrier to entry, you know, like I love to share. It's still part of what I like to do, but I didn't want to make it so easy that somebody who didn't care about how it worked was able to use it. And that's kind of the impetus of switching from offense to defense in some ways, but also my opinions have changed on publishing offensive cybersecurity tools and work. Once it goes, once it can be used by people who don't care how it works or the impact, really changes the, the, the, the, the context of it. Yeah. Yeah.
So I'm going to jump in there. I'm going to say this, right. You know, I know several people that have found six, seven, eight zero days. And their feeling is, I don't want to release it. I want to do responsible reporting. However, if the organization doesn't do anything to resolve it, then I feel like I need to publish it in order to force their hand to do it. But not everybody is going to feel that responsibility. Not every manufacturer, not every corporation is going to feel that responsibility to patch it. And we've seen that, right? If you don't do something, I'm going to release this zero day information in 90 days. 91 days later, they release it. The organization hasn't done anything and people get compromised. But at least the people who are responsible that follow this, they know to do, they might not be able to resolve it, but they might be able to add other layers of security. And that's what security is all about. It's not about one layer, it's about multiple layers, about mitigating, not stopping. We never stop issues, we mitigate them. Yes, sometimes mitigating them does stop them, but we never get to a point where we say, man, I can sleep at night. My network's 100% safe. It never is.
Yeah, that's a, it's a great, it's a great kind of prompt because when I joined ZDI, it was a vulnerability disclosure program. So the way that it works is you can find a vulnerability and you report it to ZDI and then ZDI pays you and then they are in charge of disclosing it to the vendor and working on the timelines and work you know, getting alerted when there's a patch. And then once that happens, then some details will get published. So I spent four years there. Yeah.
And Cody, before you go on, I should probably just give a little background to everyone that before that was in place, one of the reasons things like that came about and what we call the responsible disclosure is because people used to, you know, there are guys that bug hunters, vulnerability hunters, they go, you know, some were, you know, bad and would go to the vendor and say, you know, I want some, I want some money. Bug bounty, yeah. Well, not a bug bounty, just straight out blackmail. Yes, true, true. I want money or I'm going to disclose it, tell people. And then there's the opposite side where companies would like, you know, when someone just altruistically came to them with a vulnerability, they'd threaten them and all the other things, sue them, whatever. So the ZDI and the initiatives like that were to get something that was ethical and safe and good overall for everybody.
That was the idea. And the idea was to really, we were always trying to represent the security community, right? And so represent them as a, as a for-profit company that had security solutions. You know, it was good marketing. It was good. It was, it was good interface to these, these types of things because, you know, Tipping Point also wanted to protect their customers. So there was kind of a, you know, a win-win by having a vendor like Tipping Point and the Zero Day Initiative go to the affected vendor. It was easier to do that because we had people who had those contacts, who worked with those vendors. And we would make sure that the researcher got credit. We would make sure that the vendor had an avenue to push off the timeline. And I loved it. I think it was a really good moment, but we certainly went through times where vendors wanted to sue or wanted to mishandle it. And I think we had some good people at the time who were able to talk to the vendors and say, look, that's not the right path. We will work with you. We really think, and it's hard to kind of talk about this now because things have changed. This is 2005. So we were trying to advocate that security is important for every vendor. Instead of attacking people that are trying to, at the end of the day, improve your security, I think I'm always an optimist that certainly the people we're dealing with wanted money and wanted recognition, but most of them were really good actors. They were great, smart people. Trying to get the vendor to say, hey, look, security is a critical part of your business. The small community in cybersecurity is really going to watch how you react. So if you start trying to sue people, if you start saying these things about reducing the exposure of this thing, it's not going to work out well for you. And that's a battle you win, sometimes you lose. It certainly was my first entrance into the economics of vulnerabilities as well.
You know, so the economics of what you pay for vulnerability and that scale, and then getting into where I went to afterwards, the Endgame of zero days and those economics and things, was really rounded out how I, you know, how I felt at the time and reasons that I changed my opinions later about disclosure and responsible disclosure and whatnot. So I'd say in all cases, vendors have gotten better, but what has not gotten better is the ability, and I'll caveat all this, like everything has gotten better in cybersecurity, but things, but the problems have gotten bigger. So we don't have to manually patch as much these days. We don't have to wait for necessarily those Microsoft Tuesdays to come out. It's important for people, but we've got enough technology to deploy patches and stuff like that. So what has not gotten better is the amount of work that defenders have to do and the amount that they have to prioritize is overwhelming. So as I've learned and matured, I am very empathetic to what, you know, your CISOs, your SOCs, and all those people have to do from a priority perspective. So while it's easy to look at a vendor and say, you have 30 days or I'm releasing some information, there's a long tail of what defenders have to consider along with their priority. And so they may in certain cases not be able to patch on day one. And that's the missing link that I think I even had at some point, to say you can't enforce an arbitrary timeline on everyone in the world. You can push vendors to patch, but the patches aren't always the end all be all of fixing a vulnerability. And you're right, it's about priorities.
I'll tell you, one of my peeves, I've never been, well. For a long time, I wasn't at a place to produce software or anything. I was at a, you know, I would say a defender or practitioner or whatever. But one of the things that would drive me nuts was when you got someone, not even externally in IT, who'd say, oh, I found this problem. And he says, I found this problem, tells you about it, and walks away. And tells everybody else, tells your boss, whatever, you got this. Or an auditor finds the one thing that he knows how to find, and it gets blown up and that becomes your top priority.
We're talking about a vendor though?
Actually, I'm talking about internally. I mean, the same thing applies to vendors. If I play devil's advocate, I mean, it's like, The thing that's making all that noise jumps to the top of the priority list. And you know, the person making the noise may not know what you're working on now. You may very well be working on something even nastier than that.
And that goes back to the legal framework, Joe. We've experienced that together, right? People can experience zero days based on, against a purple team, against doing some kind of assessment on your organization. But that legal framework should mean that the people that you enter into a contract with, whether we're employees or whether outside vendors, should have some kind of NDA or ethical disclosure agreement built into that. And not every organization has that, but if you're engaging in a tabletop, a purple team, some kind of assessment, there should be a non-disclosure. But what I wanted to bring up one thing, Cody, what about the underground? What about that dark side of zero days? I mean, that gets to be sometimes dangerous, right? Bad guys.
Yeah. So maybe the bad guys, some of the good guys too. Well, I'll, I'll progress the story then to, to that issue. Right. So I left. Okay. So there's a huge difference in a vulnerability and an exploit. Right. So that's, it's undeniable that it, there's a massive difference. So we have 60,000 vulnerabilities every year. Right. And 1% or less are actually exploited. And there's a very, very good reason for that. I went from discovering vulnerabilities and writing proof of concepts for those vulnerabilities, because at ZDI, we would always need a proof of concept so that the vendor could reproduce it or that we could reproduce it. And you validate it's for real. Yeah, exactly. And so a proof of concept, you know, it's just going to kind of trigger the flaw, not necessarily fully exploit it, unless we just decided it was something fun to try to do. But then I really wanted to go down the route of writing exploits, because I saw that it was that not all vulnerabilities were the same, that there's a black magic to writing exploits. And it's fun. I hear, I haven't done it.
Well, let's do this. Let's do this. Can you tell us what the difference between a vulnerability and exploit is for the audience and stuff? This way they're going to listen. They're going to ask that.
Yeah. A vulnerability is potential. So a vulnerability is a potential security issue. An exploit is the actualization of that, of running arbitrary code or gaining some kind of privilege and being able to do that in a way that gets you additional access. So you can look at vulnerabilities and say, yeah, that seems like you could exploit that, and I could become administrator or execute code. The devil is in the details. So an exploit, though, is going to actually get you the shell or the privilege escalation or you'll execute arbitrary code. And at that point, in different ways, it's a proof of what is real. Right? So I've worked on, you know, looking at a vulnerability and understanding the exploitability of it just from a hypothetical perspective, you know, all the way up to now, where AI can read a vulnerability disclosure and try to generate an exploit. But at the end of the day, it's really to just validate beyond a shadow of a doubt that this is usable by an attacker. So I started to get really fascinated by that, because it always kind of bothered me if I had found and disclosed a vulnerability that I truly didn't know if it was a high, medium, critical, earth-shattering, or just unexploitable. Because until you get in there and do it, it's hard to know. So I started to kind of work on that offensive security, you know, vulnerability discovery I was doing for many years and then writing actual exploits. And so I went to a company, Endgame, and started actually writing exploits, discovering the zero days, writing exploits, and got deeper and deeper into that marketplace, those techniques, what it means to write a proof of concept versus a weaponized exploit, what the economics of a zero day are, what is the value of that type of thing, what is the longevity. So there was a lot more about that area of research that continued to fascinate me.
And so I ran that team for eight years, eight or nine years, but started, certainly started off on the zero-day discovery and exploitation and weaponization of those exploits. And the company that you worked for, they sold those exploits to people. Yep. Not to people, I want to be very clear, to U.S. institutions.
To whom did they say? To U.S. institutions.
To U.S. entities with the authority to use them. I see.
And that's kind of like my point, right? If there's a zero-day out there, and you might get a visit and say, don't you publicly disclose that, because it might be utilized for other reasons.
I'm sure that happens, but I don't think it works quite that straight. It's not that straightforward. Um, so. It never is. It never is. And that's part of why this conversation is really fun for me. And I no longer do that work, but any kind of dual use technology, whether you're using it for defense or offense, it's going to have a gray area. And, you know, the business model really that I was working under was to find vulnerabilities and zero days in highly popular software and then package those up. And, you know, we had contracts. So kind of back to your NDA and legal frameworks, like we had all those. There were occasions where I would hear of, you know, a patch that was coming out that affected one of our capabilities. And we needed to tell people, um, you know, and there were times when we would find a zero day and write the exploit and get ready to deliver it. And a patch came out, we'd have to go refactor it, or we'd have to go look and say that it only works on these versions. And, you know, part of developing something, you know, I don't necessarily like the term weaponized, but that's what's used in our culture. But, uh, you know, you'd have to go and say, hey, it only works on these versions. So you'd have to find a way to make sure that it only works on those versions. Yeah. There's anecdotal stories of people delaying a patch. I think that's such a minute thing that has happened.
Well, I'm sure, yeah. But like, Cody, check this out, right? Let's just talk about one thing for one second. Stuxnet, or whatever they called it. Stuxnet, because I don't know the legal framework, whatever it was, Stuxnet was done by Symantec. That was the name they used. But there were several zero days in that execution, right, of Stuxnet. So those zero days were gathered. Those zero days were not published. Those zero days were used as a weapon.
They hang on to them. And they say they bank a lot.
Yeah, you bank, you bank a lot. And we found dozens and dozens. And you want a deep set of capabilities. And it's really target specific. So there's certainly capabilities we found that apply to all Windows systems or Linux or whatnot. And what essentially you do is you chain, you chain your exploits. So it's all automated, maybe not in that case, because it was such a high, high value target. But in most cases, you want to chain your capabilities. So you would have a remote capability that may be very targeted. Let's say like a camera or a file share, like a Samba.
So we had like a Samba exploit.
And then you have a Linux privilege escalation exploit, and then you have, you know, something that allows you to pivot to other systems. And then if you had a target like in that instance, then you probably get to the management system of a controller and that becomes highly, highly targeted. So you always have a chain.
It's like chess. You know, you want to move a certain amount of steps. Step one is this on this exploit. Step two is this exploit. Step three is this exploit. And not every step works. You might have backup exploits for each step, right? So if I'm doing step one and step one works, when I go to step two and step two doesn't work, what is my backup exploit? What's my other backup exploit? What am I using in order to keep on moving laterally forward?
Yeah, and it's, you know, and I think this is important for anybody in cybersecurity. No attacker is going to use a zero day until they have to. My car is losing. It is much more expensive for that attacker than whatever they're trying to compromise. So right.
Because when you use it, it's disclosed.
Everyone knows, exactly. It's not a zero day. You know, if it gets burned, you maybe have a little bit of life, but you also have attribution. So you don't want the attribution of your zero day to come back to you. So everyone of any means is going to try n-days or disclosed vulnerabilities, they're going to find your unpatched, they're going to do all that. And then if it's high value enough, they will do a targeted attack. And the difference in, you know, like spray and pray, what we see 99% of the time, and what you see on the 1% or less, is those things, when they fail, you don't know. When they are successful, you don't know. So everything we would build would be, you know, you call it like continuation of execution or fingerprinting or whatever it may be. When it does its thing, it knows it's going to be successful. And then it knows how to clean up. Just a different stratosphere that I don't think people should worry too much about until it becomes public. Like if it becomes public, then by all means, the next layer of cyber criminals are going to use it at random and at scale. At scale. Yeah, that's it. Yeah.
I'm going to give you an example. I go to CVS, which I don't know if you have CVS on the West Coast, but it's like, you know, a pharmacy, and in the pharmacy, you get these coupons attached to your number. And I might get a 50% coupon, but I'm not gonna use that 50% coupon to buy a pack of gum. I'm gonna use that 50% coupon if I'm buying a $150 item and it's $75. So it's similar to the exploits. You're not going to use something unless you really need to use it for the right thing.
Yeah. There's an economy behind it and there's economics behind it. And this is no secret. There's been books written about this and everything, but the economics I think are very interesting because the economics are not controllable in a lot of cases. So you have a time from when you've written an exploit until it's patched. Some of those exploits are still unpatched 10, 15 years later. Some got patched before you finish, and the economics of it crater. So if you go from something that is worth, let's say, $50,000 as a zero day, the vulnerability as an n-day is maybe worth five, because it's much easier to write. I, I, I hate to say easy in this world, but it's much more efficient to take a vulnerability that already has everything you need and go write an exploit, if it's simple enough.
Yeah, we just should say that the defender side is that, you know, once the vulnerability is used, once it's detected and becomes publicized, then the detection systems for it are throughout the whole industry happen within hours, virtually instantly. So it becomes virtually worthless unless people are not doing a very good job of patching and detection.
And some things can't be patched, right? So, for example, back in the day, you had a 2000 server. And on that 2000 server, you had this really customized proprietary application that was built on that. And there's no way you can move that application to another server, to a later server. So what did you do, right? You couldn't patch, because there's no longer patches from Microsoft. Then you had to use micro-segmentation, deception, ACLs. You had to do layers and layers of security because you needed to keep that application running. But what you would do is you would Wireshark it and look: what am I communicating with? What are the only necessary ports to be opened, source and destination ports, source and destination IPs? And then you would put other layers in between, and it might be authentication between the points, or VPN, or IPsec, whatever it is. That's how you had to do it. So there were times where that operating system was no longer supported, it went into the sunset, but you had to find a way to still maintain it. And people are like, are you kidding me? Why would you run an operating system out of date? Because sometimes you had no choice.
Yeah. And, I mean, that's even like MS08-067, which I think was around the time of Stuxnet.
Is that the SMB?
Yeah.
It's one of the- Wow, I remember that one.
It was devastating because, you know, I don't, I don't think of the perimeter as like the castle and moat, but once you were on an internal Windows network, you just needed one, right? And that kind of goes back to the patching. I think people have gotten better, but that's the opportunistic piece of any attack: it's opportunity, it's discovery. And, you know, you're always going to find the things that people forgot about. Maybe it's the NT4 server in the closet or, you know, someone that hasn't updated. And that's really tough, but. Oh, yeah.
So that's the catch-22, right, Joe? That engineer says, crap, I got to find a way to maintain that Windows 10 machine or that Windows 2000 machine. And then you're going on all the different boards. How do I do this? How do I do that? Yeah. Email me at Adam at my company.com. Whoa. You just gave out public information about what you're running. You just gave away the keys to the kingdom. I'm not saying they're going to get right in there, but if they send you an email and there's an execution when you receive that email in Windows and Microsoft Office, or when there was a vulnerability there, you just gave yourself away, right? I mean, so you have to be really careful what you advertise. It's a catch.
Yeah. And I think it just kind of goes back to the defense problem. You know, after spending that time developing zero days, and I'll say, you know, there's a lot of misinformation out there about those types of programs. Like anything, there's good actors, bad actors, great actors. But what I realized is, you know, I had so much empathy for the defenders. It's a really, really impossible problem. You've got all this new information, all this new technology, and you're trying to keep up. And, you know, you're often seen as someone that is bothering people by bugging them to update their system. And, you know, that to me became, I think, you know, a lot of it is just personal maturity and getting older and seeing how bad things can get. But that empathy led me to, you know, moving more towards defense. And part of that journey was that Endgame also switched from offense to defense. They really did. Yeah. Yeah. They went from, you know, offensive cyber to an EDR solution. A lot of us had to pivot and get into the EDR. And it was fun because we essentially had a lot of those capabilities on the offensive side. And thinking about them from a different lens was yet another new area to kind of explore and to uncover. And having the background of doing these things helped you provide capabilities to defenders, right?
Yeah. As a defender, you have to be right all the time. As a person on offense, you only have to be right once.
I would say maybe, I think it's just... You don't like that, do you? Well, that sounds really overwhelming to a defender, right? And it probably gives a little too much credit to the attacker, although it is, you know, there's rings of privilege. So it's like, I'd say most people don't have those rings sufficiently far enough apart. So you may compromise a system and you've got active directory access to every system. In that case, the attacker needs to be right once. So I definitely advocate for, for separating your trust into different rings. And a lot of people are good at that. So there is, it is hard. It's harder in a lot of cases to fully compromise a business. But what the defender is having to do is not necessarily maybe be right all the time. It's they're prioritizing correctly all the time. So they need to prioritize correctly all the time. And that's really, really difficult.
Yeah, you know, the reality of defense, and I'm glad you have some empathy for it, because I've always been on the defense side, is you can't fix everything. You know, you make it as difficult for the attackers as possible. You close all the doors, as many doors as you can. You try to make it so we catch them if they get in. But, you know, the whole cliche of, you know, what keeps you up at night? Well, Everybody in security knows there is a way in. It's not impossible. It's possible. It's not easy for the attackers either, but it's possible. And that, unfortunately, is the reality of the game.
It's just what happens. And there's limited budget, Joe. We know this already, right? That's right. You can want everything and every tool and everything possible, but at the end of the day, that budget is going to be limited. Plus, as a defender, you don't have always a larger team behind you and you have to constantly be up to date on what you're learning. So I don't want to make it seem like the defenders are not doing anything. They're certainly doing a lot, probably more than they should be. But at the end of the day, again, I keep on saying that the company's only going to have a limited amount of resources, whether it's money, whether it's people, whether it's educating you. What I was getting at is not that you only need to be right once because you're always going to get in. It means if an attacker gets in, they got in, right? But it's like being in a boxing ring. You know, you can put your hands up and block almost every single punch, but eventually, if somebody wants to hit you, they're probably going to hit you. Now, it might not be a hard hit when you get knocked out. You might be able to get back up and defend, but you always constantly have to be on your guard in order to defend against your defender.
Yeah. You get tired. I think that the way that, you know, in cyber security, thinking about this problem is, you know, it's a tough role. It's tough to keep up. There's always new technologies. There's always new attacks. There's all this new stuff. And it's easy to kind of get caught in a wheel of, well, I'm going to secure a piece of technology. I'm going to secure this thing. And that's not the right approach. The right approach is to become really good at prioritizing based off your budget, based off your time, based off your skills and based off the company's, you know, crown jewels, or what the company cares about protecting. And then trying to just, you know, I like tabletop exercises or collaboration, and say, what happens if this person in the HR system gets compromised? Just ignore that it might happen or that it may not happen. It's like, what happens? Because that actually drives priority and that drives budget and that drives, you know, some kind of strategy. And without that, it's just going to be a bad time to be in that organization's cybersecurity program. Because even if you had a limited budget, without that insight, without that strategy, without that understanding, you're going to be actually confusing and complicating the matter. So you need visibility into your technology, you need prioritization, you need controls, but it's impossible to do all that until you've sat down and said, what are we really protecting? What happens if this device is compromised or this data is leaked? And that's really the only thing that in my experience has kept me from going crazy with all the new things that come out, you know, and that goes for vulnerabilities and exploits too. If you've had that exercise and an exploit comes out, hopefully a light bulb goes off and says, we run that router. I know exactly where it is. I have visibility into it through my logs or my, you know, uh, database or whatever, SIEM. I'm going to go check it out.
You know, that's what really, I think, keeps people trying to refine their security programs, and it's really beneficial seeing it from the attacker side and also seeing it from the defense side.
Yeah, well, defense is tough. You know, it's very complicated, like you're saying.
I'll say, you know, if we got to wrap up, I'll say it's tough, but the best thing about cybersecurity is the impact you have on society, the impact you have on the safety of real people. And that's why I've kind of gone back into that role. And I empathize because you wake up every day and you can make a difference in the world. And you can keep people safe. And, you know, you can have a real impact. And I think for our, you know, offensive intelligence, that's also keeping people safe. So I don't want to get it twisted that there isn't- When done correctly. Yes, when done with- Ethically. Ethically. And I'll say the people that I worked with, you know, on the classified side, incredible people, incredibly passionate about the mission and incredibly moral. And you have to just believe that that's the guiding light of those type of operations. But defenders are having to do that across every aspect of society, not just intelligence collection or warfare. And it's a really meaningful role. So keep at it and find your priority and your groove. That's why I think I've been in cybersecurity for 25 years. And you find a lot of people who've been in it for a really long time that absolutely care about making it meaningful and securing people and doing the right thing.
I'm doing a doctorate on ethical cyber warfare. And people look at me like, is there such a thing? I'm like, yeah, there is, actually. I mean, and I'm not going to go into the whole thing right now because this is the end of the podcast, but what people have to remember is that, for example, if you get into a fight in the street, you can either kill the person, possibly, or you can thwart them off so they leave. But some people, they want to go as far as they can go, as fast as they can go, to completely pummel somebody to a point where they're probably never going to exist. And that's how I use the analogy about cyber warfare. You do just enough to accomplish your task, but there are other countries and other nation states that want to take it as far as they can to show they have no ethics and they have no concerns. And that's what I'm getting at. That's the same thing with doing an attack. How far are you willing to go? How far do you want to go? How much do you want to devastate something?
Yeah, it's a great point. I mean, it's certainly not something I can help solve, but as we're increasingly more, you know, our society is a digital society. Every company is digitally connected, and you're always going to have bad actors. You know, you're going to have good actors. That's just life. No matter, you know, you go back a hundred thousand years, right? It's more about planning on, you know, what do we need to do to not make this a complete catastrophe? And to your point, I mean, there's definitely escalation. Like people don't want to escalate. I don't think countries want to escalate, but some do. Some like to do that. And that's just the reality. And you've got to have a deterrence. And increasingly those deterrents are digital. That's the way that you deter things sometimes, is to show power or to use something, and that's just the way that the world works. Peace through superior firepower. Yeah. Some of us lived through the Cold War. It was all about escalation, and nobody wanted to do it, but it was always hanging over your head.
The argument is countries with nuclear weapons are never going to want to use them, which is why they claim there's no war. So I don't know how true that is, but that's some theories, right?
Yeah, well, hopefully that holds. But in any case, well, you know what? A lot of us do do this to try to make things better, even though it doesn't always seem like it. But Cody, I am very glad to see that someone who was on the offensive side was a good guy, but also that you've come over to our side, to the defense.
Well, who says it's our side? It might be your side.
It's your side, too. Sorry. You only dream of being a hacker. You're a defender.
Yeah, I like I like hard problems. And the hardest problem is on the defensive side right now.
Yes, sir. Offense gets the glory, but defense wins the game.
Offense is very, very fun until you start to realize that you're impacting people. That changes it a little bit. When I was young, I didn't necessarily have that level of empathy, but, you know, there are necessary aspects. My heart will always be in offensive security research, it's just how I grew up. But there is, um, you know, a growing need to just take a beat and say, hey, do I have friends that are on defense that are going to have a nightmare and have to work all weekend because I do this thing? Maybe that's a check, you know, maybe there's something there.
Well, look at it this way. If you're watching soccer, and the goalkeeper keeps on preventing the ball from going into the goal, everyone's like, yeah, okay, cool. But when the striker is kicking the ball into the goal, oh my God.
It is fun. Yeah, that's where, yeah, there's definitely a rockstar feeling to it. Not me personally, but I think there's definitely an aura of doing it. Because it's really technical, really difficult. And you're doing something that sometimes no one else has really done, you know, and you feel good about it. It's an accomplishment, and I think that's to be celebrated, but, you know, there's also people that have to prevent that, and they don't get as much celebration by preventing a thousand attacks a day or 40,000 attacks. Your goalie thing is very apropos. It's like they're over there getting beat up with a hockey puck or a ball in their face and the last to leave the pitch, and they're exhausted, and fighting on their knees, pumping it up. And, you know, I like that. I like that.
Thank you.
All right. Well, Cody, this is a great topic. There's a lot of stuff here that's all about technology, but also ethics and even Adam's favorite cyber warfare.
Hold on a second. RadioShack.
Sorry. RadioShack.
Here's the RadioShack. They took it hard when they started selling the cell phones.
That's right. OK, well, Cody, thanks so much for joining us. Thank you, Cody. Yeah, I appreciate it, guys.
This was fun. Thank you.
All right. And thanks everyone for listening.
