dnsUNFILTERED: Luther "Chip" Harris
In this episode of dnsUNFILTERED, cybersecurity expert Chip Harris shares his extensive background in IT and OT security, detailing his transition from military contracting to cybersecurity. He discusses the critical differences between IT and OT security, the importance of disaster recovery, and practical tips for businesses to enhance their cybersecurity posture.
[00:00:00] Mikey Pruitt: Welcome everybody to another episode of dnsUNFILTERED. Today I'm joined by Cybersecurity Guru Chip Harris. Chip. Say hello to the folks out there.
[00:00:09] Luther "Chip" Harris: Hi, Everybody.
[00:00:11] Mikey Pruitt: So this may test the limits of our unfiltered name of this show. Chip is gonna try to keep a lid on the profanity, something might slide. We might have to throw a few beeps in, but Chip, why don't you just tell us a little bit about your background, 'cause you, it's a, you have a very extensive career in cybersecurity and I want the audience to understand your expertise.
[00:00:32] Luther "Chip" Harris: Yeah. I've been doing this 28 years, going on 29 in August, so basically my entire adult life.
Since I got outta college. How I got into IT and OT is very interesting, because I started off my IT career as a bench technician at CompUSA fixing computers, which most people in this generation don't understand that you had to go to a computer store to buy a computer, they, and same thing with parts. There was no Newegg, there was no, some of these things didn't exist. You had to physically go to a location, to buy a Gateway computer to buy a Sony computer, which was being made at the time, or an HP or a Compaq, or.
Apple even, that's how I got started back in the nineties, 'cause I was working my way through college and that was my part-time job that turned into a full-time job. And I got my military contracting license, because I wanted to eventually work in the military field.
And I was, about to go into the military. And then 9/11 happened, and then after 9/11 it was like, oh. You've got your license and certifications and you get all these Microsoft and CompTIA certifications and you know you have questionable morals. Okay, can you come work for us?
You're
[00:01:49] Mikey Pruitt: like, we need you,
[00:01:50] Luther "Chip" Harris: you're with us. And no, they were hiring and they said, how much do you want an hour? And I said I make $13 an hour. And the lady was like no. You'll start at $250 an hour and then go up from there. And I was looking at this from a monetary standpoint because I owed, $75,000, plus.
In college, 'cause I had to pay for my college. I grew up poor. I grew up dirt ass poor. So college was on me. I had taken out credit and loans and, everything I could, and I was in debt, like high level credit card and to, school tuition debt.
And I said, okay, I'm gonna try this for, six months to a year to see if I can get enough money to pay my way out of, all my college debt and tuition that I owed. And I got my, first paycheck after my first tour. And I was like, oh yeah. I'm gonna be doing this for a while.
This is doable. This is nice. So student debt and 9/11 catapulted you into I believe you phrased it as in the rear with the gear. And you're, oh yeah. Military adjacent career.
So I was, and I was, I worked, with the National Security Agency and I worked with, tailored operations.
I worked with Syncom, I worked with all of the intelligence apparatuses to be able to feed people into the field, what they needed, and I was in the rear, with the gear and arm to the teeth, I mean to the teeth, and I was, working with the 501st Air Cab outta Fort Campbell, Kentucky.
I worked with the Night Stalkers unit. I worked with a lot of different special forces teams, and when you're 21 years old, that's great, but then when you start wailing towards your forties, you're like, I am sick of getting shot at. This is not on my top 10 list of things to do anymore.
I wanna go do something else. And I came back to the states and they said you gotta finish up. Your contract, because I had been hurt over there. I had been shot twice, stabbed three times, hit with an IED and I was like, I have had some metal put through me and in me, and I am ready to, come back to the life that I wanna live, with the money that I had saved up, and so forth.
And they're like, yeah, we, you gotta finish out your contract. It's with the DEA. And I was like, oh, okay. That's cool. I got nothing against that. They go you're going to Mexico to investigate the drug cartels for two years. And I'm like, a little
[00:04:07] Mikey Pruitt: side hustle against the drug cartels. Nice.
[00:04:09] Luther "Chip" Harris: Yeah. I was like, okay, yeah, this, okay. They, wow. Then I got down there. I was like going, dude, I. So safer in Kabul than, being in Mexico, I imagine. And I was kinda like, okay. Did that for two years. And then I came back and I said, okay, what are the two things that need the most, cybersecurity help, period in this industry.
And the first one from an IT standpoint was dealing with banking. And the other one was dealing with healthcare, from an IT side. And I said, I can really help on the IT side on that, on the OT side. I said, what can we really deal with on that? And it's, gas, water, light, and electrical.
And the other one is nuclear. So those are how I spread myself into looking for, a career, physical nine to five day job, working in cybersecurity and there's not a lot of OT cybersecurity in these companies. I found out. It was very very interesting.
I ended up working for Dell, as in, in their government division, to help them out with, healthcare, which was one, and then OT side of healthcare, which is a right. Very interesting little animal that's very micros segmentated because hospitals use gas, water, light, electrical water filtration, just like you know everything else, but it's in a bigger location building than your house, and then a lot of that now is, integrated with what they call BMS, Building Management Systems, and those BMS systems are very unique vendor, vendor driven, vendor owned and operated, sometimes depending on the facility, and very hackable. All the stuff that I had learned over there in war, I started applying to, with Dell.
And working with some of the companies I was working with, to start doing counter, counterintelligence, counter-surveillance, espionage, ransomware, what would hacker gangs be doing, and then of course, terrorism, either internal external terrorism from the United States.
'cause we do have bad actors in the United States that, for that are, involved in domestic terrorism that want to do harm. To people and yeah. So you. Heard electrical grids and so forth.
[00:06:16] Mikey Pruitt: So let's talk about that OT versus it, and that was a term that I actually hadn't heard.
And when I looked into it it's basically like the physical infrastructure, obviously security too, and that's your specialty.
[00:06:27] Luther "Chip" Harris: Yep. So it is, I deal with transportation a lot. So I deal with trains, planes, and automobiles. And I also deal with, power water treatment, electrical facilities.
Nuclear power plants. We got 53 of them here in the United States and building more as they come along. It's totally different than, working in a data center, or working in a server room or working at a desk in a cubicle waiting for the sweet release of death. I didn't want that. Been there, done that, got the t-shirt, don't wanna do it again. I said I could do this remote, from home because as long as I have an internet connection, I can be wherever you want. And immediately in, right before the pandemic I started working for the NIH and the CDC and they were like, Hey.
We got a mess. Like a real mess. And you never are supposed to have your IT and your OT touch like integrate. You want it over here and you want OT way over there in a whole nother galaxy. Not even the same ballpark, not even in the same league, but
[00:07:31] Mikey Pruitt: aren't they? We're blending now, like everything wants to be on the internet.
[00:07:35] Luther "Chip" Harris: Why? I don't know, but it's happening. It is it okay. It is an initiative. And don't get me wrong but there are some things that are not supposed to be, OT wise put on the internet, for example, a water treatment facility, internally Yes. For an intranet inside the system.
Yeah, absolutely. But most of those, are sensor driven, fly by wire. And guess what? You don't want those things to be remotely managed by somebody somewhere else in a whole nother state that's not there where they can physically, oops, that's wrong. And then turn the knob right or left.
You see my point? Yes, it does have, it advantages to have some of the stuff on the internet, but there are some things you do not ever want to be put on the internet and you want those to be standalone based systems. Now the rule of thumb is its latency issues. Latency is very big, not only in the IT world, but in the OT world, it's even worse because a lot of these systems, are SCADA based systems.
A lot of these are PLC systems, so if they lose their instructions, and their connection, they immediately go into a safe mode. So they stop. You know the example I've always used, it's like a, an arm that's on a belt, like in a manufacturing. So there's the manufacturing line that's running and that arm pushes that box off.
To go to UPS a million times, right? Or FedEx a million times. If it loses those instructions, that arm just stops. So those envelopes and letters will start piling up, so just imagine if that was, chlorine that I was releasing into the water, as a bad actor from Russia.
'cause I'm able to see this OT system, on the internet and I flood this entire system with, chlorine or bromine or. Hydrogen peroxide, which then, you know, or bleach, to, because we do use bleach in our water systems and or fluoride. And I turn that into a chemical release that's into the water system now, and I poison a town.
[00:09:37] Mikey Pruitt: So you're. An expert at knowing how the bad guys operate, but how do you counteract that? I believe you have a team of your own, and you guys are wreaking havoc all over the place. How does that work?
[00:09:49] Luther "Chip" Harris: It's like this, as I've explained it more than once, is that, if I can do it from here at my home, the evil doers can do it from somewhere else.
So my job is really to do a lot of threat hunting, a lot of cybersecurity, like pen testing in a way. But, we are a red team, blue team and purple team all wrapped up in one. So we are the, all the different flavors or the Skittles version of whatever they come up with next labeled.
And that is what my team does. We look for, and we say, okay, we are going to audit the system. We're gonna take a look at it, we're gonna look at the vulnerabilities. We're gonna see where, what the good things are, the bad things are. We tabletop a lot of that, then we look at what the vendor has, done or not done in lot of scenarios where their, physical standing is, in the physical world, like how old is your infrastructure? Is it 20, 30 years old? 'Cause we deal with a lot of those systems, and then what do they touch, and then who and whom is in control of those systems? And then that boils down into us testing, to see how bad actually is and how bad we can be.
So we are relatively evil in a way. Yes. To see what the bad guys can do and then how do we stop that, and then that builds into the report that we, and that me and my company give to them and we say, there it is, and do as thy will, which is the whole of the law. So you're either going to do it or not gonna do it.
As we say, our check still clears on the first and 15th, we're good.
[00:11:27] Mikey Pruitt: And I totally forgot to mention that. Your headgear is freaking awesome. Thank you. Thank you. Chip is currently operational, but like what's up with that headgear?
[00:11:37] Luther "Chip" Harris: I am under multiple SLAs, NDAs and FISA court orders, so I go to very great lengths to protect my identity.
From an opsec, from an opsec standpoint as well as, protecting not only my identity of the people I work with, but my family because I was doxed by the Chinese and the Chinese came for me. They came for my wife. They came for my dog, my cat, my mom, my dad, my grandmother.
They came for everybody. And they tried to have me and the Justice Department just laughed their ass off when they saw this was they tried to have a red notice put on me from Interpol to have me arrested and deported to face charges in China. And my lawyer was like, not, no, but hell no.
You're not gonna be. Deported to a communist country to face charges. And this all started off because of OPM. The Office of Personnel Management got hacked, and all of our identities, social security numbers and home addresses leaked all over the internet. And I had to
[00:12:41] Mikey Pruitt: gotta move.
[00:12:42] Luther "Chip" Harris: You move.
The CIA and the FBI said, okay, congratulations. I know you just bought your house two years ago, but you gotta move now within four days. Literally it was a moving trucking company that showed up within four days and said, okay, you're moving wherever you want to go, you're, you can't be here.
And it was like, okay. I moved, from the Midwest to the south, to where my parents are and my family are. And I, started my consulting company, here actually out of this room. And I was like I can see a terrorist from a mile off down here.
So that kind of was a very good thing, that kind of, happened. Now my wife was pissed, but, I was like, the federal government said, move honey. This is part of the JOB, you knew when you married me, this is what you got into. This is part of the train ride.
[00:13:24] Mikey Pruitt: So I'm curious of, so the audience for this show, a lot of them are managed service providers or IT teams and corporations. So what you're, what you do is like on a nation state level dealing with governments protecting ours, which I'm glad to have you there. But I'm curious, what do you think the practical tips are that kind of trickle down to the private sector on a smaller scale?
[00:13:48] Luther "Chip" Harris: It, we work with nist csa, we work with all the regulatory bodies that are out there that try to tell you like, this is the way things should be. We know they're not. I'm just gonna be honest, we all know this from an IT and OT standpoint, they're not. A lot of it boils down to is I tell, businesses, it's have you thought about your, you're talking all about your cloud and your IT and your firewalls and all this kind of stuff.
What happens if I just turn the building off? And it's relatively simple to do because Schneider Electrical, has a, base password for all of your power strips or APC power strips, and no one ever changes. The no one changes that. And as long as I can find out what that internal, if I can get access to your internal network and do a dump of your IPs, of your data center, and then I find out exactly, oh, look, here's all your power strips and here's your APCs and your Schneider electrical systems.
I can just go into the web admin. Type in that, password, and then congratulations. I can just turn all your power strips and your, UPSes completely off and you're basically screwed. So I hope you have a lot of extension cables and extension cords that you can run everywhere.
'cause guess what? You're gonna have no power to any of your, applicational servers or whatever you that you've got out there. So look at your, IT, as I tell people, when you're looking at your IT, you need to look at your OT. You need to look at, oh, what is our DR plan?
Physical DR plan. And how I learned that was through Katrina, Katrina I was sent down to, take a look at a hospital and they swore up and down they had a DR plan and it was rock solid and there was nothing that could, destroy their network and their server and their services, including their buildings.
And I said, okay. All right. And I went down there and I did, you know what I do best? And my little evil doers were able to do what we do best. And I said, you've written, some pretty good stuff. You got some good stuff here, but here's some variables you need to look at. And, we told 'em about a hurricane.
Like what happens if you had, a, a level four or five hurricane come through here? And there was one called Katrina, and it came through and it just whacked them. And everything that we told them to do, they didn't do. And, we were kind, brought back in after the fact and they were like going, okay, we learned our lesson.
Can you tell us more about what we should have done to make things better? And that's what, we had to do from a business perspective, is take a look and see, okay, what are, who are the shareholders? Okay, the patient. So if the EMR system goes down and you lose oxygen, to the wall, you're immediately gonna have people that are in the ICS that are gonna start dying as well as the NICU.
So babies are not getting oxygen. You've got people in the ICU unit that's not getting oxygen as well, that for life carrying devices and so forth. And then, for example, we over flood the toilet so we back up. The water and the water pressure to where the toilets are overflowing and we immediately, oh, you're in the middle of July.
So we're just for, let's say August and turn off really hot down there in New Orleans, as they say, we're gonna turn your HVAC system from cool to heat and turn it up to 120 degrees. So not only do you have, babies that are dying, people in the ICU that are dying, you've got regular patients now that have to be evacuated manually.
You're either gonna take them out by helicopter or you're gonna have to run them through on paper, out the actual ER, and then have them taken to another hospital while the toilets are overflowing, and you're losing oxygen. You've got no power. The heat is on, and congratulations.
You have to literally take them down the stairs, because I'm gonna turn all the elevators off. So
[00:17:22] Mikey Pruitt: how in reality, that is a, maybe not the worst case scenario, but pr pretty close. How would you actually protect against that?
[00:17:31] Luther "Chip" Harris: So this really boils down to how your, information your network, your segmentation and the vendors that you use, are built into a security plan.
As my job is to really come in and run those worst case scenarios of what it is I can and can not do based on what you have right now. What is your real time, real world environment now? And then what can we do to protect, secure and update and control and maintain that? That's the secret in the sauce as they say.
And the one key thing that you know, we are ramming our heads against, especially in my line of work, is we hit that vendor wall, that SLA, that NDA, that vendors use to say you can't touch our systems and whatnot and blah, blah, blah, blah, blah, because we want to have it controlled and so forth.
We try to take a lot of that away from them and give that back to the shareholder to where they've got control over that system and not necessarily, the vendor, because the vendor doesn't really care. They get their money on the first, the 15th and the 30th no matter what.
So if the system goes down, yeah they can patch control and maintain it, but they're not guaranteeing you uptime, they're not guaranteeing you DR. They're not guaranteeing you. All those things. As I tell you, you really gotta get your infrastructure people, your maintenance control people and legal involved to sit down and say, okay, Schneider Electrical, Siemens, ABB, all these other people you like.
You gotta list out literally what it is that you're trying to protect, and those are your physical assets that are in your entire infrastructure. From your server farms, your data center, your cloud operations, down to your building water, light, toilets, sewer, septic, the list goes on and on. So you see how that builds into, that's also fire suppression, that's also your elevator systems.
That's also, all those things, that are in that building management system. And I do a lot of walkthroughs, where I find them in a closet under the stairs.
[00:19:25] Mikey Pruitt: Yeah. Just per reference. I come from the world of electricians and I have worked on a few BMS systems, fire suppression systems, and like fast food chains.
Oh yeah. And those things are exposed and. Just vulnerable to any sort of physical and technical attack, via TCP/IP or whatever. They are very exposed.
[00:19:46] Luther "Chip" Harris: Oh yeah. It's if I do what I call the screwdriver test. I take the screwdriver right here and I pop that wire.
What goes off? No, we don't know. We don't mean you're supposed to know. And yeah, these systems are horribly abused, to where they should be treated. If it was your, payment enrollment system, for to pay all your employees, it should be treated.
Exactly. That's a really good
[00:20:09] Mikey Pruitt: point. Like they're. They're overlooked. Yeah. And the glory goes all to the technology, to the, the apps running that you purchased for a lot of money, probably from a vendor. And then you've got this, computer that runs the entire building sitting on the wall.
[00:20:24] Luther "Chip" Harris: Yeah. Buried in a filing cabinet somewhere, that it's under a desk, that you never would think of. So I got pictures. I got pictures of ones where they're literally in bathrooms. They're in, old bathrooms. They're like, there's this full half rack server sitting, completely exposed in a bathroom.
[00:20:41] Mikey Pruitt: They did like a remodel and they
[00:20:42] Luther "Chip" Harris: couldn't move it. Yeah, they couldn't move anything. Yeah. But it's yeah, and it's comical to me because, I've seen, I've just mean because I've been doing this for so many years. We don't think about water, that comes out of the faucet until it stops.
We don't think about the electricity, until we flip the switch and it just doesn't come the, the bulbs do not come on.
[00:21:02] Mikey Pruitt: Yeah. No one thinks about DNS until it doesn't work either.
[00:21:05] Luther "Chip" Harris: Yeah. So I turned the DNS off. Woo. That's where the real fun begins, and it's, you can run through those scenarios a million times, and at the state and the government level.
It literally sits in a binder, a three ring binder that's normally white on a shelf somewhere and nobody cares, right? So it's fire and forget. And that's one of the things is I, tell these shareholders, it's this is, it would be no different than your house.
If your house burned down to the ground, what do you lose? And it's if you wanna talk about DR, with a company, set the building on fire right next to it, that's how you really get 'em to start talking about disaster recovery. And then how, excuse me, how those systems can be affected.
So it is, it's, what do you see that's preventable and then what do you see that's gonna be in response to that, to be able to fix those things so that, that's what, I bring to light, to a lot of these issues. And the good part is I got to hire my friends.
It's, so I got to hire my friends that, I've known for years at DEF CON and Black Hat and all the conventions I go to, and it's a great, and then the thing though too is it's a really, 'cause I've known these guys for 20 something plus years and most of them are.
Got questionable tasks for some of the things they've done. I'm not gonna lie to myself, and their political beliefs are not necessarily mine or anybody else's, which is to each their own. But, I don't judge a book by its cover. They're really good at what they do. I've got a DNS guy that's really good at DNS.
I got another guy that's really great at networking. I got a really good guy that's, a 99.999% social engineering score. He's that good. Excuse me. I have a really good team. I have a really good team of people that I work with, to explain these things to Joe, like we would if we were testifying in a child pornography case.
Because, I work in a lot of different arenas. Not only do I work, in IT, in criminal investigations as well as, everything from. You name it, drug smuggling down to logistics, operations, to working against, state and federal, criminals, real angels, let me tell you that I deal with on a daily basis.
But, we're also dealing with a lot of, government infrastructure, state infrastructure, national infrastructure, that's been neglected for 30 years. The last infrastructure bill that we had was in 1996 when I graduated high school, so it's now we've got a new.
Past administration, this current administration, and I always say that because I'm b political, I blame all of them for the past 30 years of, we really have got to concentrate on, fixing roads and dams and electrical, in those things. And though, do they need to be upgraded and updated?
Absolutely. Do they need to put it on the internet?
[00:23:52] Mikey Pruitt: Don't do it. So I have a, I have another question for you about, like the kind of new crop of buzzwords, AI, which I'm you, I'm sure you hate, and I'm sure you have an opinion about Oh, set me on fire. Fire. But I wanted to preface this with something, with a question.
Have you ever worked on railroad Pro, railroad crossing project in Missouri?
[00:24:16] Luther "Chip" Harris: I know what you're talking about and the answer is yeah, kinda. I can say some things about it, but not much, okay. We did have our own version of Chernobyl,
[00:24:28] Mikey Pruitt: and let me show you what I'm talking about.
'cause this, okay. So I used AI because like you said, you have a. A past which is clouded in mystery. You're wearing a mask. So one of the sources that AI got back from a, cursory search on your name was this document for the Missouri, what is it from the Missouri budget, fiscal year 2024. And I don't even know if this is what you're talking about, but, so I pulled up this document, I'm like, what is this?
So I searched your name, Luther. Martin Luther King. Okay. All right. And your the name, you go by Chip. Where's that? Oh, the chips act, blah, blah, blah. And then your last name Harris. It's oh, the Hereto State University. It's like your name was in this document and AI thought it was associated with you.
Oh, yeah. I have a feeling it's not
[00:25:22] Luther "Chip" Harris: there. There's a couple things that we've been working on the state of Missouri with, so I didn't know if you were pulling from, some of the documentation that we have. 'cause the we work a lot with BNSF, and BNSF they're great guys, and we work a lot with, trains, planes, and automobiles.
'cause that's the company I work for, the company. It's called Allied, and I love you guys. HR, I love you so much. This has nothing, this is my own personal beliefs. It has nothing to do with the company, but, we work a lot with, trains, planes, automobiles, through different states.
And we've been working on a lot of. Different, projects. But, AI has its tool, it has its place, but I get asked so many questions about AI, it's geez, just set me on fire in my front yard and put me out with fire ants in a, from a five gallon bucket, because.
AI does what you tell it to do. AI is not Terminator. It's been around forever. It doesn't have syn, it doesn't have a physical being, and all these conspiracy theories and all this crap around it and everything. It's no, no different than a really big, like you just showed search engine.
Okay. It, it does what it tells us to do. You can, you could go out there and try to Google my image and Google it, but yeah, guess what? You're pulling up stuff from 25, 30 years ago. I don't even look the same anymore. I wish I did, but I don't, I have, don't we all, I have not aged well, like wine, more like vinegar, I'm just getting more. I think
[00:26:39] Mikey Pruitt: that's the point. You know that AI is, like you say, a tool and you have to use it with skepticism, just like any other tool.
[00:26:48] Luther "Chip" Harris: I take everything with a, just, huge grain of salt because in this industry, it's very fluid, what were we talking about five years ago?
Cloud then what we were talking about before that. It, you, it's a circular argument. It's like the snake eating its tail. It just goes around in a circle, same thing in cybersecurity. Those buzzwords don't change that much, but it's we talked about data lakes and then data pipes, right?
Then we talked about SIEM, and then we talked about cloud, and now we're talking about AI, and then before that we were talking about data centers, and then we rolled back 10. You just look back in our history, hell, we can't even fix password issues for Christ's sakes. As I tell people, we have a.
Horrible, long-term memory of some of the things that we have not done, and I tell that same thing about AI. AI is not the end all, be all fix for all things, especially if you have a fly by wire standalone system, you're not gonna put AI on it, AI is good for a lot of things.
Self-healing networks, right? Topology issues, high levels of dealing with network communications and VLANs and segmentations because in OT world, we start at zero level. We start at the device level. We literally at the component level, and we go up to level three, up to level four sometimes, and then after that we don't care.
We don't care about the rest of that. On the ISO model. But we really do care about, as level two to level three because, we really look at network trans translation because most of these systems are not set up on TCP/IP. They're set up on TMP and UDP, we're looking at session time, we're looking at latency issues.
That's why most of these things are fiber driven. They're not, some of them are cat five, cat six connectors. The other thing though, too, is some of this, these systems are completely old. Some of them do need to be driven, by fiber. Don't get me wrong. I'm all for that. We have, if we do see something that does go down and we need to be able to do a hot swap transfer and everything before the human can do it, the computer can do it. I'm all for that. That's awesome. AI. That a job, boy, attaboy, we say in the south, that's what you get. You know that little star right there next to the AI fixed it before I could.
Or caught it before I could. That's even better. Because guess what? That gives me the ability of saying, Hey, I'm paying gobs of money to this OT vendor to fix these things, and it magically got healed without me having to lift a finger to be able to do it. Now, would I like a report on that? Yeah.
Would I like to see a warning and a flag that some of those things actually did happen? Absolutely. And you've got your Clarotys and your Nozomis and your Waterfalls. You got lots of companies out there, even Dragos, Rob and I have a kind of love hate relationship, you got your Dragos that are out there to help provide those kind of, help, helps in your systems, and to audit those systems and make those things work.
And that's where AI really is going in this, at least in my opinion, in this industry as a helper. Not a, not an overall solution, but something that can help me do something right. And it can help me get me my data and information more safely. And security, and secure encryption right now is out the window.
AI is breaking encryption, breaking cipher, because we do have quantum computing now. And when you're dealing with AI, you have serious, security issues dealing with SHA-1, SHA-2, issues that we actually see on old servers and systems. And as you can also see, AI is being used to attack SQL and .NET and VBS, like on a whole nother level.
That we've never seen before. Because you know what? Those IT and OT systems, guess what they build into a database. And of course Microsoft is gonna be running that database normally nine times out of 10, or open SQL, or some form of SQL, MySQL doesn't matter what it's, and these programming languages that we use are old.
We're talking 30, 40 years old. They use G-code. And their instructions are not in Python. They're not, some of them are even in, in FORTRAN and COBOL, if you can believe this language and these systems, are old and antiquated, and do we need to control, do an EOL process do where say, yeah, we need to get that end of life system completely ripped out and put something new in.
Absolutely. But you know what that is? It's what we call a green paper problem, and you know who controls that green paper. Taxpayers.
[00:31:13] Mikey Pruitt: Yeah,
[00:31:14] Luther "Chip" Harris: uncle. And that's where the politics, kick in and I step out.
[00:31:20] Mikey Pruitt: So you mentioned something pretty interesting in there about passwords, and I've heard you say this before, that the, you're not a big fan of passwords, but I am curious, do you, what do you think of the new passkeys that are like an encryption key for websites?
Do you think that's sufficient?
[00:31:37] Luther "Chip" Harris: Possibly, what happens if I lose it, or I compromise that, how do you, how fast and how quick can you reset that, that's always the thing that I tell people about. Whether it's YubiKeys, any of the things that are out there, there's tons of manufacturers that sell 'em out there, whatnot.
But, when you're dealing, with encryption and cing technology, especially when you're dealing with high level veer encryption to, you, we still have a lot of systems that are. 24 bits, 64 bit, encrypted. They need to be 128, 512, if not 10 80, for some of those higher level systems.
And, those credentials are very sensitive and there's only a certain amount of people that should have those credentials. And, if you put those onto something, something that you have and something that you are, and you lose one of those, that's a very bad day for. Everyone for the reason being isn't something I know, which is the password, something I have, which is that actual key, and then something that I'm going to put it on, which would be the actual system itself.
If I lose one of those three things, it's that toll chain's broken. It's no different than blockchain. It's no different than anything else. It can completely be intercepted and vulnerable susceptibility to attack. Now, some people say that's a low level, but still it's a level. Low hanging Fruit is low Hanging fruit.
Yeah, exactly. You know what? I love some low hanging fruit because guess what? That actual fruit's connected to a branch that's connected to a tree that's connected to the trunk of the network. It just takes time and people nowadays are not patient. I am, I will wait six months for you to log in, for me to steal your credentials.
Most people will not. I'll,
[00:33:18] Mikey Pruitt: we've seen a lot of breaches or hacks, I, whatever you would wanna call it, about people stealing tokens to, for a website like Oh
[00:33:27] Luther "Chip" Harris: yeah. Tokenization. Yeah.
[00:33:28] Mikey Pruitt: Yeah. Yeah. Just taking the token and now you are that person in the browser, so it thinks you're
[00:33:33] Luther "Chip" Harris: them.
[00:33:33] Mikey Pruitt: Identity theft, basically.
[00:33:35] Luther "Chip" Harris: You hit all that except cookies. Just wait for it. It's just a matter of time, and we've seen a lot of browsers that are having issues right now. Google's having, updates what, every two weeks now, just like Patch Tuesday, Firefox, same thing. Doesn't matter if you're using the Onion, onion browser or Tor, I mean you, you're still having to do some massive updates because a lot of those systems, even though they say they're.
Encrypted. They're not really encrypted if you're accepting all the responsibility and the cookies, and the tokenization for that. So you know, that goes back to the wells. Should we put this on the web or not? I'm on the not category.
[00:34:10] Mikey Pruitt: I introduced myself to the managed service provider space on a Reddit post with a video where I gave them the guaranteed way to not get hacked.
And it was a video of me throwing my phone in the inlet across the street from my house, a body of water, and obviously got a lot of hate because you don't say guaranteed cybersecurity tool on Reddit, but
[00:34:32] Luther "Chip" Harris: anyway, oh yeah. The haters will come out, oh yeah.
[00:34:34] Mikey Pruitt: It was. It was brutal. I got banned for 28 days.
It was fun.
[00:34:38] Luther "Chip" Harris: Oh yeah. It's just this is your wallet, whether people want to admit it or not. If I own this, I own you. Exactly. It's that device. And if you've got your company's passwords in plain text on this, or this connects to, some kind of authentication based software, for your company, you're just asking for it.
It's just a matter of time. And I've done this, many sessions before, you know where IoT devices, and tablets we don't even let in some of our facilities for the reason being is we don't want those tablet and devices even connecting to the guest network. 'cause we're afraid that there might be malware or anything like that.
One of the first things that I did with the company I'm working with now was we banned this from being charged on any computer. You can't plug it into, any computer to get a charge off of, to get your charging cable, get your power strip, plug it in that way we're not gonna let you take that device and tether it to where it might have rooted based malware on it, to infect our machines for the company.
[00:35:35] Mikey Pruitt: Yeah,
[00:35:36] Luther "Chip" Harris: you can consider
[00:35:36] Mikey Pruitt: every networking device as hostile.
[00:35:39] Luther "Chip" Harris: Oh yeah. Do we allow? Nope. So that was one of the, and the thing though too is I tell people, it's like, when was the last time you looked at your firewall rules? When was the last time you reviewed that?
When was the last time you scanned for open file shares, on your SharePoint? And then they're like, oh my god, my job is, to be the adult in the room and sometimes to deliver pure nightmare fuel to these people, but
[00:36:02] Mikey Pruitt: nightmare fuel.
[00:36:03] Luther "Chip" Harris: And it is, it's not some scare tactic either.
It's not that I'm a very scary person and I am, and I can be, you can ask my 12-year-old that, she's very scared of daddy. Sometimes when daddy gets in a bad mood, she, and, but it's the same thing. It's someone's gotta be in the adults in the room and deliver the bad news.
Most of the CEO and C level, they want the 30 minutes of good and the 10 minutes of bad. That's not my job. My job is to tell you what the evil doers are going to do to you. And this is how bad it can be. Now, you might not wanna hear the truth, you might wanna stick your head in the sand and deal with that.
But the nightmare fuel that I deliver normally has a price tag that's associated with it. So is there a way to fix the problem? Yeah, it just takes time, effort, energy, and manpower and money. You're not doing this for free. I'm not doing this for free billable hours, baby. Trust me. I'm than you're not.
I'm worse than a, I'm worse than a lawyer.
[00:37:08] Mikey Pruitt: So when you're not delivering nightmare fuel for cash, I understand that you do a lot of, what you could call evangelism in the space, which, but you don't deliver the good news. You deliver the bad news.
[00:37:20] Luther "Chip" Harris: That's right. 'cause guess what? The devil's in the details and the devil is real and he does believe in you.
And guess what? I have to do the devil's deed sometimes, that is my job. That's what I've been trained to do. That's what I like to do. And sometimes people don't want me to do those things, but it's look, you know these people that are doing this against you. Do not care about safety, wellbeing in the, of not only you, but of others.
Their intention is to, first off monetary, 99.9% of what I deal with deals with greed. It's just simple, common, economical, greed. They want to steal money. The really bad ones that I have to deal with don't even care about that. They just wanna murder and maim and cause havoc and watch the world burn.
Those are the ones you really have to watch out for, because guess what that means? That their monetary means, that means nothing to them. That means everything that they wanna do to the real world, that affects everybody is built on one single thing, revenge. It is built on, the evil things that we don't wanna talk about.
Murder and death and destruction and, having bodies piled up by the dozen, it's pretty bad. And those things can happen. I mean it, to give you an example of Kansas, one of the worst, train disasters we ever had spilled chemicals all over the ground, and, Palestine, and it just, it was horrible.
Was it preventable? Absolutely. Did we do anything about it? No. Now you've got, chemical exposure in the ground that's gonna be there for 25 to 30 years, no far, no matter how far they dig down. People's property values dropped overnight. And, they're looking at, chemical exposure, through that ground into the environment.
And not only to themselves for 20, 25, 30 years, just no different than Chernobyl did. And then our solution was let's drop Napalm on it and make it burn even faster. So
[00:39:10] Mikey Pruitt: I'm no scientist, but that doesn't sound correct.
[00:39:12] Luther "Chip" Harris: I am. Gonna say that was a bad idea. That's not saying from a scientific standpoint of view, but just burning it off with napalm, just to get in the ground, even if it was in the ground, it'd make it burn quicker.
Not necessarily the best job there. Government, and the people that made those decisions to do all that. It's done. It's done. And it goes out of our news cycle within 24 hours. So it, it's a lot of these things until they really physically affect us, and one of the things that just set me off like a rocket this year was, and we're not even that far into the year where you had huge swaths of Los Angeles and Orange County on fire, and you had firefighters going to a fire hydrant trying to turn it on, and no water come out.
That is a failure of infrastructure, not a failure of thinking. That is just because there should be water pressure coming out between 200 to 300 PSI, depending on what pipe size it is, outta that hydrant to be able to put out a fire, in Los Angeles. And we watched, all these people lose their homes, and now we're dealing with what?
Mudslides. Oh, yeah. And all the toxicity that comes out of a home that burns down to the ground. The magnesium, the chloride, the cobalt, everything like that. All the building
[00:40:29] Mikey Pruitt: materials, gasified. Yep.
[00:40:30] Luther "Chip" Harris: And guess what it's gonna do? It's gonna wash right into the ocean. And guess where they get most of their filtered water from?
The ocean. So yeah. From their desalination plants in Los Angeles, in the greater area. So yeah. Thanks. It just, it's a preventable thing that could have been done that was not done, that had nothing to do with cybersecurity. It had everything to do with just basic, practical infrastructure. Yeah.
So if we would've put that on the internet, would that have made anything any better? Probably not. There I will always. And always believe this and I will preach and I'll, give the evangelism to this. Is that in OT Cybersecurity, the first thing that you think of is safety.
You know that on my, my safety, the personal safety, the, stakeholder safety and the public safety, that, that is what spawns out of that. And we use what's called the bow tie model. And the bow tie model has an event, and when that event is triggered, it bow ties out in sprawls out into how that fix actually gets done.
So as I tell people that are in our industry, take a look at those things, you know our key thing in OT land versus IT land. IT land cares about data, right? Data, monetary stuff. I get it. Banking statements, personal data, password, so forth. OT, we care about, security that's based in safety.
The safety of the person, the safety of, the power plant, we don't want it to blow up. That would be bad, especially if it's a nuclear facility. That would be really bad, for everybody. That's why we have safety controls that are set up, the safety of the general public.
And the safety of the person. The safety of you. We wanna make sure that you don't have to think about this when you flip on the switch, turn on the water, or flush the toilet, right? We want you to kindly go on with your life not having to worry about the evil little things that these bad guys are trying to do behind the scenes.
We kinda live in the shadows, live in the curtains, of the evil things that they actually do and are actually are driven. And when you're talking about DNS yeah, that is one of our major, endpoints right there because, DNS security is always top of our list because, we deal with a lot of those things that have to integrate with those IT and OT systems that affect not only, SQL databases, the DNS, and some of the infrastructure that you see mostly on IT.
Some of that sprawls into OT as well. And we really wanna make sure that those things are safe and secure and not put in, a broom closet somewhere on the fifth floor that nobody knows about that's buried under last year's tax records and a whole bunch of legal boxes.
[00:43:12] Mikey Pruitt: If you need to get some more DNS security, I know somebody just let me know.
But hey, Chip, I think you are the best giver of bad information. Like I could see, I could just picture like a boardroom and people in suits or whatever and you just come in and wreck their day and I just wish it was on video.
[00:43:32] Luther "Chip" Harris: Yeah, I've had, people's lower colons just basically expel in the room, where there's, many a gold brick being laid and, and many people having a cow.
And, especially when it's politicians, I try not to scare 'em as much. It is what it is. Because I tell people I don't really sugarcoat a lot of the stuff that I have to tell you. 'cause it's the truth, and that's the one thing that we, that all cybersecurity is based around is the truth.
Every bit of it. If I'm not telling you the truth, I'm telling you a lie I'm not necessarily the most. Eloquent people or person that you would wanna put in front of a Congress and congressional hearing. It's happened a couple times before, and they get scared because, it's look, if my five guys can do it, think about what a team of 30 people in China that are in a building, and that's what they do on three shifts a day.
That's their whole job. Like a job, like a normal nine to five job is to hack our infrastructure, find the problems that are with Allen-Bradley, find the problems that are with Rockwell Automation, find the problems with, and then how they can exploit those things to affect a dam or to affect a power system, or to affect a power grid.
You know these are the people that are out to do us harm. Russia, China, Iran. We call 'em the dirty 30. There's 30 different countries that are running 24/7, 365, that have, weaponized cyber divisions that you know are trying to affect our infrastructure 24 hours a day, seven days a week.
If you don't believe me, I can show you some of the firewall rules that I have to deal with that I present to people. It just scares the living poop out of them, and it should. And it does because they're not looking at, our best interest. They're looking at their best interest, and then what they can be able to do to us.
But it's also tit for tat warfare, if they can do it to us, we can do it to them. And we have yet had that happen in our industry. Is it coming? Possibly Stuxnet was the first shot over the bow that kind of did that, that showed a cyber weapon can be deployed to affect the physical world, and there's been many books and people have talked about Stuxnet for years now, but that was just a shot over the bow.
We have not launched a full scale cyber, initiative war based on infrastructure yet. People that have Russia. The Russians are really good at it. They've been doing it to the Ukrainians for years. That goes back to Sandworm and a lot of the people that can affect, the physical world through older, XP up to Windows 7 based systems.
The Russians are really good at it, and they really like doing it, and they really like doing it to, nation states and use them as a test bed. And, they've used Ukraine as a test bed for a lot of their, cyber war, weapons to be tested onto a nation or a nation from a nation state.
And the history of that just goes beyond what you and I could talk about within the, an hour. That's a whole lecture. Basically. But I give a lot of people examples, of how bad it can be and then how bad it can happen to you. It's just depending on, your level of commitment.
'cause this is a financial commitment normally in the millions of dollars to get some of these things fixed in the short term. I can put a bandaid on the bullet wound, but still a bullet wound. You're gonna bleed out sooner or later. My running rule is, and you probably, a lot of people have heard me say this before.
You pay me now, you pay me later. Still gotta pay me. Simple as that.
[00:47:03] Mikey Pruitt: Chip, I am so glad that you and your team are getting paid by our team, so yeah, keep doing the good work that you are and I appreciate it and I thank you for coming on the podcast and telling us some really thrilling stories.
[00:47:18] Luther "Chip" Harris: Oh, no problem. Anytime sir.