The Job Security Cybersecurity Podcast

Episode 8: Early Adopters

Expel MDR Season 1 Episode 8

Host Dave Johnson and co-host Ben Baker sit down with Greg Notch, Chief Security Officer at Expel, and Jay Beale, CEO and CTO of InGuardians, for the first installment of the Early Adopters series. Greg and Jay share how they stumbled into cybersecurity before it had a name, built tools and standards that didn't exist yet, and found that the same curiosity that makes a great practitioner also makes a surprisingly good leader.

Key topics & timestamps

How they got started (1:41 - 8:15)

  • Jay: Unix sysadmin at a university, suspected a hacker, wrote a hardening script, fell into Bastille Linux
  • Greg: broke copy protection as a kid, became the NHL's first de facto CISO after a real incident made it real
  • Dave: exploited a NetWare login screen at age 11 to print for free; attended HOPE 2000 with his dad at 16

Building security before the frameworks existed (18:55 - 21:00)

  • No CIA triad, no NIST, no SANS certifications—just BBSs, Bugtraq, and people sharing what they figured out
  • Aleph One's "Smashing the Stack" first appeared as a plain text file on a BBS
  • The early community wasn't malicious—there was nothing to steal; it was a pure pursuit of knowledge

Hacking is QA (17:21 - 18:01)

  • Jay ran the QA department at Bethesda Softworks in high school before it became the Elder Scrolls company
  • Offensive and defensive security are both about asking "what happens if I do something unexpected?"

Curiosity as a leadership advantage (24:59 - 27:10)

  • The same systems-thinking that makes a great practitioner translates directly to leading people
  • Greg's test: ask aspiring managers what books they've read—most name a Python book, not one on team dynamics
  • Empathy is a skill, not a personality trait—and it's learnable the same way technical skills are

The one thing that hasn't changed (30:49 - 31:12)

  • With sufficient motivation, time, and effort: they're gonna get in
  • 100% failure rate—always has been, still is

Key quotes

"For all of us defensive security people, for all of us offsec folks—we're kind of QA folks who found a way to make it cool. What are we doing? We're looking for ways to find out: what happens if I put in input that might be unexpected? It's a very, very related job. We just get to have a lot more fun with it." — Jay Beale

"Curiosity is a major advantage in leadership. But the system you become curious about isn't hardware, software, networks—it's human interaction. Team dynamics. What motivates people. My memory corruption vulnerability now is: how do I motivate someone during a one-on-one?" — Greg Notch

"Curiosity killed the cat—but the part we forgot is 'satisfaction brought it back.' We are very much in the satisfaction brought it back category." — Dave Johnson

Production credits

  • Hosts: Dave Johnson, Ben Baker
  • Producer: Ben Baker
  • Sponsor: Expel Inc.

Greg Notch:

We had a situation where we had a malicious insider, somebody who was writing the thing that crawled and built the index that you would search against. And they fired this person, but he had written a back door into his code. The back door allowed him to destroy the index, which set the company back, right? Like, it was a real business impact, and it was the first time I ever saw business impact for a cyber security incident. I was up close like I did. I worked on the investigation with the team like that was doing what we hired folks from the outside who were professionals to come in and do the investigation. But I was, like, a front row seat to that. I was like, this work is interesting. The defensive side of this is actually really interesting. It's a much harder problem than offense in some ways, and I saw the consequences, like, up close, I was like, oh, and so. And it kind of informed my opinion. Like, yeah, the offensive and, like, breaking machines is cool, but the defensive side is also very, very interesting. I better keep that in the back of my mind.

Dave Johnson:

Hey, this is Dave Johnson, and I'm Tyler Zito. Welcome to the Job Security podcast. We're here to explore the unique perspectives and stories of the people who make this industry what it is, whether they realize it or not. The Job Security Early Adopters series is a showcase of unique and talented individuals with great stories about the early days of cyber security. As you know, early adopters generally represent about 13 and a half percent of the people who have started to enjoy a new technology, and some of us go back a ways into the early days of the internet. Some of us were there when the first firewall was lit. With me today is Jay Beale, who has a storied background, including tool building like Peirates. Am I saying it correctly? Yeah. Peirates, sorry, it's a great word. Bastille Linux, to name a few, many, many training sessions, running companies as the CEO or and CTO like InGuardians, and thoroughly enjoys helping companies by breaking into places to make sure no one can break into those places. And Greg Notch is a seasoned veteran of cyber leadership and conference community member with only over 20 years of direct experience, including one of the most challenging gigs in the CISO seat being the CISO for the NHL. Jay, Greg, good to have you here.

Unknown:

Yeah, thanks for having us. Hey, good to be here.

Dave Johnson:

So I want to start with primarily one question: what was your earliest memory in cybersecurity?

Ben Baker:

Jay, you go first.

Jay Beale:

Oh, don't make me go first. Wow. Let's see. So I was working at a university, and I was actually a grad student. I was a PhD student in math, and I was also working in the computer science department as a research assistant, but on the side, I was being a Unix sys admin for the math department that I was studying in, and I was having a blast, and I was learning a lot. I was basically plowing through like an O'Reilly book and everything I could find online as fast as we humanly could. And so I was having this experience where it's like, wait, I'm pretty sure we got a hacker in here. And my boss was like, Well, I don't know. It doesn't seem to we can do security later. Right now, I want to make sure we have a good inventory of all the of all these systems that we have in the department. And I'm like, oh my god, the priorities. I don't get it. I mean, nowadays, actually, Greg could probably tell us why that might have been a really good idea if you want to do incident response.

Greg Notch:

Yeah, the GRT team showed up into the security program early, yeah.

Jay Beale:

So anyway, it was the like, well, or the, you know, it's like, hey, if we're gonna find ever where this person is, maybe we should know what we have and doing an inventory. Perhaps, I guess, to put the best face on, it might have been the early face of threat hunting. But anyway, I was, I was not. I didn't really love the priority there. And I was, as I said, a PhD student in math, and I've been going, oh my god, I'm going to date myself. Yes, at the stage. Well, I've been going to these things on Friday nights where people watched Babylon 5. So I've been going to these parties with other people who liked this show to watch the show. And started talking to somebody, and I was telling him everything I was doing with Unix and Linux. And he's like, that's really cool. That's kind of my job. I don't know if you'd ever be willing to, you know, leave the university, but would you come and meet my boss sometime? So I came to meet the boss and the boss then hired me on the spot. And I'm like, Okay, I guess I'm leaving university. This sounds really fun. The boss said you're going to be a Unix system administrator, sysadmin, and since you have a special interest in security, we'll let you do security projects. And my special interest was just, I'm like, I was talking about my frustration that we weren't trying to track or repel our hacker. And so boss was like, Okay, so for the first two months. Yes, you'll do our security projects. We got a little backlog list. Was like, Sure, and I don't know I got two, three weeks in, I'd finished the list, but they'd already added more things to the list, and over time, it was just like, Okay, I guess he's our security person. And so they pull me in, they'd be like, a vendor wants to sell us something. Can you see if that's a good something? And I commented list for the whole thing, and be like, perhaps Anyway, well, we'll save what I thought of some of the products, but for later, if you like. 
But all of a sudden, I'm the security person. My job title never changed after me. I think once we started hiring a team for security, people started getting security titles. But security was, like, really common back then, and this is so long ago that I'm afraid to tell you that it was, it was 1999 and back then. Yeah, at least half the people I ever met working security, if not more, didn't formally have a security title. They were just, they were just a technologist in some area or another, and they were filling some needs. And so my, for me, part of my story there was that at that university, one of the things they wanted me to do is to write a hardening script. It's not something to take a Unix system and lock it down. So I wrote a hardening script. It was, you know, to understand why you need it. Like if you took a Solaris system and you just installed it base install, you had like, 65 ports that were all listening, and they had all kinds of services. And so if there was a vulnerability in any of them, even though you weren't using 55 of the 65 that were running, you were just rolling dice on whether you were going to get popped. Sendmail, yeah, absolutely. Well, you're, you know, and I'm at a university, at universities routinely back then, everything would have a public IP address. You could NAT, but universities had gotten on the internet early enough that they had enormous blocks of IP space, so they gave everything, and I a direct and internet accessible IP address and did virtually no firewalling. So yeah. So I wrote us, I wrote them a hardened script, and then I found out at a SANS conference, that there was a group of other university folks, led by the now late Jon Lasser, who was trying to make a Linux distribution for universities that would be like Red Hat but like Red Hat Linux, but locked down. 
And so when I met Jon, and he's like, Well, if you've written hardening scripts, maybe you could write the script that would just take an existing Linux distribution. Because this is taking us a while. We're finding out Linux distributions are a lot of work, and so I wrote that script and ended up being really useful all over the place. That's kind of how I got into security. My first memories was just basically falling into it because I was interested. And then having some like being having that really lucky situation where people are like, okay, you can keep doing that thing you're passionate about, because we have need and, yeah, sure, fine.

Ben Baker:

It's really interesting to me. I feel like that's a common story that you hear a lot from people who've been in security for a while. You know, cyber security is sort of an evolving discipline. People are for a while there they were trying to figure out what it was and how to go about it. And a lot of people seem to kind of fall into that, and before they know it, you've been swimming around in the water, and before you know it, you're like, Oh, this is Oh, this is what I do now. I guess I'm the security guy. Greg, you know, when we were talking yesterday, it sounds like, in some ways, that's your story as well. Tell us about how you got into cyber.

Greg Notch:

Yeah, sure. I mean, even more similarities than we than I thought. I also was recruited out of college to be a Unix sys admin, and that was how I started my entire technology career. So, you know, separate, very congruent story there, I was trying to decide, like, how far to set the Wayback Machine. Because, I mean, my first computer experiences were all like, oh, this system's cool. How can I break it? Like, Oh, yeah, make this do something that it's not supposed to do, whether it was copy, removing the copy protection of it for a game, or, like, getting access to something that I shouldn't like. I definitely started there, and even as I, like, began my, you know, technology career security was always the job of the people that were running the systems, or the networks, particularly networks, but also systems like you were, you kind of at least a certain subset of people were all about like, Well, wait a minute. How could this go wrong? And how do I keep that from going wrong? And, you know, Clifford Stoll's The Cuckoo's Egg, and, like, early, early stuff, you're like, Oh, well, that could actually happen. I don't know how far back to set the Wayback Machine, like, go all the way

Ben Baker:

back, all the way. Hot Tub Time Machine, baby. We're going all the way,

Greg Notch:

all the way, like, cracking game style, Apple TV. Yeah, sure, maybe in college, like, writing a kernel exploit for NeXTSTEP that bypassed NFS security controls. Or maybe, like, you know, later on, some Solaris hacking here and there, just maybe working on the Xbox Media Center team, doing things where systems were, you know, they were vulnerable and needed. And was interesting how the machines would fail and how you could get into them. I mean, on the professional side, I think really my security career began, this is, I guess, a story I can tell now. I was working for AltaVista, for those of you who are old enough to remember the time before Google and I worked on the team that built data centers for them. So like infrastructure and networking. Again, like everybody's side hustle, if you did networking and infrastructure, was security. You always had that component. And we had a situation where we had a malicious insider, somebody who was writing the thing that crawled and built the index that you would search against. And they fired this person, but he had written a back door into his code. The back door allowed him to destroy the index, which set the company back, right? Like, there's a real business impact. And it was the first time I ever saw business impact for cyber security. And said I was up close like I did. I worked on the investigation with the team like that was doing. We hired folks from the outside who were professionals to come in and do the investigation. But I was like, a front row seat to that. I was like, this work is interesting. The defensive side of this is actually really interesting. It's a much harder problem than offense in some ways. And I saw the consequences, like, up close. I was like, oh, and so. And it kind of informed my opinion. Like, yeah, the offensive and like, breaking machines is cool, but the defensive side is also very, very interesting. I better keep that in the back of my mind. 
So build infrastructure for them, and did a bunch of other more like, I'd say IT and systems and networking work for a bunch of companies. I remember at the NHL at one point, it's still like, security kind of hadn't crested the wave where, like, your CFOs and like management cared about it, like it was like something that your tech people kind of took care of. And like, sure, like banks and other rigid industries had this, like, had solutions for this, but it wasn't, it wasn't, like, everybody needed it. And then the Sony breach happened, and all of a sudden, and like, you know, the CEO's emails are like, you know, in the New York Times, and like, people, like, execs are getting fired. And all of a sudden, board of directors, even in I was working in media entertainment at the NHL, right? So, like, all of a sudden other people started to pay attention. Like, oh, well, this has some real consequences. And, you know, I had seen business consequences for cyber breaches before. I just, I hadn't, it wasn't something that was talked about. And all of a sudden it was a problem people cared about.

Dave Johnson:

Yeah, TJX. TJX was a huge one for me. I remember seeing that and going, Wow, that was okay. That's big. That's huge nowadays. That's relatively small in comparison. But yeah, for sure.

Greg Notch:

I mean, and Target, like, there was a bunch of them that had real consequences, and I think all of a sudden, everyone business is starting to pay attention to it. I mean, if I even rewind to the Wayback Machine, I remember when I first moved to New York, and I was a sysadmin, like, I would go to HOPE conferences and go to, like, 2600 meetings and meet by the pay phone in the Citicorp building. And I remember talking to those, but they were mostly Unix system administrators and operators, and then a bunch of like, BBS kids, right, who were like, and they'd all come together and they'd share information. But like, those two streams hadn't crossed, really, for me, I wasn't going to DEF CON, then I wasn't going to the big security conferences. Those streams hadn't crossed me until, obviously, it became real for a business that I worked at, and then all of a sudden it was real. Like, it was like, okay, CFO was like, What are we going to do about this? At the time, the Commissioner of the NHL was like, We better. Should do something. And so I put together this, yeah. I was like, Hey, we should probably hire a person who's done this before. And like, hire some people. And here's some tools you should maybe buy. And like, I don't know it's gonna look something like this. Here's what you should call like. So here, let's go do it. And then they were like, When can you start? And so first security job was, like, on top of my other two jobs. So just like all of the other you know, security being part of a technologist job, like, was like, Okay, I guess I got to figure out how to do this for real now. And that was when all of a sudden, I sort of crossed that like, Okay, this is now something I am focusing more than part of my attention on.

Dave Johnson:

So yeah. So I went to my first HOPE, my first security conference was HOPE 2000 and I was too young to go by myself, so I had to take my dad. Nice. And so he worked at Texas Instruments. He worked for the Air Force, doing aircraft repair, radio repair, etc. And he liked computers. He worked on some early ones and some like punch card based computers and stuff like that and so. So I brought him, and I went to a bunch of conferences and so on and so forth. A bunch of talks, I learned so much, and I found so many other people because I had been doing security stuff for about three years back then. So like, my earliest cybersecurity memory is, so I'm 11 years old. I'm trying to log into a machine. It won't let me. It's got Novell NetWare on it. It's my elementary school library and or middle school. And I noticed that if you click so when you log in, it said username and admin. I didn't have those. But if you right-click on the question mark in the top left hand corner, it gives you a drop down, and it asks you what you want to open it with. And I'm like, What do you mean? I don't know, open with Explorer. And so I selected that, and it opened a tunnel with write access into the rest of the machine, and I could just change all the permissions I wanted, and then I had full access to the machine. I could print stuff for free, which was like amazing, considering the cost of printed materials and then all the other fun things that happened afterwards. But as I got into that more, I started to hear about conferences that were happening. I had just seen the movie Hackers. I thought that was neat. And I was not necessarily the best rollerblader, but I wanted to be, and I knew about Kevin Mitnick. I had read the book, I think, around that same time, and had basically started, like early 2600 meetings and so on and so forth, and then ended up at HOPE 2000 and I learned so much, went to 2002 went to DEF CON the following year. It was all downhill from there. 
Got a job offer from the head of security at Microsoft, and this is DEF CON nine or 10. He's like, hey, it sounds like you know what you're doing, as far as, like, firewall security. He was listening to a conversation my friends and I were having, and he's like, You should come work for me. And at the time, I was like, I don't know. I haven't heard great things about Microsoft?

Unknown:

Well, at the time, you were right, so there's that.

Dave Johnson:

And I'm 16, so I can't technically, like work there yet, or can I, and he's like, Call me when you when you're ready to come work here. And I lost the card. I should have called you signed my working papers exactly. I would have literally needed permission from my parents to work at Microsoft. At Microsoft.

Jay Beale:

I had this weird experience where, like, I was 14, and my parents had gone for job fair for themselves, and they had met people from a small startup that was called Bethesda Softworks, which was a like, 30 person company at the time. And so Bethesda Softworks needed QA people. They needed beta testers. They needed people to play games and get paid for finding bugs. So my parents sent me in, and I went and talked to their lead programmer, and he's like, okay, yeah, so I ended up getting a minimum wage job. I think they actually accidentally paid me five cents below minimum wage for a while, doing play testing, doing QA, and eventually ended up running their QA department while I was still in high school.

Ben Baker:

Oh, man. Because Wow,

Jay Beale:

Greg, it's the like, like, people end up just being like, oh yeah. It seems like you can do some of this, you can do some of this leadership stuff, and you're like, they're like, no, no, just try. You'll be fine. But the crazy thing for me, part of the reason I mention it is like, in some way, that was my first security job, because don't tell anybody, for all of us defensive security people, for all of us offsec folks, you know, we're kind of QA folks who found a way to, like, make it cool. I mean, not that I've ever been cool, but the hoodies and all that, like the massive, like, just way huge cool, like hackers, moving so on. But what are we doing? We're looking for, we're looking for ways to find out, like, Well, what happens if I put in some input that might be unexpected? What happens if I click here? What happens if I and, hell, it's a very, it's a very, very related job. We just get to have a lot more fun with it.

Greg Notch:

I think that was the cool thing about, I think it's still, you'll see pockets of it still, I didn't do DEF CON, or I didn't do a lot of the bigger conferences until much later, but the like you see it now, which was like, these are rooms full of people with effectively insatiable curiosity, like, how these things work, especially early, like, I'm talking pre-Internet, or pre, like, you know, ubiquitous internet, that information sharing, come on, was like, Hey, I found this thing. And like, you're on BBS with people play. And like, Oh, hey, I found this thing. And like, people are gluing stuff together. I remember distinctly when Aleph One dropped, and I didn't even know it was in Phrack. It was a text file on a BBS that I was on about the smashing stack thing. And I was like, holy, okay, those early communities folks, whether they were on the BBS or, you know, near pay phone and Citicorp or at HOPE, or whatever, like, you know, Dave's time, like, you just get a bunch of people who are just insanely curious about how technology works, and a little bit mischievous, maybe a little socially awkward. And that, like, brew of like, it launched an entire thing, and then the internet took off. And then all of a sudden, you know, people who weren't using computers before, like, all of a sudden everyone was using computers, right? Like, everyone had a couple and then all of a sudden, it sort of was like the thing that grew alongside of it. And I just remember those really interesting and intense conversations with my fellow nerds. Wait, did you figure this little piece out? Like, oh, you have a manual for that. Hey, can you share that with me? Like, hey, and like, there wasn't really any, like, like, I go back to Bugtraq again. It wasn't like, Bugtraq wasn't like, a bunch of people being malicious. If Bugtraq existed right now on the dark web, it would be called the Com, right? The malice wasn't there, though. It was. 
Like, these are just people sharing information, and like, trying to help each other understand the systems that they were using. And, you know, sure, there were some malicious actors in there and people, but like, there was nothing to steal, and either right or very little to steal, so it was a pure pursuit of knowledge. And I guess to the title of this podcast, right? It is like, those early adopters that represent, if you want to call it Crossing the Chasm, the early adopters there, like that. There was no well trod path. There was no like, oh, you can go get there was no path, yeah, you can go get a master's in. There wasn't even SANS, right? There wasn't like, you could go a course in pen testing. There certainly wasn't a master's in cyber security that you could go get like, there was none of that, right? It was just like, well, all right, you know, uni. I mean, basically the bar was, you know, Unix. You're a Windows hackers, but there and you were either a networking guy who was like, building an ISP, or you were a Unix guy who was like building, like, scalable systems in some way or another. I don't know if that matches your experience, Jay, but like, those are definitely strongly represented groups

Ben Baker:

and people. You know what I find interesting here, both of you have kind of joked about stumbling into leadership opportunities. But a part of that though, a part of that though, is you both teaching yourselves how to do the job while you're doing the job. And to me, as a non cybersecurity practitioner, those two things, cybersecurity, and you doing that feel connected in a way. In cybersecurity, it seems like you always have to be curious. Always have to be trying to tinker and figure out how things work, and learning and changing, and leadership is the same way. You just need a little bit of charisma. And so it seems like those two things, it seems like you both were teed up well for leadership, just through your innate curiosity.

Greg Notch:

Being a techie make this helpful. But you know, like there are books like Jack Welch and others have written books about, like, leadership and management. There was prior art in a lot of ways. I mean, not that I sought it out, particularly until later, but the there at least was something to grab a hold of like MBAs existed. There wasn't like, here's the set of the body of knowledge. I mean, even the conceptual stuff didn't exist. It was like, Well, how to think about defending a network? There was no MITRE, there was no kill chain, there was no CIA triad. There were no like, you know, 13 domains of NIST 800-53, there was none of that art existed, right?

Jay Beale:

Like, so, I mean, we were early enough in that you got to participate in creating those and creating the kind of like the lists. And the guy the lists became the standards that became the hardened guides. And it's, I don't know, yeah, and I will echo what Greg said on the leadership side, is at least there are lots of books and all that. I mean, like, I, I will say that lot of leadership stuff came up for me. Like, I don't know. It's just, I don't know if this is how it was for you, Greg, but it's also the like, you know, you're a kid in junior high, and there's a group project to be run, and you get chosen to lead the thing. And, you know, it just seems to keep happening over and over again. People are like, yeah, you do it, you know? Like, okay, well, or you're like, hey, I really feel like it'd be better if we, like, actually created a system around how we do this, because, you know, and people are like, yep, that's, that's what you're gonna do. But I think I don't want to claim charisma. So what I will get out of here, what I'll say is, I think for leaders, part of it's that maybe it might be that systems thinking or might be the just giving a rat's butt about something that maybe other people aren't or just haven't found a voice to give, to say they care about, but probably like more than charisma. I think the central, I don't want to call it quality, because I think it's a skill. The central skill might be empathy. You know, it's just the like, actually, like, at least, if you're how's the work that I was? Yeah, 100% my business partners at InGuardians gave me the CEO role a while, but, you know, a few years back, and when they did, I had that same experience. One of my biggest blind spots. I think every leader I've ever talked to has shared this part of experience with me. It's very humbling. Everyone thinks you get some kind of role and you're gonna like, Greg's a CISO. There's no way he walks around just ordering people to do things. 
Actually, the ordering probably happens far, far less than it ever could have at a, you know, at lower titles, he's got it like, it's a lot more of influence, or a lot more figuring what people actually care about and trying to line up what they care. Like, who cares about this with the where do we have a need or and so on.

Dave Johnson:

So, I mean, that's a form of hacking though the self awareness, and then taking your project management skills and then reapplying it to yourself and going like, basically, project manager, project manage thyself. You're leveraging that same insatiable curiosity flexibility of mind, asking the right questions and not being afraid to ask questions. Continue like I think, to me, the most powerful, the thing that separates offensive security, especially in security, from like all other things that have in forms of engineering, is the question, why not? But to me, that's kind of the ethos of hacking. It's like taking one thing and making it do something it was not originally designed to do.

Greg Notch:

Yeah, there's a big difference in mindset between how an engineer looks at a problem and how a cybersecurity person looks at a problem. They bounded in their thinking differently. I want to go back to one thing that Jay said, because it was super important, is like that curiosity is a major advantage in leadership. And coupled with the empathy group, the thing is, the system that you become curious about is not hardware, software, networks, it's human interaction and how groups of people like team dynamics and how they work together, and what motivates people, and all the different kinds of people, and realizing, like, I got to modulate my communication style because they don't all think the same way I do. And like, you learn, like, those systems about people and recognizing that there's like, infinite variation to that. And so it's like, the hardest part of being a leader. And by the way, I think I will say the same things about being a leader for as long as I am was like, Yeah, I do that, still learning. Like, still got a long way to go. Maybe someday I got there. But like, I feel like, the more I it's like parenting, like, the more I do it, I'm like, I know way less than I did before.

Ben Baker:

Yes, yes, thank you.

Greg Notch:

And he's telling early, like, people who tell me now, like, especially technical people who are like, hey, I want to, I want to be a manager. I want to be a leader. I'm like, Cool. Tell me the last three books you read for work. And invariably, they'll tell me, like, you know, some Python book or some AI thing that they've been reading or or whatever. I'm like, Cool. Like, was last book on, like, team dynamics, or, like, about human psychology, or just like, leadership in general. You read and you see, like, a bunch of them are like, Yeah, but like, you know, I'll just figure that out. Like, no, no. This is a whole, it's a whole discipline of its own. And you just watch them, like, like, if you want to get really good at that, you have to be a student of people, teams, companies, finance, even in the way that you were about assembler op codes, TCP headers, and all of the bits and bytes that you were, that you did early career, all of like, oh, how can I smash this stack? Or how, like, how do I this memory corruption vulnerability, or whatever it is, you're like, No, no. Like, my memory corruption vulnerability now is, like, how do I motivate someone during this one on one? Like, you know, it's not a or, How do I find out what's important to them or what they care about and, like, show up with some empathy for where they might be, but still, like, achieve the goals that we're trying to achieve with it the company. Like the curiosity part is super important. I think a lot of people miss that. And I think it gives people who are, I guess hackers are an edge, because I think there's a lot of not curious people. But I think if you were, the percentage of very curious people who work in this industry is very high. So I think that's a kind of a secret weapon. And so

Dave Johnson:

There's an old phrase, I'm sure everybody listening to this has heard: curiosity killed the cat, right? It's an old adage. The part that we've forgotten, this was removed, I think, around the time where we became a specialist society, is the phrase, but satisfaction brought it back. And we are very much in our industry, in the satisfaction brought it back category because we are curious. We understand risk, but we also understand that with risk comes new adventures, new discoveries, and then you move on to the next thing. It's kind of, it can be kind of addictive when you're, say, smashing said stack, and you do that, and you go, Hey, that was actually really easy, or I at least, was able to accomplish that. Now my bar of or my threshold for difficulty is higher, and now I've got to try new things. While I was doing that, I learned other stuff. Or you share it with somebody, and you teach it to them. While you're teaching them, you then learn more things that you hadn't thought of prior because they ask questions that you never thought to ask, which is one of the other things that I see a lot of. And you alluded to this earlier, Greg, there wasn't much as far as ability to find information in the early days. And our early days were the late '90s, roughly, but there were people who were willing to teach and share, and now there's even more than ever, and that, in turn, can teach us stuff. I didn't want to ask so Jay, you and I ran into each other at Black Hat. I smashed into you while you were chatting with Jeff Ben and interrupted your conversation. But we chatted about a couple of things. But do you guys know each other by any chance? Have you crossed paths?

Jay Beale:

Oh, yeah, yeah, Greg and I can't, just can't figure out when we first met because we bump into each other on every so many years basis, and have conversations and then say we better, we need to talk next week, then forget to.

Greg Notch:

If my brain works correctly, which is suspect, highly suspect. I believe it was at an early, like, right when I took on the CCD at the NHL. I started taking a bunch of SANS classes, and I think I ran into you with, like, Ed Skoudis and like, and Larry Pesce and like that cohort early. But again, we're talking, you know, it could be fuzzy, but, and then, you know, at Black Hat

Jay Beale:

and DEF CON, for sure. That sounds about right. They were, they, you're talking about a couple of my mentors. So it would have been following them around. Yeah.

Greg Notch:

I remember the, when the InGuardians folks and like, and SANS were, like, growing in parallel and, you know, and then John Strand kind of did the Black Hills thing. Like, all of those folks were, like, really instrumental for me in, like, starting to put together, like, well, I know a little bit about hacking, but, like, how do you actually, like, handle information security for an enterprise? Like, all of them were, like, super helpful. Well, and again, to the point of, like, the theme here is, like, super generous with their time. I remember emailing Ed, like, endless amounts of dumb questions and like, he would just be patient and like, answer it, be like, Well, don't do that. Like the folks that just were willing to just help, to help, which is amazing.

Jay Beale:

Ed's an amazing teacher, and the bulleted also, like pinpoint down to the most important thing to learn in a given spot is just, is pretty epic.

Ben Baker:

Joe, time check here. We got about four minutes left. I got a question for you, as a non-security practitioner, speaking to two gentlemen who have been in security for quite a long time. No offense, what is one thing that's true about security back when you entered into security, that still remains true today, in an industry that is constantly changing, things are always evolving? You're always gonna get in. They're always gonna get in. 100% failure rate, yeah, with

Greg Notch:

sufficient motivation, time and effort, they're gonna get in

Jay Beale:

very depressing sometimes that way, isn't it? Means our field gets to stick around forever or for hopefully a long, long time. I think it's one that we've we've highlighted over and over again that like so first, it's all about learning. It's all about learning. And you'll end up teaching yourself a bunch, but you'll learn from other people, and then you'll pass it along. And one of the coolest things about what we've done like is that Greg and I both started out on BBSs, apparently, way before I got access to the internet, I was on BBSs, and BBSs were kind of one of those big places where it's like, Wait, what are we doing in socializing here? A huge amount of what we're doing, socializing on BBS is saying, is saying, Hey, I learned this thing. Let me tell you about it, and and everybody else doing the same thing. And I think that's the great thing, like for me, the thing that I you know, when I thought that I was pursuing a math PhD and thought I was going to become a professor and switch tracks, and somebody recruited me, the first question I asked him was, yeah, but, but I'm kind of really, really attracted to university because I want to learn. I want to constantly learn, and I like teaching, too. And, you know, I really like teaching. So if you get to learn in this, this area you're in, or, or do you just like, you have to learn, you know, for the first year, and after that, it's just, you're just doing the same thing. It's like, oh, you're gonna like it here. It's the that's our do you

Ben Baker:

get to learn? Yeah, do you get to learn? Do you get to learn?

Unknown:

And the answer is like, do you get to you

Ben Baker:

have Little did you know, like, constantly, that's exactly right. Yeah. You can't not learn.

Greg Notch:

Yeah, everything that I ever learned and know and knew about software exploitation and network no longer valid. Hi, Dave. Lead us

Ben Baker:

out, man. All right. Well, hey,

Dave Johnson:

thank you both for being on the show. It was really great hearing about your backgrounds and kind of where you got started. And there's a lot to be said for getting in early, and you also get great stories as a result. So that's one of the benefits. Speaking to those people who are now early adopters in AI looking forward to having you on the show in 10

Ben Baker:

years, there you go. Sounds

Dave Johnson:

awesome. Thanks everybody.

Ben Baker:

Thank you for tuning in to another episode of the Job Security podcast sponsored by Expel MDR. This podcast was co-hosted by Dave Johnson and Tyler Zito and was produced by me, Ben Baker. If you've enjoyed what you heard today, please consider giving us a glowing five-star review and rating on your podcast app of choice, and be sure to follow us on YouTube for more cybersecurity content at youtube.com/@expelsecurity. We'll catch you next time.