EPISODE 92
 
Going Behind the Darknet Diaries…


About this episode

November 9, 2021

 

If you’re not listening to the Darknet Diaries, you’re missing out on some relatable stories that will help you better tell your own cyber risk story to your senior decision makers. Find out how with the host of Darknet Diaries, Jack Rhysider, along with Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Sign up for our free ethics CLE on December 15, 2021 at noon Pacific Time: https://www.eventbrite.com/e/1-hour-cutting-edge-cle-on-december-15th-at-12-pm-pacific-tickets-187700476177


Episode Transcript

Kip: Hey everybody. We're going to interrupt the start of the show with a brief announcement for the attorneys in our audience.

Jake: Do you need an ethics credit before the end of 2021?

Kip: If you do, we have a free, continuing legal education course with your name on it, and it's practical for your law firm.

Jake: That's right. We're going to explore reasonable cybersecurity, according to RPC 1.6(c) and ABA Formal Opinion 477R, and how that specifically applies to risk assessment and data backups.

Kip: Yep. So join us online for our one hour cutting edge CLE. It's going to happen on December 15th, 2021 at noon, Pacific time, and this is going to be live. And Jake and I are going to teach you how to operationalize these topics.

Jake: In addition to the ever valuable ethics credit, you'll receive actionable advice that you can use right away.

Kip: Exactly. So I want you to sign up now and there's two ways to do it. You can go to eventbrite.com and you can search for us and find the event or, more helpfully, we've put the link for you in the show notes. So get down into the show notes and find it.

Jake: We hope to see you there. And now, on with this episode.

Speaker 3: Welcome to the Cyber Risk Management podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake: So Kip, what are we going to talk about today?

Kip: Hey Jake, today, we're going to introduce our audience to a fantastic, I think, award winning, everybody else thinks, podcast that they should be listening to. It's called Darknet Diaries. It's by Jack Rhysider. He's the creator and he's also our guest for today.

Jake: Jack, welcome to our podcast.

Jack Rhysider: Hi guys. Thanks for having me here. I'm honored to be here.

Kip: Oh, it's just fantastic. I'm really glad you agreed-

Jake: We're honored to have you, that's I think what we should be saying.

Kip: Yeah. Well, yeah. I mean, your podcast, it's amazing. The production values are amazing. Stories are amazing. I think it's really, really well done and I was really happy after some conversation when you agreed to join us here so we could share a little bit more about you and your work with our audience, because I think our audience would benefit a lot from listening to your show. So on that note, please, we want to know a lot more about your podcast. So, in your words, what is it about and who do you make it for?

Jack Rhysider: Well, I make it for me. This was a show I wanted to hear. I love podcasts. And I was like, where's the... What I wanted was not the bleeding edge news stories in cybersecurity world and not the opinions, but I wanted the full story. Right? So, the LinkedIn data breach, I think it was 2014, we heard when that happened and then we heard there was a little bit more extra information, but then we didn't hear anything for years. It just disappeared and where they arrested the person and brought him to trial and convicted him and he's in prison now and we didn't really hear that news cycle. Right? And so once that goes to trial, now there's a whole bunch of evidence that gets brought forward. Here's testimony from LinkedIn and all this kind of stuff. And we get to see all kinds of things.

And that's kind of like a long form story that you might see written up in maybe Rolling Stone or something, just-

Kip: Wired.

Jack Rhysider: Yeah. Wired. But a 10 page article and that's kind of hard to consume when we're on a fast paced beat. So podcasts are a nice way to consume these kind of things. So, I wanted this audio storytelling, journalistic kind of thing that interviews anybody that was involved and brings their voices into it as well. And I just wasn't finding that in podcast world. So I made it and I'm just thrilled that other people like it too. And of course I add all kinds of rich audio and music and production to it, to just kind of improve the drama and get it more exciting. So yeah, it is very fun to just get into these stories and I'm just so fascinated by it to hear all of the policies that have changed or the changes of things that have been affected by it and all that kind of stuff.

And to hear from the beginning, all the way to the end of the story, I think is... It takes an hour to tell, but I think it's just really needed in today's world because there's so much, not so much misinformation, but conjecture that just shows up in Twitter and stuff about, oh, I think North Korea did it or something. Like, what, where's the basis? Where's the evidence for that? So I wait until the indictments, I wait until the trial or whatever, and then we bring it all together and put something together. That was the goal of making it. And a lot of episodes kind of follow that.

Kip: Yeah, I think the way you do it is so accessible. That's one of the things I really enjoy about it because so much of this career field and the work that we do is abstract, weird, unusual. And I think that's a significant barrier for a lot of people, particularly people who are in senior decision making roles and they're not immersed in this. And so that's one of the reasons why I recommend your podcast to people who don't practice cybersecurity every day or don't have that background because you just make it accessible. You make it real.

Jack Rhysider: Yeah. And I-

Jake: I fully agree.

Jack Rhysider: Okay. So another reason I made it was because I was working in IT security. I was doing security engineering work. And my manager came to me and said, I think if we got breached, it wouldn't be that big of a deal for us. We would be able to clean up pretty quick. And I just realized at that moment, I'm in this alone, my management and everyone above me, doesn't understand the importance of security. And so I also make the show to try to convince people to take this stuff seriously. It is a big deal. Even if you think you don't have intellectual property or money that can be siphoned out somehow or whatever the case is, people's stuff can be stolen and posted and it just can ruin morale in the office and it can ruin trust with your customers and all these kind of things that you don't think about. And so I like to really highlight all these, this was why the CEO had to get fired for this particular thing, because they weren't putting the right assets in place to keep things secure or whatever. And it's really interesting to see how, how things get affected, how companies can get affected from this as well. So I do it for my manager who didn't believe in security.

Kip: And do you have listeners who actually tell you like, Hey, your podcast is actually helping me have a better conversation with my bosses.

Jack Rhysider: Yeah, yeah. There, there was times where they couldn't get the budget passed and then they gave the podcast to their boss and their boss is like, okay, you have the budget. Go for it, make it happen. So that's kind of fun that way.

Kip: That's pure magic.

Jake: It's great. And I think, what I really like about your format is at one, I'm just going to say it, it takes a lot of preparation. And I think people should understand just how much work you must do to put together a single episode. Kip and I, we've made what, 92 episodes, give or take?

Kip: Yeah.

Jake: Basically using the radio show format. It works for us. But your podcast, even if we put aside the time spent just kind of doing the production values, the research. Maybe if you could just give us a little bit of an idea about how much time does it take to put together your roughly hour long episodes.

Jack Rhysider: Yeah. I mean, it takes a good 40 hours of human hours. And the first half, the first 40 episodes or so were all done by me. But now I do have some researchers and some producers and stuff to help out. But yeah, there's a ton of research that goes on. I mean, like the case of the LinkedIn thing, I think it was hundreds of... It was like a six day court case. So I had to read six days of transcripts, that's six hour days. Right? So, yeah. Going through all that. So yeah, it just takes a lot of that.

Kip: And we're going to talk a little bit more about that particular episode in a couple of minutes, because we want to actually ask you some very specific questions about three very specific episodes. I wanted to ask you, you said you worked in cybersecurity and I believe you worked in a security operations center. And how does that experience that you had, aside from the fact that what you just kind of said a moment ago that your bosses weren't necessarily supportive and so forth, but the technical work that you did, how does that inform the podcast that you make now?

Jack Rhysider: Yeah, I mean, I don't want an after school special version of this. I'm very technical. And so I want to hear what was it that this hacker did. Right. And if they just found a password written underneath someone's keyboard, I want to know that. If they used a proprietary nation state hacking tool, I want to know that. Right? And so, I'm fascinated with the tech that's involved, but at the same time I can navigate this world to know when that was an important step. Like, if the police were the ones who infiltrated that network, well, that's a big deal that the police were able to do offensive work. Right? That's not common. What happened here? How did the police break into this network?

I get what the landscape is like, because I've been to a lot of conferences, I've seen lots of customers' networks. I've done that for 10 years. And that absolutely gives me the leg up on being able to understand this world and what's important and what doesn't smell right and all this kind of stuff. So yeah, it helps tremendously.

Jake: So Jack, you've published some amazing episodes, quite a few. And we want to ask you some questions about three relatively recent episodes that we think our listeners will specifically enjoy. And the first one is number 98, which is quite recent, Zero Day Brokers, which focuses on the weaponization of vulnerabilities. And you did this episode with Nicole Perlroth at the New York Times. So, why was she your guest and how did you get connected with her?

Jack Rhysider: Yeah, so I mean, the episode titled, Zero Day Brokers, and this is people who create zero day exploits and then sell it to governments around the world. And I have been able to reach a lot of people out there. For some reason, black hat hackers are fine telling me their stories. Penetration testers are fun stories to listen to because you get to hear all the social engineering tricks they use to break into buildings and stuff. But some stuff that I just can't seem to get people to talk about are when, you're a zero day creator, you're creating exploits and then selling it to governments. This is very secretive kind of world. And there's people who are bounty hunters, they're fine telling stories. And there's people who even go and compete at the zero day initiative and stuff or something like that. And they're fine telling stories too.

It's just the ones that are selling it to governments that are like, nope, can't talk about that. And the thing is, is that Nicole Perlroth wrote a whole book on that and she went around the world, trying to meet these people who make these things, to Europe, to South America and did quite a lot of meeting with people who actually create zero days and sell them to governments. And that, yeah, I wanted to hear her experience of doing all that. And of course she has this book out and it's just really a fascinating read to hear how the whole trade market and stuff is going.

Kip: Oh my gosh, that is such an important topic. And I agree with you, it's wildly underreported. So much of what's going on these days actually very, very underreported. And I didn't even really know that Nicole had this book out until I listened to this episode that you did. And my goodness, it really got me excited to read her book. And so it's on my list now. And so again, even somebody like me that works in this industry, I appreciate your podcast because it's actually connecting me with really important bodies of work and the people who are doing that work.

So let me ask you about episode 91. And I know you're over a hundred episodes at this point. So congratulations on that. Jake and I know that's no easy thing and we don't put anywhere near 40 hours into making an individual podcast episode. So like, oh my gosh. But episode 91, Web Jedi. And so this is a blue team episode, which as you pointed out when you introduced it, it's like, you often talk about red team, that is to say, the people who do the exploits and who test defenses and that sort of thing. But 91, you talked about defenders and the kind of work that you did because you were a blue team, right? When you work on a security operations center, that's a blue team thing.

And I found the whole episode to be really dramatic, also grounded in reality, right, because this came straight from Web Jedi's notes. And I thought an entire season of Mr. Robot could be written just based on the things that Web Jedi had experienced on, on the job. But I was curious about how did you know, because you take a journalistic approach to this, right, so you want to know that what reporting is authentic and that was a lot of stories. How did you authenticate those stories? Was it just out of the journal or was there more that you did?

Jack Rhysider: Yeah. To give more context, Web Jedi is Amelie Koran and she came on the show to tell a story about, I don't know, it was like a decade ago, when she was working at the World Bank and there was a breach at the World Bank. So that's a big premise to start with. Right? There's a hack at the World Bank. Wow. Tell us all about it. Right? And so she walked us through, step by step on how they discovered it, what their first response was, how they figured it out, and they turned out, it was real... It's got some twist to it. I don't want to give it away. So the thing is, is that, that's episode 91, right? So at this point I've been around for a while, a few years, three years, and it's gotten some steam. So people are giving me recommendations and Amelie has such a strong background. I can't list her accomplishments, but something like-

Kip: She's got a great website where you could go to and see them all. She's very transparent about it.

Jack Rhysider: Yeah. I mean, she's worked in a lot of different places in Washington, DC, for federal government and commercials and commercial entities, and just has a very strong background. So to start with, right, you got to see, is this person... Where is this person? Are they in that field? Are they straight and narrow? And she has just all the credentials you can imagine. And she was given to me by someone who I highly trust, right, and this person's like, you got to get Amelie on the show. So, you go with someone you trust and you find these people and then you look at their background and they're very trustworthy. And yeah, I mean, she's got the history of being a very helpful teacher and very honest and straightforward. So I went mostly with that.

On previous episodes, what I'd do is I look at news articles to confirm stories, which there were some news articles about the World Bank at the time, which confirmed some of the points that she was making. And I will call up other people who might have been involved, maybe sometimes their parents or their best friend, if they're in jail or something. I've called people's best friends before and said, yeah, tell me what happened to this person. So, I'll do my due diligence to see what I can. On this last episode, episode 101, about Puerto Rico, I actually called around in Puerto Rico to see if I could find some extra information on this and yeah, got some info. So.

Kip: Do you like doing that work, the actual digging and the verifying sources and stuff? I mean, that's just like straight up investigative journalism, right?

Jack Rhysider: Yeah. It is. It's really hard. I don't technically like a lot of the aspects of making it, but I love when it's done and I can listen to it, because like I said, I make it for me. So when it's done, I just feel so satisfied that I put all this work into it. So it's kind of like running, I hate doing it, but when you're done with it, you're like, okay, I feel great about being able to push myself through something I don't want to do and my body is better about it and everything. So it's one of those love-hate kind of things.

Kip: Yeah. I totally get that.

Jake: And I think the interesting thing about Amelie's episode, the Web Jedi episode, is that she actually had what I, as a lawyer, would call contemporaneous records, right? She had all of these blue team notebooks that she had apparently back in the day, before all of the iPads and the iPhones, paper notebooks, which of course have the side benefit of being hackable, though they can be destroyed easier. And so she had all of that. And I assume that that was a big part of kind of reconstructing the events and telling that story and working through that episode with her.

Jack Rhysider: Yeah. That helped a lot. It was really nice for us to stop and look in the book to see exactly what was the course of events and stuff. So yeah, that does help. And sometimes people share these notes with me privately and I'm not going to publicly publish some of this stuff because there's names and IP addresses or whatever that don't need to be published. But I do want to see it to confirm some things.

Jake: Yeah, that's good. So, another, I think, rig and relatively recent episode, 86, the LinkedIn incident, and this has already come up a few times, really talks about how specialization has taken hold inside the cyber criminal world. Now to do this story, as you mentioned, you had to read, I mean, gosh, a six day court hearing or a trial can produce hundreds and hundreds of pages of court transcripts. So I'm curious, how did you cut through all of that testimony, and what must have been a whole bunch of legalese sprinkled here and there, and then make sense of it all?

Jack Rhysider: Yeah. What's funny is that the legal side of it doesn't understand the technical aspects. So they don't have the good questions that I'm like, please ask this question next. You have to ask them, what was the... You totally skipped over... And so, the legalese is really easy to get through. It's the technical bits that, they don't ask the right questions, anyway. I mean, a lot of that legalese is garbage. They use three paragraphs just to say, you're guilty of these particular crimes or whatever. Right? You can sum it up. So a lot of just skimming. But yeah, it's finding the characters that are involved. So basically when I'm building a story, I like to come up with two pages to start with, right? A timeline of events and a set of characters, right?

Who are all the victims, who are all the attackers and who are the special agents from the FBI investigating this? And then when I have those pieces, then I can start looking through the transcripts to see when did this person talk and what did they say? And then who are all these other people that got interviewed and what are their areas of expertise and why would I need them? So, once you have these pieces in place, it's just a matter of reading their testimony and filling in the gaps.

So yeah, that one took a while just because I had to go through a lot of, like you said, hundreds of pages. But you can go through it pretty quick. Not pretty quick, but I mean, it's not like a reading-

Kip: It wasn't as much of a barrier as it might have seemed.

Jack Rhysider: Yeah.

Kip: Which is why we wanted to ask the question.

Jack Rhysider: Yeah. And well, this is kind of where I like being, is having notes scribbled all over my desk and a map on the wall and with strings connecting, okay, so they were from here and then these were the three victims and all this kind of stuff. And I just get into it and I have encyclopedia open to look up certain terms and 40 tabs open.

Kip: Did you like going to school when you went, did you enjoy school, because this sounds like a research assignment, right?

Jack Rhysider: Yeah. I mean, I didn't really like writing in school and I didn't like research assignments, but I do like going down rabbit holes and seeing like, wow, this is something... Because I mean, some of these stories aren't concisely talked about in Wired or Rolling Stone or wherever you might read a long form thing. Right? So you've got to really do some mining yourself and that's kind of fun. It's kind of exploring something that not many people know about.

Kip: Hmm. So that's not really all that different from getting a book on Linux and then installing it yourself and exploring it yourself and trying commands and seeing what'll happen and string them together. I mean, conceptually, it sounds very similar.

Jack Rhysider: Well, yeah. And I think you have to have that sort of interest just to get into tech. You can't just listen to what you're supposed to do and do it and be done. You have to say, but wait, what if I changed this parameter? And you have to just be curious constantly.

Jake: Yeah. I think one of the biggest barriers for people with just computer usage in general, is fear. I don't want to screw it up. What do I do? And so, they don't play. Right? I think play is probably the most important mechanism for learning how to really use all of this technology that we have. And Jack, I think what's fascinating and we'll get to kind of some of your favorite episodes here in a moment, but so as a lawyer, and I've done a few trials and I've done a fair amount of litigation kind of back in the past, one of the things that we talk about when we're developing a case is the story of the case, right? The best cases, the best lawsuits are put together like stories.

And what I find so wonderful and why I think your podcast is such a great resource, is that that's exactly how it basically takes all of these incidents, which, as I think you would appreciate more than most, are combinations of personal and technical and corporate behavior and actions and activities and you put them together in a way that really does, I mean, it could be a TV... There could be the Darknet Diaries, the TV series, right? An episodic kind of TV show where you could dramatize all of this. Even more-

Jack Rhysider: And maybe there will be.

Jake: Than you do just on the podcast side. And I want everyone to understand, because I don't know how much overlap we have in our listenership. We should have total overlap. Well, everyone who listens to us should listen to Jack. I don't know if everyone who listens to Jack should listen to us. We're probably even more niche. But the reason I say that is that so often in our world, in the way that we work with our clients and our customers, we find that people don't understand what's happening in the cyber world in a breach, in a hack, because as you said, so rarely are the details made public. And even if they're made public, they're not really accessible.

And so my kind of homework assignment for our listeners is, if you're in a situation where you're working in cyber security and you need to get leadership's attention, use this resource, use the Darknet Diaries, because it will allow you to humanize and dramatize cybersecurity reality in such a way that executives and quite honestly, most of my lawyer colleagues can understand it and grasp it and really appreciate that a lot goes on behind the scenes. It is not quick, it's not simple, but it is fascinating. And I think it's just such a wonderful resource. So I thank you for all the work well that you put in.

Jack Rhysider: Thank you. Yeah. I think hearing just the breaking news doesn't do half of these things justice, you really have to slow down, go back and do a full case study on some of these breaches. And like in the case of LinkedIn, one of the engineers who worked there had his home PC hacked and got into a VM of his home PC. And then they escaped out of the VM to get into another part of his PC. And then that part was connected to the VPN to go into LinkedIn. And so understanding these little nuances is so much more helpful to us than just hearing LinkedIn was breached. And we've got to be more careful. Like, well, be more careful and what?

Kip: How exactly?

Jack Rhysider: Yeah. So getting those details are very helpful. And unfortunately, a lot of these companies who do get breached, don't give us those details. In this particular case, because the guy who did it was saying not guilty, not guilty, they took him to trial and that was the only reason why these details came out. There was multiple LinkedIn, including the CISO of LinkedIn gave testimony of how it happened so that they could say this. But if that guy would've said guilty and not all this, then we would've heard none of those details. And it would've just went to the grave. And that's what I'm trying to bring into the surface here, is these things that just so happened to be like, oh, okay. We do know what happened here. This is great. Let's talk about it.

Kip: So lawyers actually helped us.

Jake: [crosstalk]

Jack Rhysider: Yeah.

Jake: Hah. We did.

Kip: All right. Lawyers actually helped. Okay. So Jack, now, we've shared with you three episodes that really caught our attention, but I'd really like to know one or two of your favorite episodes. What's your most favorite episode? I mean, you got a hundred children, right, is it fair for me to ask you that?

Jack Rhysider: Yeah, I do. There's some that really make me feel like I did what I had in my mind. Right? So, starting the show, I was like, I want to hear from the trenches, from the cyber trenches, what it was like when you first had to deal with that, or from the hacker's perspective, why'd you just break into this thing? And a few really just... Like for instance, the one called Operation Glowing Symphony, I was at DEFCON and got a tap on my shoulder and it just happened to be someone from the NSA who said, do you want to hear a story from the NSA? And I said, yes. And we got official approval from General Nakasone. It was all the way up the chain. Let's have the NSA come on Darknet Diaries and talk about this time where they hacked ISIS.

And so many of the details, right, like the recon, the infiltration, the war room, what it looked like, their go... Cleared hot, actually, what happened when we got the, okay, how the approvals got in, how they named it, Operation Glowing Symphony, and then what kind of targets they had and what kind of destruction they did and how they got out and what their ongoing campaign was. This is something I previously have never heard NSA admitting to any hacks ever. And then here is someone representing the NSA coming on, it was actually cyber command, but that's just kind of a branch of the NSA, talking about how they did it and fully approved.

Actually, when it was done, I sent the audio back to NSA and they said, okay, take this out and that out because that's, means and measures or something, that thing you said, we can't have that on the show, but otherwise everything's fine. So I just took it out. So there are people in the NSA who listen and like the show and were able to kind of fast track this through as opposed to somebody who the NSA doesn't know anything about, saying, podcast? What's that? So I was just really lucky to get that access and have people who are part of that unit that were fans of the show, that wanted to hear it on the show. Right? So that one is kind of just, wow, I can't believe I actually... When you get off the phone with someone who, after they tell you the story, you just kind of full of emotion. Like, whoa, I can't believe I just captured this audio. This is going to be such an amazing episode. So, that one is great.

And another one that is always one of the best in my mind is Xbox Underground. And this is a story about how a bunch of hackers broke into video game companies all over. I mean, pretty much every video game company you can name, they were in it. And the story is just so ridiculous. Just for me to say that, like how, what? Every video game? Kind of like Blizzard, Valve, Zemi? Yes. Just keep going. Even they got into Disney at some point. And yeah, it's such a mind blowing story. But the thing that makes it fun for me was that I interviewed three people who were involved with this and got their voices on there.

And you can hear the difference in the way they think about what their mission was or what they were doing and what their attitudes were. And when you bring the attacker's voice on to talk about why they broke into all these places, it just gives you a sense of connection and empathy or something that you just don't ever hear. You don't ever hear. I mean, even if it's a written article and they're like, well, we interviewed the hacker who did it, you don't hear what their voice is like, you don't hear their anything. So, hearing them explain why they did that. And three of them, right, usually I can only get one to talk, but hearing three of them was just such a mammoth task for me to put all these interviews together. Because I interviewed three, not all at the same time, but at three different. And it was just a really difficult thing to do, but it turned out to be the most downloaded episode out there.

Kip: Wow. Gosh. I could see why you like these two and there's something you said about this last one that really, really resonates with me in my work. I really am stuck on that point. This idea that X, Y, Z was hacked. Okay. That's not enough. Right? Because I think for people to take cyber seriously, it has to be humanized. They have to know that there's people behind all this stuff. These are not just random weather events. Right? This isn't just physics rearing its head every now and then, oh, well, another phishing email. I guess that just happens. Right? No, there's real people behind all of this. So when I talk to people about it, I always show the people when I can, like whether it's an FBI help... Help wanted... An FBI wanted poster or a photograph, or if I can name names, I do that. Not to shame the people who do these things, but just to make it more real. So yeah, that's super important. I'm glad you do that.

Jake: Well, and I think to kind of going back to something I meant to add is, and I've said this before, I say this a lot when I'm speaking with audiences that are not technical, right, I think the Darknet Diaries are even more important if you are not technical. And the reason for that is that I think people have a hard time, particularly in the cyberspace, even kind of conceptualizing and having any frame of reference at all. One of the things I've said in the past is, look, everybody can begin to imagine how you might break into a house, right? We all live in the physical world. Everybody understands the concepts of doors and locks and windows and climbing a building or smashing a window or picking a lock, you can't help but understand these things intrinsically just by living your life.

Not so with cyber security issues, right? For so many people, all of the technology might as well be a magic black box and everything from a cellular connection to simply downloading a file across the internet, it happens, but I don't really have any idea how or why or what. And when you are in that space mentally, and particularly if you are a decision maker in a company, particularly a non-technology company, I mean, Kip, you and I've worked many incidents where the victim was not a tech company, right? Far from it.

Kip: Right. They're a mortgage broker, they're a social services agency. They're-

Jake: Manufacturing.

Kip: It goes on and on. Yeah. Manufacturing, goes on and on.

Jake: Agriculture.

Kip: Yeah.

Jake: And the issue that the decision makers have there is, they don't have enough context to have the imagination to understand what can happen. And the Darknet Diaries and Jack, this is just, I think, one of the best things about it is, you don't have to be technical to listen and to get a sense of how things happen. I'm just curious, what's your reaction to kind of hear me say that?

Jack Rhysider: Yeah. I mean, I thought about it a lot of times where I got to pick a side of the fence, right? Is this for technical audiences or non-technical, and I just have not quite picked that side. I like both sides. I want to be interesting to technical people, but I also want to bring the non-technical stories to them. And I think I do both. It's really difficult to do. And I'm glad I do, because I think a lot of people who would not have really understood this or something... People are telling me all the time, they've quit their job to go learn cybersecurity to start doing this kind of work. And I'm like, wow, that's crazy. Mechanics or pizza delivery drivers. I don't know.

Kip: Yeah. Beat cops.

Jack Rhysider: They just didn't have a place in their life and now they have a direction because of the show. Yeah. It's great.

Jake: I think you walk that fence very well. Please don't change too much how you do it because I think the temptation I think could always be to be less technical and have less detail, but that's where so much of the richness comes from. And it's okay if, as a listener, if you don't understand all of the technical. Being told that it exists is enough. I mean, there's a lot of information that one can go get, you can waste a lot of time on YouTube if you want to learn more. But I think it's a great balance and I just am very much appreciative of how you do it.

Jack Rhysider: Yeah. I think the thing is when... I'm surprised at how technical everyone is. Here's the thing, everyone's like, oh, I don't know anything about computers. Like my dad or my grandparents, whatever, they just act all like they don't know anything. Then I put out an episode and I feel like it's really technical and I'm like, sorry, I just couldn't get over this. It is just a really technical episode and they just come back and they're like, that was the best episode yet. There's nothing that's going to beat that one. And I'm like, how did you understand any of that? That was just over like a lot of people's heads, but you got it. And so, people are just a lot smarter than we give them credit for as well. And I think they can handle it. I don't like to dumb it down for them.

Jake: And I think it's that, that people are smarter than they think they are and they can handle it, but it's also you. It's also how well you bring the stories out and explain things.

Kip: Yeah. I agree with that.

Jake: It's a good combination.

Kip: Yeah. I absolutely agree with that. I don't think these episodes are too technical. So yeah, it's just fantastic.

Well, obviously we like Jack and we like the podcast and we talk about what you do, Jack, with our customers to help them cope because they have all kinds of... Normally we're working with senior decision makers. Some of them are technical, most of them aren't and they're just... In fact, if anything, they're taking too much of what they know about the real world and projecting it into the digital world. And I think that's how we ended up with perimeter networks, for example, because people thought, oh, we'll build a fence, because that's what I would do if I was going to protect my building, right? As I'd build a fence, I'd put some barbwire on top of it. So let's do the digital version of that.

And that's utterly failed. It might have worked okay in the beginning, but now, I mean, that's a completely ineffective defense these days because of the new types of attacks that are going on. So anyway. So listen, as we wrap up the episode, Jack, thank you for being our guest. And do you want to just say anything about where people can find you on the internet or where they can drop off story ideas or just anything?

Jack Rhysider: Yep. I mean, I'm on any search engine you can pick, Darknet Diaries and you'll find me pretty easily there. But yeah. I mean, stories that I have trouble finding are ones where a company got breached and they typically don't want to talk about it. There's a CEO that emails me once a week, "I'd like to come on your show and talk about an expert opinion on us in that." And I'm like, tell me about the time you got breached, because you probably did and you probably didn't tell anybody about it and come on to my show on that. And they never respond. So yeah. I mean, stories like that, I think, are kind of rare. So I would love to hear people's inside moments of what happened there, especially from leadership's perspective.

Kip: Yeah, absolutely. Well, I hope, anybody in our audience, if you've been hacked, take a deep breath, reach out to Jack and turn it into an episode because you're going to be helping a lot of people in the process. It's going to make a big difference to a lot of other people's lives. So, if you like doing that, if you like having impact, I think you should reach out to Jack. But that wraps up this episode of the Cyber Risk Management podcast. Today, we went deep into the Darknet Diaries podcast and we did that with its creator and our guest Jack Rhysider. We'll see you next time.

Jake: See you next time.

Speaker 3: Thanks for joining us today on the Cyber Risk Management podcast. If you need to overcome a cyber security hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein

Newman DuWors LLP

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.