Cybersecurity Bullsh*t

For those that know me, you would know I've been frustrated with Cybersecurity for a long, long time. I've spoken as a keynote speaker at many events on the subject.

I'm not too often invited back to speak on the subject of Cybersecurity as not too many people like what I have to say. I tell it how it really is. I was told by one event organiser that I can't 'tell them the actual truth as there are too many people with a vested interest in Cyber'.

Before you ask... Who am I to speak on the subject of Cybersecurity and Hacking? In 1998 I was sentenced to 18 months prison for a hack that was very similar to the Optus hack in 2022 (in case you are reading this later). Similar in that it involved the details of 1200 customers including Name, Address, Date of Birth, Driver's Licence, etc. The motivation was very different however. My acts were altruistic and back then the AFP didn't care about small hacks, so I went to the media to expose the situation and get awareness so the bank customers would be made aware and not liable for any fraud made on their cards.

This was in 1995 - 27 years ago.

I was on bail for 18 months while the AFP tried to figure out how to prosecute me, and eventually I just changed my plea on advice from counsel and that ended up going bad for me as home detention was expected.

There had been numerous people arrested and charged for hacking at the time, but most of them were in Victoria which had a concept of 'Suspended Sentences' (I am not sure if that is still the case). NSW, however, did not, and when I was sentenced to prison for 3 years (18 months in jail, 18 months parole), I became the holder of the title of 'First Hacker to go to jail in Australia'. I won't go into too much detail here, but it was a shitshow. When the magistrate asks, 'Can someone please explain to me what this Internet thing is?', you know you are screwed. There were no previous cases of much use as a reference, so my case ended up becoming the case which provided precedents to many other cases going forward.

I will note that I was never accused of fraud in this matter. Simply, the key reason I did what I did (expose the hack to the media) was that I knew 'carders' (as we called them at the time) had the data and were actively using it. I think they did around $400k in fraud with those details. People are barely aware now; imagine back then. The reason I went public was that about 6 months before that I worked with an ISP who got hacked and we went to the AFP, who said they weren't interested unless it was over a certain value.

After serving my 18 months I was approached at the end of my sentence by 3 "agencies" to work for them. I would have been interested except all the offers involved moving to Canberra and I think the best pay offer at the time was 52k (like wtf). I ended up working building Networks in Aged Care (thanks June).

In the following 25+ years I went on to work for legal professionals, and to brief lawyers, judges and prosecutors about hacking, motivation and interpretation of the law. I've advised state and federal government ministers and the staff of the leaders of 3 countries in Asia.

Over the years I've advised and taught Local Police, Federal policing agencies, Intelligence Agencies, the Australian Military and the Militaries of 3 foreign countries, law firms, courts at state and federal levels and many security companies on the weaponisation of technology. I've also guest lectured at half a dozen universities over the years, been on many radio and TV shows (i.e. https://www.sbs.com.au/ondemand/news-series/insight/insight-2020/insight-s2020-ep29/1777418819586 ) and written for many newspapers, magazines and so on.

Oh, the NSW Government data leak of Covid 19 locations with all addresses including sensitive sites such as Police and Military locations - that was me. I broke that data leak, AFTER approaching the NSW Government to let them know about it and getting zero response. So I had to call ex-AFP friends and military people directly to get action, then gave it to the media.

So, that is why I am qualified to talk on this topic. I don't have a PhD, but I don't think I need one.

Back to the topic.

Cybersecurity is a joke. Most companies have little to no clue. The education of cyber is a joke. I've been a guest speaker at universities and TAFEs and met many hundreds of Cybersecurity students. While nice and well-meaning, 99% of them don't get it, will drop out or go into other areas. Many of the students I've talked to gave the reason that it looked like a growing field to get into with high earnings. Cyber education is only a small part of succeeding in Cyber in some spaces. Raw talent is the key.

The Cyber 'Industry' is also a joke. Most professionals that become the 'CEO' or Chapter President or other exec of some random 'Cyber blah blah Association' have little to no actual Cyber skills.

Cyber isn't just tech skills. It is policy, procedure and so on, and there is a very valid place for people with those talents. The problem is that the Cyber industry is weighted 90% to Cyber 'business and policy' people, who think their CISSP qualifies them to decide Cyber policy, while having very little to no actual practical technical skills.

I will go into the skills needed to succeed in Cybersecurity in another post, but suffice to say, some 1% of people in the Cyber industry would have the appropriate skills to actually do the job.

The area I now focus on has 0% of people focusing on it and I believe is FAR more dangerous than the details of a bunch of people being exposed as in the Optus hack. I am talking about Cybersecurity that kills you. That can result in real-world death, damage and so on, and is so easy to accomplish that a 12-year-old with pocket money can walk down the road and buy it without any restriction.

The Cybersecurity industry is a joke. The amount of focus on 'old security' (firewalls, ransomware, viruses, phishing, etc.) takes 99% of the Cyber industry focus, while the Future of Cyber is not only utterly terrifying, but there is almost no-one ready to deal with it, much less any education, degrees, etc. to prepare for it. Btw, when I say 'Future', I mean tomorrow, next week... it is here now, and we have no defences ready. The government has no clue, the big Cyber firms have no clue. Businesses have no clue. Very few people understand just how bad this is going to get. The Optus hack will seem like a picnic in comparison.

As for the Optus hack. Meh. This is the same hack I went to jail for 27 years ago (different motivation). What have companies/governments/people learnt in the meantime? Nothing it seems, and Cyber professionals are just making it worse with their use of FUD (Fear, Uncertainty and Doubt) to justify keeping their jobs, adding Cyber to the title and getting paid more for doing less than they ever did.

I've been planning on doing something for a long time. I want people to be able to ask questions and get a TRUTHFUL answer by someone without a vested interest.

I am not 'in' Cybersecurity anymore. I am no longer a network architect, although I still have a good working knowledge of the areas. After a gig with the NSW Police Intelligence unit, I founded the 'Future Crime Agency' to focus on education and awareness on weaponising modern technology.

But I want to go further. So I am kicking off something called 'TechTrooth'. It will be a Social Media thing (YouTube, Twitter, etc.), where people can ask questions and get an honest answer from someone who isn't trying to sell you something or have an agenda (politicians, banks, etc.). I don't know everything, but based on the bullsh*t the public (including companies) is being fed, I am quite sure I can give useful advice on the topic.

I am sure some people will criticize this post, just as they've done at events where I've spoken the truth (btw, they don't say I'm wrong, just that I shouldn't say it). Bring it on. All I ask is you be REAL.

In the next couple of weeks, I will make an announcement and start kicking off TechTrooth. I hope you will see it as a useful thing.

Ray Panta

Founder & CEO @ Cyberensic | Cyber GRC Researcher at Edith Cowan University

2y

Hi Steve, just so I do my job right - The amount of focus on 'old security' (firewalls, ransomware, virus, phishing, etc) takes 99% of the Cyber industry focus, while the Future of Cyber is not only utterly terrifying, but there is almost no-one ready to deal with it... What do you suggest the focus should be on to prepare for the future (or at least take a step towards preparation)?

Well said, I'll definitely be looking forward to this Skeeve, all the best mate

Don McCall

Network Architect at SXIQ

2y

Good to hear someone is actually thinking rather than following all the lemmings and cash cows…

RICH SALT

Engineer Certified safety Hoardings for Construction, Retail and special events!

2y

Unbelievable Skeeve! Amazing journey and thanks for sharing. About 5 years ago I sat with an Israeli chap who explained some things to me (along the lines of what you've written here) that made things clear. Am I right in saying that most breaches come about due to "human error"?
