Cyber Distortion

Kevin Pentecost and Jason Poppillon, hosts of the Cyber Distortion podcast, stop by BarCode to share their experiences and insights in the field of cybersecurity. We discuss topics such as ransomware, social engineering, and the CISSP. Their podcast combines technical expertise with a fun and engaging approach, making it accessible to both technical and non-technical audiences. They also highlight the importance of networking and building relationships in the cybersecurity industry.

TIMESTAMPS
0:00: Introductions and cybersecurity importance
0:05: Hosts’ backgrounds
0:07: Ransomware attack experience
0:09: Lessons learned
0:11: Preparedness
0:15: How hosts met
0:24: CDP – Goals and approach
0:29: Content delivery balancing
0:31: Episode output
0:34: Memorable guests
0:42: Production workflow
0:47: Process improvements
0:50: Future topics
0:55: CDP future plans
1:08: Where to connect with CDP

SYMLINKS
CDP – YOUTUBE
Kevin – Linkedin
Jason – Linkedin

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.

Chris: Kevin Pentecost and Jason Poppillon are two very experienced CISSP, card carrying cybersecurity pros with a deep understanding of today’s threat landscape. They’re skilled in identifying and mitigating potential risks, both in personal and enterprise level scenarios.

Chris: With many years of combined experience in technology and cybersecurity, they have seen the landscape evolve and mature, giving them valuable insights into the best practices and methodologies. United, they formed the Cyber Distortion Podcast, which they describe as their own way of paying back an industry that has been so amazing to them over the past couple of decades. They believe that as cybersecurity experts, we all play a critical role in protecting businesses and individuals from cyber threats.

Chris: Those who work in the industry have a satisfaction of knowing that their work directly impacts the safety and security of others. In front of me, I have a fittingly named drink that will accompany me in this conversation. It’s called the crooked tree. To make it, take a cocktail shaker, fill it with ice, add 2oz of your favorite bourbon, three quarters ounce freshly squeezed lemon juice, and three quarters ounce of honey syrup.

Chris: Shake it, and then fine strain it into an ice filled glass. Just as the crooked Tree grows distorted and bent, this drink will have us looking at the world from an askew perspective and to guide us through the twists and turns of distractions in cybersecurity. I welcome Kevin and Jason of the Cyber Distortion podcast. Thanks for stopping by, Barcode. So to begin this conversation, I’d love to hear how you both entered cybersecurity.

Chris: What led you down this path? All right.

Kevin: Yeah. Well, I’ll give you the Reader’s Digest. It’s basically, I was in graphic design, doing 3D animation and 2D animation for a company in Hearst, Texas called Flight Safety. We did training for pilots. We built pilot training programs, and several of the other animators wanted to get into it as soon as we realized what some of our It guys were making. And we’re like, Dude, we got to get in on some of that. So they said, let’s go to this MCSE Boot camp, right?

Kevin: I had never once in my life thought about getting into it at this point in my life because I’m very creative minded. I’m a right brain thinker, for sure. So I said, sure, if you guys do it, I’ll do it. There was five of us, so we did that. We paid for the boot camp. We started going by week two. Two had dropped out. I’m not a quitter, so I’m like, I’m seeing this shit through. That’s why I was so hesitant to do it in the first place, because I knew some of these guys might flake on me. Well, sure enough, two weeks, two down.

Kevin: Well, we get to the last week of the boot camp. It’s just me and one other guy, and we both finished the boot camp, and to this day, I’m the only one in it. He went on to be a custom home builder. Great guy. I still talk to him all the time. I still talk to a lot of these guys. But he went on to build custom homes. I landed in It, and the rest is history. I just decided, man. Hey, MCSE. I’m hearing that everybody that gets the MCSE starts at 50K.

Kevin: That sounded like a fortune back then to me. Right. So we finished it up and landed my first job in It back in 99.

Chris: Nice. Sammy R started oh, yeah, 99. Yeah, 99. And once you got the MCSE, I mean, that’s the point of no return then.

Kevin: Yeah.

Chris: Places were hiring with that certification. I mean, that was one of these certs to have.

Kevin: The amazing thing about it is I got hired only three exams in. I wasn’t even a full MCSE. I found out through a friend of mine that his company was hiring It folks. They were about to roll out this huge Citrix rollout, and he asked me if I’d be interested, and I said, Well, I don’t even have an MCSE, man, and I have no experience. He goes, that won’t matter. All they care about is the fact that you’re getting an MCSE.

Kevin: I said.

Jason: All right.

Kevin: Cool. So they threw some carrots in front of me to make sure I finished my exams, and each exam paid a little bit more on my base salary. So we kind of worked it that way. In the end, it worked out. Been there for 24 years.

Chris: Nice. Jason, did you have a similar path into security?

Jason: Absolutely not, dude. So I was serving as the CTO of my organization, and I was probably on year probably on year twelve or so of a 17 year stint. And it was about the time, if you’re in technology, you needed to start paying attention to what was happening in cybersecurity. The lack thereof meant that something was going to happen and you wasn’t going to be prepared for it. So I’ve always kind of been forward thinking and looking for those opportunities of the next thing I need to be aware of.

Jason: And Kevin and I have had a relationship long before then. Right. And so Kevin had been talking to me about all this stuff, and he’s like, Dude, if you really want to know how it’s going down, you need to start attending these black hat defcon sessions with me. And I’m like, Kevin, man, I don’t have time for that. No, man, I’m serious, dude, you really need to come to this. So the first year he did that, I’m like, Whatever, man. I can’t do that.

Jason: Whatever. He kept hounding me. Second year, he hounded on me, and I was fine. Fine. I’ll go. So I showed up and I was like, wow, dude. I mean, like, yeah, this is it, dude. I’m glad you really got me going in this. I really need to get I learned so much, and I need to stay on top of this. This is exactly what I needed. So it just kind of catapulted me into being deep into it and wanting to know more and understand it and know how I can protect the organization better and all this stuff. And so from that time until about two years later, I was heavy into putting cybersecurity programs within our organization.

Jason: But I didn’t do any certs yet. I wasn’t official, right? I was a CTO, but I didn’t need to be official because I was a CTO, right? But it got to a point where we were doing a lot of things right. Like, everybody, you can do a lot of things right, but you can still be vulnerable. And we had an incident occur, and it was a ransomware incident. It happened to be a perfect storm of things happening at that time. In Iowa, we hold that year, we held the Democratic National Convention in December, and it was a hotbed, generally speaking, in cybersecurity for attacks. So when you have a common event like that, it becomes an even hotter bed for those types of attacks.

Jason: Downtown Des Moines was where all of these things were happening, these conventions were happening. So we were targeted without knowing we were targeted. And it just happened to be the perfect storm at the same time. One of those days during that week, we were rolling out a new instance of cloud resource, and it didn’t get properly locked down. Timely. Timely is the key, right? It got locked down. Just not timely.

Jason: And in that time frame, hackers had just been probing. And the forensics team that we had, the third party forensics team that we had that did the analysis afterwards said, it appears that it was just you being in the wrong place at the wrong time. Like they were at your front gate waiting and looking for something to happen. And it just happened to be that’s when you did that and they were at the front gate, and so they found a way in.

Jason: So needless to say, that changed my life. Because it was four days of extremely horrible hell and I can’t even describe it how bad it was other than to use those words. Because if there’s ever a time when you’re thinking about being defeated in the worst way, that an incident like that, that’s ransomware that can make or break not only the company but the industry you serve as a result of you, that is a huge amount of pressure. Right?

Jason: And I could tell you, I vividly remember a turning point in those four days that we were down. There was a turning point in which I was at the data center executing on our plan as always. And we had a plan. A plan was fine. It was just that we needed a plan of a plan of a plan because everything worked together fine in the first part of that plan. But there was some misfortune in the second part and a little bit more misfortune in the third part in getting it exactly executed like we should.

Jason: And so we had to constantly brainstorm and think about alternative ways on the fly. And there was a moment in there where I sat there and contemplated and knew I was doing everything I could, but I was going to have to beat this. I was going to have to beat it because I wasn’t paying no damn ransom and I wasn’t being subject to someone else creating misfortune for a lot of people. I’m not wearing that weight.

Jason: I’m going to win at it. And so we buckled down. The ideas came, we pulled it off, came back around, and that catapulted me to going after my CISSP. After that, I’m like, I need to be an expert. I need to know it all. I need to know what I don’t know and how I could have done better. Because if it happens to me and I’m an expert, that’s fine. There’s nothing I could do about it. But I know there’s more I could be doing.

Jason: So I need to go after that CISSP. And so I did that.

Kevin: Yeah.

Chris: So what did you take away from that experience that you still carry with you to this day? What do you feel from that experience, helped you progress in your think?

Jason: You know, man, there’s a lot of learnings from mean, I think at the very basic, at the very beginning, the basics of that learning is the people you surround yourself with. You know, in a moment like that, even if you had any doubts prior, you will know if you have the right people and if you’ve been doing the right things prior to the incident happening based on how those people perform. And they all performed way above expectations.

Jason: They all carried each other through that incident, the whole entire company did. Even people you wouldn’t even think of were finding ways to carry the company in that incident. And that was a great awakening and takeaway for me. The second one is and I’ve practiced this nonstop ever since. You can’t ever practice enough. You can’t ever be prepared enough. When you think you are, you need to be preparing more.

Jason: So what I instituted from that moment on was monthly. Not quarterly, not annually, monthly tabletop exercises that were unique every month. And they were designed to just practice, practice how you’re going to play. And that when an incident like this occurs so that you’re prepared and everyone knows what they’re doing. I think that was an extreme takeaway. And the third one that I would say is one that’s overlooked by many, many people. I mean, I could keep going on and on.

Jason: But this one’s important is I don’t think enough people test their backups however their backups are designed or however the backup strategies are set up. I don’t think enough people test their backups adequately enough. And so, you know you have them, but do you really have them? I mean, are they really going to work when you need them? You don’t know unless you test them, right? And that was one of our setbacks. We hadn’t had a practice around testing our backups regularly. We knew we had backups, we had them all there.

Jason: But when we went to utilize these backups, some of them were corrupt, some of them didn’t execute the way we needed them to execute. So we had to continue to do workarounds. So subsequently, I had also decided as a result of this incident, I decided that it’s not good enough for me to just know that I also needed to educate as many people as possible. I need to be out there helping people understand how to get themselves better. And so I started doing sock two, type one, type two security audits from a technical perspective for organizations all over the country.

Jason: And so I would come in with the AICPA auditors and help bridge the complexities between the technical speak and the auditor speak. When an auditor was asking for something and the technical people was like, yeah, we do that. It’s right here. And they give them something, the auditors would go back and be like, well, they gave us this, and I’m going to be like, yeah, they gave you the check mark that said they do it.

Jason: But do they really do it? Let’s go back and find out. And I could dive deeper into it. But the positive part to that was the reason why I was doing that was not to catch them in mistakes, but was to help them know where their vulnerabilities are, what they needed to do to improve so that they don’t get caught like we did and have to struggle through all of that thinking that they were good. It helps everybody out by doing that work. And so I did that for about five years and loved it. Learned a lot. Learned a lot about different technologies, how people implement different technologies and different ways that you should think like a hacker to try to get into some of these implementations of technology.

Chris: So then talk to me about where your two paths met. Like, how did you initially meet up and then sort of establish a friendship after that? Oh, gosh, you would define yourselves as friends. Go at it.

Kevin: There’s so many ways you can define Jason. Let’s just go ahead and stay with friends for Jason. Jason and I have probably both told this story a dozen times. So we met in our industry and we found ourselves attending a lot of conferences and a lot of industry related events to where we were raising our hands to ask questions or getting involved and trying to come up with solutions for certain industry related challenges.

Kevin: We were sitting on committees that were building standards for certain types of data sets that we were selling and having to manage for our online catalogs and things like that. So we were always involved in these projects related to the councils and the committees that we would sit on. But this started probably gosh, what, Jason, about 2006? Seven, somewhere in there, 2005 even maybe five or six.

Jason: Yeah.

Kevin: So that’s really the main thing. We got to know each other through that. But then later on, my company became a customer of his company and started leveraging their services. Because in our industry, there’s a lot of smaller businesses that just don’t have internal It teams, that don’t have the skill sets to manage certain types of data transfers back and forth to each other. And that’s what Jason’s company service provided for larger suppliers in the industry, like our company.

Kevin: And so that’s how we became customers of theirs. And then through that we became friends and collaborated at the networking events. Jason was always the guy, like, when I’d get there, I’d go looking for Jason because I knew at the end of the conference there was the social events and we were going to go blow that stuff up, man. That was going to be the fun part of the conference. So that’s kind of how we became buddies.

Kevin: We just kind of became networking and social networking buddies after the events. And we were kind of known for that.

Chris: Jason knew the bar that you needed to go to.

Kevin: Well, I don’t think that’s not true. I think in a lot of cases we would repeat certain cities that we were, so because we were on these committees for so long. So if we knew, okay, we’re going to be back in Huntington Beach next week, we knew right where to go, right? Because we were usually in the same hotels, we just could go see some of the same cool hotspots. So that was cool about it, too.

Jason: So I think part of it with that too, is when you’re on committees like this, where you’re working to set standards for an industry, all of this is legit, what I’m going to tell you, but part of it is truly from the heart, and it’s not BS. My practice is more along the line. How I like to operate is I like to operate by understanding the people I’m working with. Because if I understand the people I’m working with, then when we get into those hard conversations, it’s easier for us to navigate those hard conversations.

Jason: So I have to meet people where they are. And so, like for Kevin, let’s make no mistake about it, I exert myself in these meetings, right? If I know something is solid, that I’m talking about, then I’m going to exert myself. If I don’t know, then I’m just going to sit back and listen and let people guide me to where it should be. And so Kevin would reach out to me. He’s like, yeah, dude, I think I like what you’re talking about. I really like that stuff.

Jason: We need to talk more about this kind of stuff. And so we just started talking on the side around how do we help promote the industry to do better. And that’s kind of where we connected at first. And then as we continue to do this over the years, how our industry operates is very relational. So once you build relationships, more people want to be put into your orbit and be a part of that. And so that was important for us. So part of building relationships at these conferences is outside of the meetings, also being able to meet people where they are and have fun and talk about things other than work.

Jason: Because then when you go back and sit at the table and have to have the hard conversations, people are more willing to compromise when they need to or at least have a better conversation. And so that was kind of the cycle that we went through and to the point that when we were finally done, after however many years of doing this stuff, people knew how we operated and they respected that of us.

Chris: Yeah, I love that, and I completely agree, and I’ve said it before, that the magic happens outside of those four conference walls.

Kevin: Totally.

Chris: And I’m happy to see that you believe in that same mantra.

Kevin: Yeah, that’s definitely true. I feel like even when we go to places, to the events like Black Hat, now, it’s cybersecurity focused, but we’re still going to the same types of events, just different product world. It’s a different industry, it’s a different group of people, but the end game is the same. You can sit in there and listen to the talks and that’s great. You take a lot away from that, and we do.

Kevin: But really, I get the most out of the networking than I do anywhere else. That’s where I meet my friends. That’s where I meet the people that I go ask questions of or go collaborate with after the event’s over.

Chris: Yeah, that’s important, for sure. So I love the infectious energy and camaraderie that you both bring to your podcast. It definitely gives it a unique vibe. So I’m just curious, beyond the great chemistry from both of your personalities, what are some of the complementary skills and experiences that each of you bring to cyber distortion? In what specific ways do your individual skill set complement each other to strengthen the show?

Jason: All right, so here’s the thing. I think one of the things between Kevin and I, we recognize where we’re strong and where we’re not, and we don’t really care. I mean, if you want to cross over, fine, go for it. Who cares? We’re both operate along the premise of we’re all about getting things done and being successful at what we’re doing. That being the case, I have a very highly technical background.

Jason: Very broad, very technical background, do many, many things technical, right? And so when we get into a lot of the technicalities of how to do things, typically that’s where I kind of surface and do things around. Now, what I don’t have is any of the idea creation or I’m not as strong in idea creation graphics. That foresight in thinking on how do we really make this pop, right? And that’s where Kevin comes in strong.

Jason: And what’s fun about that is I can feed that. I know where that is and I can feed it, so I do. And I have a lot of fun feeding it. So I’d be like, hey man, I.

Kevin: Was kind of thinking and I know.

Jason: Where it’s going, right? I don’t have to do all the work because I can just feed it. So I’m like, hey man, I had this thought, like how about we do something like this? Blah blah, blah, blah, blah. And I know it sounds stupid as all get out and he’ll bite on it and he’s like, oh yeah, wait a minute. How about this? And he’ll come up with something and I’m like, oh, that’s solid. I like it, right? And he’ll run with it and it ends up becoming something great because I can just throw something crazy out there and he’ll take it and imagine it and turn it into something super awesome.

Jason: Likewise, he does that the same thing to me. He’ll say, hey, man, I had this idea. This is what I was thinking about. What do you think? And I’m like, oh, well, maybe we could do this and this too, or throw that in there. And then that feeds him again and he takes off running with it. So I think those two strengths really bode well in the things that we’re doing, especially when you start talking about technology aspects. So for our podcast, there’s two or three key aspects that we have that we try to present.

Jason: One, it needs to be as real as we are and we joke around with each other every single day. We’re having a conversation. We’re real. We want that to come through. Second thing, it needs to be actionable and have value. So we need to have a broad audience, be able to understand the complex terms that we’re talking about in a way that they can identify with it. And that can be hard. So we have to be very creative in our thinking and how do we present that message so that a very technical person can understand it or a nontechnical person can kind of get the general understanding of it at the same way?

Jason: And then the last one is we want to have fun, right? We really want to have fun doing this, and we want to help teach people. And if we’re not having fun doing it, then we need to just quit. So you’ll see a lot of that. I always know it’s good when I’m editing the podcast and I’m laughing at what we’re doing and while I’m editing it, I’m like, man, that is hilarious. I just did this in the last one too, Kevin. I was cracking. We had laughed so much in that podcast, and I find myself laughing again even more.

Jason: And so for me, that’s great. That’s gold, that’s value. That’s us having fun, for sure.

Kevin: And I’ll just add something real quick to that. I mentioned earlier my background was really in advertising, graphic design, marketing, that kind of crap. So I didn’t get into being technical until well into the late 90s. But having that background and having that more of a right brained approach to how I think made it easy for me to come into this and say, okay, Jason, let me make the podcast look and feel.

Kevin: Just get you just get deep into gory details about some of this technology with me, and we will make this thing cool. And so Jason kind of I didn’t even have to ask, and he said, okay, well, I’m going to start editing this first episode, and I’m going to crank this thing out. We’re going to jump on on Sunday. We’re going to take a look at it. We weren’t even planning on dropping our first episode. We were testing equipment, but he edited and he goes, hey, you know what? This is not terrible.

Kevin: Let’s just go ahead and release it. This could be the first episode. We actually ended up calling that episode zero. It was about 20 minutes long. And really the whole purpose was just to see what it get the feel for things. I don’t even think we recorded at High Def. I think we recorded at Low definition on accident. But it was funny because he did all that. And I’m over here focusing on, okay, who can we book, what topics do we need to cover?

Kevin: What can we do about swag so that we look like professional, somewhat professional? What are we going to do about social media? How can I set us up with a Twitter? How can we get our name out there when we’re at these events like Black Hat and Defcon? So I focused a lot on that stuff while Jason took on the more technical aspect of creating the episodes from the stuff that we recorded.

Chris: Did either of you podcast prior to.

Jason: Yeah. Yeah. Well, we did our due diligence. We had a current podcaster who does that professionally. That was his job. He actually trains people on how to podcast. We met with him a couple of times and got guidance, figured out what tools we needed to use. How do we implement those pieces, how the flow should flow and how it should flow in a podcast. So we did all that due diligence before we even tried our first one. And so like Kevin says, and when we started that first one, we had all of our equipment in, we was like, let’s just try this out. If we like it, then we’ll move forward. And if we just realize we’re not cut out for this, we’ll be done.

Jason: And it turned out pretty good.

Chris: Did you ever have any issues creatively in terms of determining new topics or new ideas for episodes?

Kevin: I honestly feel like that topics came even easier in the beginning because nothing had been covered yet. Not in our way of covering it.

Jason: Right, yeah.

Kevin: So we hadn’t talked about ransomware, we had not talked about Zero Day Trust, we had not talked about APIs, we had not talked about social engineering, we had not talked about the sysp, we had not talked about defcon. Now that we’ve talked about all of that, yeah, it’s a little bit more difficult, but being in this industry, man, things move so quick that I feel like if you ever ran out of topics as a podcaster, you’re just not looking hard enough, man. Because stuff’s everywhere. Things are changing so quick.

Kevin: And now with AI and everything else, there’s always something that you can talk about. Even if it’s the most recent breach, you’ve got something you can talk about.

Jason: Yeah, absolutely. I think probably our biggest challenge wasn’t the content, but again was how to deliver the content to as brought up audience as possible and also do video and audio. Right. Because as we’re building this out, we’re building this out primarily starting from video, but we have to also be cognizant that if we run audio, the purpose and meaning might be received differently because there’s not a video representation to explain it.

Jason: And so we have to maybe change our script a little bit or explain a little bit more. So it’s little things like that that we found are more challenging throughout the whole series. But even that right. If you’re looking at a broad audience and you pick a topic, what’s the right topic? Because if you go too deep on a topic, then you’re choking your audience down to a smaller segment. If you go too broad, then the technical people will be like, yeah, this is not that great.

Jason: So trying to find the sweet spot and we don’t do a great job of that. We just decided, you know what, we’re going to do the topics that are interesting to us and let the people come to it as they will because that’s just too hard to do.

Chris: Yeah, I agree, man. I think if you focus on what interests you, it just drives your own interest and it causes you to increase your own research into that specific topic so it just furthers your own development.

Kevin: I can say one thing. About that is that if we stick with the format we do today, because we both have full time jobs, and for Jason and I both, that means that on a good week, that’s 45 to 50 hours. So if we stick to the format as we do it today, and we will, because this is the way we enjoy doing it, I can’t see us honestly ever getting to the point where we’re releasing 20 episodes a year. We could never take on that much. It’d be too much volume, too much bandwidth to take on.

Kevin: Our sweet spot is somewhere between twelve and 15. And we realize that because if we go any harder, we’re going to burn out. If we go any less, we’re probably going to start to lose some audience, which is the last thing we want to do. So we found a sweet spot that we kind of like that we can maintain, and then we end the season with that. This year will be 14, I think is what we said we were going to do this year. That’s what we did last year.

Kevin: So that’s kind of the magic number right now. And then we can still take holidays off and start back up early in the year and crank it back up.

Jason: Yeah.

Chris: And you guys really focus on quality, too, which takes time.

Kevin: Oh, dude, absolutely.

Jason: Yeah. I give myself headaches over this stuff, right? Trying to get this all worked out, have my headphones on. I hear the slightest little thing and I’m like, oh, man, I got to go fix that. And then I fix everything that I thought I fixed, and then I’ll run a render and I’ll say, Kevin, review this. Kevin comes back to me with a list of things. I’m like, oh, man. Yeah.

Kevin: One bad thing about it, Chris, is that it’d be like locking two perfectionists in a room, know, saying, Write me a song. Right? And there’s no way we’re going to agree on everything, because my idea of perfection and his idea of perfection are completely different. But we’re both perfectionists. It’s crazy.

Jason: Yeah. I personally think, though, that I found this cadence with Kevin that when we go through this process, I can appreciate, highly appreciate our complementary perfectionist behaviors. Because at the end of the day, even though it’s like running a thousand miles and being out of breath the whole time, when we get there, I can look back at it and say, that was a good work. That was good work, man.

Jason: It’s a piece of art that we put together that years from now I’m going to go back and look at and still laugh about or enjoy and relisten to and think, man, that was some great times, man. I’m really glad we had an opportunity to pull that stuff together and share that with people.

Chris: Yeah, it’s so important. Okay, I want to steal this next one, actually. I want to actually steal it from you memorable guests that you’ve had on your show.

Kevin: Oh, yeah.

Chris: Give me one at the top of your mind, Jason.

Jason: You oh, I knew you’re going to throw that one on me.

Kevin: I’ve got several, and I got a whole laundry list in my head right now.

Jason: We’ve had some pretty good guests that I’ve had a lot of fun with. One immediately that stands out to me was the CTO at Zscaler. And so we got Zscaler to sponsor us one year before we were going to Black Hat, we brought on the CTO. We had a pretty technical conversation about Zero Trust, but we were able to pull it off where it wasn’t delivered in a technical way. And this was what the kicker was. So prior to having this show recorded, we met with this guy and we said, hey, I’m Jason. This is Kevin. This is who we are.

Jason: This is how we operate. This is our philosophy. This is the type of show we want to put on, and we like to have fun. So we want you to come prepared to have fun. Oh, yeah, man.

Kevin: Yeah, I could do that.

Jason: Dude, this dude has so much fun on this show. There was a comment he made, and I have to go back and relook at this one again to see what he says, but I don’t remember the words exactly, but it stuck with me. He was referring to a way to think about Zero Trust. And he’s like, yeah, man. He’s like, I’d like to say Zero Trust is like, easy on the streets, but better in the sheets, something like that.

Jason: I’m like, oh, my gosh, that is so hilarious, man. I mean, this guy was having a lot of fun. We were having a lot of fun. We were delivering great content. We just had a good time doing it. Another one that stood out to me.

Chris: Was we had that quote alone is.

Kevin: So at the time, it was just so random. It was just like, we weren’t expecting him. And Jason did butcher the quote. You need to go listen to the episode on Zero Trust to hear it. But it was pretty funny when he said it.

Jason: Yeah. The other one is, we interviewed a social engineering expert, and was she in Norway? Kevin is that right?

Kevin: Yeah, Norway. Bridget Sengen.

Jason: So she had a fascinating story. She had many fascinating stories. But we did this on a Saturday because of the time difference, I kid you not. This was easily a four hour plus interview with this person because the majority of the time we were talking shop off camera, we wasn’t even recording. We’d have to be like, oh, no, wait, time out. Let’s get this on camera. We need to start recording it, man. We were just having a great connection, talking shop and going deeper into stuff, and we had to keep pulling it back. And like, this really needs to be on camera. We got to get this recorded.

Jason: And finally, the only thing that broke it up was at the end of the day, her husband comes, knocks on the door and says, hey, Bridget, our kids are running wild. You’ve been in here for 4 hours. It’s time to come back. It’s time to come.

Kevin: Yeah, he stole her from us.

Jason: Shut it.

Kevin: Yeah, yeah. I’ll throw a couple other ones out there that know we had a lot of fun with. So obviously, Chris having you on was a lot of fun because of being able to see you in action in Las Vegas, too, and seeing the live show. So we’re like, man, this dude is he’s putting out a good product. He’s having fun doing it. He’s working on Hacker summer camp week. Not only once, but twice. Dude, give this guy some props. He’s doing this stuff live. Not easy.

Kevin: Not easy at all. So we were like, when we heard you were going to do the Barcode podcast at Barcode in Las Vegas, we’re like, we’re there. We’re there. Philip Wiley. Shout out to Philip. He’s a great guy. He runs DC 940 in Denton. And that’s how I met him. And that’s how he ended up ultimately inviting Jason and I to that event. So that was a lot of fun. And one of the other ones that really is kind of personal to me is we just did it.

Kevin: We just had on Luke Ahmed. He was one of the first guys that actually stood up on a soapbox and promoted our podcast to his Facebook page as this is different, guys. This podcast is done differently. The content is good. If you look at this episode they did on CISSP, this is legit content. They’re spewing the truth out there. So he got on we didn’t even ask for this. And dude’s got a Facebook page with almost 60,000 members on it.

Kevin: And we’re like, man, thank you for that. That was actually an honor that he did that. So we literally just bestselling author on Amazon. He’s a CISSP instructor, has just accolades beyond accolades in the world of teaching the CISSP. We brought him on for a two part episode that’s two weeks ago. And it was great. It was great. So that one will be dropping pretty soon, too.

Chris: I can’t wait to hear that.

Kevin: Yeah, it was fun.

Jason: That was another one where we probably went 4 hours in that interview. I mean, it was late. It was 01:00 Central time, so it was like 02:00 Eastern time. We’re still talking to this guy in the morning. In the morning, right? So that was one of those talking shop type of deals. But true story, how we even crossed paths with this guy is I was studying for the CISSP, and I had already failed at once, and I was pissed. I was like, I left my glasses in my truck and I wasn’t going back for those damn things. I was already inside the test center and they weren’t letting me out, and I was fired up, man.

Jason: And so I called Kevin. Kevin’s like, just chill, dude. It happens. Just take some time off and come back at it. So reluctantly, I did that. And when I came back at it, I’m like, I need new content. And I found this guy’s book on Amazon. And I’m like, this is interesting because I think this changes my perspective of how I might go after thinking about this test. Because his perspective was how to think like a manager when taking the CISSP.

Jason: And I was a manager, but maybe I was doing it all wrong. So I got the book and I start reading through it, and I’m like, absolutely mind, like, light bulb goes off. I’m thinking about this all wrong. Not that I wasn’t on track before, but now I know I’m on track because I get the concepts that I was missing, right? And so I looked him up, saw him on Facebook, told Kevin about it. Kevin got his book.

Jason: We started reading it. We started chatting with this guy, and now I passed CISSP, we started our podcast. We started talking to this guy further, know if he’s okay with us posting content on his Facebook page. And it just went from there. And great is that episode. When we drop that episode, it’s going to be extremely interesting for people to view.

Chris: Nice. So producing a high quality podcast or video show consistently involves, as you know, a ton of work, and it’s no easy task at all. And since I only produce an audio version of my program, you guys have both a podcast and a YouTube channel, I imagine that our workflows differ quite a bit. So would you mind walking me through what your standard process looks like in order to take an episode from conception to its final edits and release?

Chris: I’d love to hear the steps that you go through to create and publish your content.

Jason: Yeah, so we record, and immediately when we’re done recording an episode, I start pulling down all of the recordings. So while we’re closing up with our guest, having final conversations about when it’s going to post, all this kind of stuff, the semantics about the episode, I’m pulling that stuff down. And then when we’re done, Kevin and I will stay on and I’ll start to string all of the video together in a template that we’re using that will give us an outline of how long this episode is going to be.

Jason: And then Kevin and I jump back on and we record an intro based on what we covered in that episode. And so we’ll sit back and we brainstorm an intro on the spot. This has to be we’re doing it tonight. It needs to be done. Come up with some ideas. So we start shooting ideas based on the content and we’ll come up and it doesn’t have to be corny, but it needs to be entertaining.

Kevin: Which means it’s corny.

Jason: Yeah. By the time we’re at the end of a recording like this, we’ve spent a lot of time on the content, so we know it very well. We may have had a couple of drinks and we’re having this conversation. It typically comes out pretty hilarious and we’ll do some things that we wouldn’t typically do, too. We’re like, oh man, that’s so funny, and we’ll throw it in there, I take that intro and before we’re done that night, I have that intro spliced together and working.

Jason: Sometimes it’s switching back and forth between both of us. So I’m cutting video quite a bit to do that, or it’s just a straight shot of whatever we recorded and I’ve got to clean it up. But before we’re done that night, I have that intro working pretty well and I’ll run it through and we’ll review it and we’re like, yes, we like that. We’re going to go with that. And then the rest of it is just putting the rest of the pieces together. So I’ll finish, put the rest of the video together.

Jason: I leave space because we do pauses or breaks in the middle of the segments. And the purpose of those breaks is, and this isn’t secret sauce, but people can do this, right? But it’s because we want to create an opportunity to break down the difficult conversations into easier takeaways. And so what we’ll do is we’ll have a break. We’ll summarize that break in a talking points, summarization points that if someone jumps all the way through and goes to the break, they can get the gist of what we just talked about.

Jason: And so that’s why we do that. And then we’ll start the next segment and go on and on. So I leave space for those recaps that we’re going to put in there and have the structure all put together and then I render it and I send it to Kevin and I said, review it and let’s come back. So while Kevin’s reviewing it, that’s where.

Chris: It comes back with the red line.

Jason: Well, yeah, but before that, while he’s doing that, I’m cleaning up all the audio. So I go back and pull the audio out of all of the video. I separate it. I then inject the audio in another tool that I use to then scan through all of the audio, look for background noise, things that we’ve picked up, dogs barking, all that kind of stuff, door slamming, kevin flicking his fingers on his desktop and clean all of that stuff up. And then it’s like a four step process now to clean all that stuff up.

Jason: But once I run it through those four steps and rerender and run it through and rerender and get it where I need to be at, it tunes the audio as if you’re in a studio. And then I can take that, reinsert it back into the original video, replacing the original audio with the new tuned audio and then rerender the video with the audio as a part of it and then replace it into my setup. And so I do that for every video cut that we have for all three of us. So me, Kevin, and whoever our guest is.

Jason: And that takes hours. And then once I have that together, I run another render. I say, Kevin, go for it. And then that’s when Kevin comes in. Like this is good, man. Sounds good. But look, I noticed I heard this little tick at, like, 21 seven. Can we fix that? And then I noticed that over here we had a little glitch in the video. My picture doesn’t look as good as yours. Can you make me look prettier?

Jason: Yeah, come on, man. I can only do so much with that.

Kevin: I have never said, make me look prettier. I’ve said a lot of things, but I’ve never said that. Never said prettier.

Jason: Anyway, so I go through all that, we run it again, I have him review it again. He comes back, he’s like, oh, yeah, man, this is good. Can I publish it? And I’m like, I guess if we have everything done, let’s go and we’ll publish it.

Chris: So how long did it take you to learn that process?

Jason: The whole first season.

Chris: It sounds like it’s a very complex process, but it sounds like you got it down. So I assume the time that it takes you to do that just has gotten better over time, too.

Jason: Oh, yeah. I keep finding techniques. The same thing with technology. It keeps evolving. So the tools I use get new updates. I got to review those again, learn those new implementation of those tools, and apply it and put in a process that works for me. But, yeah, I’ve got a pretty good process now that I can just run through it and know that it’s going to come out the way we want it to come out and then publish and render it.

Jason: It takes me about a week after we record to finish, go through everything and put everything in place. And by the end of the next week, I can get a render going for Kevin to review.

Kevin: One of the things we do spend a lot of time on, though, is once we get it looking and sounding good, we also want to make it where each episode is a little bit unique from the last or from all the others. So we’re always trying to think of creative ways to tell the message in addition to just looking at us talking about the message. So we incorporate a lot of things like little doodleys where the little hand comes up on the screen and it’ll draw the animation of what you’re talking about. We use that a lot for, like, network diagrams and things like that, but we use a lot of really cool imagery and graphic design just to give the episode more pop.

Kevin: Oh, yeah, that can take a long time, too. But usually by the time Jason’s done tuning the audio, I’ve got most of that stuff done.

Jason: And this is how it goes, Chris. This is exactly how it goes.

Kevin: Right.

Jason: So sometimes we embellish a little bit on that, especially if we’ve been working on this for a while to make it unique. We’re like, I don’t know, man, what do you think? And so we’ll get to a point where we really want to make a point consistently throughout the episode. And so one time what we did was I don’t even know what the topic was, but we had this talk. Someone must have said something about a prince. Oh, we’re talking about the social engineering.

Kevin: Yeah, social engineering episode.

Jason: So we put on the screen every time someone said something about a Nigerian prince or anything related to a prince, we put a picture of Prince, the recording artist on the screen with a background sound going.

Kevin: And on the audio only version. When you’re listening to that on Spotify or something, like you’re at the gym or something, you’re listening to that episode. Oh, my God, it cracks me up because it’s out of nowhere, and it’s like she said, Bridget said Prince like, three times in that episode, and every time she said it, we would kind of giggle. And I’m like, it wasn’t until later when we were editing, that we said, I know the perfect thing for this right here.

Chris: That’s perfect.

Jason: Yeah, it’s one of those things if you wasn’t paying attention, you got to pay attention every time that went off.

Chris: Yeah. Do you have a little picture like Prince coming into the side of the screen?

Jason: Oh, yeah, right in the middle of the screen. Right in the middle of the screen.

Chris: All right, I will definitely have to watch that. Now, we talked about deciding show topics, and I’d just like to know if there is any specific topic that you’d like to focus more on moving forward, or are there any aspects of Cyber that you’d like to zone in on?

Kevin: I’ve always been kind of fascinated by the Defcon experience, and we just got to do an episode on that this past year. This year, actually, and I really enjoyed that. We did kind of our own version. You’ve seen the definitive guides to Defcon. Many people have done episodes on that topic, but we had a really good time with that. We brought on Lewis Deweaver for that episode, and he was the perfect guest for that because we’ve hung out with Lewis a lot at You’ve. Anybody who knows the guy knows he’s just off the hook. The dude’s crazy, but he’s a lot of on LinkedIn and in his corporate life, he’s a professor, he’s a doctor in Cybersecurity.

Kevin: The dude’s got the skins on the wall, but you get him out in an environment like that, you get a different Lewis. Man, I’m telling you, this guy’s nuts. He is so much fun. So, yeah, Defcon was a fun for me, and I’m also kind of into the badge life thing, so I enjoy the hackable electronics type stuff, too. So anytime we delve into that side of the world, of the industry, I enjoy those episodes.

Chris: So since we’re on the topic, then, tell me, from your perspective, what’s the optimal way to navigate Defcon?

Kevin: So this may not work for everybody, but for me, it works perfectly. I go in, I always tell everybody if they’ve never been, just protect your device. You don’t want to get hacked while you’re there. But that’s really of minimal concern, to be honest. Download the hacker tracker app so that you always know which talks you care about that you want to attend. But for me, the most fun I have is after I’ve checked the few talks that I care about that I know I’d like to get to.

Kevin: I try to be very organic in how I navigate the landscape. While I’m there, you’re going to put 20,000 to 30,000 steps on your feet every day that you’re at hacker summer camp, going between whether it be Black Hat or whether it be Defcon, you’re going to walk your ass off. Because now this thing’s grown to the point where there’s so many attendees, one hotel can’t hold it all. So you’re going back and forth between three, four different hotels.

Kevin: Honestly, for me, pace yourself, because your body’s going to not only go through this physical toll from doing all that walking, but if you’re any kind of socialite like we are, you’re also going to partake in a few adult beverages along the way. Maybe one night, maybe two, maybe a few nights, I don’t know. But you got to recover, man. You got to be smart about it. So for me, enjoy the show. Try to be organic.

Kevin: Make sure you get to every village and just check it out, because each one has something unique to offer. And just don’t be overbearing with your time. Don’t be too scheduled, and you’ll have a great time.

Chris: Yeah, I completely agree. And for those that don’t know to help with that, at least if it’s Defcon, I believe they still have a media server where they publish their talks. They do, yes, post conference. So you’re not going to miss any content by not attending a talk there.

Kevin: Right. Great point. That’s a great point.

Chris: But yeah, stay hydrated.

Kevin: Oh, yeah, definitely.

Chris: Yeah. That’s my number one tip. Stay hydrated.

Kevin: We carry water bottles that desert heat will get you. Oh, yeah, man, it’s hot, man. And you spend a lot of time you wouldn’t realize it, but you spend a lot of time outside of the AC of these hotels and convention halls, walking from one place to the next. We had a bottle with Liquid IV in it every day.

Jason: Oh, yeah.

Chris: I love liquid IV.

Kevin: Yeah, man, that’s the way to go. Yeah.

Chris: Okay, so looking forward, where do you see Cyber Distortion podcast going next?

Jason: I think for us, we’re looking at a lot of different things. Primarily, this has always been, up to this point, has been a give back for Kevin and I. And at some point we have to take a little bit more of a step towards letting it fund itself and not make it for profit, but make it so that it can run on its own and we can continue to provide the service or maybe even expand on what we do from the service.

Jason: So we’re going to be thinking a lot about some steps along those lines. We’ve got some ideas. We’ve actually talked about incorporating real AI tools as a cybersecurity offering that could support then the podcast. We have some pretty unique, very good ideas around that that we are going to launch every year. We try to do something a little bit more. So this past year in season two, we ended up launching a swag shop, and the swag shop’s intent was to get people more awareness of what we do and how we’re doing and get the word around.

Jason: And so next year is going to be the next level of what other services can we offer to support Cyber Distortion and the podcast and continue to do this service and make it even bigger than what we’ve been doing? Nice.

Chris: I got my Cyber Distortion beer glass on the way.

Kevin: Yeah. Awesome.

Jason: Those are some awesome glasses. They’re pretty sweet.

Chris: Your marketing is right.

Jason: Cool.

Kevin: Yeah, those things are cool. We got to hook you up with one of our really cool looking lace up hoodies, man. We got some lace up hoodies year before last. You have to send me your size, Chris, so I’ll hook you up, man. But yeah, those turned out really nice. But yeah, we’re always looking. Aside from swag and a blog site, I’m already booking guests for next season because I want next season to be packed with really good guests and we’ve been fortunate enough to have that for the first two seasons. So we want to keep that trend going.

Kevin: And one of the things that is a dream of mine is one day create our own defcon badge for the Cyber Distortion podcast and we’ve tweeted about it on our Twitter, and when we put a poll up, it’s always positive. Yeah, you got to do this. Be so cool. And so we want to do one with maybe the logo. The ape with the glasses, put him out there on a badge.

Chris: The logo is sick, by the way. I love that logo.

Kevin: Thank you. Thank you.

Chris: That’s so cool.

Kevin: Yeah, we’ve tricked it out for season three too. I’ve already shown Jason my draft. Yeah, it’s going a little bit different direction next year, but it’s going to be really cool.

Jason: All right.

Kevin: Yeah. So we’re always thinking of stuff like that.

Jason: This has been a dream of Kevin’s now for a couple of years, to the point where COVID stepped in our launch. We were ready to launch badge, and I had it all designed. I mean, the technical guy, I had everything built, had it ready to go to the fab shop. I was just working on pricing, trying to negotiate so I could get the right deals and we can find the right price break to make these at and COVID hit, and everything fell through.

Jason: Couldn’t get the right parts. Everything was overpriced. There were tariffs that were issued against any parts you were getting from overseas. The price just went through the roof. And I’m like, dude, we have to take a break. Let’s see what happens next year. And we were never able to get back to it. So, needless to say, those electronics now have migrated into upgrades, so we’d have to try to go through all that again, learn what components need to match what components and all this stuff and rebuild it.

Jason: But we were all the way to the finish line and had to pause.

Chris: Because of COVID Okay, so tell me how that works, then. To create a defcon badge, do you need to be part of a village, or can you just create one? To create one?

Kevin: No, they’re actually called yeah, they’re called the unofficial badges of defcon because they’re not affiliated with any specific village and they’re not official defcon badges. So these are creators and makers that just have decided this badge life movement, I’ll call it, is where their heart’s at. That’s what they enjoy doing. So they design new cool badges every year. And really, none of these guys are out there to get rich off this. They’re doing it for fun.

Kevin: They want to fund their project to where they can. At the very most. Some of them like to be able to go attend the conference paid for by selling the badges. That’s about all the most you’re going to get out of anyway, because it’s not a get rich scheme. It’s a very lengthy endeavor that requires a crap ton of planning, a crap ton of work and effort, and just a lot of things need to fall into the right place for you as far as timing and availability on parts, and things change.

Chris: Man so, Kevin, being based in Denton, Texas, I know there has to be a lot of good bars near you. If I were visiting there, where would you direct?

Kevin: So I could send you three different directions for that, and I’ll just make it real quick. In Dallas. You can go to deep, Ellen. There’s tons of bars down there, and every direction you turn, you’re going to see a bar or a microbrewery, and that’s cool. The same is true for Fort Worth. Downtown Fort Worth, but where I would send you for something unique and cool now is up a little bit further north in the Colony, on your way to Frisco.

Kevin: There’s a place up there called the Truckyard that’s pretty cool. They’ve buried all these old pickup trucks nose first into the ground, and they’re all painted up real cool. And around that’s, just on the entrance. So it’s like the old Cadillac Ranch out in the desert. I think it’s in Nevada. This is North Texas version of that. But it’s pickup trucks. And around the trucks are a few little bars. There’s a microbrewery. There’s a place for dessert.

Kevin: There’s live music. There’s a stage for live music. But the coolest thing about it, in addition to the food and the breweries and all the cool stuff around it, the food Trucks, there’s a place called the Toilet Seat Museum there. And if you’re ever in the area, you need to go check this out. Because it was started by a retired master plumber. He was 98 years old when he passed away in 2019. But he collected all these toilet seats through his plumbing career all his life.

Kevin: And I guess later in life, he decided it’s way too much stuff to just toss out. I need to do something with this. So he started creating unique pieces of art with each toilet seat. And now they’ve got much like, the flying saucer emporiums where they put the plates on the wall. Well, these are toilet seats all on the wall and on the ceiling, but they’re all painted up with his artwork. 1400 pieces of artwork made out of toilet seats.

Chris: No shit?

Kevin: No shit.

Chris: Okay, Jason, so hit me with where you’re sending me. In Des Moines, Iowa.

Jason: So in Iowa, in Des Moines, there is a classic, and there’s two that you would want to go. So there’s a lot of breweries and things like that. But those, I mean, you get that everywhere, right? And they have their own specialties and stuff like this. But what sets these two apart is like, they’re a staple. Everyone in Iowa knows where these if you’ve traveled to Iowa to do anything through Des Moines, you’ll know where these are.

Jason: But the first one’s called the Miller High Life Lounge. And the second one’s called El Bait Shop. And they’re connected. They’re right next door to each other. And the Miller High Life Lounge sells food, but they also sell authentic, original pint size bottles of Miller High Life. And you walk in this place, and there’s all original Miller High Life memorabilia all over the walls. Did you step back in time? When you go in this place, shack, carpet, 1960s tables, everything is original from that era, and they sell you these little pipe size Miller High Life bottles, right?

Jason: And even the food choices are like old school 1960 food choices. Then you walk through the doors and you go to the old bait Shop.

Chris: But they’re still charging you today’s price, though.

Jason: Oh, yeah. They charge you to take fifteen cents a beer? No, you wish it was. Yeah. You go to El Bait shop. El Bait Shop has like 150 taps on the wall.

Chris: Jeez.

Jason: And you go in there and you just sit there in awe trying to figure out what you’re going to drink because there’s so many choices. And same thing. They got old school memorabilia all over the place. They have all these artists that have visited there as they came through Des Moines. They’ve got their autographs on the wall and all this kind of stuff. But it’s pretty cool little atmosphere to go throughout both of these little spots. That’s cool, man.

Chris: So I just heard last call here. I got one more for you, Kevin. If you decided to open a Cybersecurity theme bar, what would the name be and what would your signature drink be called?

Kevin: All right, well, obviously it’s going to have Cyber Distortion in the title, so I’m going to probably have to go Cyber Distortion Spirit Emporium.

Chris: Where you leave feeling distorted.

Kevin: Yeah, very distorted, yes. And we talked about the badge thing earlier and how we were going to do the Defcon badge back then. We didn’t have the podcast the first year when we started talking about the badge. But when we’d get out to Defcon, we’d say we were going to get it turned up. So our badge theme was going to be the Turnt Up Crew Badge. We had a whole crew of people that we’d hang out with the whole week, and we called it The Turnt Up Crew. So for a drink. I’d have to call it the fully turned freak show.

Kevin: At the cyber. Distortion. Spirit emporium.

Jason: You got to use the Fully Turned, man, look at you.

Kevin: Were you going to use that one?

Jason: I’m sorry, man, I was, but mine’s going to be more authentic.

Kevin: Okay, good, because Chris picked me first. He picked me first. I had first dibs.

Jason: I did, by the way.

Kevin: I trademarked it already. I already trademarked it. You can’t seal it.

Jason: Well, I’ve got a backup. I’m going with my backup. My backup.

Kevin: All right, what you got?

Jason: Kevin will know what I mean when I do. I I found that as I got older, I like to do the concept of Easter eggs or this notion of things that the insiders know but others don’t.

Kevin: Right.

Jason: And so the name of my bar would be Ask Your Mama. So when people would be like, what’s the name of that bar? They would say, ask your mama. Why got my mama? I’m asking you.

Kevin: That is good. I like that, dude.

Jason: But my drink is more authentic. My drink would be sign act. Like the three way handshake. It’ll be sign act. The sign signal is you taking a drink and then it’s slapping you in the face is the Acknowledgment. Wow. See?

Kevin: Okay. You did take it fully Cyber, didn’t you?

Jason: Oh, I did.

Chris: Yeah. That was a legit answer.

Jason: I know.

Kevin: That’s very classy. I like it elegant.

Jason: Elegant. Do you know what? You can get that, though?

Kevin: Your mama’s.

Jason: Mama.

Chris: All right, so before you all go, just let the listeners know where they can find and connect with you online.

Kevin: Yes, sir. Man okay, so Twitter is at distortionsyber is our handle. You can see our blog site out at WW cyberdistortion.com. And just for YouTube, for the video based episodes, just go out to YouTube and search Cyber Distortion podcast. You’ll find us. And lastly, for audio, we’re everywhere. So if you go on podcast, if you do Apple itunes, if you do pretty much any audio basic major audio podcast stream, you’ll find it. Just look up Cyber Distortion podcast.

Chris: Awesome.

Kevin: Oh, one last thing. The swag shop. Cyberdistortionswag Shop.

Chris: Yes, sir. Cyber Distortion. Thanks for stopping by. Truly appreciate it.

Kevin: Thank you.

Jason: Thank you, Chris. We appreciate it.

To top