
Interview with Lance James

BSides NYC · 4,873 views · Published 2024-01
About this talk
Preeti Ravindra interviewed Lance James at the BSidesNYC 0x03 conference.
Guest: https://www.linkedin.com/in/unit221b/
Interviewer: https://www.linkedin.com/in/preeti-ravindra/
Conference: https://www.bsidesnyc.org/
Organizer: https://www.linkedin.com/in/jhbarbee/

Transcript (en)

Hi Lance, thank you so much for joining me today and chatting with me. Firstly, you had a great keynote today at BSides NYC, so thank you so much for that. In your keynote you spoke about disruptive thinking. Can you quickly give us a brief summary of what it is that you're trying to convey to the cybersecurity community with your disruptive thinking ideology?

Sure, and thanks for having me. It's exciting to be back, to see BSides NYC come back on the game. So let's start with the observations that I've had being in the industry for a while. I never liked the feeling of being bored by something when I know that we all were originally super excited about something. I've personally been in this community for at least 25 years, I wouldn't say the industry but the community for sure, and what brings me to conferences is the excitement to get together with others and share things that they've learned for the year, see your old friends but also new people, and we can talk about these hacks or these cool things, whether it's defensive or oper... we're all trying to solve these problems and share this information. And to me life is about I/O, right? It's literally: we like to learn, we like to share, we like to learn, we like to share.

Right, I totally resonate with that.

Right, and that's when we're happiest. We're in the psychology of flow, we lose a sense of time; that is truly, psychologically, when people are happiest. And we're following our light, we're following this need to solve these problems. We're all kind of scientists, right? We may not do it in the academic science way, but we're all a bunch of scientists just trying to take it to the next level, figure something out, and it's great. So anyway, the point being is that when I've seen how our industry has become... and we all have to have jobs, so I'm not saying "industry, you failed us," right? It's just the nature of the beast, and I think accepting the nature of the beast is one piece, but then saying what can I do that would change it, at least a few times a year, where we change something. Because if you plant a seed... and that's the idea. I just wanted to plant a seed of a methodology of getting back to our hacker roots inside the work, and disrupting and innovating, instead of being a person that's defending the networks and going "we've got five major things to worry about this year." Well, you could worry about them, or you could solve one of them.

I completely agree. Sometimes I also notice that we tend to put adversaries on a pedestal, but you're right, it's good to at least think about what we can control and try to solve at least one of those problems.

Correct, and that's a great point you bring up. Yeah, and it's an emotional issue, right? We've been a little bit operant-conditioned to meet a certain expectation in work and things like this. But I go back, and I know Steve Jobs is not perfect as a human being, but he added, like that whole ad he did, the misfits and this and that and all this stuff. I mean, it just goes back to what happened to that, like "the ones who are crazy enough do change the world." That thing there is a crazy focus that we have. We all have ADHD or something similar, we all have a hyperfocus. There's these commonalities that I think the hacker community has: this drive, this thirst for knowledge, and then thirst for creativity and curiosity, and then persistence to never let it go until you figure out that problem. And then we might have a phase, go "okay, alright, let's go on that." That's how we get our dopamine, and it's so important, you know.

So yeah, I hear it loud and clear from you that you really like to have those kinds of innovations where you're creating a paradigm shift. There are incremental innovations and then there are innovations that kind of shift, and you believe that the disruptive mindset can definitely help towards that paradigm innovation.

Yeah, I'll give a good example. So I'm a definite true-blue hacker, and what I mean by that is I'll get into a mode or a phase and I'm like, oh, let me hack this, during COVID, because I want to learn AI or something, and I'll start messing with models and just tinkering for like eight months. Then after I've done it I'm bored, but what I'll do is write something on it, share it with other people, and go farther with this. I've always been a phase person where I'm like, okay, Zeus malware, okay, let me tinker with that and learn everything about this new type of thing, and then that opens the door for everybody else to go, there's more malware like this, and here's some techniques they use to analyze this. And it's really that I learned this stuff, and now let me tell you what I learned, and then that influences or inspires or plants a seed or a pebble to literally start rippling through, and then people are going, well, it's not that bad, it doesn't take this super-genius thing, it just takes some time and work and a little bit of hyperfocus, and you catching something that you care about, right? There's this myth in the hacker community that you've got to be some whiz kid, and that's not really true. It's a field, and if you're persistent and you want to do mastery, you just need to put a lot of time into the field, do you know what I mean?

So yeah, that's an interesting point. So I think you truly represent the research phase, and then you also talked a bit about planting the idea, or doing the inception if you may call it, and letting others run wild with the idea. What would you like to see people do with some of the ideas that security researchers put out? What do you think would be some good intermediate effort and the last-mile effort to materialize some of this research?

Well, so we almost have... I don't want to sound like conspiracy stuff, but when big business gets involved, I don't think it's of mal intent, but there are people who like money, because money keeps research going, but sometimes also solving the problem stops the research money coming in, right? And that's a conscious thing. That's not some conspiracy, that's just more like it is sometimes better to keep having research funded, incentive-wise, than solving a problem. And there are many problems that could have been solved a long time ago in our industry. For instance passwordless, PKI, or public key encryption, things like this, have been around since the 70s, right? We are still wrestling with that and trying to get everybody to adopt PH2 and go to no passwords and all this stuff, and we're finally getting there.

Yeah, we're definitely making a lot of progress.

Look at the academics, they're always 20 years ahead, right? You want to look at where... let's start with where do you find innovation ideas. If you go to academia in the 90s you will see Bitcoin talked about before it was Bitcoin, by David Chaum and a few other people, like Hashcash and all these different systems that weren't scalable yet, but these great theories were already there. And then 20 years later we tend to get scale, and Moore's law, and we finally get to this place where we can do it. So the secret, if you get bored and go "what do I want to innovate?", is you might want to start looking at some of these academic papers. And then essentially, to answer your question of what we can change now: today I did a methodology, a tabletop methodology, and here's one example of disruptive thinking. I looked at it and did the how and why, and I looked at every step and said, is there something in each step that I could exploit for this? And the cool thing is, in security you're really good at seeing patterns of vulnerabilities, or patterns of intuition, that say "would the software do this if I worked it this way?" That's the entire magic of hacker intuition, right? And so you have this structural patterns thing with this intuitive "if I were them"... it's like empathy, you're sitting in that shoe and going, well, would this work? And a ransomware vaccine or something like that, if AI can suggest that, so that we can start thinking about that too, because it means there's something going on there. But let's just... I want to see, for the middle path, us take one of these four to five or ten top tens that we've had, exactly the same for the last ten years, and solve one. And that's really what I want us to do. Why do we stay so stagnant in our belief that it has to be devices that solve this, versus my security team could do a hackathon for a couple of weeks? And if you let them have that time, it's money better spent in the company as an investment, because they actually will be accessing more of the creative side of their brain, and I think that's going to, one, give them more joy, it'll create retention in that sense, but two, you might actually solve a problem.

Okay, yeah. So what I'm hearing is definitely look into some research, and think about how to scale, start thinking about that early, and also invest more in your research team so that they can be more creative, and give them more time and space to do that. I think those are great tips. The other thing that I wanted to ask you today was, there are so many security conferences out there, what brought you to BSides NYC specifically?

There's two things. I was notified by H about it, because he was like, you want to speak and stuff, and so obviously it got to my attention because I got the early notice that it was coming back. I'm a big fan of BSides, I think that's where the real discussions are. New York City is kind of historically where hackers, like 9x and all the freaks and Emmanuel Goldstein and the 2600s and all that stuff, came out of, right? BSides to me, I've done the Minnesota one, I've done I think a Vegas one, I've done different spots, Atlanta. New York City, one of the biggest cities in America in the sense of how many people are here. I've been dying to meet some of the... we've been stuck at COVID in the house for four years, like, this is like, oh my gosh, I can finally hang out, I can meet a lot of great people in New York that have the same interest. And I am also trying to make a New Year's resolution of not being a hermit and getting back out again, because your COVID brain kind of got used to staying inside. Secondly, this is kind of where it all starts, right? These kinds of conferences, this volunteer work, where... it's at John Jay, it's great for students, and as you know I like the I/O, so there's a teaching element to getting that. And we talk about all these cybersecurity economy problems, "oh, it's hard to hire good people," and I'm like, you have to open doors. One of the biggest problems: boot camps, you pay all that money and then they can't get a career, and they've got a whole year of going, "well, we need you to have a year of experience," well, it's a catch-22, blah blah blah. Conferences like this, we can change that, because there might be someone here that can go, actually, let me open that door for you. And I'm doing that for a few people here, and I'm like, let me open the door for you. And that's the thing, once you get to meet these people it's better than an interview, it's better than a process, and you get to do sharing of information, you get to go back and forth and talk about some cool stuff. And to me, the ToorCons, the BSides, the real-deal volunteer, metro-area-type, specific-to-their-area cons are where it's really the best, because you are back to your natural state.

Amazing. So it looks like you're going to be doing more inception and planting more of those seeds to a lot of younger folks as well, so thank you so much for that. And now on to the fun segment. Before we started this conversation I had asked you to prompt ChatGPT with one of your favorite questions, and your prompt was: if you were an inventor in cybersecurity, how would you put an end to the ransomware problem? Do you want to look at ChatGPT's response and tell us what you think of it?

Well, of course. It says "As an AI language model," because they changed their moderation, which annoys me, "I don't have personal opinions or emotions." Okay, skipping that part. And then it explains ransomware: "it's a type of malicious software," because it's trying to be like all that. "One way to prevent attacks is to ensure that all software and systems are up to date with the latest security patches and updates." Okay, that's nice and idealistic. That's the "should or could have" we talked about earlier, right?

Yeah, and this is something that is actually fairly common and available in most literature around, so I think it's spouting that. I think it's just taking from what already is out there, so I'm not sure a large language model is that great at invention.

Correct. The creative aspects are, perhaps. Yeah, the creative. So this is going to be, like if I want a report on telling a customer the standard ways of preventing it. "Detection methods like intrusion detection, threat hunting." It can obviously do that, still reactive in some aspects, but still, I get it. I do agree with her though, threat hunting is good. "Response strategies include technical and non-technical, such as response plans," true, "legal action against perpetrators," very true, and I'm a big supporter of that, "and communication with affected stakeholders. As an inventor in cybersecurity I would focus on developing new technology and techniques to improve prevention, detection and response." That sounds very generous.

It's very generic.

Yeah. It says "ultimately, putting an end to the ransomware problem will require coordinated effort from governments, businesses, individuals and priors." That's true, because I do think there's vendors out there that probably have solved this problem, but it's customer acquisition cost. They've got to go into the diluted market and try to sell the thing. It might be some small company that says this and that, and the problem with it is that everybody has to agree that this solved the problem, and they all have to adopt this and get on board to solve the problem. Otherwise they're just like, "I use this solution," "would you use this solution?", "I use this solution," "you use this solution," and I'm like, well, that's probably what we need, a homogeneous, one thing. And the problem is we're in a competitive society and a capitalist industry, and so everybody's fighting to get that "I did it, I solved it." Well, maybe all of you did, actually, but maybe you all should just become one research environment and say, here's the answer, and make it better, perhaps.

And make it better.

Yeah. So we have to get a little bit more collective. In my opinion this is generic, but it's not wrong, but we need to get more collective, and truly that last part is harder to do for a lot of people.

Great, thanks for that overview of what you thought of the answer, and thank you so much for being here and chatting with me. So for anybody who's watching this video, you know who's going to open the doors for you, feel free to reach out. I'm making that pitch on behalf of you. But thank you so much, it was really nice talking to you.

And same here, thank you.