The Science of Breaking In: How Curiosity Drives Cybersecurity with FC
Season 2, Episode #5

Mick Leach: Hello and welcome to SOC Unlocked, Tales from the Cybersecurity Frontlines. I'm Mick Leach, your host and guide on this exciting journey into the SOC universe. In each episode, I chat with various cybersecurity professionals about the latest industry news, emerging threats, practical strategies to keep your organization safe, and much more. And today I'm excited to introduce you to a dear friend of mine, FC. FC, welcome to the show.
FC: Thank you very much for having me, Mick. It's an absolute pleasure. I love spending time with you. Love chatting with you. So this is going to be a fantastic little episode.
Mick Leach: Yeah, I can't wait. First of all, for our listeners who may not know, we know each other. We have the opportunity to go out and do this road show occasionally, which occasionally has turned into a little more frequently. It turned into fairly often. I think we've done what? 18? Something like that now. Yeah. Yeah. It has been the best time.
FC: It's actually really hard to film. 18 cities, several countries. It's been amazing. Really has.
Mick Leach: FC, I want your perspective on this too. We met at, what, RSA last year, 2024, I think it was. And I remember one of our PR folks was like, Hey, Mick, I want to introduce you to FC here. He's a famous ethical hacker. And I was like, Oh. And then they were like, and this is his wife, Jessica. And I was like, hi. And then Jess.
FC: Yeah, something like that, yeah.
Mick Leach: And our PR person started talking and then you and I started having the most amazing conversation.
FC: Yes, I believe shanks were involved.
Mick Leach: Yes, yes. That was definitely part of the conversation, but we just had the best time talking, and then your wife came over and was like, I can see right now, you two are never going to be allowed to hang out together or we're going to have to have bail money ready. So funny. So funny. Anyway, love, love, love speaking with you, working with you. So FC, first of all, you go by a different name, at least in the hacker community. Tell me more about this.
FC: Yeah, so my name on my passport is FC, right? Which causes lots of issues when I go through, well, basically anywhere. Especially if I'm trying to get onto a government website and it's like, oh, your name must be three letters or more. It's like, well, that doesn't work. But my hacker alias, which I've gone by for the last 30-odd years, is Freaky Clown. There's no correlation between the two. It's quite a happy coincidence. I've had many hacker aliases in my life, but that's the one that became famous. That's the one that I'm known by. So that's the one I tend to use.
Mick Leach: Love it. Except your mom, who tends to call you Funky Clown, right?
FC: Yeah, yeah, she can never say it right. Despite calling me it for decades, she still gets it wrong even today.
Mick Leach: My gosh. Once I heard that, I will never, never unhear it. And it makes me laugh every single time. My goodness. So FC, for listeners who may not know you or have read your book yet, listen, tell me how you got into hacking. I know your story personally, but there are many who don't. You did an awesome Darknet Diaries podcast years ago now, right? 17ish?
FC: Yeah. Episode 66. Yeah.
Mick Leach: There you go. So go find that, which is great. But if folks haven't heard that yet and they don't have time to go chase it down, what drew you into physical security testing specifically?
FC: Well, I have a very interesting way into this, and it kind of trips me up a little bit because people always ask me, how can I get into this industry? How can I do what you do? And it's like, well, you can't go in the same way that I did, because the industry, for one, didn't exist when I started getting into this. So when I was a kid, I was a bit of a loner. I didn't really have my parents around, and I got into computers. Now we're talking computers that had toggle switches. They didn't have keyboards, didn't have mice. It was like toggle switches, and that was it. And then we got the ZX Spectrum, the Amstrad CPC, the BBC Micro and the Acorn and Commodore 64. Eventually, we got to the point where the World Wide Web was invented. And by that point, I was already tinkering with hacking. Now, the great thing is, back then we didn't really have the laws we have now. Some of the stuff that we were doing, exploratory stuff, wasn't actually illegal, which is really nice, right? You can't do some of that stuff now without loads of permission. So thankfully, I was always on the ethical side, the good guy side. But that meant I got into hacker circles like London 2600. And then my first job was actually as a sysadmin. And as a sysadmin, I was tasked with preventing anyone attacking us. Now, the best way to do that is to attack yourself. That still is the case now. So very quickly, I discovered I was quite good at that. And that held a lot more interest for me. So that's what I started doing more and more of. Eventually I became a pen tester, and eventually, after many, many years, I became the head of offensive cyber research for Raytheon, a massive military defense contractor. And then I eventually left there and started my own company. So now I live in Las Vegas with my wife. We run our own cybersecurity consultancy, and we work with people like yourselves.
Mick Leach: I love it. An amazing story. The backstory is awesome. I love it. Was there like a single moment or a particular job that made you go, this is what I was made for? Like, I'm born for this.
FC: I can kind of remember where I decided I wanted to get into computers more. After school I went to college to study science. I was going to become a scientist. I loved physics and chemistry and stuff like that, so I went and studied that. So I did a course in physics, I did a course in chemistry and biology, I did a side module on nuclear physics, which was what I was really interested in. And I got most of the way through that and I was in the computer lab and I was helping out some people with some computer stuff and I suddenly realized, like, that's way more interesting to me. I don't want to go into a job in physics, which I could have easily walked into according to my tutors anyway, because I just felt like I wouldn't go very far. It didn't hold my interest. My hobby was computers and my job was science, but I was like, oh, I can make my hobby my job. And I'm really, really grateful that that grew up as an industry and I was already in it. I didn't have to try and get into the industry, it kind of grew up around me, and all of the people that I had as peers back then have gone on to do some amazing things. So I'm really grateful, really very lucky that I was at the right point in life at that point.
Mick Leach: That's fantastic. So some of our listeners may not realize you're actually a pretty famous author as well. No, think so. will. Listen, I'm standing. I get the ones. I'm the one that has the microphone. I get to say the things. So I declare it to be true. No, it's absolutely true. You're such a humble man. But yeah, last year, didn't your book sell out at Black Hat?
FC: Yes, so I wrote a book called How I Rob Banks. I think I have a copy somewhere on the floor. Hang on. Yes, I do. There we go. I have one here. It should be on that shelf back there, but it's How I Rob Banks. And it's a collection of tales from my career. Obviously not all of them. There's a lot that I cannot ever talk about. But this is a collection of stories. And when it got launched, it was number one bestseller on Amazon, which was great. Hit number one and a couple of other sites as well, then it became the first book ever to sell out at RSA and then it also sold out again at Black Hat this year as well. So it's done well, it's done quite well.
Mick Leach: I agree. I agree. I have a copy myself, which you kindly signed. So thank you for that. Also signed one for my son, who is a cybersecurity guy in his own right. So as part of the road show that we're doing, FC does a live deepfake demonstration of me. So he has some incredibly audacious code that goes out and scrapes the internet. One of the things it grabs is my LinkedIn photo. And then using some more amazing code that you have, as well as some open source tools, you deepfake me. And it's a live fake. You could turn your head and everything. You become me. In other words, we can even bring people from the audience up; they become me too. It's actually rather terrifying. It is terrifying. Listen, this world only needs one me, and many people I've met aren't even sure one is necessary. That said, because he assumes my identity so routinely, I asked him to sign a book for my son and I said, he's into cybersecurity, he's an analyst, would you sign it for him? His name is Josh and he said, sure. So to Josh, I am your father, dot, dot, sometimes. And I was like, my gosh, this is hilarious. So I took it to him. Yeah, yeah, exactly, Star Wars.
And of course, as a good geek, right, I've raised them right. He is also a big Star Wars fan. He read it and just busted out laughing. So now that is like an inside joke with the family and FC. So, and FC, you've met another one of my sons as well. So I love it. Too good. But so what inspired you to write the book though in the first place?
FC: Well, that was an idea that came around decades, literally decades ago. So I was doing a lot of physical entry stuff and I was making notes on some of the more interesting things that happened, and I collected these notes for at least ten years. And I would add to them every time I did another job that was interesting. I would add more notes to this thing, and then I was like, one day I'll turn this into a book. And if you can be bothered to go through my Twitter history, you can go back literally years and be like, he's saying he's going to write a book next year. He's going to write a book next year. And then COVID happened, right?
Now the weird story with this is, if you've ever heard of a fantastic guy called Bruce Schneier, he and I met during a meeting somewhere and he liked what I was saying, because I stood up to some four-star generals, and he came over to me and was like, I really love what you're saying and how you say it. Like, will you help me write my next book? So I was like, yeah, cool. And so we spent countless Zoom calls during COVID going back and forth, and I was helping him write his book at the time, and we were talking about that, and he's like, are you going to write a book? And I was like, yeah, I've got some notes, but I don't really know how to get it started.
Now my wife, she'd already written like three books at this point. And so I was like, okay, I'll have a chat with people about it. And then Bruce introduced me to his guy at Wiley, and Wiley picked up the book, loved the title, loved the idea, gave me a contract, and then within six months I was supposed to have finished the book. So I worked really hard, and notes are not the same as a book. And then 24 hours before publication, like they were sending it to the printers, they asked me for all the drawings. And I was like, you said you were gonna do the drawings. And they're like, no, you're supposed to give us sketches and then we'll turn them into professional drawings. And I'm like, can I do that? And they're like, no, you've got 24 hours to get us drawings. So I sat on my iPad and I drew all of the really, really bad drawings that appear in the book. That's the whole story of the book.
Mick Leach: My god. That's hilarious. I didn't know that about the drawings. That's hilarious.
FC: And the worst thing is I spent ages doing all different colours and they never told me that it was going to be printed in black and white. So if you look at any of the pictures, they're really fancily different grey scales, and that was not intentional.
Mick Leach: My gosh, that's really funny. So I know your book is full of stories. Our listeners, if you haven't read it, you absolutely should. It is a page-turner and absolutely hilarious in some cases. Also a little disturbing in other cases, as security penetration tests often go. But can you share one of maybe the most audacious physical penetration tests that you've ever done, maybe something that still makes you laugh or shiver when you look back?
FC: Yeah, I think the one that springs to mind for that... I mean, like, if you pick up the book there's stories from stealing gold bars through to trying to steal helicopters, kidnapping people, which I've done, so I tell the story about the first time I did that, that was quite interesting. But the one for audacious, I think, comes to... there's a whole thing that happens before you do one of these physical assessments, right? So there's lots of paperwork. There's lots of legal stuff you have to get through. There's lots of planning. And the first thing you have to do is do a lot of reconnaissance of the building or the site that you're trying to break into. And I was slammed at one point in my career, doing back-to-back stuff. And this job came in and they were like, look, it's a government building. It's in a European country. So you're gonna do this one. And I was like, okay, this is cool, but I couldn't get there to do any recon.
There's not many photographs of this place and Google Maps didn't exist at the time. But it just so happened that one of my colleagues was in the country during this week where I was supposed to be doing recon. So generally recon is like a week long exercise and so I phoned up my friend and I was like I know this isn't what you do. You're just like a normal digital hacker, but can you go and look at this building for me? Just give me some rough ideas. Do you count how many doors there are? Count how many cameras you see? Tell me if there's a police presence there or if it's just like security guards. If so, count how many you see. Very simple, basic stuff. So I get a phone call in the next couple of days and he's like, ah. It's gonna be super easy for you. I can see loads of doors. I can count maybe one or two cameras and I didn't see any security guards and I'm like, a bit unusual for a government building. All right, cool. I haven't seen the building. I don't know anything about it. So I'm like, okay, cool. So I get to this country because at the time I didn't fly. So I took the train, drove, and got there.
And I looked at this building and I phoned him up. I was like, you're an absolute muppet. What, like, did you even look at this building? Like, did you go to the right building? Because I'm looking at this building, there are literally like two entrances. There's one at the front, which is heavily guarded. And there's one at the back, which is also camera-covered, right? So there's cameras everywhere; there's literally, I can't even count how many there are that I've seen. Not only is that the case, there is an armed police presence, right? It's not just like normal security, there's armed police at this place. So I'm like, what have you got me into? So I spend the next two days trying to work out how to break into this building. And it comes down to just sheer luck and timing, as most of these things do. I observed during my sort of recon phase, my new recon phase, that the back loading entrance, it was kind of like a ramp, a one-way ramp. And so I realized that during the early hours of the morning, the sun aligned. It was very much Egyptian, very pyramid-like, and like Stonehenge. Like, the sun aligned perfectly down this ramp and you could see this like a shaft of sunlight. And I thought, do you know what? That's probably going to blind the camera that's covering it. So I timed my attack to go in down this ramp during this very sunny period. I had to wait an extra day, I don't think I mentioned this in the book, I had to wait an extra day because it was a bit cloudy and I needed it to be clear and sunny. So I go down this loading ramp, the sun's still on the camera, I whip in and I get in through the loading area and there's a big glass door and I'm like banging on it. And this guy walks past and he sees me. I'm like, I've left my pass inside, like shouting through the glass. And he's like, all right. And just lets me in. And so later on, I'm talking to the security team about how I got into the building, how I compromised everything. And they were like, well, we never saw you on our security system and it's very sophisticated. And I'm like, yeah, but do you watch it 24/7? And they're like, yeah, we do.
Mick Leach: My god.
FC: Like it's one of the very few places that does. We have teams that rotate out and I'm like, geez, all right, did you record it? Did you record the loading bay? So we went back and we scrubbed through the footage and we found one frame where you can see part of my shoe as I enter because the camera is blinded by the sunlight. And it turns out that my friend who saw no cameras was so far off the money. It was ridiculous. This building had 330 security cameras throughout it. And only one camera caught half of my foot as I went into it. So yeah, that's the most audacious one, I think, just because of how ridiculous it was. I didn't think I'd ever get into that one.
Mick Leach: My gosh, that's hilarious. So I love these stories. What's maybe the most unexpected way that you've ever gained access to a secured building?
FC: Oh, actually there's one, alright, this is a girl. There was a company that hired me to try and get into this new building. They had bought this new building and they were in the middle of converting it, etc., and so they wanted me to do a quick security test of it, and the one thing that really stood out to me was it wasn't a standalone building. It was a building that abutted a cafe, like a little restaurant thing, but it was kind of an all-designery cafe and it had these weird sloping glass, like wall-window things, to look out of. And they were like this sort of angle, right? Like maybe a little bit more about that. And I just discovered that at night when no one's in the restaurant, you can just run up these walls. Like, yeah, run up these walls.
Actually, Jess was there with me; we did a bit of recon together. I ran up this wall, like a reverse bit of Jackie Chan. You've seen him when he goes down the side of that building. It was the reverse of that. And I got up onto this little flat roof that they had. And from there, I was able to climb up onto the roof of the building, the target building that I wanted to get to. And then when I got up there, I found all of their HVAC system was completely passwordless. Right? So you could just open the cabinet, do whatever you wanted. You could like change Wi-Fi. You could do, there was even a network pinging on there just to make sure. So it was like loads of computer stuff already on the roof. And then I found one door and it was unlocked. And so I just let myself in. That was it. It was just like, I climbed up a wall and then just walked through a door that was unlocked. It was frankly absurd, and a lot of my entries are absurd. They really are, like, just ridiculous sometimes.
Mick Leach: Okay, but in all that time, surely you've had a job go sideways. Maybe things didn't go as planned. So give me an example of where that happened and how did you handle it?
FC: Yeah, so in the 30-odd years I've been doing it, I've got a 100% success rate, but I've had two jobs that have gone sideways on me. And the first one is, it's not that interesting, right? Like I broke into this building, it was a government site, and I phoned up my contact and, as I always do, I'm like, hey, I'm in your building. If you happen to be in the building and you see me, you know me, just ignore me, that's all you have to do. And so I went into a small meeting room to make this call and he was like, whereabouts are you? I'm like, all right, I'm in this meeting room. Again, if you see me, do not interact with me. So about two minutes later, he comes running into the room and I'm like, what the, why, why are you here? And he's like, I just wanted to make sure that you were in. I'm like, I told you I was in. I wouldn't have known about this meeting room if I hadn't got in. So I'm like, just go away, go and do your job. Let me finish mine. A few minutes later, I'm stealing a massive TV from a room, and so I'm doing that and then security come in and they're like, right, you need to leave. And I'm like, no, I'm meant to be here. And we did a little bit of patterning. He's like, no, no, no, I've been told that you're not meant to be in here. And I'm like, who told you? And they're like, we can't say. I'm like, I know who it was.
And so yeah, this guy apparently had decided that he'd met me, realized that he was going to get in lots of trouble because it's his job to secure the building, and decided to go straight to security and tell on me. The funny thing with that one was that where I was supposed to get to was incredibly well protected. And I think if he hadn't sort of snitched on me, I probably wouldn't have got into that room. So I'd have probably ended up failing that one, but thankfully he got such a bollocking for that. He really did. Because he shouldn't have done it. And he ruined like weeks and weeks.
Mick Leach: Yeah, who hires somebody to come in and test their security and then is like, never mind, I'm just going to out you myself.
FC: Yeah, and this is a thing, this is something that I see a lot and I get pushback on a lot: people that think I'm there to make them look bad. And that led to the second time that a job went sideways. So I was enlisted by a bank to break into their high street shops, the banks that everyone goes into, right? They wanted me to break into one. And the idea was to get somehow behind the counter and plug some kind of device into the tills. I'm like, okay, that shouldn't be too hard. Well, we've got a lot of them across the country for you to do. So it was a lot of travel, right? And I think I was breaking into about eight banks a week. When you compare that to some of the well-known bank robbers like Bonnie and Clyde and Jesse James and so on, I did more banks in that month than they have all done in their whole careers put together. So I was breaking into a lot of banks and I was having a lot of success, obviously, and the client was like, right, we need to change this up because you're just doing this. It's making us look bad. So we want you to do a different approach, a different way in every time. And I'm like, this is ridiculous.
I'm in my hotel room with literally blueprints and printouts and literally everything apart from the red string, right? So I'm planning all these different types of things and we're doing different regions as we get down the country and we end up in this one area. And apparently one of the regional managers, who looked after five or six banks, wasn't happy with this. He wasn't consulted or anything like that. And so he heard about it and knew it was coming. Knew roughly within like a few days of when we were going to be there. And so I walk into this high street bank, it's my first one in his area. And I get a gut feeling that something's off, because I'm kind of pushed aside to wait in a reception area, which for the story I was giving, which I'm not going to give, I should have been ushered straight through. And so I was sat in this little reception area, waiting room bit. And there's a guy beside me and he is just moaning about this bank, right? He's on about how they're making his life hell. He's got all this mortgage stuff to do and he's just venting at me, and I'm like, I've got nothing better to do than just sit here and listen to him. So he's like venting, venting, venting, venting. Like 10, 15 minutes go past, 20 minutes go past, and I'm like, this isn't going well. Something's gone wrong. And then all of a sudden police cars surround the bank, armed police come pouring through the door, and I interrupt this poor guy and I'm like, excuse me, these guys are here for me.
And he's like... So I walk over to the police and I explain my job and what I'm doing, and so we go off into this room and we talk with the manager and stuff. And it turns out that basically this regional manager had heard the story that I was coming, phoned up all of his branches and said, if this guy comes in then immediately call the police. Like, avoid all of the policies and procedures that we're supposed to go through and just call the police, because I don't want this guy in my building. So he got really, really chewed out for that, because I'm sure most people know this, but if you have a police presence that comes to you on a call like that, there's only so many times they will do that on a false case before they're like, we're not going to respond to you anymore. So because we'd used up one of those false cases, the police were a little bit reticent to come back there the next time there's a bank robbery in progress. So yeah, he wasn't Mr. Popular. He really wasn't. And we highlighted the fact that, like, yeah, their policies and procedures were not followed, etc. So, yeah, that was a fun, fun day.
Mick Leach: Okay, okay. Now this next one, I'm gonna be honest, if you can't answer it, I understand. But I'm gonna ask it anyway. What was maybe the most creative, because maybe you don't wanna give it away, and I would get that, but what is maybe the most creative sort of pretext or story or whatever that worked surprisingly well? Maybe you didn't expect it to, but it ended up working and you're like, huh, all right.
FC: Yeah, I tend not to use pretexts and stories like that, right? I find that the less you talk to people, the better. I remember one pretext that kind of went a little bit wrong. So I was asked by, again, it was a bank, but they wanted me to get into their headquarters and they were like, okay, get into this building. Just let us know how you do it. So I turn up to this building and again, it's unbelievably easy to get into this building. So I phoned my client as I always do and they're like, it's taken you 17 minutes. So I'm like, yeah, I had to find a car parking spot. And they're like, okay, well, you've got the rest of the day. Could you break in again? I'm like, yeah, sure. So I left and went in through a different entrance. Got in, and they're like, right, it's not even lunchtime, any chance you could do it again, but this time can you test this particular door? So I'm like, yeah, no problem. I'll come up with something. So as I'm walking around to the store, I walk past their very large loading area and I'm like, this will be cool. So I grab an empty cardboard box, and I grab this thing and I walk into this back entrance bit.
I walk over and they've got these little sliding turnstile things. I walk over to it and I don't have a badge in my pocket, but I'm kind of holding this big box and I'm kind of rubbing against it, like I probably shouldn't, like I'm trying to get my badge to work, and the, I wouldn't say receptionist, but the person overlooking it is kind of like, can I help? I'm like, I just can't get through because my badge isn't working. So I go over and I put this heavy box down and I rest it on the corner. And she's quizzing me about this badge and stuff. And it was amazing, right? This shows how humans are not always focused on what they should be doing, because she takes this incredibly heavy box that I've been struggling with and just moves it really easily, because it's clearly empty, and it doesn't quite trigger her sort of security brain. That was one pretext that kind of went a little bit wrong, but somehow... it's fine.
Mick Leach: My gosh, that is funny. Let me ask you. So I'm going to be selfish, only because it's one of my favorite stories. I know this story, but it's the gold bar story. You teased it earlier. You referenced it. Now you've got to tell it. OK, it is one of my favorite stories. Tell me this gold bar story. How did you end up? And these are heavy, aren't they?
FC: They are. Like, so I've stolen many, many gold bars over my career, and gold bars are way heavier than you'd imagine, right? If you had to pick up a five-year-old child, right, it's this big. It's incredibly dense. Almost every movie gets the weight of them wrong. You see them chucking them around and stuff. They can be quite sharp-ish on the edges as well.
So you have to be kind of careful with them. In fact, the only movie I can think of that got it right was Die Hard 3, Die Hard with a Vengeance. Yeah, where Samuel L. Jackson's carrying one and he's got just one and he likes to heave it through a window. Everything else seems to get it wrong. But anyway, these gold bars are very heavy. Anyway, the story you're after is the day that I kind of accidentally stole one. So I was asked by this bank. It's not like a normal bank. It's an investment bank. So they do keep a vault of gold downstairs. Now vaults are very, very big, very secure, very heavy. And so they're never on like the fifth floor. They're in the basement or they build the building around the vault. So when they said to me like, see if you can find the vault. It's like, let me guess it's in the basement, right? Yeah, sure.
So I'm like, right, so I get into the building and, after I've done a bunch of other little things that they want me to do, I go down the staircase and I get into the basement, and there's a very large concrete block in the middle of this quite open-plan room. And I'm like, that's clearly the safe. Our cat has come to join in the podcast. Hello.
Mick Leach: She loves this story.
FC: She does. So this concrete block, and I'm like, well, that's clearly the vault, but I'm the wrong side of it. I need to get around to the front of it, which is opposite the loading area. So I walk around this big concrete monolith and I see the vault door, and it's like you see in the movies with the big dial and everything, and it's open. It's just ajar, right? Just a couple of feet. And I'm like, that's unusual. Kind of cool. There's no security around. Like clearly this client is having a laugh at me, right? Because this never happens. The vault is never just left open. There's no security. They know I'm coming into the building. They know I'm already in the building because I've phoned them. So they're clearly going to just prank me somehow. So I stick my head into the vault expecting someone to be like, hey, surprise. But instead I just see pallets of these wonderful bright gold bars. Gold is like nothing else, and the aesthetic in there was amazing. It was these bright gold bars, nice and shiny, on these blue trolleys, and the handrails are all blue. It was really nice. Like whoever designed it knew what they were doing. But I look in there, like, there's a lot of gold bars here. So I'm looking around, there's still no security anywhere. I'm going to step into this vault and they're going to shut it or something stupid. So I step in and I pick up one gold bar and I'm like, okay, this is cool. So I wander out of it. Still no security. Okay. This is kind of weird. I look around a little bit and I find a discarded backpack, right? Cause it's kind of like a storage area type thing. Find this backpack and I'm like, well, if I put this into that backpack, it's just going to rip through.
So I took my jacket off, rolled up the gold bar, stuck it in the backpack and left, and all of the way out to the exit, I'm thinking I'm going to get stopped any second. I get out of the building, I go around the corner to this little cafe thing and I'm like, what the hell has just happened? I've just walked in and walked out with this gold bar. So I phone my client. He comes running through the door, like this is a public building, and he is distraught, and comes up to me. He's like, have you got it? Have you got it? Have you still got it on you? I'm like, yeah, it's in my bag. Yeah? So, like, come with me. So we go back into the building. He calls this emergency C-suite meeting. Everyone comes in. I'm looking disheveled, because the adrenaline dump afterwards of these things always makes me look a mess. He's looking disheveled because he's going out of his head, and the rest of the C-suite are in this boardroom.
Now the boardroom is like, it's a proper, like sort of maniacal bank type boardroom, right? So they've got this like overly ridiculous mahogany boardroom table and it looks gorgeous, right? It's shiny, it's very old. It's like, it's nice. They're all sat down one end. I'm sat down the other. And my client explains that I've managed to walk in and I've removed a gold bar from their vault, and they're all like, never possible. So I'm like, okay. So I pull out the bag and I pull out my jacket and, without meaning to, the most movie-esque moment in my life, I lift up the jacket and the gold bar rolls out of it and takes a huge chunk out of their mahogany table, like two or three inches, just straight in. And I'm like, and like everyone is staring at this gold bar and I'm like, my God, I forgot to buy them a new desk or something. But there's this moment where everyone is looking at the bar and they're like, what the hell do we do now? And then just chaos erupted for like the next 20 minutes as they tried to figure this out. I have no idea if they ever repaired that table or if they kept it as a kind of like memento. Yeah, that was, that was the time where I still want to go bar and that, right. So I get a lot of shit for this story, right? Because people always come back with, oh, I work in a bank like that and that never happens. I'm like, yeah, it never happens, right? That never happens. So the story behind how it happened is just as fascinating. So I pick my day at random, right, that I'm gonna go in.
There's a window of opportunity that we put in for the clients. Like it'll be between this date and this date, and that can be two months, a month, a week, a couple of days. So they don't know when we're coming in. And so I said to them, right, this is your window, and I pick a random day or whenever I think like, you know, I can be outside and be like, I wasn't planning on going in, but here's an opportunity. So I'll take that opportunity. So I got into this building on that random day, and that random day was the day that an assayer was sent there. Now an assayer basically checks that gold is gold, essentially, right? So what they do is they turn up, they have this like big mobile van that they park in the loading area, and they get the vault open, security guards are there. They remove several gold bars at random and they take them out to the van and they test them. Now the two security guards that were with them didn't trust the assayers, but they trusted their building. So they were like, well, no one's going to get into this vault. So rather than lock it all up, we'll just leave it ajar and then we'll follow the bars out to the assayer. We'll watch the assayers do their thing so that they don't swap them out or steal them. And then we'll bring them back in. So there was only like a, maybe a 20 minute window where they were outside the vault, and it was just a perfect storm of me walking into that building on that day, at that time, and they made a really stupid decision. Because they should have just shut the vault, and then I wouldn't have been able to get in. But yeah, it was just one of those one in a million things. So we changed a few policies and procedures around that, which was very valuable for the client.
Mick Leach: Okay. Yeah. So what are the biggest mistakes that organizations make when it comes to physical security? Yeah?
FC: Trust. People trust security, right? Not just in physical stuff, but in the digital realm as well. Trusting people around you, trusting people that you're working with, trusting that basically if you're past the first security layer, then you're right, right? You must work here or you must have access to this. So I think, yeah, that's probably the biggest thing I see, is people trusting things that they shouldn't. Like almost every single digital vulnerability comes out of trust, right? Like if you don't trust the input from the user or from another computer, loads of vulnerabilities go away. So yeah, trust is probably the biggest thing that I see.
Mick Leach: Okay, so I want to tease this out because I think it's also true that even from a social engineering perspective, so interacting with other humans, trust still remains a key factor there as well. So the question I guess I have for you is this: how does human psychology and social engineering come into play with this kind of stuff, maybe as much as or even more than technology?
FC: Yeah, you know, this is very much my wife's realm. So I'll try not to step on her toes too much. Yeah, psychology is a huge factor, right? Because you've got, most attacks will happen and leverage social engineering, right? All of the Scattered Spider stuff, that's mostly based on social engineering and compromising people's MFA accounts and whatnot, right? So most of it does come back down to social engineering. And then you have AI powering social engineering emails and OSINT and stuff like that. Anything that you can leverage to gain some kind of control over another person and their emotions and how they react. That's a huge thing. And the same goes with physically getting into places. If you can cause someone to think outside of the normal ways that they normally think, then they will do really weird things to let you into places. Yeah, I think social engineering is huge. It's one of the largest areas I think that we don't really touch on enough.
Mick Leach: Yeah, agreed. And I have the benefit of having had your wife Jess on a podcast or a webinar with me and someone else before. And to be fair, like she has a PhD in this. Like she is a legitimate expert in the psychology around it. Yes, yes. She's probably the more famous of the two of you.
FC: Yeah, I mean she won a medal from the King of England for this. Like it's pretty good. She's pretty good at it.
FC: 100% it goes: her, the cat, me.
Mick Leach: Yeah, I don't know if that's a hundred percent true, but I haven't met the cat. So I mean, it could be true, I guess, is what I'm saying. Next time I'm in Vegas, I'll come over and meet the cat as well and then confirm or deny the story. But, yeah. And so that's kind of why I ask, because, you know, you guys must talk about this stuff around the kitchen table or whatever as well, but, you know, that's been our experience here, is that we just see there's tremendous power in the phrase "I need your help." You know, it's wild. It can get people to do things, to your point earlier, right? Whether you're moving them emotionally, whether they feel bad for you or they're angry at you and they do something. You can convince people to do things by moving them emotionally or asking for their help.
FC: Yeah, I mean, one of the funniest little psychology triggers, which you can all try, you can try this on anyone you want, right, is: if you want a big favor of someone, ask them several small ones first, right? So if you're trying to get someone to let you in through a door, for example, or wave something through, you should be like, have you got a pen I can borrow? All right, and they'll give you a pen to borrow, right. And then you're like, can you tell me what the time is?
And then by the time you get around to asking like, could you, could you let me through here? Cause I forgot my pass. Like it's got to the point where they're like, well, I've done so many things already that now this extra thing, which if I'd have asked for straight away would have been too much, it's now, well, actually it's just an extra little thing. So there's loads of little tricks like that that you can use.
Mick Leach: Okay, I love that. So you're not just a one trick pony when it comes to penetration tests. You don't just do physical security, although you've done a lot of that. You also do digital.
FC: Yeah, exactly. I think this is one of those weird things where the physical security stuff is probably 5% of my workload. But it's 100% why I'm famous. It's because no one cares, like, oh, I did an Nmap scan for 20 hours and then found a port open and found a vulnerability to get through that. I wrote an exploit to get through that vulnerability.
Mick Leach: Okay. It's also the more interesting stuff, right? Because, I mean...
FC: No one cares, it's not fun.
Mick Leach: No, it's not sexy or interesting. I mean, it is to people like us that do this for a living, but then you gotta get into the details of, tell me more about the exploit. What service did you compromise, you know?
FC: Yeah, exactly. It's, uh, it's one of those things where 90 % of my job is just breaking into computers and then the rest is the cool stuff.
Mick Leach: Okay. So let me ask you this. I'll set you up with this because I want to ask more around how AI is changing things. Is it changing? Are you seeing AI already changing things in terms of both penetration testing, in other words, attacking for good, but also bad actors leveraging it to attack for bad? Are you seeing this?
FC: Yeah, I think we're just starting to see that cusp of where people are using it for good and for bad. And we must remember it's just a tool, just like anything else. Like you can use a car for good or bad. You can use a fork for good or bad. You can use AI for good or bad. I think we're seeing it actually being used more by the defense side, by the good guys, than we are the bad guys, because the bad guys... don't really need to, right? The only area that I think that they're kind of utilizing it more is on email, because a lot of people find or spot phishing emails and stuff like that because of bad grammar, because of how the elicitation happens. So AI is helping them create better emails. But I think where we're seeing AI being used more is actually in the scale, and scale is what changes over the course of the years, right? So when I started out, gosh, if you wanted to attack someone, you would have to phone their telephone number and hope they've got a computer connected to the line at the time. And now you could text eight million numbers within an hour. Like, the scale has changed; the threats and the attacks haven't really.
So AI is allowing people to, A, get into cybercrime easier, because the level of knowledge they need is greatly reduced. It allows them to scale it. It can work 24/7, whereas like criminals can't, they have to sleep as well. It allows a single one-man-band person, one man, one woman, to attack large infrastructures, whereas before it would be an organized criminal gang. And what we've seen in the past now is these organized criminal gangs comprised of thousands of individuals, they're kind of saying, like, well, actually, we don't need that, we can scale back. It's just like any other organized company. If they go, well, we can get rid of this whole area because we can just use AI for that. It's fascinating how it is being used, and it's not quite how we had expected it to be used.
Mick Leach: Okay. What is, in your opinion, the biggest misconception that you hear about in AI and cybersecurity?
FC: That it's intelligent. So, and it's like the placebo for every, not the placebo but the panacea for everything. Like it's kind of like, we have this problem, let's chuck AI at it. AI is only as good as you train it to be. AI makes a lot of mistakes and it's not always the best thing to use. In some cases it is, and if it's really good at doing specific things, then yeah, great. But if you're trying to just stick AI into your product or into your company because it sounds cool, god, you're in for a disaster. If you've built a product with AI in mind, and I can think of one right now that is built from the ground up around AI, then that is always going to work a lot better, because that's what it's meant to do.
Mick Leach: Sure, sure. It's funny, you and I were talking about Dave Kennedy a minute ago, like a killer in the cybersecurity community. He's been on the podcast a couple of times. He and I were talking a while back and he was saying, like, you know, folks that are trying to get AI to do the code, write the code for them, the resulting code often comes back with tons and tons of vulnerabilities, ways to break into it. And because it's just, it doesn't operate quite as, to your point, as intelligently as we were led to believe that it is or will be.
FC: Yeah, yeah, and it's great. It's going to be the gift that keeps on giving for pen testers for the next 10 years, right? We're going to be testing software that is just horrifically bad, because with AI, you tell it to do something and it does that thing. It doesn't think, hang on, should we maybe have MFA in this app? Like, should we be storing these credentials in plain text? Like, it's not going to make those decisions that an actual development team would.
Mick Leach: Exactly. Thank you. Because I get into this conversation occasionally with folks that are super into vibe coding, right? They're super supportive of it. They believe this is the path forward. Don't hear what I'm not saying. Like, there's value to it. It can make a good developer, you know, far better, faster, certainly in terms of, you know, scaling up what they can do. However, you know, they'll tell me, well, Mick, you see, you're doing it wrong. You just got to give it the prompt that says, using best security practices and, you know, secure development guidelines and all of these kinds of things. You got to frame your code, the right, you know, your prompt the right way. I'm like, I hear you. I do, but I also have asked ChatGPT in particular, this was the one I use most often, you know, I've asked it some questions and it didn't know and it just made up an answer.
FC: Yeah, that's the worst thing. It never says, no, I don't know. And that's actually a good thing if you're hiring a real person: ask them a question they will absolutely not know and see how they react. If they say, I don't know, but I can find out, great, hire that person. If they try and make up some crap, then no, that's not who you want to be hiring. And it's the same with AI. AI will never say, I don't know, I can try and find out but I don't have the resources right now. It would be like, huh, okay, here's an idea. And because it's just predictive texting, it's very odd.
Mick Leach: Where was this conversation earlier this week? So I had a conversation earlier this week. I was at a dinner in Toronto and a gentleman came up and he was like, how are you hiring people anymore? Because I feel like just everybody, we're all using AI to write the questions for the interviews. They're using AI to answer the questions for the interviews. Why don't we, the humans, just step out and let the AIs talk and sort this out? Because he said, I just don't know anymore. I mean, you get these wild, everybody's got an answer to every question. Where was this conversation where I could have said, ask them something that they couldn't know. Like, or maybe it's a trap. Maybe there isn't an answer. And see if, because to your point, AI will always come back. And if it can't find an answer, it will just, it will gladly make one up.
FC: Yeah, exactly. Yeah. And the number of people I've interviewed over the years for different jobs, where I use that as a way of weeding out people. So if you try and bullshit me, I'll know. So no, there you go. Yeah, I'm not having that. So another good question is, tell me about your home lab, right? If you've built something at home outside of hours, then that's a sure sign that you're going to be doing some really cool stuff.
Mick Leach: Right, yeah, somebody that's hands-on, was tinkering and, you know, figuring it out, making mistakes. It doesn't have to be good. Just show me that you're trying, that you're trying to figure it out. Yeah, I love that. For me, that was always a red flag as well. I built and ran security operation centers for a long time. So I've interviewed probably thousands of people for SOC and all those roles. One of the biggest red flags for us was always like a confidently wrong answer. Like they just declare, this is it, here it is. And there were a couple of times I remember feeling like, am I, am I being gaslit right now?
I mean, I've been doing this a long time. I'm a hundred percent sure. At least I came into this room a hundred percent sure this was the answer, but he said it so confidently. Now I'm starting to wonder, is he right and I'm wrong? Because that's, that's terrifying. That's the worst thing you could have, because, at least in my opinion, in terms of security operations or analysts, SOC analysts, that in a moment when they don't know, they're just going to either lie or pretend or whatever you want to call it. Because that's how we end up with real serious problems in the SOC. But, FC, this has been awesome. What a great conversation. If somebody can only take one key thing away from our conversation today, what would you have that be for them?
FC: It would be to have a healthy non-trust of people around you.
Mick Leach: I like the way you put that non-trust, like mistrust people. Yes.
FC: Don't trust implicitly. The people that you see in your building day to day could have been fired an hour ago, and you just don't know it. Or maybe they've got ulterior motives. So have a healthy suspicion.
Mick Leach: Yeah, I agree wholeheartedly. I think as security practitioners, right? I don't know why we are the way we are. Maybe something has hurt us in the past. Right? Sure. All of us, I think. But that natural suspicion or mistrust, right? The reluctance to trust things makes us really good at our jobs. And I kind of wish everybody was just a little more.
FC: Yeah, it makes you question things, and I think questioning things is where you find answers.
Mick Leach: Couldn't agree more, couldn't agree more. FC, thank you so much for being on the podcast. This has been so much.
FC: Thank you, my friend, it's been an absolute pleasure, it really has.
Mick Leach: Indeed. Well, folks, this has been SOC Unlocked, Tales from the Cybersecurity Frontline. I'm your host, Mick Leach, reminding all you cyber defenders out there to keep fighting the good fight. You're the tip of the spear, so stay sharp. Thanks for tuning in. Don't forget to like and subscribe and check out our other SOC Unlocked podcasts. We'll see you all next time. Thanks, friends. Be well.
Host Mick Leach welcomes renowned ethical hacker and author FC to SOC Unlocked for an unforgettable deep dive into the human side of cybersecurity. From walking unnoticed into a government facility with hundreds of cameras to the infamous “gold bar” heist that still makes clients squirm, FC’s stories reveal how curiosity, timing, and psychology often outsmart even the strongest technical defenses.
Together, Mick and FC explore the fine line between ethical hacking and criminal creativity, the crucial role of trust (and why it so often backfires), and how AI is reshaping both sides of the security battlefield. The conversation is equal parts thrilling and practical—a reminder that true security depends less on tools and more on awareness, discipline, and a healthy dose of skepticism.
Insights
The strongest defenders learn to think like attackers and test their own systems first.
Trust is the biggest vulnerability in both physical and digital security.
Human psychology is easier to exploit than any piece of software.
Even the most advanced defenses fail when basic procedures are ignored.
Curiosity and persistence—not formal training—are what launch the best cybersecurity careers.
Interested in being on the podcast?
Contact us at SOCUnlockedPodcast@abnormalsecurity.com
Guests
Cygenta
“Question everything. That’s where you find the answers.”
“AI is just a tool—like a car or a fork. You can use it for good or bad. The danger isn’t the technology itself; it’s forgetting that it isn’t intelligent, it’s just doing what we tell it.”
“Have a healthy non-trust of people around you. The people that you see in your building day to day could have been fired an hour ago and you just don’t know it. Or maybe they’ve got ulterior motives. So have a healthy suspicion.”