Freaky Clown

FC has gone through extreme adversity and has come out stronger on the other side. He grew up in a very negative environment, which unfortunately led to the development of complex PTSD. But from that emerged a unique talent, one that is both a gift and a curse: hypervigilance. He refused to allow his past to define him and instead leveraged that state of heightened alertness to fuel his passion for security.

FC talks with us about his breakthrough into ethical hacking and physical security assignments, his 100% success rate at breaking into banks and other highly secured government facilities, the reason physical security engagements are NOT helpful to the business, uniting the digital, physical and human-factor sides of security for optimal protection, and the risk of investing in new tech. FC also details some truly insane stories, including the time he kidnapped the guard at a facility protected by ex-military Gurkhas. Finally, he reveals his advice for aspiring hackers and details on his soon-to-be-released book, “How I Rob Banks: And Other Such Places”.

TIMESTAMPS
0:03:49 – The Origin of an Ethical Hacker
0:05:49 – Early Computing and Hacking Experiences
0:10:04 – The Cursed Gift of Hypervigilance
0:13:25 – Social Engineering and Physical Security Assessments
0:20:30 – The Inevitability of Security Breaches
0:22:38 – The Lack of Focus on Human and Physical Security in Organizations
0:24:35 – Challenges of Adopting Cutting Edge Technology
0:26:53 – The Impact of AI on Ethical Hacking
0:34:16 – Methods of Social Engineering
0:36:29 – Identifying Entry Points and Planning an Attack
0:42:07 – Security Breach Simulation at a Data Center protected by Ex-Military Gurkhas
0:44:31 – Advice for Aspiring Security Professionals
0:48:46 – Cybersecurity Education and Certifications

SYMLINKS
LinkedIn
Twitter
Cygenta
Hackthebox
Tryhackme
Pentest Academy
Book: Breaking into Information Security: Learning the Ropes 101
Book: How I Rob Banks: And Other Such Places

DRINK INSTRUCTION
KOMBUCHA MOJITO
1 Cup Kombucha
1 TBSP Honey
8-10 Mint Leaves
1/2 Lime (Juiced)
Club Soda
Muddle 8-10 mint leaves and 1/2 a lime, juiced. Add 1 tbsp of honey and 1 cup of kombucha. Pour mixture into a highball glass. Top with club soda and stir gently.

EPISODE SPONSOR
N/A

CONNECT WITH US
http://www.barcodesecurity.com
Become a Sponsor
Follow us on LinkedIn
Tweet us at @BarCodeSecurity
Email us at info@barcodesecurity.com

This episode has been automatically transcribed by AI; please excuse any typos or grammatical errors.

Chris: FC, aka Freaky Clown, is an author, keynote speaker, co-founder of Cygenta, and former head of offensive cyber research at Raytheon. As an ethical hacker for the last three decades, FC has helped thousands of banks, governments and other organizations advance their security. FC, thanks for stopping by Barcode.

FC: Thanks, man. And thanks for having me.

Chris: It’s an honor to have you on the show, man. So I’m curious to hear your origin story, if you don’t mind, talk me through your background and what ultimately led to your interest in computers.

FC: Yeah, okay. All right. The origin story. This is like a Marvel movie, right? We’ll do the prequel.

Chris: OK.

FC: So my origin was when I grew up in a very poor environment, very bad environment, physically and mentally. It was not a great area. I grew up in, well, I was born in ’76, so I grew up in the late 70s, early 80s, which was not a great time in England. And basically, computers were just about beginning to be a thing. So I delved into computing full force. I had no friends, no real family to speak of.

FC: Just computers. That’s all I had. And then something amazing happened. The World Wide Web came about. Hyperlinks. I remember seeing the first hyperlink and being astounded at what that meant. From there, it kind of grew my love for IT. The hobby of IT got into understanding computers and hacking them. And it was a completely different world back then. Computers then came with a manual; they didn’t come with anything else. You had like a prompt and you had to write everything, you had to create everything.

FC: Now, my first computers had toggle switches, not a keyboard. Then we got into the ZX Spectrums and the BBC Micros and the Commodore 64s and the Amiga 500s. That was my journey. So there wasn’t really a computer industry then. There wasn’t a social engineering community, there wasn’t a hacking community. None of that existed. And I grew up as that came of age as well. So we kind of grew up together.

FC: So it wasn’t so much that I chose to be in cybersecurity, I was there when it evolved. So that’s kind of my origin story. It’s the same as cybersecurity, really.

Chris: So you had a computer in your home growing up?

FC: First of all, no. I used to go to other people’s houses and use theirs. And then my high school managed to get hold of a BBC Micro when I was like 14/15, something like that. So I managed to get a bit of time on that. So, yeah, I didn’t own a computer until the Amiga came out, actually, I think the Amiga or the Commodore, actually, it was a Commodore 64, I think was my first one that I owned myself.

Chris: Yeah, and like you said, computers were barebone systems then that you essentially had to learn on your own.

FC: Yeah, exactly. I mean, the computers back then, they came with a good inch thick manual of how to do stuff. I remember when I was a teen, we’d get like, magazines, monthly magazines, which would come with printed programs, like, literally order the lines of the program in the magazine and it would be like, line ten, do this, go to line 20. And then you would spend hours and hours typing out this code onto your computer and then have no way to save it.

FC: Eventually they came around to having cassette tape recorders that you could use to record them. And you’d spend hours just debugging code. It was horrific.

Chris: And you were the only one into it? You didn’t have friends into it?

FC: No one around me really had that. It was really when I got around, we got into bulletin board systems, right? So you’d connect your laptop, not your laptop. Didn’t have laptops then. Jesus. You’d connect your computer to a modem which would dial a phone number, which would connect to somebody else’s computer, and then kind of like a forum. Nowadays you could leave messages, you could talk on there, but some of the computers could only handle like eight or nine connections at a time.

FC: It was mind blowing.

Chris: So at what point did you become interested in hacking? And how did you get started there?

FC: That’s really funny, because back then, everything was hacking. To get something to do something, you had to make it do the thing that you needed to do, right? So you’d get these programs in magazines and then you would figure out if I change certain variables, then it would do different things. You could start to hack the code to make it do other things. So that’s really where I got into it. And then once you had websites coming along, it was obvious how you could inject code into them and stuff.

FC: The real hacking stuff, I think, from like an Ethical Hacking side, because I’ve only ever been an Ethical Hacker. People always assume that hackers nowadays have to go through this dark side to get to where you are. But no. I’ve always been an ethical hacker. And I think how that really came about as a profession where I was getting paid for it was I was doing a systems administration job for a small company and as part of that, I was making sure the website was secure and I found that the best way to do that was to keep attacking it, right? So I would go home and then attack our company website and so that sort of became part of my job, just because no one else was there to do it, we were such a small company.

FC: That kind of led to doing it for other people as well. And so not only was my company paying me, but other companies were also paying me to do it to theirs. And that’s really how I got into that side of it, the professional hacking side.

Chris: Interesting. Now, were you focused strictly on hacking computer systems at that time, or were you also performing physical engagements as well. Or did that develop later on?

FC: No, that came along a little bit later. So I was doing this security role for a while. I then got headhunted for some security work, did that full time, and then as part of that sort of process, I would have to go onto site with whatever company, right? It wasn’t always over the internet, so we’d go on site and we’d hack into their network wherever. And I always have this thing about security that it doesn’t just remain in the digital realm. There has to be some crossover and we’ll talk about that a little bit later, I hope.

FC: But basically I noticed some security issues, some physical security issues with the clients that we were working with. And so I would write at the end of my report, so they get a big report saying, here’s how we hacked all your stuff, and this is how you should fix it. Then at the end of it, I would write a little note saying, PS, here’s some security issues that I’ve noticed around your building.

FC: And that section got a lot of traction from within the C suite, right? So the executives are taking note of this, and then every time we go in and we do something, that little section seemed to get bigger and bigger and eventually, one of our clients was like, Hang on, can you just do this bit for us? And it’s like, okay, yeah, I can do that bit. And then that evolved into, okay, well, we think we’ve got some issues here in another building.

FC: Can you go and see if you can break into that? And it’s like, yeah. Cool. Alright, let’s try and work out what that paperwork looks like. Because, again, that was a fledgling thing. Like, no one was really doing it back then. And, yeah, I got a bit of a reputation for doing that. And then clients were coming along saying, look, can you just come and break into our staff and tell us how you did it?

FC: So I did that for decades. I’ve done that for decades now and broken into literally thousands and thousands of places, physically and digitally, obviously.

Chris: Now, did you learn that skill on your own as well?

FC: Yeah, I mean, it’s pretty much all self taught, but like I say, I had some major issues when I was growing up that led to what’s known as complex PTSD. And that comes along with a wonderful thing called hypervigilance, which means you’re always on alert for everything, which is incredibly stressful, incredibly bad for you. Although that allowed me to leverage those conditions to notice security issues. And it’s something that I still do, even to this day.

FC: And I’ve had a lot of therapy for all of that stuff, but I still have that ability that I picked up all those years ago to walk into a building and notice how many cameras are there without really even thinking about it. It’s just a background noise for me, is security. So whenever I walk down the road, if I’m walking through London or whatever, or through Vegas, which is where I live now, all of the security issues I see, they just give me heart palpitations. They really do.

Chris: Wow. And that’s a natural instinct for you?

FC: Exactly. I can’t switch off from it. It’s just there because I’ve been doing it so long.

Chris: And the effect is called hypervigilance.

FC: Right. The best way to describe it is one of my therapists said once, you know how when you see one of those little Chihuahua dogs and it’s just jittery and it’s just, like, looking around, it’s just like it doesn’t seem like a calm dog? Yeah. That’s what it’s like inside my brain. Wow. I’m always hyper alert when it comes to security.

Chris: Is it only with security, or do you notice it happen with other things as well?

FC: It comes down to situational awareness and the security of myself and others.

Chris: Got it. OK, so when you perform physical assessments, obviously social engineering is involved with that.

FC: Yeah, it is.

Chris: I’m curious to know, was that a skill set that came natural for you, or was that a skillset that you had to develop over time?

FC: Yeah, we’re always learning every day. But the circumstances that I grew up in meant that I had to talk people into giving me things like, let me have some food. Those were the simple, basic life things that I needed back then: Can I get some food here? Can I get some shelter here? It’s not great. So you end up not manipulating people, but you are able to pick out those people that you know will be able to give you the things that you need.

FC: And that kind of transitions nicely into social engineering, which is, can you open this door for me? Can you let me through to this place? So I think it was a natural progression of I don’t want to say skill or talent, because it wasn’t like that. It was just that I’m naturally personable. I seem to be likable. I don’t think many people hate me, which is nice.

Chris: That’s always good.

FC: Yeah. I’ve seen loads of stories about people sort of yelling or being angry to get their way into places, but I just use niceness. It’s a natural way, and people respond way better to it. 

Chris: Yeah. It’s so underrated.

FC: Yeah, exactly.

Chris: OK, so as you’re getting more involved with performing physical security assessments, was there ever a point where you got nervous going in? And if so, how did you respond to that? Because you are up against unknown variables, you’re up against unknown threats, and there’s no standard format for this. So I’m just curious, how did you find your Zen?

FC: All right, so that is a great question. I love that question. And there are multiple parts to this question. So, first of all, I never get nervous doing anything like that. It’s just something that I know I’m going to succeed at, right? And the reason for that is I’ve been doing this for almost three decades. So almost 30 years I’ve been breaking into places. I have a 100% success rate at doing this.

FC: 100%. Now, that’s not because I’m the world’s best at this. It’s because, to be honest, you’re always going to get in, you’re always going to win. So even new people that try this for the first time, they’re like, oh, my God, I got in. It’s like, well, yeah, you will. So we’ll get back to that a bit later. So the nervousness thing, that was weird for me, because I never got nervous, no matter what I was doing.

FC: The only times I ever really got a little bit worried was when going against places that had armed guards, but in general I wouldn’t get nervous until the whole thing was over. And then I’d go into the wash-up meeting with the client at the end of the engagement and just be a complete wreck, like, sweating, just looking disheveled, like some freaking homeless person has just crawled off the street and gone, hey, I broke into your fancy bank.

FC: And it would just all come out afterwards and I never really understood what that process was until I started getting a load of therapy and the therapist revealed that I had some mental health issues from being a child. That meant that I dissociated. So I have a dissociation issue, or used to have anyway, where under a high stress situation, I would completely dissociate myself, my inner self. It’s almost like having a different person and that’s a much bigger complex topic for maybe a different podcast, I don’t know.

FC: But basically dissociation meant that basically in a high stress situation, my brain would just shut off and I would just be not quite a different person, but just completely segmented. And I think that’s what I used to do in my social engineering is I would just dissociate straight away, go in, do the thing, and then after it’s done, the stress levels come down and then I become me again. And then it’s like, oh my God, what the hell have we just been doing?

FC: So yeah, that’s how I used to deal with stress was my brain would break.

Chris: Jeez, man. So when you disconnected, was it like an out of body experience for you or were you cognizant enough to realize later what had happened?

FC: It depends on the situation. If it’s a highly stressful situation, like a really bad turbulent flight, for example, which I absolutely hate flying, then I would completely dissociate and just not remember anything. There’s a whole trip to New York that I have no memory of. So yeah, in the social engineering things it was I don’t know if it was just I knew I was going to succeed, so I wasn’t too stressed or I was dissociating, I don’t know. But I do remember a fair bit of those engagements. So I don’t think I was fully dissociating.

Chris: That’s interesting. I’ve actually heard interviews with real bank robbers and it’s often that they say their mentality going in is also success by any means necessary and understanding their motivation is obviously different than yours was. I think it’s ironic that they also have that failure is not an option mentality.

FC: Yeah, but unless something seriously goes wrong in a real bank robbery, you are going to go over it. The insurance is going to cover it. The people that are working there are told our policies to give over the money and get you out the door as quickly as possible. So, yeah, they are always going to succeed as long as they don’t do anything stupid. And I’m always going to succeed because whenever there is any security system, a security system is basically an access control mechanism.

FC: It means that some people are allowed in and some people are not allowed. And you’re just filtering out the people that aren’t allowed. So if there is a way for someone to use that equipment or physical space or digital space, then there is going to be a way in, for someone to circumvent that filtration system. So, yeah, you’re always going to get in. It just takes time. That’s the only real thing.

Chris: So nobody’s safe?

FC: Not really. I mean, if you think about like, even digital security, you can spend millions, absolutely millions on cybersecurity, right. But if someone finds a zero-day in your outer shell, then they’re in. It only takes one zero-day, and that could happen any moment, and it circumvents everything. And we see that pretty much on a monthly basis now. So you’re only ever one zero-day away from being attacked.

FC: That’s it. I’ve worked with many clients that have spent six, seven figures on security, and yet I physically walk in and I steal their computers. That hasn’t helped. All of the money hasn’t helped. So that’s why we kind of started Cygenta, was to bring together the digital, the physical and the human sides of security. Because if you don’t have all three of those absolutely locked down, you’re not secure. And we’ve shown that time and time again.

FC: I’ve got many, many stories about breaking into places and getting past all of their security systems that they had spent time on and focused on just the digital side. They hadn’t focused on the human side or the physical side. So it’s crazy to me that people don’t see this as a homogenous thing that has to be dealt with rather than siloed areas.

Chris: So what do you feel most organizations miss within their defensive controls? Is it the lack of focus on the human side?

FC: Yeah. And it all comes down under different areas of the business and they’re not seen as security. You go into a building and you’ve got the IT team or the IT security team that manage the digital security, but they never talk to the facilities team that is running the physical security. We’ve done several assessments of smart buildings. And smart buildings are great because they really show what I’m trying to say in one picture. You have a physical building that is connected probably to the Internet and interconnected in such a way that it makes the lives of the employees and the users of that building easier, except no one’s talking to each other.

FC: And oh, man, the stories I’ve got of smart buildings where you can go in and you can hack a desk from the Internet to allow you access into the physical space of the building. It’s just crazy to me that they haven’t seen this as, like I say, a homogeneous security object. They just see it as different siloed bits trying to work together.

Chris: Is this occurring in one specific industry versus another?

FC: It covers everywhere. So this is the thing. It’s like everyone is doing this wrong. I’ve worked with huge companies and some very small companies, and they all have the same problem. It’s ridiculous. A lot of the financial institutions that we work with are getting better at this. They’re slightly ahead of most sectors, but that’s mainly because they’ve got the money to deal with it.

Chris: Yeah. So what are you seeing in terms of organizations adopting new cutting edge technology and what are the challenges you see associated with that?

FC: Everyone does this, and this is the biggest issue I have, is people see the latest, newest shiniest blinking box and they buy it. And they’re like, this is going to solve all our issues. If they just stopped just for a bit and thought about it, thought, hang on, why don’t we get the fundamentals right then? Anything else we add on top of that is great. There’s a great Monty Python sketch in one of their movies about building a castle in a swamp and it’s very much you cannot build a secure environment based on bad fundamentals. If you do not have the foundations correct, anything you place on that is going to fall over.

FC: So get the fundamentals right, then worry about the smart, new, shiny, expensive thing that’s going to fix all of your problems. Which it won’t, by the way. Yeah. That’s my biggest bugbear, I think.

Chris: So while on the subject of cutting edge technology, I’d like to hit on AI and AI within the offensive security realm. Do you trust it in an area where so much of your execution is variable, or do you feel like AI will augment your workflow? I’m just curious to hear your thoughts on that.

FC: OK, right. So without disparaging AI too much, let’s dig into it a little bit. So AI, as we see it, is not really artificial intelligence. It can’t think for itself. You have to train it in a series of nodes and then it can infer certain things from that. But mostly it’s just regurgitating stuff that you already know. It’s not learning new things, it’s not thinking outside the box and going, oh, actually this is a new thing, so it doesn’t make up new things per se, in the same way that we would.

FC: A good way, I think, of showing the difference that AI is going to make is probably right. At the moment, we as ethical hackers, we have lots of tools, lots of automated scanners. You have, like Nessus and Acunetix and OpenVAS and OWASP ZAP. We’ve got loads of scanning tools. I would say that maybe 20% of the findings that I find in a web app test will come from those scanners. The rest of it will not be found by automated scanners. And I believe that AI is going to basically be the same.

FC: It’s never going to replace the human for that type of offensive thing. Now, it is going to do a lot of work for us, a lot of the low hanging fruit stuff. It’s going to do that for us very much the same way that scanners do. So my reports aren’t going to become really massively amazing because AI has found all of these crazy new things that I’d never even thought of. So I don’t think AI is going to impact us in that way. I don’t think it’s going to suddenly find new ways of attacking things that we haven’t found already.

FC: It’s just going to help us in very much any way that any tool has ever helped us since the Industrial Revolution. So it allows us to do more quickly, but doesn’t necessarily allow us better things that we had never thought of. The weaving machine didn’t suddenly invent a new way of weaving. It just meant how we were weaving was automated and it became quicker and cheaper to do. I think that’s my take on AI.

Chris: So, regardless, you’ll still have nontechnical aspects that will require human interaction.

FC: Yeah.

Chris: OK.

FC: Yeah. And it’s not going to really change the physical assessments either, because whilst if you gave it a photograph of an area, it could say, okay, there are seven cameras in this area, it won’t pick up that there’s not cameras in areas that they should have them, for example. It’s just not able to do that yet. Maybe one day it will, but it comes down to teaching it what has to happen in certain situations. And I think there are too many variables at the moment in a lot of those areas.

Chris: Yeah. And you still have to consider the synthetic or the false data being fed into those AI systems. Or new information that AI has not been trained with yet. So, yeah, personally, I think that it will augment or possibly increase speed of certain tasks, but it will never become a complete trustworthy system.

FC: Yeah, exactly.

Chris: But, yeah, I’m heavily involved with AI tools now and I think it’s amazing how fast it’s progressing.

FC: I love it. It’s great. I mean, I do use it weirdly not for security related stuff. I use it for, Bing have just released an image creator, which is fantastic. I use that for making thumbnails for things. I use ChatGPT for rewording things or giving some ideas. It’s never the final product. It’s a way of when you start with a blank piece of paper, that’s the hardest thing in the world, right. Whenever you’re trying to start writing something.

FC: So that gives you a little prompt of like, okay, out of this 90% that it’s generated, I can take 2% of it and start rewording that and start using that as a basis for something else. That’s kind of how I’m using it at the moment.

Chris: So in terms of ChatGPT and its capabilities in writing malicious code, do you think it’ll ever get to the point where it’s intelligent enough to become a malicious entity on its own? Or do you feel like, again, you’ll always need to have that human element involved.

FC: OK, right. Let’s get into the crux of this. Will AI become the bad actor? No. It is a tool very much like any other tool that we invented. Humans are the bad thing. Humans can make it generate bad code. Sort of malicious code. But ChatGPT is not going to go and send that to people. It’s not going to email people. It’s not going to do anything with that code. It’s just going to generate it.

FC: What people do with that code is the big issue. So I don’t think AI is the bad guy. I think humans will be the bad guy in leveraging that tool. And that’s the same with any tool. We have ethical hacking tools that are misappropriated and misused by bad actors to do bad things. It doesn’t mean that we shouldn’t make them, because it allows us to play this cat and mouse game with criminals.

FC: And AI is going to be the same thing. It’s going to be another tool. It can write good tools as well. It’s not just a bad thing. So we have to understand it as a tool, not the ends of the world.

Chris: Yeah, it’s just like any other tool in the toolbox.

FC: Exactly.

Chris: I agree. So in terms of what type of work you’re performing now, are you still performing physical security assessments or what’s your focus on now?

FC: Yeah, I am still well known for that. I’ve written a book about it. All of these exploits I’ve done. Not exploits as in zero day exploits, but I mean exploits as in stories and anecdotes. So, yeah, I’m well known for it. But as a company, Cygenta, we don’t do social engineering. Now, that sounds ridiculous when I’ve been talking about these three areas that we cover. Like I say, I’ve been doing social engineering for almost three decades.

FC: I’ve learned a lot from it. And one of the things that I have learned is that it’s a waste of time and money for the client. As I said, I have 100% success rate at doing this, and I’m sure many other social engineers around the world have 100% success rate. They’re all very good at their jobs. The issue I have with it, and the issue that I’ve learned from it is we used to have clients come to us, and they would pay us X amount of money for X amount of days of breaking into this place.

FC: Now, as I said, timing is everything. Time will always get you in. So you’re always going to succeed because there is going to be doors that are left open, windows that are left open, people that you can manipulate under certain circumstances to let you into wherever. So you’re always going to get in. So what I found over the years was clients would come to us, they’d pay us for this, and I knew I’d get in.

FC: So I would pick the easiest route in. Generally what that involved was a lot of recon. So we’d do a lot of reconnaissance of the target, and then there’d be one or two days that I would pick to go and actually break in. And what that would involve is I would get through a door or through a window, or I had to climb down a lift shaft to get into whatever floor I needed to. That would end up in the report, and the report would say, okay, we got in via this method, using these tools in this way, and it took this long.

FC: Now, how is that helpful to a client, really? If you think about what that report is, they get a report that says, our side door or our loading bay is vulnerable, so let’s spend some money and fix that. Great. What it hasn’t told you is the 15 other ways that are into that building that I didn’t use or that the other social engineers, when they’re doing it, have not used. They’ve always chosen that one way in.

FC: You don’t break into the same building multiple times to test all these different ways. So the client only gets a report that says, this is one way into your building. That’s it. So I decided, actually, do you know what? For the same price, I can work with the client in a much better way. And now I do physical assessments. And we’ve had many clients go through this process, and they find it absolutely unbelievable that they were doing it the old way and they were paying other companies to do it the old way.

FC: Because for the same amount of money, I will rock up on site and speak to the client, and we will walk around their entire site and I will point out every single security issue with that building. So instead of a report at the end of the day that says you have one door that’s bad or one window that’s bad, or one receptionist that wasn’t trained correctly, you now get a report with 50, 60 issues that you can now go away and really secure your building.

FC: And that’s why I don’t do social engineering anymore. It’s because it is a waste of time and money for the client. And all it does is it boosts the ego of the person doing it because you know you’re going to get in. So you’re like, yeah, I’ve done it. Great. But it doesn’t actually give value to the client, and that’s what I want it to do.

Chris: Plus, you lower the risk of getting a gun pulled on you.

FC: That’s also a bonus there.

Chris: I definitely see the value there.

FC: Yeah. And it costs actually, it often costs less because we just have to book one or two days onto their site rather than a week of recon and then two days, and then the report, unfortunately, is a much bigger thing for me, I have to write a lot more.

Chris: With your physical assessments, you say you had 100% success rate. I feel that you are confident enough that if you were to go back to those locations, you’d have another 100% success rate.

FC: Yeah. So the interesting thing is, actually, I know I said you don’t often go back and break into the same building again. I actually have had that a few times. And there was one time where it was a government building in England and they asked me to break in and it took me an hour to break in. And we came out and they’d paid for the whole week and they were a little bit like, well, can you break in again but do it a different way? So I was like, all right, yeah, cool.

FC: So I ended up breaking into that building five times. The same building five times. It was massive, though. Five times, five completely different ways. And it’s like, well, I think that completely makes my point. So it’s ridiculous. And then there was another time where I was doing a series of high street banks and it was all across the country. I think we were doing five or six, maybe actually eight a week. I can’t remember quite off the top of my head how many it was. It was a lot. I was doing basically one or two a day, that’s breaking into a high street bank and getting behind the counter to where the valuables were.

FC: So I did this. It was smooth as anything. It was great. And the client was like, well, that’s going to work on all of them, and that’s a waste of time for us. So come up with different ways, different stories to do the same thing. So every day I was coming up with a new plan, a different way of getting into doing what I needed to do. And it was always successful and it’s like, well, what’s the point?

FC: You’re always going to succeed like this. This isn’t helping the security of the banks. This is just finding one route in and then finding a different route in and then a different route in. It’s like, I want to tell you about all of the different routes in and then you can go and fix all of them rather than just fix this one thing that I’ve pointed out, this one floor.

Chris: Yeah, I never thought about it like that.

FC: Yeah, no one ever does. And so when we get clients that come along and they’re like, well, we do social engineering because we heard your podcast or we’ve read your book or we’ve seen your talks, it’s like, no, I’m not doing that anymore, because it’s just going to waste your money. I’d rather do it this way. And then they’re like, oh, my God. They have an epiphany.

Chris: In regards to your physical security assessments, talk to me about identifying your entry point and your plan of attack. How does the recon phase impact your overall plan of attack?

FC: Yeah, I mean, there are times when you’re doing the recon, you spot an opportunity and you just have to go for it. That’s why it’s really important in all of the contracts and the scope of work, et cetera, that you do specify that the time that you are doing recon, you’re allowed to break in as well, because you never know when you’re like, you’re walking past the door. I’ve done this many, many times where you’re walking around a building, like, late at night, and suddenly someone’s left a window open that night.

FC: They haven’t any other night, but just that one night.

Chris: Then you’re in.

FC: And then you’re in. Yeah. You just have to make a quick decision. I’m going in now. We’re doing this, so you have to be ready to do it. But no, I’ve done all sorts of things. I remember driving a car through a set of gates, through a hedge, over some curbs to kidnap someone and then get out again. So, yeah, that was cool. So, yeah, it’s not always stealthy. Sometimes you have to go the difficult route.

Chris: You said to kidnap someone? Was that in scope?

FC: That was prediscussed that it may be an option, and that is very rare.

Chris: Did the person know about it?

FC: No. So the story of this is this was a data center that was protected by ex-military Gurkhas, and they were very, very confident about their security there. Now, Gurkhas are incredibly fearsome warriors, unbelievably brave. Now, the caveat to this is they didn’t have guns or knives. They’re just civilians that contracted to work security. We had been in discussions with the client for some months over what was permissible and what was not.

FC: Again, this isn’t something that you should go and do on your next engagement if you’re doing this. It takes a lot of paperwork, a lot of legal back and forth on things. But, yeah, the kidnapping of the guard was allowed. And how this happened was I was doing recon outside this building, and I spotted an opportunity. Drove my hire car through the gates, took off a wing mirror, went over some curbs and through a hedge. Screamed up beside him, jumped out, grabbed him, chucked him in the back of the car, and drove out pretty much the same way before he even knew what was happening.

FC: And we got outside. I stopped 500 yards down the road from where it was, explained to him everything, and he took it like an absolute chap. He was brilliant. Honestly, if I ever get kidnapped, I hope I react like that, because he was just totally calm about it.

Chris: Were you alone?

FC: Yeah, I often do these engagements alone. So, yeah, he understood the whole premise of it, explained it all to him. He gave me his security badge so that I could go back in and use it like I would have done if it had been a real kidnapping. And the best thing is, the great thing about this story is years later, I had to go back to the same building to do an internal pen test. I was just doing digital stuff, not physical.

FC: So we rock up and I go in and I’m going through security and I suddenly see the guy that I’d kidnapped. And you saw him see me and his eyes just like went wide and he came running towards me and I was like, oh shit, this is going to go down, this is not going to be good. But honestly, just as he got within like a few feet of me, massive smile on his face and he was so excited to see me, he was jumping up and down. He’s like, oh my God, you’re the guy, you’re the guy. And then he drags out all of his colleagues. He’s like, this is the guy that kidnapped me.

FC: I’ve never seen someone be so happy about meeting their kidnappers. It was brilliant. So it was great. He was a lovely guy. So, yeah, that was the first time I ever kidnapped someone.

Chris: That’s crazy.

FC: It was a fun time.

Chris: So I want to get your advice for listeners that may be interested in getting into this line of work, whether they’re new to the workforce or possibly transitioning into this industry from another industry. And then for those on the educational path, what are some aspects you feel aren’t taught in a standard curriculum that aspiring security professionals should be aware of?

FC: Yeah, sure. So the biggest advice I can give to anyone trying to get into this, and even if you’re a CISO looking to employ people like this, is don’t worry about the skill, the skill you can learn. It’s your attitude that is more important. The attitude to want to help, the attitude to learn things, not thinking that, you know, everything is going to be key. And hire for attitude, not skill.

FC: You can have the most skilled people working for you. I’ve had some great teams over the years, people with just outstanding ability, but you wouldn’t want to put them in a room with a normal person because they just can’t deal with it. I’m not going to go into specifics, but attitude will get you everywhere. Be nice to people and then worry about the skill stuff. If you join a big corporation, they’re going to have training that you’ll go through. They’ll help you get through that.

FC: As for what skills you should learn, well, there are plenty of places out there to get free training. YouTube is fantastic. I wish we’d had YouTube when I was a kid. I would have saved so much time. I’d have probably wasted a lot of time as well, to be honest. I still do Hackthebox, Tryhackme, Pentest Academy, that list goes on. You just have to Google it. And that’s probably the biggest thing I’d say, is don’t expect someone to give you the answers. And that comes down to that attitude piece.

FC: You have to be driven to go and find things yourself. Because if you come to me and say, will you mentor me? Because you’ve been in this industry for X amount. No, I don’t have time. I’m running a company. I’ve just moved country. I’ve got my plate full, and I’m still trying to do stuff. I’d love to help people, I really would, but I don’t have the time, and a lot of people won’t have the time. So you have to kind of be self-motivated is probably what I’m saying. Just Google stuff, like how do I get into this?

FC: A good friend of mine, Andy, wrote a book on Learning The Ropes 101. Go and read that book. There’s always hacker groups out there now. There’s always Defcon groups nearby. If there isn’t one nearby, start one. I did that when I moved to Gloucester. I started a DC group. Within the week of moving here to Vegas, I went and joined the DC group here, went and said hello to them.

FC: There’s always like-minded individuals out there to sort of group up with and learn from. So just absorb some stuff. That’s probably all I can really say on that, on how to get into it, is be self-motivated. Google some stuff yourself.

Chris: Yeah, thanks for sharing that. I completely agree. If you’re passionate about it, then you’ll get to where you need to go.

FC: It will reward that. If you’re passionate about something, there is a niche for you, man. No matter what you’re doing, whatever you think, nobody else is looking at this. Someone else is. It’s great. There’s always someone that will be as enthusiastic about it as you are.

Chris: In terms of education, I’m curious to get your take on educational tracks and industry certifications. Are you a proponent of certs or do you feel like there’s a place for them?

FC: There’s a place for them. Definitely. Same for educational tracks. Be aware that with things like certs and education, there is a time lag of getting them up to speed. If you sign on to a university course now, that course was designed two or three years ago, maybe two years if you’re lucky. Maybe a year if you’re in a really good one, but you’re a year out of date, no matter if you’re being taught that, you’re a year behind.

FC: So just be aware that there is a time lag between that and real world experience. But I completely understand why some people need to go through that. The other side is they don’t always teach the fundamentals. They’re trying to squeeze all of that knowledge into a two or three or four year course. And so they skip over a bunch of stuff. I remember once when I was at Raytheon and I was hiring for the team, there was a chap who came in and we gave him some basic tests and it came down to some binary, he had to decode some binary and he said, oh, I know binary, we did that in our first year.

FC: I was like, great, okay, so do some stuff. Turned out he couldn’t remember any of it, he hadn’t built those fundamentals and he couldn’t do it, so he didn’t get hired. So you’re going to skip through a lot of stuff very quickly, which may come back to bite you if you aren’t self motivated enough to learn more and go deeper into each bit. So, yeah, be aware of that. With education courses, with certificates, I tend to shy away from them for a couple of reasons. One, I don’t need them. I don’t need them in my career. I run my own cybersecurity company that’s pretty big.

FC: I’ve got a very good background that people can look at, so I don’t need them to differentiate myself from them, from other people. You may need that if you and four other people are going for the job and you have more certificates, that’s going to stand out. So depending on where you are in your career, you may or may not need them. The other reason I shy away from them is I just don’t have time. I don’t have time to sit down and study for an exam that I don’t really need. It’s kind of crazy.

FC: I could probably sit down and do the OSCP if I needed to. If I spent a couple of weeks going through it in my head and doing some of the training, I could probably do it. But I don’t have time to sit down for a 24-hour exam. There’s no way I’m going to have that amount of time to dedicate just to the exam, let alone all the training stuff. That isn’t to say that I don’t do training, I just don’t have time for the certificate part.

FC: So, yeah, it comes down to that thing that I don’t need them, so I don’t really care about them, but I understand that other people do need them.

Chris: And it could be that a certain employer requires it.

FC: Yeah, I mean, some jobs do require you to have certificates and actually that works on the company level. Sometimes companies come to us and say, look, what certificates have you got? And I’m like, golf. You’ve come to us and now you’re asking, do I have some certificates? Like, no, you’re not who we want to work with. And almost always, I can probably think of maybe two or three where this hasn’t happened, almost always they will still find a way to work with us because we don’t actually need those certificates for you to prove that you’re doing this.

FC: So, yeah, it’s very interesting how people bend their expectations in order to work with you, if they know you’re good enough.

Chris: So I understand you’re an avid reader, and now I know that you have a golf cert. I’m curious to know what interests you outside the lines of security.

FC: Man, everything. I’ve been described as a bit of a polymath. I’m good at a lot of things. I’m not brilliant at anything, but I’m good enough at a lot of things. So things outside of computing, I don’t know, everything relates back to it. So no matter what I do, it still relates back to computing somehow, because that’s the core of me. My soul is into that. But, yeah, I’ll read books on absolutely anything and everything.

FC: And people ask me, like, how do you read so much? And it’s like, well, you have a lot of spare time in your life. You just don’t know it. You don’t utilize it correctly. Like, whenever I’m waiting for someone, I’m reading on my Kindle. If I’m at the gym, I’m listening to audiobooks. If I’m in the bath, I’m listening to an audiobook. There is so much time that people waste not learning stuff that it astounds me when they’re like, well, I can read two books a year. It’s like, well, yeah, that’s great, but you could probably do that in a month if you really focused on it.

FC: And I hate being idle, doing nothing, sitting there in silence, doing absolutely nothing, and just sitting in front of the TV or something. I’ve maybe watched, like, an hour of TV a day. The rest is YouTube or audiobooks or reading a book. There’s always time, you can find it. Just don’t have that excuse for yourself that there’s no time.

Chris: I noticed that you picked up Bruce Schneier’s latest book, A Hacker’s Mind, which is a phenomenal read. And I saw you got a shoutout in that book.

FC: Yeah, man. So this book here, which the viewers can’t see because it’s on camera. Yes. So a couple of years back, it was 2019. It was RSA 2019. Just before everything went to absolute shit, I met Bruce. We were in a closed room discussion that I can’t talk about. And I said some things, and he came over, and he’s like, Dude, I love what you’re saying. Will you help me write a book? And I’m like, Let me think about it for half a millisecond before I say no to Bruce Schneier writing a book.

FC: So I was like, yeah, absolutely. So we spent the next few years back and forth on Zoom, chatting about things. I’d give him ideas, he’d give me ideas, and we’d talk about things. And he was writing it all down, making some notes. And I was very privileged to be able to read through some of that book before it was published and privileged to have some of my words in there somewhere. And Bruce very kindly acknowledged me at the back of it, so I was very happy to see that.

FC: So it’s weird, like reading a book that you’ve already read, even though it’s slightly different, and it’s the same with my own book. I’m waiting for that to come out. I’ve written that book for the last ten years, just keep adding stories to it, and it’s now in the final stages with Wiley to be published very soon. And I know it’s going to be the same. Like, I’m going to get the book and I’m going to be like, oh, my God, I have to read this book, even though I wrote it, because it’s just going to look and feel very different.

Chris: So, yeah, let’s talk about that for a second. Your upcoming book is titled...

FC: How I Rob Banks and Other Such Places. Yeah. So you can go and preorder it.

Chris: And it’s officially dropping June 7?

FC: I think so. I have no idea. I think we’re hoping to launch it at Defcon. It was the plan anyway.

Chris: And what can readers expect from that book?

FC: So it is currently 70 chapters, which is split between anecdotes of things like the kidnapping, things like stealing a helicopter, stealing gold bars, running through pornography shoots.

Chris: Oh, man. Well, I’m definitely looking forward to reading those crazy stories.

FC: Yeah. In between all of those little stories, I’ve tried to put in little tutorials on how to do things like how to pick locks, how to break into a safe, how to bypass RFID, how to bypass alarm systems. So there’s loads of little tutorials as well in there that just break up the stories. Otherwise it’s just 70 odd stories of me doing stupid stuff.

Chris: I can’t wait to read it, man. So where can our listeners find and connect with you online?

FC: The best place to find me is Twitter still. I don’t think Mastodon survived. I think that’s all shut down now or whatever, I don’t know. Twitter hasn’t self imploded, so you can still find me on there. That’s where I hang out the most. So, @_freakyclown_ because I can’t remember the password to my other freaky clown. Where else can you find me? You can find me on LinkedIn if you search FC or Freaky Clown. Just one word, by the way.

FC: Yeah, they’re the two major areas that you can contact me on or you can find me on the website, https://www.cygenta.co.uk/, because as you can probably tell from my accent, I am British, but I live here in the US now.

Chris: Yes, you just recently relocated to the US. How’s that going for you so far?

FC: Yeah, it’s great. Love it here. We did bring a bit of rain and snow with us to Las Vegas. It does rain and snow here, unfortunately, but the weather is 100% better. It’s not raining constantly like it used to in England. And it is warmer. I’m getting a little bit warm here. Sat in my hoodie because it’s now getting into 11:00 in the morning and it’s starting to heat up. But no, we absolutely love it.

FC: We have traveled pretty much everywhere in the world and we decided that after the pandemic lockdowns got lifted, we were like, you know what? Let’s pick somewhere where we really love, where the weather is good and lifestyle is great and business will be able to come to us, find us a little bit easier.

Chris: So I’m curious, what’s the best bar venue you’ve been to there in Vegas?

FC: Yeah. I would say my favorite bar that I’ve been to here in Vegas is actually the one at the top of Mandalay Bay. That is so good. A great friend of mine, John, he took me up there for the first time and I freaked out because it’s the 31st floor and I have a fear of heights, so yeah, it was great, though. I absolutely love it.

Chris: Oh, yeah, I’ve been up there.

FC: Yeah, it’s a great view down the Strip. It’s fantastic.

Chris: OK, so I just heard last call here. You got time for one more?

FC: Yeah, of course.

Chris: If you opened a cybersecurity theme bar, what would the name be and what would your signature drink be called?

FC: Man, that is a great question. I think as a hacker, I wouldn’t open a bar. I would just take over somebody else’s and then serve whatever they’ve already got in there. I use my own resources. When someone else has built it for me, I’ll just go in, pretend I’m the owner, and then that’s it.

Chris: The hacker mindset, baby. I love it. Your signature drink could be whatever they’re serving.

FC: Exactly. It’s cheaper.

Chris: Well, FC Man, thank you so much for stopping by. I truly appreciate it. I wish you the best as you continue to get acclimated here in the US. And hopefully I’ll see you at Defcon.

FC: Yeah, man, definitely. We’ll catch up soon. It’s been an absolute blast.

Chris: Take care. Be safe.
