Venture into the intriguing intersection of fiction and cybersecurity with D. Greg Scott on 'Redefining CyberSecurity.' With compelling narratives mirroring real-world incidents, learn how thrilling storytelling can be a game-changer in understanding and implementing cybersecurity measures.
Guest: D. Greg Scott, Principal Technical Account Manager at Red Hat [@RedHat]
On Linkedin | https://www.linkedin.com/in/dgregscott/
On Twitter | https://twitter.com/DGregScott
Website | https://www.dgregscott.com/
____________________________
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
____________________________
This Episode’s Sponsors
Imperva | https://itspm.ag/imperva277117988
Devo | https://itspm.ag/itspdvweb
___________________________
Episode Notes
On this episode of 'Redefining CyberSecurity,' our host, Sean Martin, engages in an enlightening conversation with IT veteran and author, D. Greg Scott. Greg provides valuable insights from his journey in technology and cybersecurity, revealing how the seemingly innocuous act of not updating systems can lead to substantial financial damage. Using engaging stories that mirror real-world incidents, Greg delves into his novels 'Bullseye Breach' and 'Virus Bomb,' underlining the educational potential of the fiction genre in cybersecurity.
Together, they explore how these narratives can play a pivotal role in transforming perspectives about IT and cyber preparedness, emphasizing the urgent transition of viewing IT not only as an expense but a crucial business asset. The profound human and financial costs of failing to prioritize cybersecurity are brought to the fore, serving as a wake-up call for awareness and action. Greg also gives a sneak peek into his upcoming novel 'Trafficking You', yet another compelling narrative marrying the realms of technology and reader-engaging fiction.
Tune in for a unique blend of thrilling storytelling and critical cybersecurity learnings.
Key Insights:
___________________________
Watch this and other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
ITSPmagazine YouTube Channel:
📺 https://www.youtube.com/@itspmagazine
Be sure to share and subscribe!
___________________________
Resources
Bullseye Breach: Anatomy of an Electronic Break-In: https://www.dgregscott.com/bullseye-breach/
Trafficking U: https://www.dgregscott.com/trafficking-u/
___________________________
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] Hello everybody, you're very welcome to a new episode of Redefining Cybersecurity here on the ITSP Magazine Podcast Network. This is your host, Sean Martin, where I get to talk about all things cyber, uh, typically around how organizations can operationalize cyber security in their business, not just to, uh, to protect their assets, but perhaps even help them generate more, more, uh, more growth, um, which is not always an easy, easy feat.
Um, not everybody knows what those conversations look like, sound like, end up, uh, resulting in, in terms of programs. Um, What I found over the years is this goes back to some of my days in quality assurance that if you have a story that people can visualize, then Then perhaps they can take action because they can see where the story is going one way or the other [00:01:00] and their role in helping to guide it.
And sometimes those stories are technical in nature and other times they're a little more creative. And, uh, that's why I have my guest on today. Greg Scott. Thanks for joining.
D. Greg Scott: Thanks for having me, Sean.
Sean Martin: Pleasure to meet you. We connected on LinkedIn and I saw that you have a couple of books and I think another one in the works, if I'm not mistaken.
And then I was like. Let's talk about, uh, writing about cyber and, and, uh, and your books in particular. And, um, so we're going to get to those, but first I want to give you a moment to share a few words about yourself. I want to, and ultimately I want to, and maybe we start here actually, just kind of your, your, your entry into technology and your journey.
Sure. Into cybersecurity. Cause I think that'll kind of set the stage for us a bit.
D. Greg Scott: Sure. Um, technology and I, or we go way, way technology and I go way back, [00:02:00] like way back, you know, maybe the very first cybersecurity thing I did was before. Cyber security was even a word. And this is back in high school in the seventies.
And I, I had, I didn't make room. I didn't reflect light off the top of my head in my high school days. I had a whole lots of hair. And, um, we had a guy here and I, I live in Minnesota and we had a professor come in from the University of Wisconsin and River Falls, River Falls, Wisconsin. And we had We had our very own ASR 33 teletype, 110 characters per second.
And, and, uh, um, modem with an acoustic coupler. And just, you know, this goes back a few technology generations. And he came in and he was going to show us all the cool stuff. His, his CDC cyber computer could do at the university of Wisconsin. So we were all appropriately in awe and he dialed in and did his thing.
And a couple of us got together and we thought, you know, we want to, I want to see some of that [00:03:00] stuff for ourselves. So. We found a way to disconnect the phone line. So we had to dial in and log in again. And we watched over his shoulder as he tapped in the phone number on the phone. We watched him type in his password and we, we recorded that.
That's funny. Yeah, you'd go to jail for stuff like that today, but, um, we, um, so then he left, you know, he left and he did his demo and everybody was appropriately wildens out, he left and we dialed in ourselves and we logged in as him. And we just started exploring and we found. This whole humongous underground market where people bought and sold passwords as, as currency.
So you could, you could, you could leverage the password that you have and you can get other people's passwords and other people's credentials and leverage those credentials for others. We, we eventually leveraged our way into the A000 credentials for the, for the, for the Hewlett Packard HP 2000C computer that, that, that our school district.
shared. And so, and so we had, we had, we had high school kids all over [00:04:00] the twin cities doing this stuff and nobody, nobody knew about it. It was a whole big underground thing. And so, um, that was, we didn't break anything. We didn't damage anything. We went through lots and lots of paper printing, lots and lots of documentation, reading and studying.
And that's, that's the extent of, of, of the activity that we did. It was a big studying operation for us. But, Today's world that would have been frowned upon in that world. I don't think anybody realized what we were doing or the, or the potential consequences. So it's a whole different world today.
Sean Martin: It is a different world and things have changed. Uh, yeah. It's a fine, a fine, a fine line between. Yeah. Discovery and access and research.
D. Greg Scott: And yeah, we did it for the right reasons. Other people do it for the wrong reasons. Yeah. And, and, um, yeah, then, um, there was a time in like, um, a writer, November of 2000, one of the, I'm a, I've, I've been a gravel in the belly, do it yourself for, for like forever back in [00:05:00] college.
I, I. taught myself how to change oil in my car. I got oil all over myself. It took me half a day. I'm way better at it now than I was than I was back then. But one of the things I decided to do for myself was host my own D. N. S. At the time in 2000. So this is going back 20 some odd years. So I was I was an adult and didn't have a hair was gone.
And in in the late nineties and early two thousands people, you paid money. for someone to host your DNS and I could do it myself for free. Just learn how to do it. So I had my own DNS right here and in my basement. And one day my wife came in and she said, Greg, why is the internet so slow? What are you doing?
I don't know. I didn't feel slow. I went to looking and I was sending these 60, I was machine gunning the 65, 000 byte packets out to some IP address somewhere. And I didn't know where, just some IP address someplace. And I had some buddies at a company I knew called Mission Critical Linux. And I called them and they looked at it and they laughed at me.
They said, [00:06:00] Greg, you fell for the oldest trick in the book. And I had tried to log into my DNS server. And it didn't like my credentials. And then it sent me to a login prompt where I, in fact, log in. So I, I gave away my DI, my DI gave away my login credentials, my admin, my root login credentials to that server.
And not only did I do that, but somebody had, had, had exploited a known. bug with whatever version of bind I was using at the time. They got inside my name server and they did all kinds of stuff. And it turned out that I was attacking, that I was, I was part of a DDoS attack, distributed denial of service attack against the country of Brazil.
Now, I had 144 KB IDSL coming into here for internet service, so it's not like I, not like the country of Brazil cared about my, my volume hitting them, but that still scared me a lot. It made me mad too. Somebody got inside my stuff, inside my house and compromised [00:07:00] it and used me to attack somebody else.
And that, that just, I felt all the emotions. And, and then my buddies from Mission Critical Linux said, Greg, you got to call the FBI. Because if you don't call them and they see that you're doing this attack, they're going to come out here and they could arrest you for doing this stuff. And that, I was a lot more naive then than I am now.
That scared me. So I, in fact, called the FBI on a Tuesday. And I talked to a dispatcher. And the conversation was, was like as if I'd called from Mars and somehow spoke English. She didn't know what the internet was. This was 2000. So it's a long time ago. She didn't know what the internet was. And I finally had, and she said, do you know who did this to you?
And I said, no, well, how are we supposed to investigate if we don't know? And I said, well, it was over the internet. It could be somebody from next door. It could be somebody from around the world. You guys do have computer for exits people, don't you? He said, Oh, yes, we have great. I said, Great. I want to talk to one of them while they're all busy right now.
They can't talk to you. Okay, well, [00:08:00] when can they talk to me? Why don't you call back later in the day and then find out? So I got jerked around by the FBI. So I called back later that day. And nobody from that time knew that I'd called back the earlier time. They didn't know who I was and they totally blew me off.
So I wrote this magazine column for a magazine called Enterprise Linux, Greg's journey into learning Linux. That's, that's what it was. And so I wrote up that episode and how it happened. And the last sentence said, I really hope the FBI would be sharper than that. Three months past. Yeah, three months go by, the article goes live, it goes out to the world, now we're February 2001, and I get a phone call from somebody in the Minneapolis FBI office and they want to come out to my house and troubleshoot with me.
Yeah. Like I'm going to just leave everything, sit here just in case you guys decide three months later, you might want to call back. And so that, that, that was the inciting incident. That's, that's what made me care about cybersecurity right there. Cause somebody [00:09:00] penetrated me and made me mad and I decided no one was ever going to do that ever again.
And I've been mostly successful, not a hundred percent, but mostly successful.
Sean Martin: Yeah. And it's a. Not everybody's probably running their, even back then was running their own DNS, but
a lot of
people, a lot of people probably think I'm successful.
D. Greg Scott: Yeah. Yeah. I, I, I, I, I've taken on a whole lot more do it yourself or projects, even in the it world than most people would, would dream about.
So that, that part's true. That, that, that part's true.
Sean Martin: So you, so you recovered from that. I presume you just.
D. Greg Scott: Why
didn't I wipe it? I wiped my name. I get by. I grabbed all the configuration files, wiped my name servers, rebuilt them and put them back into production and learned a valuable lesson about keeping your stuff patched.
That might have been less than number one. When patches come out, find out when the patches come out and apply them. You don't just install and set it. Forget it. Keep the keep the [00:10:00] patches. Keep the patches running. It's amazing how many people out there still haven't learned that lesson.
Sean Martin: Yeah, individuals certainly.
Uh, and then companies, I think they, they get it. It's just, there are far too many to keep up with.
D. Greg Scott: Oh yeah, some do, some don't. This is going, this is probably 10 years ago, I did some work for a customer, for a small business customer, and it was a Windows server, and it needed, and it was Routine patches and one of the patches didn't want to go in right now.
Don't you hate that one when those patches don't go in and it's a patch Tuesday and there's a bazillion patches and one of them breaks. And so the whole thing just falls apart and you don't know which one breaks. And so you, you put it, you put in half and if that half works great, they're done. Now the other half is broken, put in the other half and you keep cutting by half.
It's kind of like a, it's kind of like a binary search, but it's with patches. So I, I did that trying to figure out which patch it was. And I probably poured about eight hours into it and I found the bad patch. The bad patch was because of a font. [00:11:00] There was a font, there was some font from somebody that broke this patch and that just made me crazy.
I fixed it, but then the customer, the customer got mad because it was hourly billing and I'd poured eight hours into getting this patch thing done and she couldn't, I couldn't, she couldn't, she didn't. Why, why am I spending all this money for you to do all this playing with computers? You're not, you're not making my business run any better.
The server is the same server as it was yesterday as it is today. I, I, I don't want to pay you for that anymore. I couldn't, I couldn't convince her that patching was important and why it was important and all the attackers out there. I, I just. Yeah. Couldn't do it. Yeah.
Sean Martin: Yeah. I'm in no way suggesting that, uh, that the majority of organizations get it.
There's no way that's possible.
D. Greg Scott: No, that's not true. They don't get it. And, but you know what? That's my failure. It's not their failure because they don't know any different. I didn't know any different way back in 2000, I got burned. They don't know any different. I've got to get better at [00:12:00] communicating.
That's why that's, that's why I write books.
Sean Martin: Yeah, let's and let's get into that. Because I, I think, um, yeah, so there's awareness and then there's doing it and then then there are problems you have to over overcome. I remember back in the day. Um, I was at, uh. I was working for EI and they would, the Tuesday of the patches, they would dig in and start testing them all.
And it would actually help companies figure out which patches were good to, to apply, which ones might need a little extra finesse. Um, and yeah, it was great to do that for a large group so that work could scale. Right. So you're eight hours. They spent those eight hours and helped many, many, many companies.
So it was pretty cool to be part of that in the early days. So stories to help people understand, I think that's where you're heading with, with your book. So what, tell us about, uh, how that all [00:13:00] came to fruition, which book started the whole thing off.
D. Greg Scott: Bullseye breach, this one right here, bullseye breach.
there. Bullseye breach. All the glow there. All right, right there. Bullseye breach. Anatomy of an electronic break in. So that's that's uh, oh, and I have to, I have to say I'm supposed to any resemblance to any, any characters. in the real world is purely coincidental. There's a, there's a sentence I'm supposed to say and I forget the exact words, but you might, you might come to the conclusion.
Sean Martin: Names have been changed hopefully to protect the innocent.
D. Greg Scott: Yeah. You might come to the conclusion that bullseye breach, the resemblance is not purely coincidental, but you'll, you'll decide that on your own. There's a, in, in bullseye breach, there's a, this, the, the. Big part of the story takes place during the Christmas holiday season in 2013, and there's a Minneapolis retailer named Bullseye Stores, and they lose [00:14:00] 40 million customer credit card numbers to overseas attackers.
In my fictional world, the attackers are from Russia. You may have read about similar attacks where attackers were from a different country, but that's, you know, there's real world and there's fiction. So in my fictional world, the attackers are from Russia and the Russians figure out a way to invade this store across the internet and they take advantage of a lot of people who are just.
Should know better who didn't who should know better but didn't bother and they they get inside this network and they pollute all of the point of sale systems with this software that that collects credit card numbers and then they then they offload it to these FTP sites around the U. S. And then they then from the FTP sites, they send it back to Russia.
And from there, they Sell the credit card numbers for, and make a, and theoretically make a lot of money. So how does somebody launch an attack like that? And I wanted to explore it. And so I wrote, I was going to write a cybersecurity how to book because I've accumulated a lot of know how in my head. And then the [00:15:00] more I looked, the more I found out the world is filled full of how to books.
There's some great how to books out there. And they have, they're crammed full of information that nobody reads. And when, well, when you go through like the CISSP curriculum, the books are like, they're like this thick and they're just as dry as can be. It's, it's, if you ever can't sleep, just get out a CISSP book.
Sean Martin: Exactly.
D. Greg Scott: Just sum through it. No offense to, uh, to Sean, of course. Oh, yeah. No offense to Sean. Sorry, Sean. It's not this Sean, the other
Sean Martin: SHO and Shon Harris.
D. Greg Scott: Oh, oh yeah, yeah, yeah, yeah, yeah, yeah, yeah, yeah, yeah. There's some great, there's some great writers and they're super important. Yeah. Yeah. And they're geniuses.
They, they, they, they produce great content, but you can't read it cover to cover it because it just puts you to sleep. And I, I'm not, there's no sense in me trying to reproduce that. It's already there. And I noticed that whenever any of [00:16:00] those books, there'd be little sidebars with personal snippets. Those would keep me awake, and I got to thinking, what if, what if, what if we tried some fiction?
What if we tried to use fiction to produce, to present truth better than the news? And so that's where, that's where Bullseye Breach came from. It was gonna be a little, it was gonna be a little snippet that would, that would, that would talk, that would, that would Compliment the how to content, but I never wrote the how to content.
I just did the book just did that turned into a novel and that that's how that's how it came about and it's it worked. It's a I think it's it's a pretty good story. If it's a pretty good story, you made a lot of personalities and the cyber security is every bit as much about psychology as it is about technology.
And you, you gotta, you gotta get a feel for the personalities and a feel for both, and a feel for why people make this, make decisions the way they make decisions. And a lot of times
Sean Martin: Talk to me a bit about that, because this is an interesting point. So I, [00:17:00] before we started recording, you noted that I had a little, it was a four part series, I think is the one you were referring to, that I wrote a little, a town got, uh.
Got ransomware and there are four different, three different stores and, and different stories for each one.
D. Greg Scott: Yeah. Yeah. Yeah. And how do they respond?
Sean Martin: And I'm a tech guy. I'm an ops guy. I'm a program guy. Everything looks like a project to me. And there's an A to Z and you have to figure out how to get there safely.
And And, uh, on budget and, uh, mitigate risk and then run through ambiguity. And that's all tech stuff in my head. So that's how I think. And as I was putting these together and I, that's why I want to get your perspective. I actually took a moment to figure out, okay, well, who, who are the people behind these companies?
And. What are their companies about? How do they run their company? How does that, how do those things relate? How do they engage with their customers? How does the society view them, which may [00:18:00] have an impact on how they do things as well?
So talk to me about the
D. Greg Scott: It all fits. It's all part of the same big puzzle, isn't it?
It all fits.
Sean Martin: So tell me about how you approach that.
D. Greg Scott: And, um, and this goes back from lots and lots and lots of firsthand experience with, with people and stories and stuff. And, um, so I, I invented these characters in bullseye breach that, that acted and thought the way that, that, that many of the customers that I'd met thought and acted, um, in one, one time, one, uh, one real world, real world story, real world story.
I sat in front of a small bank and I was pitching, let's do it. Let's do a, an audit. Let's just look at, look over your stuff and see how secure you are. You're a bank. You know, it would be good if you knew whether or not people were getting inside your account and your, your, your system and doing stuff.
And I talked to this bank vice president and he [00:19:00] looked at me and he said, well, you know, we've already done that, Greg. Would you like to see the results of the audit? It's like, that's like, duh, of course, what there's no, there's no answer to that question other than yes. So I said, yes, he said, well, let me go get it.
And he went and got it. And he brought me back to this Manila folder and I sat across the table from the desk from him. And I thumbed through the folder and look through it and look through it and look through it and look through it. I finally looked up and I said, you know, this is great. They did a great job evaluating your website.
Where's the part of this report where they talked about your network right here in the bank? I floored the guy. I floored him. I floored him. He sat back and he looked at me, said, and then he said, Greg, thanks for coming in. I appreciate your time. And let me just show you right out here to the door. Never talked to him ever again after that.
And you know, I, I laugh, but I should be crying for that. Yeah, I know it's willful ignorance. There's no other word for it. It's, it's like, I really want to, I just, I want to be stupid because it's technology and so [00:20:00] only smart people do technology and they wear white lab coats and stuff, and that's not me.
I don't do technology. I don't know anything. And so if I don't know anything, then it can't hurt me. And it's like, it's, it's, it's. You know, we've seen this psychology since before I was born and it plays out, it plays out in businesses across the world every single day. And that's why we keep getting penetrated and yeah, we want to laugh, but you also want to cry.
You're absolutely right. And what happened is a lot of these managers. They don't like technology. I talked to one guy at a trade show and I couldn't figure out. I had this trade show booth of all the cool IT stuff I could do and you see people flow like, you know, like water. They'd flow and they'd see my booth and they'd turn and they'd go across the other side of the aisle and like that and like that so they wouldn't have to get close and talk to me.
I finally had enough. I went out in the middle of the aisle and just stood there and I captured the next person that came by and said, what's wrong? Why do you hate my guts? What's wrong with my, what's wrong with [00:21:00] here? He said, I don't hate your guts. He said, I just, I don't hate you personally. I hate technology.
It's a necessary evil. I don't want to think about it. I don't want to have anything to do with it. It changes all the time. And it's just a rat race. I don't want to think about it. That was. That's the attitude of so many people. So IT is not an asset, it's an expense. And what do we do with expenses on our, on our, on our spreadsheets and stuff?
We minimize expenses. We don't maximize the value of our expenses because they're expenses. We maximize the value of our assets, if you want to speak business speak. But this stuff, it's, they're not assets, they're expenses. So we, we do the least we can do. To get to get done the stuff that we have to get done that we used to be able to do without any computers at all with pieces of paper and pencils and erasers and stuff.
Now we have to have all these expensive computers to do the same stuff. We've always done for the last 200 years. That's the attitude and we tell it until you change that attitude. Nothing else. Nothing good happens.
Sean Martin: [00:22:00] So who, who changes that? I mean, we might be off, off script a little bit. Not that there's ever a script in these conversations.
D. Greg Scott: who changes the attitude
Sean Martin: because I, I mean, well, I mean, you're, you're, you're deep in the, in the Linux world, right? You, you're I am now. Yeah. Yeah, yeah. You're, I mean, the, the stuff you're working on, you can share it if you like, but the stuff you're working on is probably everywhere. . I know it is everywhere.
Oh, yeah, yeah, yeah, yeah. And, um, so those. Those are assets. The people working on what you bring to market view their stuff as assets.
D. Greg Scott: Well, you'd think so. Like people who run these huge data centers. Ah, you'd think so. A lot of times, a lot of times in the big industrial computer business world, there's still expenses.
More zeros than in the small business world, a lot of times. That's true. A lot of times, not always, but a lot of times. That's true. Don't yeah, don't don't make don't make generalizations [00:23:00] based on scale because I've seen I've seen I've seen this. I've seen in depth small. I've got lots of small business stories and I've seen some of the big business stories now too.
And they, they They think similarly. And the big business side, there's a whole bunch of liability exposure and like boards of directors, if boards of directors, some have liability for some of these things that happen.
Sean Martin: What was the, the second book and what was
D. Greg Scott: the second book? The second book is virus bomb, virus bomb right here.
And the second book, that's where where culture on a bigger scale meets technology. So there's a, there's a bald headed it guy named Jerry Barkley. And Jerry Barkley is the main character in Bullseye Breach, too. They're both two novels from the same fictional world. They're independent novels. One reference, the Virus Bomb references Bullseye Breach, but it's a standalone book.
You don't, you don't need one to read the other. And Jerry finds, finds this cyber attack at a small marketing company, um, in the Twin [00:24:00] Cities. And that turns out to be related to another attack against a transportation company. And that turns out to be a, a tailored attack. Specific to that company and then he turns he learns that he learns through with help from an antivirus company He learns that this attack somebody somebody has has taken the member Stuxnet Somebody took the Stuxnet code that the stuff that attacked Iran the Iranians and messed up their nuclear centrifuges.
Somebody took that code And modified it to attack every transportation company in the U. S. And they did that to find out what stuff was shipping from where to where. So then the attackers used that, used that knowledge to take a shipment of industrial explosives and blow up a mine in northern Minnesota and murder 30 people.
Big deal. I mean, that's 30 people are dead, but that's not going to change the whole world or anything like that. But now they have, they [00:25:00] have these industrial explosives. that they can do stuff with because they, they only, they only used half of it to murder all those people. They have a whole bunch more.
So now what are they going to do with it? Well, they use that to launch another attack, but that attack is also a diversion against the real attack to catch, to, to, um, steal a virus sample from a Ebola that's plaguing the world at the, at that time, and then I use that to blame it on. on, on another player to try to induce, to try to persuade the U.
S. in the starting World War Three with the wrong people. And then if that, if that all works the way they want it to work, well, then millions of people will die and the U. S. will, the U. S. will get in big, big, big trouble. So Jerry Barkley sniffs all this out. Of course, nobody believes him because Jerry, Jerry's not any former government agent or anything.
He's just, he's just an IT contractor that lives in Minnesota and doesn't have any hair on top of his head. And so he calls the FBI and the FBI doesn't believe him. And, and the FBI dispatcher he talks to thinks Jerry is threatening to do all this bad stuff. [00:26:00] So the police come and arrest him and he spends a few hours in jail until they.
Figure out that he's not threatening. He's trying to warn by then it's almost too late. And then, and then we saved the world. That's a really good story. It's a really good story.
Sean Martin: Yeah, that's a good story. I think, uh, there's probably a lot in there that I mean, because it seems like maybe you gave away the ending, but, uh, no, I didn't give away the ending.
D. Greg Scott: Well, of course, of course, the good guy wins. The good guy wins and all, you know, there's a, there is, there is a, there's some humor behind that one too. I, um, I was, I was, well, I live here in the Twin Cities and we're right, I'm, I'm, I live 10 miles from the Mall of America and that's like the biggest shopping mall in the whole United States.
It still is. And, um, I was casing, casing, there's parking ramps underneath the hotel in front on the south side and on the north side, on the north side of the mall. And I was casing the parking lot [00:27:00] on the north side of the mall just for my own novel writing purposes. And I'm walking up and down the aisles and looking for security cameras in the ceiling and, and just trying to, trying to figure out what's what.
If I were going to park a van and blow stuff up, where would I park a van? And just, just looking over questions like that. Okay, it's novel research. If you're, if you're with, if you're with a government agency and you're monitoring my internet movements. But a couple things. First of all, everybody in your department is a professional and all the good looking professional people in your department, you need to buy copies of these two books for everyone in your department right away.
So I work in a commercial here. You need to buy and study these books because these are my manifestos to take over the world. But when you do novel research, you just get into weird stuff. So I'm casing the parking ramp. Back and forth. And this lady comes on, she says, can I help you? And I said, Oh, no, that's okay.
I'm just, I'm just, just, just walking around. [00:28:00] And then I made my huge mistake. I'll never make this mistake again. I said, we're going to blow this place up. And she, she got this looking like that. She backed up a few steps and I went, Oh crap. Wait, wait, wait. No, it's in a book. I'm not, I'm not really gonna, I just, it's in a book.
I'm a writer. It's in a book. That didn't, that didn't make her happy. She didn't want to write up and
Sean Martin: probably didn't ease her mind at all.
D. Greg Scott: No, I didn't, didn't bring her back. I, I finished casing the place and I, and I walked away really, really, really quick before the police came and took me away into a rubber room somewhere.
Sean Martin: So what, um, I presume you have some feedback from, from folks that, uh, I've read this, what, what do they say? Do they like, they like the stories? Is there, I know when, um, you know, when movies are made, a lot of people are quick, especially in our, our, uh. People are quick to say. Yeah, [00:29:00] but that's not really how it works.
D. Greg Scott: Oh, yeah, um, yeah, I've got blog posts about Hollywood hackers. I, I have, I have plenty to say about Hollywood hackers. And this is something I'm proud of. You will never see any fake Hollywood hackers seen in any book that I write. That, that's just, that ain't gonna happen, that's a promise. Cause I, I, I I don't like to see that.
That fake technology stuff doesn't do anybody any good. And it, and it fosters a whole bunch of attitudes out there that are just wrong about how technology works. If you want to find out about somebody, you don't just go hack into the DMV and click a couple buttons and find everything about your target.
It just, it just doesn't work that way. There was a, there was a, um, there was a thriller, I like to read thriller books, and there was a thriller novel planned. Author I won't name here because I'm gonna badmouth him and and he wrote and part of the story is His attacker [00:30:00] pulls into a parking ramp with an SUV and he's got and and then from from inside this SUV He gloms onto this hotel's wi fi And and somehow does that And then he finds the the thing that does video and he gloms onto that video And he records a little bit of it so that so that he can play the video back in a loop So he can have a secret meeting and no one can see that he has a secret meeting later He does that in about two hours time with no prior recon and no prior knowledge of what kind of a video system it has, and then the author manages to misuse the term access point in the whole story.
And, you know, the more I read that, the madder I got, because just, you know, do your homework. You're going to write technology books. Just do the basics of homework. There's plenty of people that will, that will tell it. That will answer the questions you want answered. Don't try to just make stuff up when you don't know what you're talking about because you just destroy your credibility.
So anyway, sorry, you got me way off on a tangent on that.
Sean Martin: Well, I
think, and I'm gonna, I'm gonna bring it [00:31:00] back. Full circle to, uh, what I think a lot of my listeners would care about, a lot of, a lot of my audience are practitioners and security leaders and executives that, uh, have peers that they're trying to convince that this stuff is important and, and how it not only, as I mentioned in the beginning, not just protects revenue, but maybe could help even generate, uh, value in the organization.
Um, yeah. A lot of those people don't understand it, right? And if, I guess the point is we, we need to be accurate, but we also need to have a good story and, and they, they both have to be good, right?
D. Greg Scott: I'll give you some stuff you can use both in fiction, from fiction and from the real world. So from fiction, from fiction, bullseye breach from fiction, the CEO of this company lost his job, so did the CIO, so did a whole bunch of managers.
And this company lost [00:32:00] millions of dollars in lawsuits and stuff that mirrors the real world when, when, um, when Opie, the office of personnel management, the, the, the, the U. S. government, H. R. agency and O. P. M. and Archuleta had to resign in disgrace because she let all she let the Chinese penetrate her agency.
And everybody who got security clearances. Now the Chinese know as much as everything that they fill out on their forums, the Chinese know about it. Imagine, imagine in the, now in the real world, in the real world, imagine that you fill out a bunch of, a bunch of, you put a bunch of information on your security clearance form.
And you send that to the government because the government's going to keep it safe, right? It's security, it's secret, but they don't keep it safe, the Chinese get to, get to it. And now you're helping a Christian organization distribute Bibles in communist China. How many people do you think will die because the Chinese know who you are and why you're there and what you're doing?
And they're not going to kill you because you're an American citizen and that's an act of [00:33:00] war and then, and we launched nuclear bombs and stuff like that. So they're not going to kill you, but they're going to kill everybody that you associate with. People die. People die because of this stuff. But forget that nobody loses money because people die.
So in the, in the retail world, retailers lose millions because of attacks like this. Home Depot, 2015, Home Depot lost 54 million credit card numbers to real attackers. Target lost 40 million credit card numbers to real attackers. They both lost millions to the, the consequences to Target. We're more secure, more severe than the consequences to Home Depot because Home Depot wasn't the first major one.
But the managers at Home Depot, when, when the people at the grassroots tried to warn the managers, the manager said, no, we sell hammers. We're not techno. We sell hammers. That's what we do. So they ignored it. And so that was, that was to their detriment that they ignored it. And then, um, and so then, and so then we make this make, make the stakes a little bit higher.
In [00:34:00] this world, if, if, if you don't think, if I can, if I can walk through the Mall of America, and I can walk up and down in case of parking ramp and figure out where to park a cargo van filled with electronics to blow the place up, if I can do that, what do you think people who, who are good at this kind of stuff can do?
I mean, come on, come on people. And then. cyber attacks. I've talked to so many people that that that just are just willfully ignorant about all the cyber attacks up. It's just all it is. It's just characters flying across the screen. It's characters and pictures on a computer screen. It doesn't mean anything, but it does.
It does mean stuff in my fictional world, my fictional world. 500 almost 600 people died when those hotels blew up, plus dozens of people died when the when the mines in northern Minnesota blew up and millions could have died because of World War three because some people figured out a way to take advantage of willful ignorance.
to pull that attack off. If you read this book, [00:35:00] this attack, this attack really could happen. I did, I did a lot of homework. It's not, that's not just, it's not just, it's not James Bond. It's just, this is real world kind of stuff and enjoy the fiction. Enjoy the fiction, use the education.
Sean Martin: Yep. I like that. Uh, like what you, what you say there at the end, enjoy the fiction.
Use the education. That's our whole, uh,
D. Greg Scott: That's how you change minds. That's how you change, that's how you change minds. Get them to read the fiction. And then they think, holy moly. This could really happen to me. This whole scenario makes sense. This could really happen. What are we going to do about this?
There you go. That's the
Sean Martin: reaction I want. A step at a time. Exactly. Yeah. Read it first. Take action. Yeah.
D. Greg Scott: Yeah. Um. If you work for a government agency and you're watching me, tell everybody that. And not because it's Greg's manifesto to take over the world, but because it's important fiction.
Sean Martin: Hopefully, hopefully people are [00:36:00] listening and uh, and thinking differently here.
Yeah. And Greg, I mean, your, your passion, uh, is super clear and, uh. Yeah, congratulations on those two books. I know you have a third one in the work, Trafficking You. Trafficking You,
D. Greg Scott: yeah, yeah. I'll give you a second. Yeah, I'll give you 10 seconds on that one. That one's searching for a publishing solution.
I'm, I'm, well, we'll see. I'm, I'm, I'm, I'm. Well, another day goes by, so I'm closer to finding a solution than I was a day before. But, um, and Trafficking You. Jerry Barkley is not the main character in Trafficking You. It's still in the same, it's in the same fictional world. Jesse Johnson is a, is a principal fraud analyst with a major bank in Minneapolis.
And, um, she, she runs into a young Native American And somebody who, a Native American who's a sex trafficking victim. And so, um, Jesse goes through a lot of trouble to try to rescue [00:37:00] Leilani, my, my, my victim, and she pays for it with her career, almost pays for it with her life. And then she finds out a whole lot of stuff about this, about this.
Trafficking industry that, that nobody, that nobody's aware of. Nobody really knew, knew, knew about. And it turns out in the real world, in the real world trafficking, most of it happens over the internet. There's a huge technology angle around this. You can't, you can't trust anybody who says you, we've heard all this about trust before with social media and things like that, but I wanted to.
I wanted to write a book about how the consequences of that work in the in the in the C. I. S. S. P. Ivory Tower. We care about the confidentiality, integrity and availability of data. You know, the C. I. A. Triad. That's your memory aid C. I. A. Okay, and we spend a lot of time on confidentiality. That's where data breaches and ransomware and that kind of stuff comes in business operations.
That's where that comes in. We need to [00:38:00] spend more time on integrity. In the social media world, we violate the integrity of messages all the time because anybody can impersonate anybody. You don't need an ID to sign up for a Facebook account. You just make an account and you can be anybody you want to be and get a fake picture from somebody and there you are.
There's your profile. You're, we're violating the integrity of messaging there. That's how it, that's, that's the, that's the framework around how it fits with the cybersecurity world. We need to pay more attention to that and we don't. And so there's that hypothetic, there's that. Hypothetical ivory tower framework and there's gut wrenching consequences in the real world for how that stuff happens I've got and I made a video about that if I were if I were an attacker if I were an online predator How would I do it?
And the way I would do it is the same I probe wide and then when I find a potential probe deep Does that sound familiar? And so I, and I, so I spent, I spent about five minutes looking at Facebook profiles and I [00:39:00] found one from somebody who appeared to be vulnerable. And then I hypothesized for how I would, how I would probe deep into that, into that person's profile to, to launch an attack.
And I've, I've got a video of, I made a video about it. It's the creepiest video I'll ever make ever. It's the creepiest video ever made. Hopefully the creepiest video I will ever make. Yeah. Yeah.
Sean Martin: And that's, uh, it's a, it's a shitty topic. Um, and, and, uh, a very, very, very sad reality. I've been, there's a conference in Ireland called, uh, Iris Con, and they often have folks in from Interpol.
And, uh, I was there one year where they talked about this and the use of technology to enable it's an industry, right? I mean, it's what it is and it is. And, uh, it's just messed up.
D. Greg Scott: Yeah, it is there. And here in Minneapolis, right here in the Twin Cities, [00:40:00] going back a few years. Um, I think it was 18 young men.
Young men, um, became victims of online persuasion and flew to Syria. Some flew to Syria, some flew to Somalia, and they, some joined ISIS. Some joined terrorist organizations to fight against the U S because they, because. Somebody persuaded them over social media that they could get involved in something bigger than themselves.
And there's a book, a nonfiction book called In the Skin of a Jihadist by Anna Arell. That's not her real name. And she impersonated a vulnerable young woman in France. And she got, and, and she regularly, um, traded video, like real time video, like what you and I are doing right now. She drew real time video with, with some ISIS kingpin.
And that got really, really, really hairy. That novel, that, you just, it's not a novel, sorry, that, that story [00:41:00] just, um, it, it, it, I couldn't put it down. I couldn't put it down. It's, and now Anna Arell, that's, she can't use her real name anymore because, Real, really, really, really bad terrorists are after her.
And she lives in France. She's a lot closer to them than we are here in the U S. So, yeah, this, this stuff, this stuff is really real and it's got real consequences that, that we need to consider a lot more than we have.
Sean Martin: WEll, Greg, it's been, uh, it's been great chatting with you and, uh, Congrats on the two books and uh, best wishes that the uh, the days don't take too much longer and you get your third one out.
D. Greg Scott: Yeah, thanks for having me. Oh yeah, website plug www. dgregscott. com. D as in Daniel. Dgregscott. com. And that's, find out, I've got tons of content there. Help yourself. Yep, love it. And leave, leave comments too so that, you know, I, I enjoy the dialogue.
Sean Martin: Perfect. All right, [00:42:00] Greg. Well, thanks very much. We'll put that link in the show notes as well.
So everybody can grab it from there. All right, cool. And, uh, speaking of everybody grabbing stuff from the show notes, uh, I want to thank you all for listening and watching, uh, today's episode. Hopefully it's, uh, it's made you think a bit. And I think a lot of, a lot of the audience here. Kind of already get the importance.
Um, I think the takeaway I would, I would encourage you to, to embrace is how storytelling can help you achieve what you're really trying to achieve in this role. I mean, we all, we all care about the same thing, which is helping, helping customers be safe, helping society be safe, stories, stories help with that.
So thanks. Uh, thanks again, Greg. Thanks everybody. Uh, be sure to subscribe and share and, uh, we'll see you all on the next one.