Summary
In this conversation, Dr. Nestori Syynimaa discusses his extensive academic background and ongoing pursuit of knowledge in the field of cybersecurity. He shares insights on the importance of formal education versus certifications, the life of a vulnerability researcher, and the role of AI in cybersecurity. The conversation also touches on collaboration within the research community and offers advice for those looking to start a career in ethical hacking.
Takeaways
Continuous learning is essential in cybersecurity.
Formal education provides a foundation, but certifications validate skills.
Persistence is key to completing a PhD.
AI can enhance vulnerability research but also introduces new challenges.
Collaboration among researchers is vital for knowledge sharing.
Ethical considerations are crucial in cybersecurity practices.
Bug bounty programs can be lucrative for researchers.
Networking at conferences can lead to valuable connections.
Documenting findings helps others learn and replicate successes.
The cybersecurity field is constantly evolving, requiring adaptability.
Timeline:
00:00 - 03:44: Introduction and Dr. Syynimaa's educational background
03:45 - 06:24: Discussion on the drive behind pursuing multiple degrees and PhDs
06:25 - 09:57: Explanation of Microsoft's Most Valuable Researcher (MVR) designation
09:58 - 13:54: Insights into the process of finding vulnerabilities in software
13:55 - 18:47: Detailed explanation of how researchers manipulate software inputs to find bugs
18:48 - 22:31: Discussion on the potential role of AI in vulnerability research
22:32 - 28:26: The challenges of measuring success in security research
28:27 - 33:05: Bug bounty programs and the economics of vulnerability research
33:06 - 38:42: The ethics of hacking and the importance of responsible disclosure
38:43 - 43:14: Dr. Syynimaa's experience as a CIO managing large infrastructure
43:15 - 48:15: The collaborative nature of the security research community
48:16 - 55:00: Discussion on bug bounty payouts and full-time vulnerability hunting
55:01 - 59:26: Advice for aspiring security researchers and available resources
59:27 - 1:04:26: The balance between ethical hacking and black market vulnerability sales
1:04:27 - 1:07:17: Closing thoughts and contact information
[00:00:00] It is what it is. Dr. Nestori Syynimaa, how are you? I'm fine. Thanks for joining me today. Much, much appreciated. So you are in Sweden? Finland. Finland. Oh, okay. You never should mix those two peoples because... I really apologize. That's strike one on this conversation to begin with.
[00:00:26] So, first and foremost, when somebody looks up your LinkedIn profile, I think I would say the striking thing is immediately to see how much education have you pursued.
[00:00:41] Oh, okay.
[00:00:42] You know, I would just say right off the bat, talk to me about the pursuit of knowledge in an academic sense. Because you were a CIO, but you also, as you progress, you, aside from being a PhD, you also acquired a couple of different masters and you're continuously doing that. So talk to me about the driving of the pursuit of the academic route.
[00:01:11] Yeah, so when I was a young boy, I didn't have any education and I got hired to a company, which was doing like programming. And I quite fast in three years or four years, something like that, I became CTO of that company. And I was part of like the group or the board. And I was like, maybe I need to get some education.
[00:01:36] And then I got a vocational qualification on IT systems. And that took like three months, something like that. And then I went to study business administration.
[00:01:52] So in the next three years or something, I spent in my free time, I was studying as a bachelor degree in business administration.
[00:02:01] And then I decided to continue. So I went to master's degree in business administration or economics and business administration in university. And I did that like next two years.
[00:02:18] And then I decided maybe this is okay now. But then after a year, maybe one more.
[00:02:25] And then I applied to university. And then I applied to the University of Reading and, to be more specific,
[00:02:33] Henley Business School. And then inside that there was a thing called the Informatics Research Centre.
[00:02:38] And I applied there and I was selected to the doctoral program. And it took like five years or something.
[00:02:46] But it was 2015 when I graduated from there. And that was all about Informatics. So it wasn't about cybersecurity as such.
[00:02:57] But anyways, I've done a lot of certification. So I have like 40 or 50 of them, like Microsoft and IBM and ITIL and that kind of like things.
[00:03:12] And then last year, it was 22. Yeah. There was one course, master's course for cybersecurity, Master of Engineering.
[00:03:26] And I thought that maybe I'll just try to apply. Let's see how it goes. And then I got 96 out of 100 points.
[00:03:35] And I was selected first to do that program. And then okay, maybe I need to finish this. And I did that last year.
[00:03:43] And I'm also pursuing another PhD in cybersecurity in one of the Finnish universities. So it's also like, I'm almost done there, but not yet. Maybe next year.
[00:03:58] Yeah.
[00:03:59] And it's very cool because it also aligns with what you do now as being a researcher at Microsoft, like very much so you back up some, you know, well, your research work with your academic work. So it aligns together. But I would say most people, I would say, first of all, like just from experience, most people would just say, you know, why don't I just stop here?
[00:04:25] You know, you know, they do undergrad. I don't know what percentage points this. Some people pursue undergrad and they go a master's. And then only a few of them go to PhD program because it's, I think the challenging piece of it is that you have to contribute something new back to the academia.
[00:04:45] And so, and it is different from masters because first it's shorter in time span, but also you have to have your own driver. It's almost like you, you got to continuously be motivated to finish.
[00:05:01] And there's a lot of people that are doing their lifetime PhD students, meaning that they're, you're smiling because you know it's true. So what, what do you think is the driver behind, behind this pursuit? Is that because you have nothing to prove you, you, you, you're, you know, you've done quite a bit, you've done well for yourself. Like why do you think is, is that some sort of a hobby that you've created yourself or.
[00:05:25] Yeah. Yeah. You could say that it's a hobby. So the science or academia, it has been a kind of a hobby for me. Well, I used to do also like a, like lecturing university, like part-time 50% of my time.
[00:05:37] Just to, you know, just to, you know, give something back. But I'm also doing like research, like, and publishing in, in like scientific conferences. So I've done that actually about with 10 of my colleagues.
[00:05:53] So they had some idea and I said, Hey, we could write a paper about that. They will know, no, no, no, let me help you. And then we did it and, and it, it got published and so on.
[00:06:02] So that was kind of my hobby. And now in Finland, you can do a PhD in two different ways. So either you write one big book or monograph, or then you can do it by, um, publishing like scientific papers.
[00:06:19] And if you have five or something, you can do your PhD about that. And now that I've done that, publishing one or two papers a year, I've got a bunch of those.
[00:06:29] So I just need to put them together and, and, you know, write a story about all of those and that should do it. But, but yeah, that's also like a, because I've done that already.
[00:06:39] So why not to finish? You know, that you, I have the bits and pieces and why not just put them together and finish the degree.
[00:06:47] And it also seems like it's, it comes almost naturally to you, meaning a lot of people struggle. I mean, it's not easy to, to get into some of these programs.
[00:06:57] As you mentioned, the selection process, sometimes you have to go through an entrance exam.
[00:07:03] And what do you think from particular attributes that you have that makes it so easy for you?
[00:07:08] Because I'm sure some people will view and listen to this and say, wow, listen, I've always wanted to do a PhD.
[00:07:14] I always wanted, but I, I find it so difficult.
[00:07:16] I find it so difficult to get myself going and applying, you know, for a GMAT, doing the GMAT exam and getting into MBA school and doing all that stuff.
[00:07:25] Is there a particular thing in your upbringing that made you, you know, so academically in doubt, I would say?
[00:07:34] Well, first of all, PhD is nothing but nothing, but like a little big, larger assignment.
[00:07:43] And it just takes a couple of years usually to finish.
[00:07:47] Well, it depends on country and what kind of program you are.
[00:07:51] And also like about the university you are attending, but, but anyways, it usually takes a couple of years.
[00:07:57] Usually when you are a PhD student, you are working.
[00:08:00] So you can't do that full time.
[00:08:03] If you can, it might be a little bit faster, but there are some qualities.
[00:08:08] And first one is that you need to finish what you start.
[00:08:14] So that's one of the qualities that usually helps in doing that.
[00:08:19] And also like, you don't need to be too hard to yourself because there are some times that you don't have time to do your studies, but you just need to be persistent.
[00:08:29] So if I don't do anything this month, I'll do next month and so on.
[00:08:33] Yeah.
[00:08:34] So yeah, we all have, I think life catches on to us a lot of times.
[00:08:38] People start programs that take a couple of courses and then, um, you know, life basically happens.
[00:08:45] Um, and I know that some people do, they join these programs maybe after, maybe, uh, lower, like an older age where they've, you know, maybe they've, they've dealt with the family and all that stuff and they have more free time.
[00:08:59] Um, but it's really interesting.
[00:09:01] Uh, and then from, from the future of education, I'd love to talk to you about this because you also have a lot of certifications and there's this struggle or, or conversations about, you know, from cybersecurity professionals, whether, whether it's worth it, whether you have to have a degree in a particular business, uh, or cybersecurity or IT discipline to be successful in cyber.
[00:09:28] And whether you have to have all the certification, if that's a contributor to you being more effective.
[00:09:35] And it's almost like, you know, I like how you're like, you're either Nikon or Canon for photography.
[00:09:41] I think this is also school of thoughts.
[00:09:43] You're either in favor of formal education for cyber and saying this is a mess or you say, well, it doesn't matter.
[00:09:52] And there's the other school of thoughts.
[00:09:55] So I like to get your thoughts about that.
[00:09:58] Yeah.
[00:09:59] So the formal education is good in a certain way that it, it, uh, proves something.
[00:10:05] Okay.
[00:10:06] You finish what you started.
[00:10:07] So you are like, uh, people know that they can trust you to finish, finish whatever you are starting.
[00:10:14] Second one is that, uh, it is like teaching you like, um, how to do the science, how to research that kind of like mindset.
[00:10:23] Uh, whereas the certifications are measuring like, what are your like skills and not like a, what are your like ethics and, and moral and that kind of things.
[00:10:36] So I would say that it would be good ideal to have both.
[00:10:42] Like the undergrad and then a couple of certifications and, and, and, and certification, especially in the area you are interested at.
[00:10:52] But, but, but those are also like a bit difficult because sometimes you need to have like work experience a couple of years before you can get that certificate.
[00:11:01] So that's also a bit challenging.
[00:11:03] And, and there's been a lot of like talks or discussions about that, are those certifications any good?
[00:11:10] And my opinion is that it depends.
[00:11:14] Like the consultant always said the same thing.
[00:11:17] So that, so let's imagine that you are applying to a cybersecurity job in organizations like Microsoft or SecureWorks or CrowdStrike.
[00:11:28] Well, those are organizations that already know probably about you and, and your skills, and then you can explain them or show what you have done.
[00:11:40] And then they are okay, we can hire you.
[00:11:42] But if you are going to apply a cybersecurity job in an organization or company that doesn't work in cybersecurity at all, maybe let's say some, some like factory, for instance, manufacturing, whatever, bicycles or something.
[00:12:00] So how can they assess your knowledge?
[00:12:02] Because they don't know.
[00:12:04] They are not subject matter expert on that.
[00:12:06] So what can they do?
[00:12:08] They can go and ask somebody who knows that, Hey, what would be a nice certification that if the guy has, who is applying, we can say, we can be pretty much sure that he knows about these things.
[00:12:21] So, yeah.
[00:12:22] So it's kind of like a, it depends.
[00:12:25] And you also have, with all of that, you also have a designation from Microsoft, right?
[00:12:32] For being, there's only what, a hundred of these that they give out yearly.
[00:12:38] What's the effect?
[00:12:39] You mean this MVR thing?
[00:12:41] Yeah.
[00:12:41] Uh-huh.
[00:12:41] Yeah.
[00:12:42] Yeah.
[00:12:42] I want to ask you about that.
[00:12:44] Yeah.
[00:12:45] Yeah.
[00:12:45] So it's most valuable researcher, Microsoft's most valuable researcher.
[00:12:50] And how do you get that?
[00:12:52] Well, you need to report vulnerabilities to Microsoft using their portal.
[00:12:56] And then depending on, on how severe that vulnerabilities or how, what is the quality of your report?
[00:13:05] You will get points, also bounties like money.
[00:13:10] And then at the end of the year, well, it's actually at the end of the fiscal year of Microsoft.
[00:13:16] So it's around June or something.
[00:13:20] There will be a list of top hundred researchers and those will be on that list.
[00:13:26] And some people will say, you know, for people that are really interested in reverse engineering and malware analysis and research, I mean, it's going to be the dream job to be able to do that.
[00:13:37] And it's going to be able to do that, something that may or may not be your hobby and actually get paid for it and be recognized.
[00:13:44] You know, it really is.
[00:13:45] And I would say when people are saying cybersecurity, it's not the first thing they think, oh, let me become a researcher.
[00:13:55] You know, it's not trivial.
[00:13:57] They think, okay, a pen tester working in, you know, being a CISO, whatever the case may be, but they don't think necessarily research.
[00:14:06] And so if you don't mind, just describe the kind of the, you know, what's a day like in your day to day?
[00:14:16] Like if you get up in the morning or say, okay, because it's almost like, it's almost like a scientist that is looking for a new species of bees.
[00:14:28] You know, you're like walking down, you travel to some country, you're trying to figure out and you're smiling because you know it's true.
[00:14:35] You're out there trying to figure out if there's anything out in the wild.
[00:14:40] So I would love to double click on it and just figure out what that looks like.
[00:14:44] Yeah.
[00:14:44] So basically there are two parts in my job and one is like to be a public speaker or public voice about things.
[00:14:51] And the second one is doing the research so that I can talk about something.
[00:14:54] So, so, so, and in research during my career or in my experience, there are actually like two things or ways or processes, if you will.
[00:15:06] And the first one is that I'm just, you know, browsing a portal or doing just something and, and maybe running like a tool that shows the traffic between the client and cloud.
[00:15:18] And then I just say, Hey, what, what is that?
[00:15:21] Hmm.
[00:15:21] Interesting.
[00:15:22] And then I just noticed something and, and what if I changed this parameter to something else?
[00:15:28] What happens?
[00:15:29] Is that like a, like beautiful mind?
[00:15:31] If you have, if you watched a movie.
[00:15:33] Yeah.
[00:15:33] Yeah.
[00:15:34] Yeah.
[00:15:35] It's almost, I'm not, I'm not that cute, but, but, but, but yeah, it's pretty much the same, like a mindset.
[00:15:40] Yeah.
[00:15:40] Yeah.
[00:15:41] Same mindset where you, you're looking for patterns and you're trying to figure things out.
[00:15:44] Maybe that are not trivial and may not be detected by, by, by others.
[00:15:50] Yeah.
[00:15:51] And maybe not at that level.
[00:15:52] The guy was obviously a genius, but, but I'm sure you're not, you know, you know, you're not for the faint of heart either.
[00:16:00] I'm sure you have a lot of some brain power to, to, to do this kind of job.
[00:16:04] So talk to me.
[00:16:05] So you're like viewing traffic and you, you're trying to break stuff.
[00:16:08] Really?
[00:16:09] Right.
[00:16:10] Yeah.
[00:16:10] Yeah.
[00:16:10] So I can see that how it works, like when, when it's, when something is working as it should, that's, that's usually what like programmers want to do.
[00:16:19] That's they create features so that they work according to their specification.
[00:16:25] Yeah.
[00:16:25] Predictability is very important, right?
[00:16:27] So you, you have a program where you have the input and then the output, it has to be super predictable.
[00:16:33] Right.
[00:16:33] So that's the whole point of, of software.
[00:16:36] Yeah.
[00:16:36] I mean that programmers try to make things to work.
[00:16:39] Okay.
[00:16:40] And programmers doesn't usually think that how this feature can be used for wrong purposes.
[00:16:46] So when I'm putting something, some input inside what the programmer didn't anticipate, the output could be something totally different.
[00:16:55] So that's kind of what happens when you, you know, what's the traffic and try to change some parameter to some other values and see what happens.
[00:17:03] So, so that's, that's one, one way.
[00:17:05] But the story, how do you, how do you change that?
[00:17:09] Assuming that the, the, the, the software receives input from somewhere.
[00:17:13] So when you say change it, so you're trying to change the input on, on the, on the input side.
[00:17:18] But like, I'm thinking to myself, any portal, like this traffic goes around and there's a million different, you know, like back and forth.
[00:17:25] How do you in actuality make, make a change in the input?
[00:17:30] Well, there are like very many ways to do that.
[00:17:34] But typically let's speak about, like for instance, if you are using browser and you are browsing portal, you usually use the, like a network traffic monitor or like, well, actually it's a proxy.
[00:17:46] I use Fiddler, but it could be like Burp Suite.
[00:17:49] So whatever is your choice of tool.
[00:17:52] And then you can see the traffic and in both things, you can like a replay requests.
[00:17:59] So when you, for instance, you, let's say you want to find a user, you type in username like Nestor and hit enter.
[00:18:06] There's an API call in the background.
[00:18:09] An API call, it has to, like the search parameters, username equals Nestor or starts with Nestor.
[00:18:15] And then you can just edit the request and replay that.
[00:18:19] So you can try different parameters to see what happens.
[00:18:24] So that's one way.
[00:18:26] Or other things are that if you have like a client in your computer that somehow doesn't allow you to, you know, see the traffic, then you can just debug that online.
[00:18:39] And then when it's running, you can just change parameters and again, see what happens like at breakpoints and so on.
[00:18:47] So there are many, many, many ways to do that.
[00:18:50] And so it sounds like a lot of manual process, right?
[00:18:54] I know there are like, there are fuzzers or tools out there that are trying to automate this process.
[00:19:00] And I would, I would throw in the mix of this question.
[00:19:03] It was also, it seems like almost something that AI engine would be very good at creating these, these nuances or changes, subtle changes to the, to the input and do it on a automatic level.
[00:19:18] Yeah.
[00:19:19] And usually the fuzzers are good for finding like, like programming errors in the software or libraries or so on.
[00:19:30] But what I'm usually looking at is more like a business logic errors.
[00:19:33] So, so that it behaves some, somehow differently when I'm asking different things.
[00:19:39] But yeah, I assume that AI would be very good for that.
[00:19:46] Helping like to find things, especially if you, you know, teach AI that how I work, for instance, is copying that and then tries to, you know, do that.
[00:19:59] To be, to be really good at it.
[00:20:01] I think that you have to really have the mindset of the developer and understand the inner works of almost like, it's almost like you have to know, you're trying to hack a car.
[00:20:14] You have to know how the engine is running.
[00:20:17] So the same thing for you, you have to understand, you have to have a really deep understanding of, of the underlying software.
[00:20:24] And then in your case, your business logic, right?
[00:20:26] What is a developer when they develop this software or develop this portal?
[00:20:30] What is it expecting?
[00:20:32] And how, once they receive it, where does it go?
[00:20:35] And so you have to have almost like, and so do you, is this something you have?
[00:20:39] Cause it's something I'm sure you have in your mind when you were like trying to fiddle with the input.
[00:20:45] Is it something you have in your mind, almost like a mental note on how, how the software is supposed to work?
[00:20:52] Yeah.
[00:20:53] Yeah.
[00:20:54] You need to, you need to know that.
[00:20:56] Hmm.
[00:20:56] And sometimes it's like, you can see the API call that there's a one parameter equals one.
[00:21:03] And, and the second is like zero.
[00:21:06] And you could guess that, okay, maybe if I put two, something different happens.
[00:21:13] And then if you see the output and you understand that, okay, when it was zero, it was user.
[00:21:19] When it was one, it was group.
[00:21:21] When it's two, now it's device.
[00:21:23] And then you could, you know, try to figure out, okay, this number means like different kind of objects.
[00:21:29] And, and yeah, so, but yeah, you, you need to know like some programming basics and, but also in this business, it's networking is quite important.
[00:21:39] So you also need to know like network protocols, how they work.
[00:21:43] And then like the basics of cryptography, like public and private key stuff.
[00:21:49] And so on.
[00:21:50] So there's a lot of, like a lot of things.
[00:21:54] And then you, you're trying to pull on a sweater, the thread, you're trying to pull it.
[00:21:58] And see if everything falls apart.
[00:22:02] When do you know that you have something, that something's there?
[00:22:05] Like I'm sure, cause you've done this before you, you uncovered vulnerabilities.
[00:22:09] And I'm sure that's super exciting.
[00:22:10] Cause it's like, it's almost like being a detective, right?
[00:22:13] You like sit there in a stakeout for so many hours and nothing happens.
[00:22:17] And all of a sudden, like the bad guys are coming in.
[00:22:20] Like, but it's almost the same, similar for you.
[00:22:22] Like you, you might poke a piece of software many, many times and nothing happens.
[00:22:26] And all of a sudden you do the right thing and everything falls apart.
[00:22:31] Yeah.
[00:22:32] So I mentioned the one way to, you know, one like method for researching is that I was like
just making observations of what happens.
[00:22:42] But the second thing is that I, every now and then I got a theme.
[00:22:46] I try to study like certain kinds of things.
[00:22:49] So for instance, I think it was two years ago, I decided to study all the migration methods
that were related to Microsoft's services.
[00:22:57] And that was before I joined Microsoft.
[00:23:01] So I looked for email.
[00:23:03] I didn't find anything there.
[00:23:05] Then I looked for SharePoint, which is also like a background service for Teams and OneDrive.
[00:23:13] And I actually found out that there was a migration API that was meant for, well, as the name
[00:23:21] suggests, migrates stuff to the cloud.
[00:23:25] And I noticed that all the file like dates and creators and everything like that, that metadata
[00:23:32] was also advanced to cloud.
[00:23:34] I was like, okay, that sounds interesting.
[00:23:37] So I was able to replicate the protocol.
[00:23:39] And I noticed that I can create documents as any user if I have a certain level of admin rights.
[00:23:47] And in Teams, if you create a team, you have those permissions.
[00:23:51] So basically, if I had a team, I could like create documents as any person in my tenant.
[00:23:57] And also I was like able to replace existing files without any log events.
[00:24:04] So that was like, okay, now I find something interesting.
[00:24:08] And actually, I had a talk about that in 2023 at DEF CON during the Hackers Summer Academy.
[00:24:18] And Dr. Syynimaa, why is that important?
[00:24:21] And why, because to me, for in layman terms, I think, okay, well, you know, you can replace
[00:24:27] a file and create a file.
[00:24:30] What does it matter?
[00:24:32] But it does matter, right?
[00:24:33] I mean, there's certain aspects of maliciousness that's a reward.
[00:24:39] Yeah.
[00:24:39] So for instance, if I, let's say my boss says that, hey, Nestor, why don't you put up a team
[00:24:46] where we are storing our policies?
[00:24:50] And I say, okay.
[00:24:51] And then I create a document as my boss, which says, okay, I can always travel in first class.
[00:24:56] And it's created by my boss.
[00:24:59] He can't deny that because there's no log event whatsoever.
[00:25:03] So he can't say that I didn't do that.
[00:25:06] You know, it doesn't...
[00:25:07] It worries me, Nestor, the ease of which you came out with this example.
[00:25:12] Yeah.
[00:25:14] Because I've used the same example earlier.
[00:25:18] I'm joking.
[00:25:19] Okay.
[00:25:19] And so there is, once there's an exploit and once a software or a portal or whatever misbehaves
[00:25:25] or behaves in an unexpected way, you'd be almost certain that someone was going to use
[00:25:31] that in a nefarious way.
[00:25:34] Is that a correct statement?
[00:25:36] Is that somebody out there would say, okay, I know this is possible.
[00:25:41] I'm going to exploit this.
[00:25:43] Yes, probably they will.
[00:25:46] They will, yeah.
[00:25:47] With some card addresses.
[00:25:50] Yeah, probably there is.
[00:25:51] But it is kind of like...
[00:25:55] So before I joined Microsoft, so I was like an outside researcher.
[00:25:59] So when you're outside, the process is usually this, that you report something and then, and
[00:26:06] you report that to Microsoft Security Response Center or MSRC.
[00:26:09] And they will review the case.
[00:26:12] They talk with engineering.
[00:26:13] And then they will, you know, end up to a conclusion that is it a vulnerability or not.
[00:26:19] So that's the first one.
[00:26:19] And for instance, this particular thing, it wasn't.
[00:26:23] So it wasn't like a sense of vulnerability.
[00:26:27] So then it means for researchers that they can publish that.
[00:26:32] And sometimes it happens that, it still happens that if somebody publishes something that was
[00:26:38] like categorized for some reason, like by design or not vulnerability, then it will get
[00:26:45] an attention and then it might come a problem later on.
[00:26:49] So then it will be fixed later.
[00:26:50] But anyways, that's always the same with researching.
[00:26:54] So if vendor doesn't agree with you, it says we're not going to fix this.
[00:26:59] And then you are free to publish that.
[00:27:01] They might change their mind after it comes on issue.
[00:27:05] But now it's a bit different for me because I work inside Microsoft.
[00:27:09] So which means that if I find some vulnerability, I can see the metadata.
[00:27:14] Sorry, telemetry.
[00:27:16] That is somebody exploiting this already.
[00:27:19] Because if I can find something, someone else might have already found that already.
[00:27:25] So I can see that.
[00:27:27] So does it happen?
[00:27:29] And then we can build detections for that, even though it wouldn't be fixed.
[00:27:36] Maybe because it's not a big issue, that big issue.
[00:27:40] Or maybe nobody's using that particular feature or something.
[00:27:44] But anyways, we can build the detection beforehand.
[00:27:47] So if we or somebody else finds that later on, we can detect that.
[00:27:52] So we have the capability.
[00:27:54] So it's a bit different like now when I'm working inside.
[00:27:57] So I could say that now I can...
[00:28:00] You have the inside view.
[00:28:02] You have the ability to look under the hood.
[00:28:05] Yeah.
[00:28:05] So I can kind of like have a better impact now inside.
[00:28:11] Because I can get the data that backs up my views.
[00:28:13] Okay, I think this is a bad thing.
[00:28:15] Maybe we should fix that.
[00:28:16] Because people are exploiting already this.
[00:28:18] And how do people know that you're successful?
[00:28:22] Meaning, you know, there's a...
[00:28:25] And I hate to use that term, KPI, key performance indicators.
[00:28:30] You know, when you sit with your boss or your supervisor at the end of the year
[00:28:34] or the quarterly NSA, and a story like you are doing great.
[00:28:40] What does great mean for a security researcher?
[00:28:46] That's a very good question.
[00:28:47] Because kind of like if I don't find anything,
[00:28:51] does it mean that I'm a bad researcher?
[00:28:54] Or are we getting better at making like more secure products?
[00:28:58] So you really don't know.
[00:29:03] But we are pushing so many features out to the markets.
[00:29:07] So there's always something to find for me.
[00:29:09] So I'm probably going to find things also in the future.
[00:29:12] But, well, you can kind of build KPIs for researchers as such.
[00:29:20] Because what could that be?
[00:29:27] So I used to teach also like ITIL and like that kind of methodology.
[00:29:37] And one example there was that you always get what you measure.
[00:29:44] So there was a software company that they were a bit worried
[00:29:49] because their software quality was so bad that customers were angry.
[00:29:53] And they were thinking, okay, what should we do?
[00:29:55] And somebody said, hey, maybe we should pay a bonus for finding a bug.
[00:29:59] And they did.
[00:30:00] So what happened?
[00:30:03] People found more bugs than ever, but customers were still angry.
[00:30:07] Because, you know, software dealers, they want to get more money.
[00:30:11] So they just created bugs so that they could find those
[00:30:13] instead of like implementing the features the customers wanted.
[00:30:17] So that's a very hard thing to like measure.
[00:30:21] But for me, like part of my job is to be the public speaker.
[00:30:25] So how many talks you had?
[00:30:27] One, that's not good.
[00:30:29] Ten, that's better.
[00:30:30] Twenty, you did very good.
[00:30:32] So that's quite easy to measure.
[00:30:34] Sure.
[00:30:36] And yeah.
[00:30:36] But the research part as such, it's not that easy.
[00:30:41] Yeah, absolutely. And it seems like you're fighting against the current, as you mentioned, because software should, all things considered, become more secure over time.
[00:30:52] Yes.
[00:30:55] So the job in theory should be more and more difficult over time. But as you described, there's a lot of new features, new updates and so on. And I'm assuming, again, that there's... I know for a fact that when Microsoft moved to the cloud, the Office 365 migration, all those pieces, they had to really revamp some of the architecture, because what was good for on-prem was not necessarily great in cloud. And I know they had to do some stuff for Active Directory and so on and so on. But there seems to be always new features, innovation.
[00:31:37] And what's the OS level? Like, how many lines of code is Windows 11, or SharePoint or Exchange, Office 365? I can't even imagine how many lines of code.
[00:31:54] Yeah, I have no idea, but I would assume millions of rows.
[00:31:58] Millions.
[00:31:59] Yeah.
[00:32:00] If not more.
[00:32:02] Yeah, if not more.
[00:32:03] And so, and now with AI in the mix, right now we've got to bring this back as well to the discussion. It seems like there's always discussion about poisoning AI engines. And I know that Microsoft is pushing for, in the cyberspace, for Copilot. And so there's a push for that. What's your take on the vulnerabilities in some of the AI models? If you have an opinion of how, because again, I think some of the things you're doing are similar in nature. You have input that you expect and output. And the input can be the creation of the model or the modification of the model. And the output, you expect something because you train the model a certain way and you expect an output a certain way. But as you know, especially you, of all people, as a researcher, that's not typically the case. It's not always the case.
[00:33:05] Yeah. So, I don't know much about security of the models as such. But to me, AI appears to be a bit like a child who has very much brain power, if you will.
[00:33:27] And now that people are starting to use things, there was actually a talk at Black Hat about hacking Copilot. So there was this group, I can't remember the group name, but anyway, they were studying Fortune 500 organizations and how many Copilots they had. And I think that was called Copilot Studio, where you could build your own bot, backed by AI. And the agent, I think they call these agents, like there's a lot of these agents where you build your own agent to solve a certain problem, based on Copilot or based on something else.
[00:34:08] Yeah.
[00:34:08] So they used an example that there was an HR guy who created an agent, if you will, that allowed you to ask your salary.
[00:34:21] Okay.
[00:34:22] So, what's my salary? So just send an email or just ask the bot, and then the bot answered. Now, there were a couple of things here. So, the bot is running with the permissions of its creator. So the bot had access to all the same things as that person.
[00:34:41] God power. Like admin, God power.
[00:34:44] No, no, not admin, but just like a normal HR person.
[00:34:48] Oh, okay. Okay.
[00:34:48] So you had access to the salary information of all people, for instance. And now about the childish mind, what I said, I meant that people were able to persuade the agent to give the salary information of others also, just by, you know, making a correct prompt.
[00:35:12] So this kind of business logic errors that you can build, like purposely, in your agent. And you shouldn't trust that much, you know, what the agent does, because it's just an AI-based thing, and they can be lied to or, well, made to do something else.
[00:35:34] And then there was kind of a technical thing, that at least in the beginning you could create bots or agents that by default were open to the internet. So anybody could access that agent and ask basically anybody's salary, if they were able to find that. So that kind of technical things, they are also there. But I would say that that's the same with all new technologies, because everybody's now doing the AI and trying to, you know, be ahead of the market or competition. So they are, you know, trying to use or find the use cases for those, but because we are at the very beginning, there are some default settings or something that we don't know how to implement correctly yet.
[00:36:24] Yeah. It makes total sense. And so, what's interesting about all these vulnerabilities in software is that there's quite a thriving ecosystem of vendors that see some issues, maybe not necessarily just the vulnerabilities, but maybe the management of a certain tool. So for example, Active Directory or whatever else, and then the vendor takes that and creates almost like another layer on top of it. And there's quite a few of them. There's ones for Active Directory, there's ones for firewalls, endpoint, you name it.
[00:37:07] What's your take on that? Why doesn't the vendor itself, like a Microsoft, take all the modification, the augmentation that vendor provides, and just provide it in the software itself? Why do you have to, you're already using Microsoft, so why do you have to use a third party to almost protect Microsoft solutions from misbehaving? What's your take on that?
[00:37:35] Well, I'm not familiar with that, so that I could, you know, give a comment on that. But in general, I would imagine that people want to have, like, security products, for instance, from different vendors, like two or three different firewalls, you know, linked, to protect from different things. So maybe that's the reason, I'm not sure about it.
[00:38:02] Yeah, and then as a CIO, you were a CIO handling very large infrastructure. So it's really interesting, because you were facing, well, business issues as a CIO. So you had to run a reliable infrastructure with demanding users that expect nothing else but 100% uptime. And they don't care about anything else. Like, they don't necessarily care about security. They don't care about how things operate. What was your kind of major mindset of running these large infrastructures? What was your main concern, aside from it getting to work, from a cyber perspective, since you got into the space and started looking at vulnerabilities and so on? Having that kind of responsibility is stressful, I think. Right? As a, yeah, so, large infrastructure.
[00:38:58] So, just to open that a little bit, so I was CIO of eight cities surrounding my hometown, where I live now. But we had a shared infrastructure with my hometown, where I live now. So in total nine cities, they were having the shared infrastructure, like networks.
[00:39:17] Do you remember? Approximately?
[00:39:19] 25,000 or something like that.
[00:39:21] Significant.
[00:39:22] Yeah. So we had, like, very much, let's say, power to put people to, you know, keep that core infrastructure up and running and safe. So the small cities only had to focus on their own information management or information systems.
[00:39:50] And what was the most difficult to me was that, because there were eight different cities, and everybody had the same problems, same functions. Every single city, municipality in Finland, they have the 33 mandatory services that they have to provide according to law. And then they can also have the voluntary ones. But those basic things are the same for everybody, like child education and that kind of things.
[00:40:22] So they didn't see outside their own city or municipality. So, I want to buy this one, and they bought that. And the second one was,
[00:40:35] the story, it's almost like they, you know, they all were operating in their own little bubble, like in their own little, yeah.
[00:40:42] You know, and usually when you purchase something, you are locked to that for, like, five years or something. And, okay, one city starts, buys something now, and the second one, there would be, like, a contract that would end after one year. I was like, why don't you wait one year, and you can buy the same one? No, no, we can't wait, or anything like that. So that was the biggest issue. So we had limited resources, and they were doing a little bit the wrong things.
[00:41:17] But from the safety point of view, I just had to make sure that they tell me about that as soon as possible, so that we can review the security. And the worst case was that, okay, we bought this, and we want to integrate it to Entra ID, and they need to have global admin permissions. And I said, what? That's not gonna happen. So, so yeah.
[00:41:40] It sounds almost like operational problems. Not so much security problems. It's really much the mindset. It's almost like reining everybody in under one roof, because they are so disjointed, and each one cares about their own. And I think you see that a lot in municipalities as well. And not even, look at even enterprise, right? It's almost the same. Large enterprise, you have all these departments, and they go out, maybe, I don't know if they still do today, but they go out and buy solutions on their own. They have their own departments, they implement them, and then they don't care if, in fact, they might not even know that they already have a license somewhere else in the organization, and they can utilize that. They just go out and buy it and implement it, and then they request access, sometimes, as you mentioned, to a larger database, and cause some issues.
[00:42:36] And so, it's a lot of that, and then, essentially, as an executive, you have to be nice. I'm assuming there's a lot of politics involved, so you can't really just be like a really strong hand and say, well, you know, you can't use it. There's a lot of nuances that are involved. And so, how do you manage to at least make people, and that's what they say about IT, it's all about getting the buy-in from the other groups. It's almost like being able to convince other groups that we're in this together, and it's a soft skill, it has nothing to do with IT, almost nothing. It's all soft skills associated with that.
[00:43:23] Yeah, and it was interesting that IT people from all the cities, they were like, yeah, we want to do this together. But it was more like the local, like, substance owners, or, I don't know if that's the correct terminology, but,
[00:43:40] yeah, the subject owners, yeah, they're business owners.
[00:43:44] Yeah, so they just saw their own thing.
[00:43:51] But there were a couple of things, like, for instance. So every city has their websites and so on. So a couple of cities, I think there were three or four, they purchased one platform so that they could share that. But that came because we were kind of able to bring those people together. Hey, talk about this, and they were like, okay, let's make this together.
[00:44:27] And then the promise. So you can push that.
[00:44:30] Yeah, yeah, for sure.
[00:44:30] And the promise, the promise of becoming more digitized, and efficiencies, you know, we talk a lot about securing entities now. Not just identities, like individuals, but now machines, IoT devices. What's your philosophy on getting all that mix under control in an organization that's so disjointed, just like yours was? Because they all want the best and most shiny new device that can potentially save money and maybe become more green as an organization. There's just so much promise. But then they plug it into the network, it might be an IoT device, and then all hell breaks loose, because there's some default username and password on it.
[00:45:22] Yeah, but that was easy, because the IT, or my organization, was the only organization that could provide devices, and you could only use devices provided by us. So even if you plugged in your own laptop, it didn't work. You didn't get any connection.
[00:45:39] Oh, so you have a complete lockdown.
[00:45:41] Yeah. Yeah. And also, if they bought a piece of software, so, we had firewalls around the, you know, the sandbox, and we said, put it there, so even though there could be a bug, or somebody could compromise that, they couldn't get out of there. So we tried to minimize risk that way.
[00:46:03] So, switching gears a bit, I just wanted to ask you a little bit more about the research community.
[00:46:09] Okay.
[00:46:10] We know the adversaries, the people that are looking for these exploits, they collaborate. There's forums, there's, you know, user groups, Telegrams, whatever the case may be. In fact, you can probably go and buy some zero-days or buy some exploits in the open market.
[00:46:31] Yes, you can.
[00:46:32] How much of that is done on your side? Meaning, how much do you collaborate on a day-to-day basis with others, to try to figure things out, maybe share ideas? Is that something that you do normally, or is it something that typically doesn't happen?
[00:46:48] Yeah, it happens. So, there's no formal thing, but, for instance, me and others who are, you know, traveling around the world and speaking at conferences, so we become like friends, so we share things. And also there's an informal group, currently run by us, and there are a couple of researchers doing the same kind of things that I do. So we are sharing our expertise and so on. So we do that, yes.
[00:47:20] Is there, like, a pride thing, where if you found something really good, you're not going to share until you announce it? Or is there almost like a competition between researchers?
[00:47:37] Yeah, well, obviously I can't say my findings nowadays in the same way, but when I didn't work for Microsoft, we could say something, especially, of course, if you are meeting. There's not always, like, everybody able to attend, so if there were only Microsoft people, I could tell them, but if there are others, there's just maybe some hints and so on, what it might be. But usually we don't share the details, but when it's public, after somebody has published that, then we can talk about that in detail.
[00:48:16] And there's a bunch of bounty programs.
[00:48:18] Yes.
[00:48:20] That you can make, actually, a significant amount of money. I don't know how much Apple is paying for, like, zero-days. I don't know if Microsoft does the same.
[00:48:29] Yeah, there's different bounty programs and different categories. So my biggest bounty, the single bounty, has been $20,000, and in total I think I earned like $100,000 in bounties in,
[00:48:48] That's amazing.
[00:48:48] Two or three years.
[00:48:50] Sorry?
[00:48:51] That's before tax. Those are, like, you know, you still have to pay taxes on top of that.
[00:48:55] Yeah, yeah, yeah, yeah, but, yeah.
[00:48:58] It's pretty amazing.
[00:48:59] Yeah.
[00:49:01] But there's some bounties that are like millions of dollars, apparently. Depending on the exploit, depending on what type of,
[00:49:10] Yeah, and it depends on the program. So, Microsoft program, for instance, so if you go to msrc.microsoft.com, I hope that's the correct URL. But anyways, there you can go and see the bounties. And I think the highest one currently, well, last time I checked, it was like $500,000 for Hyper-V kind of things. Because Azure runs on Hyper-V, so it's very important that there are no bugs there or vulnerabilities.
[00:49:37] Yeah, and so is it worth it to maybe say, that's a significant amount of money, right? So maybe someone will say, hey, you know, I can treat it like a job. I'm going to take a year off from work and basically say, all I do all day long is get up in the morning and try to hack and try to exploit and try to find, you know, and then sell it back to Microsoft. Is that something someone can do? Or do you think the odds of them finding is?
[00:50:08] Yeah, yeah, yes, they are. So for instance, the MVR list we were talking about earlier. So, what did I have last time? I was on, because that's the ultimate, nine, 90 something.
[00:50:20] That's the ultimate work from home.
[00:50:22] Yeah, yeah.
[00:50:23] So you can be anywhere, you can be on a beach in Thailand and trying to hack somebody's box.
[00:50:28] Yeah, and there are people who are doing that. But anyways, last time I was on that list, I think I had like 200 or something points, and I was in 90 or 70 or 80 or something like that. But the first one had like 5,000 points or something. So, he or she, I don't know. So, but anyways, the first person is doing only that for a living, because there's no way you can get that amount of points and also bounties if you are not doing that full time.
[00:51:03] And do you think they're also leveraging tools, like maybe some homegrown things that they developed? Or AI tools, or a combination thereof, agents? Because, you know, again, it's significant. You can, honestly, you can make a pretty decent living if you're successful at it. And not even that, after you do that, you can work as a consultant anywhere, because you could say, hey, I'm the one who discovered these exploits. I was the top number one these five years, you should hire me as a security consultant to protect your business or protect your code.
[00:51:41] Yeah. Now that's actually a good point, that if you are on that list and you are working in countries where the income is not that good, well, first of all, you can get bounties, but you can also prove to your employers that, hey, look at this. I know this stuff. I'm on the list of the top 100 security researchers according to Microsoft.
[00:52:05] So, yeah, it's amazing.
[00:52:07] Yeah. So you can get hired much more easily.
[00:52:10] Yeah. And it's almost just as good, if not better, than having a GitHub account with all the stuff that you've done. It's like the hacker version of GitHub is being on the list of the top 100 in that list. So does the top 100, do they ever get together? Is there like a top 100 conference where people get together, or is it?
[00:52:33] Well, during Black Hat there's a researcher celebration party, and all the MVRs are invited. There are also other researchers and Microsoft employees and partners. So yeah, there's a nice party.
[00:52:47] It's almost, it reminds me of the chess ranking, like how people are enamored by what's your ranking. And as a chess player, you have the number one in the world. And then you can go up or down depending on, because there's a list, right? And they tell you what ranking, in order for you to go up the ranks, you've got to beat somebody. In this particular case, there's a ranking, but you're not beating, you're not competing against, you know, someone else, but you're trying to find exploits and trying to uncover more and more vulnerabilities. So, and is there a list for Microsoft and all the large vendors? Or is it strictly, or is it like one list for everybody?
[00:53:32] Yeah, no, this is just a Microsoft internal list. And there are also general bug bounty platforms like HackerOne or Bugcrowd or, can't remember the third one, but there you can find a ranking list of who are doing bug bounties through that. So you can also do bug bounties for Microsoft through that platform, and then others. So usually there are organizations who have their own bug bounty programs, but they are running that on that platform, like HackerOne, and everybody can attend. And some bug bounty programs are closed, so it's invitation only. So if you are doing good on those ranking lists, you will get invited to do something special every now and then.
[00:54:16] It's such a fascinating world. And you have to be in it to know it. And it's amazing. I appreciate you providing the insight into that.
[00:54:25] So, last question. If somebody listens to this and says, listen, this is so cool. I would love to do this, right? I would love to be a hacker full-time, essentially be a white hat, but just looking to solve some of these problems. And it's amazing because you can make money, but you're also giving back. You're actually, every time you make money, you're actually making the world safer for all of us to use this software. How do you get started? What's the, you know, if I'm watching this and I just have a bit of knowledge, some programming knowledge, I have a lot of curiosity, a lot of time on my hands. How do I get started?
[00:55:01] Yeah. The easiest would be if there's some area you are interested in and you are very enthusiastic to do that. So that would help.
[00:55:11] Like for me, it was the cloud thing.
[00:55:14] And whenever you have found your area, the easiest way is to, you know, go and see blog posts or write-ups.
[00:55:23] So for instance, when I did find a bug, I post a very detailed write-up. So what did I do? Which tools I used, how I noticed that, and this and that.
[00:55:32] So there it's like step-by-step. So kind of like a thought process.
[00:55:37] So I learned a lot from other people by reading their write-ups.
[00:55:43] And then they are, by the way, not to cut you off on the story, but it basically reminds me of when I was in high school: show your work.
[00:55:51] Like, it's not enough to show the end result. It's amazing that you do that, because that's an effort. To do these write-ups, it takes some time.
[00:56:00] So you gotta, yeah, it could go through two or three days.
[00:56:04] And you need to remember to document everything. So you're showing your work of exactly how, from the beginning to end.
[00:56:14] Right. And so people can replicate. Is that the reason why you do this? So people can replicate what you've done?
[00:56:20] Yes. And also like to teach how to detect your own things, and what tools I use and how I was able to, you know, get to that point, because that's an easy way to learn.
[00:56:30] Because now, you know, okay, that guy found that bug or vulnerability by doing those things, using those tools and so on.
[00:56:42] So you mentioned this is one way to start, right? By viewing
[00:56:49] Yes.
[00:56:49] Some of these write-ups.
[00:56:50] Yeah. And then try to replicate using the same tools and so on.
[00:56:54] And the second thing is that there are a lot of organizations, I think Hack The Box is one of them.
[00:57:00] So you can go and buy like labs or challenges.
[00:57:04] And there are,
[00:57:05] those two to,
[00:57:06] to those also,
[00:57:08] if you,
[00:57:08] you know,
[00:57:09] get stuck.
[00:57:09] But anyways, by doing those, you can learn how to attack, like, for instance, a Windows computer, a Linux computer, or a certain service, AWS or Azure, maybe through some misconfiguration and so on.
[00:57:24] So that's also one way to do that, if you want to do it by yourself.
[00:57:28] And there are also like taught courses. So they take like one or two weeks, online courses.
[00:57:35] They teach you to hack, and then you can replicate that in your laboratory and so on.
[00:57:41] So there are a lot of ways to do that.
[00:57:44] And I think what's driving it is that, I'm sure that you get a bit of a rush.
[00:57:49] Once you find a break into something, there's almost like this rush of adrenaline.
[00:58:00] Yeah.
[00:58:01] It's just like any other type of, and that's what I mentioned, it's almost like a stakeout, like you're sitting there trying to, and then something happens and then the spike.
[00:58:12] So how did, once you find something, I'm assuming the next day it was like, okay, now what? There's like this fall, you know, like, how do you then get up again and do this again?
[00:58:26] Well, it keeps getting, if you will.
[00:58:30] So when you find that, it's a very good feeling, and then you report that and you're able to replicate that, maybe to see what else you can do after you got in or you found something, but usually you should stop there.
[00:58:42] So just, when you got there, just stop. So don't destroy anything, because you might lose your bounty and maybe even get sued.
[00:58:53] And that's actually a very, very important thing, that you shouldn't hack anything without permission.
[00:58:59] And if you do the bug bounties, they usually, I think it's called safe harbor.
[00:59:06] So for instance, Microsoft lets you hack like our cloud environment, as long as you keep the boundaries.
[00:59:15] For instance, if you find some bug that lets you in, stop there.
[00:59:20] Oh, so you don't continue pulling on that thread without their permission.
[00:59:26] Yeah, correct.
[00:59:28] So you don't want to unravel that.
[00:59:29] Then you are not covered by that safe harbor anymore and you might get sued and you need to pay, let's say, if you crash the whole Azure, that would be very, very expensive.
[00:59:39] But anyways, okay, you found the bug, you report that.
[00:59:43] And then if the, you know, vendor agrees with you that it's a vulnerability, yes, that's a second good feeling.
[00:59:50] And then the third might be when they pay you the bounty.
[00:59:53] And the fourth one, when you are able to publish that.
[00:59:58] And in the best case, your talk is accepted to Black Hat or DEF CON.
[01:00:02] And that's also like a very nice adrenaline kick, to speak to many thousand people on a main stage.
[01:00:09] So they are different, like.
[01:00:12] And so there are some, there are a few that don't go through that route, but use that.
[01:00:21] And they basically exploit and make money on the other side. And that sometimes could be more lucrative.
[01:00:28] And I remember like seeing a software engineer that turned to a hacker.
[01:00:32] So, well, listen, he was in Eastern Europe somewhere. I can make $200 a month or I can make, you know, $200,000 in a day, you know, doing something like that.
[01:00:43] And it's a tough, you know, for some people it's a very tough struggle to do the right thing, go through the process.
[01:00:51] Because it's, you know, it's very rewarding, but it's almost like some people say, well, there's a quicker path to reward on the other side.
[01:00:59] Yeah. But it's all about ethics.
[01:01:01] So if you find a vulnerability, well, you can compare that to guns, for instance.
[01:01:06] So if you walk out there and you find a gun, you usually deliver it to the police, right?
[01:01:10] But if you're a bad guy, you can just take it and start shooting people.
[01:01:14] So, yeah. So there's a difference.
[01:01:20] And that is correct, that if you want to make quick or big money, people are selling their vulnerabilities on the black market, because you can do that many times.
[01:01:31] Because if you report, for instance, to us something you found, you can only get paid once and it's going to be fixed.
[01:01:39] But on the black market, you can sell them. And that is the problem.
[01:01:44] And we just need to kind of like believe that they are good people, white hat hackers.
[01:01:50] And also that's why I do my job. So I'm trying to find things which probably bad guys have also already found.
[01:01:58] So, yeah, you have to find it first or as fast as possible.
[01:02:04] Yeah. And then, so that makes you wonder if they're paying enough.
[01:02:10] Yeah.
[01:02:11] Meaning that if the bounties are large enough, because there's always this balance, you know, you can get an X and then risk being put in jail for life without parole, or you can get enough and sleep well at night.
[01:02:30] But I guess if the delta is too high, that's why I think people are moving and picking the wrong over the right choice, if you wish.
[01:02:41] So maybe they have to increase those.
[01:02:43] Yeah. And the most known researchers, they are working for companies. They are publishing their findings as their companies.
[01:02:53] And the companies are usually security companies.
[01:02:56] So they also want to make things safer and they don't care about the bounty amount that much, but more like that, whatever they found, that vendors would agree that that's a vulnerability and do something about that.
[01:03:14] Last question. Is there a Nobel Prize version of, you know, for researchers in your area, where, you know, when people do a, in a scientific version, they get a Nobel Prize for a complete breakthrough in certain topics?
[01:03:33] Is there a version of that for us, for you?
[01:03:35] Um, I don't think so, but of course there's like a cybersecurity person of the year and that kind of, I suppose, but I don't think there's a Nobel.
[01:03:47] We should vote for that. We should vote to have an official, we'll call it something else.
[01:03:52] No, instead of Nobel Prize it would be something else, because I think they should be, listen, you're contributing just as much to the overall wellbeing of everybody.
[01:04:01] We all touch software on a regular basis, whether it's Microsoft or not.
[01:04:05] And so your job has a direct impact on everyday life for everybody.
[01:04:12] So for the security of everyone, and a lot of times it's a matter of national security or not, but it's always, so there should be, for people that are contributing so much to this space, there should be a recognition associated with it as well.
[01:04:27] Yeah. And the best researchers, I mean, those who found the most vulnerabilities, they are the quiet ones.
[01:04:33] They don't usually even go to conferences and talk about that.
[01:04:36] So I'm just one of those who are talking at conferences because I like that.
[01:04:42] But those who are doing the biggest job or the greatest impact, they are, you know, just sitting back home and drinking coffee or Coke and eating pizza.
[01:04:53] Is that because of who they are? Or is that out of necessity, because they can be very valuable to certain individuals?
[01:05:01] So I would say it'd be almost risky to, if you have that kind of skillset, there's somebody out there that maybe will want to export you to hack into a new system or whatever the case may be.
[01:05:15] It can be very valuable.
[01:05:17] Well, we can only guess, but I suppose that it's more like a personal thing.
[01:05:23] Yeah. Interesting. Yeah.
[01:05:25] So it's just like what you would imagine, somebody sits in their, you know, parents' basement playing video games all day, and every once in a while just venturing into the, you know, because that's what we see in the movies, right?
[01:05:38] Like they, you know, eat Cheetos and play video games all day.
[01:05:44] And then somehow they manage to hack into the biggest systems out there.
[01:05:55] Okay. Good stuff. Thank you very much.
[01:05:57] So what's the easiest way for people to reach out to you, to know more about what you do, just in general to get in touch?
[01:06:05] Twitter or X or whatever it's called nowadays.
[01:06:08] DrAzureAD is my handle, also on other social media platforms, which I don't use that much, but anyways, I think that's the easiest one, or LinkedIn.
[01:06:18] Fantastic.
[01:06:19] So it's easy because I was one of the first users of LinkedIn in Finland.
[01:06:22] So the address is linkedin.com/in/nestori. So it's my first name.
[01:06:29] Fantastic. You're the first one that, it's amazing.
[01:06:32] I really appreciate this conversation. Thank you very much for giving us a glimpse behind the scenes. It's truly amazing.
[01:06:39] Again, I think this conversation was super valuable to a lot of folks.
[01:06:43] Yeah. Thanks for having me. This was great fun.
[01:06:46] Yeah. It's supposed to be fun.
[01:06:48] And I apologize for, you know, misplacing you in Sweden, and I'm never going to miss this again.
[01:06:54] So I appreciate you being, Finland. It is the story.
[01:07:00] Thank you very much, Dr. And so thank you very much for attending this and looking forward to maybe doing this again sometime soon.
[01:07:06] Hopefully you find some new vulnerability and we'll be able to discuss this in the next episode.
[01:07:12] Thank you very much.
[01:07:13] Okay.
[01:07:14] Thank you.
[01:07:14] Thank you.
[01:07:17] Good stuff.
[01:07:19] That was fun.
[01:07:20] That was fun.
[01:07:21] Yeah.
[01:07:22] It was.
[01:07:22] I didn't even know this, that how much time.
[01:07:26] Yeah. And I could have kept going because I had so many questions every time you say something, and we should vote for a Nobel Prize in, we should make our own Nobel Prize for researchers.
[01:07:38] I'm telling you, because you do the exact same thing. Like, what's the opposite? Instead of uncovering new stuff, well, you uncover new stuff and vulnerabilities.
[01:07:48] So, which makes the world a better place, you know? Or a more secure place, if you wish.
[01:07:56] So what did you make?
[01:07:56] One of the funniest bug bounty stories was that I found something in Entra ID. At that time it was Azure AD.
[01:08:06] And I reported that. And it took almost like two years before Microsoft said, okay, yes, this is an issue.
[01:08:13] And they fixed that by introducing a new setting.
[01:08:18] Wow.
[01:08:19] And then they said that it got fixed. And I said to them that, but you can change the setting back without like special permissions.
[01:08:31] They were like, oh dear. So here's another bounty.
[01:08:35] So I got two times 20,000.
[01:08:39] Wow.
[01:08:39] For one bounty.
[01:08:41] One way in the back. Yeah. That's cool.
[01:08:44] That's Microsoft for you, right? It's like, you know, listen, it's a drop in the bucket.
[01:08:51] Yeah. Yeah. I'm sure about that.