Speaker 1: 0:00

This is the art of network engineering, where technology meets the human side of IT. Whether you're scaling networks, solving problems or shaping your career, we've got the insights, stories and tips to keep you ahead in the ever-evolving world of networking. Welcome to the Art of Network Engineering podcast. My name is Andy Laptev and I am joined in this episode by the one, the man, the myth, the legend, the one and only Jeffrey Clark. How you doing, jeff?

Speaker 2: 0:24

No complaints. It is a Friday when we're recording this, so that's a good day.

Speaker 1: 0:29

It is a good day. I'm going down the seashore shortly. Tomorrow I'm going to go to the beach. You doing anything this weekend?

Speaker 2: 0:35

I'm driving up to Maine. We're going to spend a week up there, enjoy a little cooler temperatures. It's not that bad. It's like a six-hour drive, it's fine.

Speaker 1: 0:43

Okay, You're reading my face. I'm like, oh my God. Well, that sounds like we have some really fun weekend plans. So today we are not talking about Maine or the beach. Today's guest has secured more than networks. He's built a massive online community teaching people about IT, cybersecurity, ubiquity. I mean, you name it. If you want to learn something in IT, this is your guy. From firewalls to YouTube fame, we're diving in with Tom Lawrence of Lawrence Systems. How you doing, Tom?

Speaker 3: 1:12

Fantastic, and going to the beach does sound pretty good. I know it's not today's topic, but it does sound nice. Where are you at? You're Michigan, right? Yeah, michigan. So there's a couple lakes around us, something great lakes. Some little ones, just some real little ones there, just some little ones.

Speaker 1: 1:27

Do you guys go there Like we go to the beach, because it's two hours from here? Do you go to like the lakes to go hang out?

Speaker 3: 1:32

Sometimes Right where I'm at, just south of Detroit not so much. If you came here you go. There seems to be a lot of factories parked on where you would normally see beaches. I'm like that is correct, this is not beachfront, this is factory front property right here. It's interesting, you gotta go a little bit north, uh. But then, yes, uh, you get north of detroit. There's beaches and there's things to do south of detroit. You're like this is just industrial. Yeah, they must have built some cars here or something I went.

Speaker 1: 1:59

I went to a fun little side story. I went to a wedding with my wife years back somewhere and I want to say sheboygan, but I don't know if that's accurate, but anyway it was a good place well, it's this beautiful place on the water and like, but the hotel we were staying at.

Speaker 1: 2:14

I didn't realize when we walked to a convenience store up the road. We shouldn't have been walking hifter dark. I don't exactly know where we were, but we're walking down the street and I noticed all the. It's like 5 30 pm, the sun's just starting to like set, but all the shops are closed. The cages are down. It's this four lane road and I'm like where are all the people?

Speaker 3: 2:33

you were not in chevrogan, you were in detroit, yeah I think so in detroit in that case?

Speaker 1: 2:37

and then I walk into the pharmacy and I I'm like, listen, I don't want to sound funny, but but is it okay that I'm out walking around? She's like honey, I would get home as quick as you can and don't stop anywhere. I should know better. I was raised by cops, but anyway, sheboygan was beautiful. So if you recognize Tom's voice or see his face, you should.

Speaker 1: 2:56

The way I came upon you, tom, this is kind of like such cool, what would you call it, not kismet? So I had someone give me a ubiquity system. They gave me a udm pro and an ap and like uh, thank you. Uh, mike, you know who you are out there. And I tried to install and I didn't really know what I was doing. I mean, I know it's supposed to be an intuitive ui and it's easy and all. But I'm like what is this thing? Let me check, this isn't a cisco or juniper cli. So I'm like I'm not used to a gooey, right, I'm an old school. Give me a cli, let me do a thing, right.

Speaker 1: 3:26

So I I started youtubing and googling, which I do like how do I do a thing? And you kept popping up. And not only did you pop up, but like stellar content well produced, super concise, super like. You got right into what I needed immediately, which is it can be a rarity when you're looking for good content like you got to listen to the guy for 15 minutes keep saying he's going to get to the thing, so your content is just stellar.

Speaker 1: 3:51

I mean 375,000 followers on YouTube for context. For a comparison, we've been doing this podcast for five years. I think we're up to 7,700 YouTube subscribers, so dude kudos to you. I appreciate it as a content creator. That's amazing. So I'm hoping what we could talk about is like how you you know what you've done right. You're a very successful content creator and we talk to a lot of content creators through this show. You, I guess, own and run an MSP, so we can kind of get into that. You know what's an MSP and you, I guess, own and run an MSP, so we can kind of get into that. You know what's an MSP and you mentioned right before we started recording it's a $600 billion business that a lot of people don't even know what it is, because I even said that, like I know, I should know what an MSP is.

Speaker 1: 4:35

So maybe start there, like what do you do as your day job? What is an MSP and what do you know about tech? I mean, how do you know everything? Because your YouTube channel shows that you know. If you have a question, Tom Lawrence knows the answer.

Speaker 3: 4:47

Generalists and you get specialists and I'm a little bit more of a generalist and that just comes from the fact that my tech career starts. My first tech job is like 1996. I start my company in 2003. Somewhere in between I spent a few years doing some corporate work. I don't know there's a love-hate with corporate. It paid really well. It also was a bureaucracy, which is also what we were kind of joking about just before the show started. Like yeah, working in corporate has got its pluses and minuses.

Speaker 3: 5:15

But bringing it up to fast-forwarding a little bit, I kind of loved public speaking. I've always been an open-source nerd, linux nerd. I was a Linux sysadmin, a mail server admin, so I always had like one foot in the open source world. But brought me to the open source community. That brought me into public speaking and kind of fast forward to.

Speaker 3: 5:32

Where this went to YouTube was someone says hey, I can't make it to your talk, you're going to be doing an open source firewalls, can you throw that on YouTube? I was like sure, of course I can throw that on YouTube. I'm a technical person. There's a way to record this. It turns out. A lot of people watched some of my early videos where I'm just going through slides. The same slide deck that I would use at the conference to do your talk would become the slide deck I used. It's not really well recorded but it also got thousands of views.

Speaker 3: 6:01

I'm like well, that's more than the person who asked me to put this online. That seems to like this, and I threw spaghetti at the wall for a little while. I had a retail store at the time so I started saying maybe I'll teach people how to repair laptops and other things I do. As I always said, the consulting side of my company, the MSP side, didn't start until like 2015. Actually, somewhere in between I had an electronics store. I decided that was a good idea to do electronics repair, but that actually died out because electronics are not worth repairing anymore. So that was 2005 to 2009,. Tom.

Speaker 1: 6:33

Wow yeah, so I've had a variety. Oh my.

Speaker 3: 6:37

Yeah, just a little variety of things. It's like this seems like a fun idea and I bought an existing electronics company because I needed a place for my retail computer idea. That was called PC Pickup and the idea was people don't know how to unplug computers, so I hired some people that would run around picking them up for people and delivering them as part of our service, which then got easier because then people were just having us pick up laptops. But then, yeah, you know, remember the market around 2008, 2009? Yeah, we decided to get rid of a few things.

Speaker 1: 7:04

So you're an entrepreneurial spirit, huh, you've been getting after it and starting businesses for 20 years.

Speaker 3: 7:08

Sometimes yeah, I only do it because after working in corporate I was so angry because I was on top of the world. Corporate went sideways. They made some really poor choices that we'll just say ended in two years of IRS depositions and me learning a little bit about what Cayman Island accounts are, and they learned a whole lot about what Cayman accounts are not. I was mad because people above me took a good thing and tried to break it and that broke the business. So I was like I shouldn't work for someone because that's dumb. Turns out great idea in theory.

Speaker 3: 7:42

In my head it turns out going I know how to fix computers or I know how to solve your network problems and fix your business. They don't just call you out of the blue for that. Um, turns out marketing is a real thing. So I had to learn what is marketing and what is not marketing and how do you get a client, uh. So yeah, after I figured that out and kind of got processes around, it made me a little bit more of an entrepreneur. So somehow I've been unemployed now since 2003 without having a real job so how did you when?

Speaker 1: 8:11

so this is going back like, let's say, 2003. We're in 2025 now, like I don't even think social media existed yet. How were you marketing yourself then? Was it like white pages, yellow pages, like newspaper ads?

Speaker 3: 8:23

yeah, white pages, yellow yellow pages uh, you would buy flyers. Um, the other ways you would do it was chamber of commerce going to any events and that also kind of went into me learning I could speak at these events and, uh, I had a whole long list of talks I would give that were not necessarily technical. This actually came up with a fun discussion with some friends today. We were talking about doing tech adjacent talks to get in front of customers as a suggestion, because I can tell you, youtube is our current, as it stands, the 2025 primary inbound lead generation. But I can't just tell everyone to start a YouTube channel. It's a long game, it's a hard game and I'm more than happy to help anyone who reaches out to me to take them down that path. But I always warn them this is really a lot of work.

Speaker 3: 9:06

But things you can do is tech-adjacent talks, and I did a lot of tech-adjacent talks. For example, I gave lots of talks on social media. Turns out, chamber of Commerce would love you to talk about social media and teach a bunch of business owners on it and you would just give them the. I mean you don't have to go in-depth up this. This is what facebook pages are because I was doing this in like 2010.

Speaker 3: 9:26

You know the most basic, rudimentary things. You could fill a room full of people. You're like, oh, you know a lot about that stuff. Oh yeah, I'm an it person, I can take care of your it needs. So you now got a you know, opener conversation started, a reason for them to engage and talk with you, so those kind of talks led to that. I also did technical talks that were at the level that people could have some takeaways and understand. I've done some AI talks as that came out. So I still do some of the public speaking events that are not the deep in the weeds that I do for YouTube, but for audiences that are like that. That's still a good way to get business. Is some of the public speaking stuff.

Speaker 1: 10:00

How did you get started in tech? I don't know if you're a computer science guy, so you sound like me, like a hardware guy. You like tactile stuff. I'm gonna work on laptops. I'm gonna upgrade your disc or your ram like what. What got you started?

Speaker 3: 10:13

though kind of serendipity. Um, I did not. I grew up on a small farm. Money was not really what we had, so there wasn't the access in the 80s when I was growing up, so I was born in the 70s, grew access in the 80s when I was growing up, so I was born in the 70s, grew up in the 80s. There's no computer access. My dad did not use technology, neither did my grandpa that I live with.

Speaker 3: 10:29

So what happened was there was a retraining program through General Motors. My dad was a factory worker. Actually, I am the only person in my even extended family that wasn't just a factory worker. That's what you do here in Detroit. If you didn't know. If you're in the Detroit area, you work at one of the many factories that are scattered around here. But they had a retraining program and it was a gift certificate, essentially. That they said you can go buy a computer from Radio Shack. That's the only thing you can buy with this. And so my dad's like I don't know. My son seems to take everything apart. Maybe one day he'll learn most mad about me taking apart. I used to help my grandpa fix all the tractors and mechanical moving parts. Oh, that's something I just will play with forever. But the computer I was hooked with the TRS-80. It was just mind blown. I can do so much I got every programming book.

Speaker 3: 11:21

I could, and, man, I just loved it. So I got out of high school and jumped right into computers. I just went and found anywhere. I went everywhere and banged on any door if it said computer in your name in the yellow pages. Because that's what you did. Then I just banged on every door until someone said I'll give you a chance and hire you. And it's kind of just escalated from there. So my path didn't there's's. No, it's like high school knock on doors, just find a job where someone will let me play with technology.

Speaker 1: 11:46

I didn't care if they paid me, I was just like this is what I want to do I was working pizza jobs at night just let me play with computers during the day used to like taking stuff apart as a kid did you ever hurt yourself oh yeah, I, I mean, I electrocuted the hell out of myself so quick, quick, quick aside.

Speaker 1: 12:03

I share that passion of taking things apart and trying to figure out how they work with you. My stepdad had a reel-to-reel I don't know if you remember that, but it was a magnetic tape reel-to-reel and his broke. So I took it upstairs to my room and I opened up the back and I started tinkering. I left it plugged in because I thought I don't know whatever. What were you thinking then? So I'm cross-legged on the floor and I have it on my legs like I'm a table. And the last thing I remember I remember the fuses go bad. I remember hearing that I was like seventh grade however old you are. Yeah, I grabbed the fuse. That's the last thing I remember. I don't know what happened, yeah, but when I came to, the reel-to-reel was on the other side of the floor or on the other side of my bedroom. I'm on the floor and it felt like god punched my kidneys, like I don't know what happened in my back. But yeah, that was the last time. That's how I learned about electricity. So you're gonna get hurt.

Speaker 3: 12:55

taking things apart I have taken the tv apart and that's where you learn about what a flyback is, uh-huh and what's a flyback.

Speaker 1: 13:01

Is that something that holds voltage?

Speaker 3: 13:03

It's the 30,000 volt inverter that you will that connects to the back of a tube TV of my era. They don't exist anymore. You know of the air when I was growing up and you definitely are lucky if you fly back when you touch them, cause the other option that happens is if you grab them turns out you can't let go. That hurts a lot more.

Speaker 1: 13:25

Did you? Get zapped by one of those. Oh, yeah, yeah. Yeah, I'm guessing you got thrown back.

Speaker 3: 13:29

Oh, yeah, yeah, you come to going where. What was I doing a few minutes ago?

Speaker 2: 13:34

oh wow, well, you know it's interesting I was gonna say is is I'm listening to you talk and um, yeah and andy, as he said, we, we interview other people who are content creators, and obviously a lot of people in the tech field, and it does seem like there's a. There's a real talk and, um and andy, as he said, we, we interview other people who are content creators, uh, and obviously a lot of people in the tech field, and it does seem like there's a. There's a real commonality that, uh, anyone who's been in this field for a while or really has made a successful career of it is, it's one. It's just about a lot of curiosity. A lot of us are tinkerers by, uh, really as a passion, not just as a job, but as something that we would do on our own.

Speaker 2: 14:04

I remember when I went to work in a data center for SunGuard for the first time, walking in and being like I would have paid you to let me come and play with all of these toys. So I noticed that with you, the same thing seems to be true of content creators, not just tinkering, but they really seem to be very tenacious people, people who are willing to put themselves out there, aren't afraid to, as me and my boss, doug, call it fail loudly. You know go out there and be willing to be the. You know the public failure and you know figure it out in front of people. So, as I've seen your content, that's something that I've watched on there. The other thing that I did find interesting I was curious about was you said that you use your online content as lead generation, but your videos don't feel like ads at all. But that's, that's great, that's brilliant marketing.

Speaker 3: 14:54

Yeah, the, it's a very if it was a deliberate strategy to not be shilly and salesy, I actually, because of an aggravation I had had I don't ever want to give more popularity when I call people out for calling them out, because it's sometimes what they're looking for. But someone had said we'll just call them self-titled creator, coach, buy my course, I'll teach you how to be a creator, blah, blah, blah, whatever. But they said something that really angered me and it was that you don't want to give the full solution so you can pitch yourself as the solution and they should buy from you. And I'm like. I so disagree with that. If you see and I posted on linkedin the other day it says lead with value.

Speaker 3: 15:32

It's a video I did. It's a short video, about a minute long, and I always do that and it's amazing how many people still it is. This is not something new. It's not something I invented. There's a lot of books about this that go back forever, about if you lead with value, people will go oh, I wonder what that person does. They really taught me something. Let me explore them more. They're interesting people. So if you do something interesting, you help someone. People remember who helped you and I think I said that in the video. People remember people who helped them, not people who threw them in a sales funnel.

Speaker 2: 16:04

Yep, that is a hundred percent correct. Yeah, like I said, I find it. I did find it really interesting as I'm watching the videos and I because I had no idea that that was the lead generating source for you until you said it there. But it makes sense because, like you said, if you show value in one thing, nobody ever needs just one tech problem solved.

Speaker 3: 16:22

Right and I watch, as probably all of us do. Let's say, something broke on our car, our vehicle, whatever that might be. But you know, a perfect example? Um was my friend brett. He had to be somewhere. Uh, then he's like, oh, my water pump's leaking and I'm supposed to be. I gotta get down to texas. He's going on a road trip and he's like there's no places to it.

Speaker 3: 16:40

I'm like, all right, I got a background in mechanics. I had a full mechanics style. I used to build hot rods. There was a time in my life when that was a fun thing. But I said I can swap a water pump. I've done it on my old Chevy. Well, good news is YouTube.

Speaker 3: 16:51

The video was 30 minutes long. I thought that seemed long for a water pump video. Turns out, everything in that truck has to come apart before you can get to, saved me from even turning the first bolt because I said this is not a me project and this is not a today. This is not my old Chevy. Apparently, dodge has decided to put everything in a way, but someone on YouTube took the time to make those videos. And that is sometimes the case when I make a video where, hey, I have a 35 minute video on how to set this up. And someone goes yeah, I am not going to twiddle all those knobs and click all those things and type all those commands. I'll just ask this guy who seems to know all those commands and types all those things. So it's not that I have some direct intention not to show you.

Speaker 3: 17:31

The video is feature complete. It is start here, end here, thing work. But if you decide that you don't want to do all those things and there's this weird concept and this is the thing that I like to really nail home to people is they think well, if you show them how to do it, they won't pay you how to do it. I'm like the person who is determined to do that is happy to find your content. If not, they'll find some other way, they'll find some write-up, they're going to do it anyways. They were never going to pay you, end of story. So you're only benefiting but never hurting you from it. You've now given them instruction. There are those who will never pay me and I'm perfectly fine with those people watching. I have somehow helped them. They figured it out. They never planned on hiring me, cool, whatever. There's always enough percentage of people who go. I'm just not clicking that.

Speaker 1: 18:25

How do you determine who to charge and who not to, and what I mean?

Speaker 3: 18:27

I'm looking at your YouTube, youtube video and you have a wall fishing tools and how-to video with 1.2 million.

Speaker 1: 18:30

yes, I need to do a new one of those. Well, listen, I have spent. I spent five years as a as a isp cable guy, fishing stuff, and it never occurred to me that if I made a video about it I would get a million views. But I guess what I'm where I'm getting at is I've had two or three like friends and like extended family members over the years that have asked me like, hey, I just moved in and I wind up spending a day or two pulling ethernet throughout their entire house. And I guess because up front I didn't say, hey, listen, like I do this for a living, you should pay me. We get to the end and they're like, oh, thanks, that's great, and and I don't get paid. Like I just did it six months ago with a friend. I just we were talking it so like do you do freebies for friends and family? And then how far does that go? Is it cousins?

Speaker 3: 19:10

like you charge everybody I charge everybody, uh, the only that's what you should do. Yeah, I have um me and my wife. Between us we have six, five kids and I don't charge them. They get whatever they need done is done. I just take care of things for them, and I have one sibling and I'll take care of them and my wife's siblings, but that's it. There is no more.

Speaker 1: 19:30

Don't do things for free, because I'm starting to get frustrated that we're friends and we're hanging out and they need help and I'm like I'll come help you, I like you, and then at the end I mean I guess that's fine.

Speaker 3: 19:44

Yeah, friends, anyway, I've always been clear on where those lines are. It's just like, especially now that I'm pushing 50, I'm like don't call me if you got to move. I'm old, my back's going to hurt at the end of the day. I'm not 20 anymore. I can't help you move. Call a moving company.

Speaker 1: 20:00

It's really amazing Some of these videos like 1.2 million, like doing PF sense and you you mentioned earlier. So there's a couple of things I wanted to hit on and, jeff, jump in whenever you said like you got into open source and Linux early on. Why? I guess because I'm now getting into that again. We're around the same age and I'm just now coming around to the open source Linux and seeing the value.

Speaker 3: 20:30

Did you get into that early? Yeah, I mean early in. I just was fascinated by Linux. So you know we all use Windows. It's the 90s. We're loading it on floppy disk Windows 3.1 and all that fun stuff. Then comes Red Hat was the first one. Slackware was probably around the same time, but Red Hat's the one that I had access to, the. I think it was four or five floppy disks and I hadn't tried to get my X server running and it was really difficult.

Speaker 3: 20:47

But absolutely fascinating to me it was just something about this free and open source and community of developers and people I met and I'm close enough to University of Michigan and we had the WLUG, which W actually stood for Washtenaw, the county that the Ann Arbor school is in. The WLUG was an awesome place to go hang out with all these cool engineers and nerds and people. I didn't have a college experience to lean back on, so cool. The academia place supported us. Let us use the room for free. We used to do install fests once a month where everyone just bring their computer in and we teach each other how to install Linux and it was just like an addiction. It was like I can build my own kernel, I can modify what's in this and fail at it miserably. Every time I tweak something I don't know, see, but it was still so much fun and so that's what led me into it.

Speaker 3: 21:42

Then, once I got into the corporate world, which my first corporate job was in 1998, that's where I started getting into that. Then I ended up being a mail server admin and at the time I was not a fan of Microsoft Exchange and it was. I don't even know was Exchange around exactly then. I think it was in the early days of Exchange. But I was all in on SendMail. I was really good at it. I used to write proc mail recipes and do spam filtering and all that fun stuff.

Speaker 3: 22:04

And once again I leaned on my Linux community to be able to be really good at building these systems and managing them. As the company I was working for scaled up, my budget was really huge. I mean when I was in corporate by the time I was 2001, I'm in my early 20s my budget was $1.4 million that I had control over to do what I want with to make sure the company did really well. So and this was just my, my nerd stuff. From then it was solved all my problems. I developed stuff in it. Uh, it was just yeah yeah, I've never lost that.

Speaker 1: 22:34

I guess there's limits to like. So I'll dive into a reel-to-reel at I don't know 11 years old and electrocute myself. But the first time I saw linux I was like whoa it just it seemed inaccessible to me. Where, like you, jumped right in and you're in the kernel, do you? Do you know some programming languages, I'm assuming? No, I'm terrible at all of them.

Speaker 3: 22:52

Uh, so I can muddle my way through things. I can usually look at something that's built Chad he concepts like the only the last language.

Speaker 3: 23:07

I really did stuff in was turbo, pascal and basic, so like really old languages, yeah. But once you understand generally languages, you can then go through and understand other structures, the languages. So I understand all the concepts. Uh, and I used to on my staff when I worked in corporate. We're developers, so I will sit over the shoulder. I'd understand the concepts we're doing. Maybe maybe not some of the nuance, but that allowed me the understanding of the structures was enough to be able to be effective with it, to understand what needed to be done, what those limitations were and how to work around them.

Speaker 2: 23:35

That's me too, tom. I've been more on sysadmin side. I'm with you, I can read it, I can chat to your team man, we get into some great conversations. I mean I'm building stuff in NNN right now, so what's your latest passion stuff? I mean, I've seen some of the stuff on your webpage or on the YouTube channel. There's a lot of it about ubiquity lately. But for you personally, what's the tech you're really into? We talked LLMs, ai, earlier. Is that something that you're big into?

Speaker 3: 24:04

Oh yeah, I'm getting. We talked LLMs AI earlier. Is that something that you're big into? Oh yeah, I'm getting more into LLMs self-hosted ones, because I think that's amazing. I'm working on a talk Open Web UI yeah, Yep.

Speaker 1: 24:13

Open Web UI is just outstanding. I don't know what any of this means. What's a self-hosted LLM?

Speaker 3: 24:22

You can self-host these. You can grab the different language models, run them on your graphics card and then it's self-hosted. I was showing my wife because I wanted a teaser with some of it. I was showing her and she's like you're going to get on the list for asking that. I'm like ah, it's self-hosted. So I forgot.

Speaker 1: 24:39

It's my own element. Don Don't you have to train models and all that Like how is that? Where's the intelligence coming from?

Speaker 3: 24:46

Well, you run. So all these companies offer these models. So they've done the hard part, the training part. They've stuck all the data they inserted, wikipedia and wherever else they pilfered all their data from. They build these models and then some of them are built more specific, like some of the code. Ones are really good and they're handy to have. And you may want a more specific model because you want one that can run within the parameters of what hardware you have. I don't have the same, you know, super expensive. Well, actually, I have a couple of them now, but generally people don't have access to some of the really expensive high end cards. Therefore, you want a model that it's going to lose a little bit of context, but it'll fit within there. So a little bit of context, but it'll fit within there. So that helps a lot. Ollama is one of the easiest ways to get started and, by the way, not something you need a lot of command line for. I'm talking like copy paste a couple commands.

Speaker 1: 25:34

So do you install the model, like the pre-trained model, locally, and then your GPU will do the calculations for you as you talk to it. Okay, is it huge? Is it like installing the internet routing cable? Is?

Speaker 3: 25:41

it like installing the internet routing cable 20 gigs, 23 gigs.

Speaker 1: 25:44

It depends. I mean that's reasonable for what? You're doing, oh yeah reasonable for a download.

Speaker 3: 25:47

It's kind of. The thing that fascinates me is that it's just not that big. It's not as big as you might think it is to be able to have this corpus of knowledge because of the way the training works on there. I'm a big self-hosted advocate, and the internet shouldn't be four companies with four big websites with screenshots of the other three on them. That's not how the internet was made to work, but that's usually what we have right now.

Speaker 1: 26:11

You just brought me into that question. So what's the advantage of self-hosting your LLM? Because I guess I'm paying OpenAI $20 a month, I guess. So self-host you're not right.

Speaker 3: 26:23

Right With self-host you're not, and I do pay for the. There's things that I can do better with, especially, chatgpt5 just came out and so I was playing with it this morning. There's things you can do that are at a different scale. That operates for you know your large language models that you're paying subscriptions for. They have more access to power and right now I tell people take advantage of it. They're losing money on every time you click on this thing. It's a deal at 20 bucks a month. It's a deal at a couple hundred dollars a month to use Claude Code or any of these other ones. They are really. It's amazing how fast they are, because I don't get that same level of performance locally, but what I do get locally is absolute privacy.

Speaker 3: 26:59

There's no concern, and if you didn't see in the news, there's been a bunch of privacy leaks and concerns with you can now uh, 135 000 were found on archive or messages and people's conversations, and it's not ideal. Uh, facebook had a big oops with their system. Uh, accidentally started surfacing people's usernames along with their conversations they had, which, it turns out, people had some really personal conversations with their uh, which is unfortunate. But with self-hosted you get more autonomy and it kind of leads to the hacker ethos I have where I like to own it all myself. You own it, you pwn it, I get to do it. And if it all went away today, my data center on the other side of this wall I'm sitting here at still. As long as I can figure out how to get electricity to it, I can still keep using it.

Speaker 1: 27:50

Yep, how to get electricity to it. I can still keep using it. Yep, this might be a dumb question to ask, but when I hear so, I I understand that you don't want your data, like certain data, to get you know into the models. Yeah, and let's say the the facebook messages is an example. I understand why that's bad, but how would andy, standing at his desk in chat gpt access any of that like? How would I even find that in the model? Like just because the data goes there? What, what? Like? I'm trying to understand the, the attack vector, and maybe this is a segue into like cybersecurity. But how would I ever find that data the chat GPT ingested and use for my own nefarious purposes? Cause I don't know how to find it.

Speaker 3: 28:21

I've looked there's a lot of times and I think the Samsung was one of the big companies that had an incident, maybe as a year or two ago, when he realized that the people were using it at Work to Samsung kind of indiscriminately putting in a lot of the company secrets and they came surfacing elsewhere in other people's chats. Now it's not easy to shake chat GPT and get out of it what you want, but one of the things that you big picture consideration here With ChatGPT or any of the LLMs, you think about control planes versus data planes. When we're talking about networking, we have a control plane where I can make changes to the system and a data plane where we transport the data. In the early days of the phone system this was one piece, hence the 2600 whistle we used to blow and get free phone calls and all the phone freaking that went on through the 70s and 80s and things around that. Well, we're kind of back to that again with the LLMs, because now we have the control plane and data plane being the same thing, all the data is also the same place as all the controls. So, as I pound away at these controls, this is why we're seeing all these hacks with even the latest MCP stuff.

Speaker 3: 29:22

I don't know if you've seen ChatGP announced this morning by the afternoon. There's a guy on LinkedIn. It announced this morning by the afternoon. There's a guy on LinkedIn. It was awesome. He already jailbroke it. He's already found a way to get that Defcon. Yesterday someone or Black Hat yesterday they kicked off found a way around Copilot to get access inside of Microsoft, like escape the model and get inside where the model runs.

Speaker 3: 29:45

So there's a lot of different ways you can kind of coax things out of it and a lot of it is. There's no good sanitization. It's the early days of SQL. We just well, let's expose SQL. What could possibly go wrong? Oh, sql injection, that's what went wrong and that was just like for years it took us before we put good security controls and engineering around it. And that's kind of those early days. If you really start looking at people who are jailbreaking and getting around the security mitigations they have, we're still in the early days of LLMs and there's definitely people able to shake a lot out of them.

Speaker 3: 30:16

So I'm always careful Anything I do in a public. One worst thing you'd get is all the stupid puns I make, sometimes using chat GPT, if someone were to steal my account, it would be someone would go. This is really what you use it for. To steal my account, it would be someone go. This is really what you use it for. I'm like yeah, yeah, it does make a lot of. You're like you send all these dumb images to your friends every day. It just makes the most absurd things. I made my friend look like zoidberg and send it to him. He's just like why.

Speaker 1: 30:41

I'm like because the hacking stuff is fascinating to me and I wouldn't even know, like the entry point, like somebody we had somebody on who's talking about, like hack the box, like so and how, like I would have no idea. I mean, jeff works for a security company and I know you've, you've mentioned to me before, like cyber security is a big thing, oh yeah, like it's. How, how can I learn? Let's say, I want to shake an llm, like or however however you put it. I mean mean, so what is cybersecurity? Because I know that that's one of your specialties and it's something I know little to nothing about. So can we just define at a high level, like, what is cybersecurity? What does it do for a company? And then, what could a nefarious person do to try to get, like you said, shake out an LLM? Or maybe I want to get into Tom's data center and find some cool stuff that he said publicly.

Speaker 3: 31:27

I was thinking about. Sometimes I feel cybersecurity is just me stating the obvious a lot use multi-factor authentication and quit using the same password everywhere. But cybersecurity overall is calling yourself a cybersecurity practitioner. We kind of blend it in with the MSP service because we say you can't be an MSP, I can't be fixing your network without thinking about security. I can't be updating or managing your servers without thinking about security. So, as a practitioner, we look at it as frameworks and aligning to them. So we're going to say, all right, we're a practitioner, we're going to align you to these frameworks, we're going to follow these practices, we're going to stop lateral movement or mitigate it as best we can. We're going to say we're going to put MFA everywhere, we're going to lock down your networks, we're going to create segmentation, we're going to make sure these servers have a process, that which we not only patch them, that we validate and continuous validation of that the patches are loaded and that's protocols are being followed. So it's kind of this all encompassing tooling around. It's not just installing the server. It's like all right, what are the best practices?

Speaker 3: 32:25

I always complain a lot and rant a bit about this, where I think we spend too much time as practitioners fighting Microsoft. It is like all of us are excited because Microsoft reduced the time that session tokens lived a little bit less and we're like great but still not awesome. Like you did your move in it, but not where we want. My friend Kelvin he's a Microsoft MVP, kelvin Telgar he's known online as CyberDrain, but he's got a great talk he's given a few times called Don't Trust the Defaults and it's all about how to secure your Azure environments and it's kind of a weird thing to think about and we juxtapose this a lot with the car industry being here in Detroit. My friend Matt Lee's done a really good talk on this, but I want to title and do a talk with him. We want to call it unsafe at any click because, if anyone knows automotive history, there was a book release called unsafe at any speed. It highlighted the problems with the automotive industry. If people keep getting injured in cars, the automotive company said look, man, there's nothing we can do about this. We cannot make these things safer, it would just bankrupt us.

Speaker 3: 33:23

Now safety belts are in every car. Your airbags are on by default. You ever had to turn your airbag on Matter of fact, it's really hard to turn an airbag off. There's several steps you'd have to go through, but we're the opposite side in the software industry right now. Unfortunately, it's not just install a server. There's a hardening guide by insert name of company and you kind of think that's a weird thing to do. We don't need a hardening guide for our card.

Speaker 3: 33:47

Airbags are turned on. The safety belt thing will drive me bananas if I don't click it. But I can plug in a server or I can set up your Azure tenant and look how long it took to go back a number of years with Amazon. How many times were we left the bucket open? Why? Well, that's why Amazon set up every bucket until you took the time to do it properly. So a lot of cybersecurity is unfortunately checking those boxes, putting the things in that the software vendors have not, because they have a EULA that will absolve them from any wrongdoing. If something happens, they just get to say whoops. But here on page 27 of the EULA, our lawyer said we are not responsible for whatever it is that happened. So cybersecurity is that. I know it's kind of a long winded answer.

Speaker 1: 34:27

No, no, it's really helpful, like I thought of so many things as you were talking. So cybersecurity is that I know it's an older code and I know the vuln and then I can get in and start doing things. And then you said lateral movement, which means once you're in, you move around the system. So you got honeypots. I guess I've heard of you want a micro segment, like you said, with vlan, so if you're in one place you don't go to other places. So it's, I'm fascinated by that world and it's just because of my career. It's nothing I got into. I worked at these huge companies with like cyber people, right.

Speaker 3: 35:10

They have a department that just makes sure you're following. Yeah, I didn't want to let you deviate from them.

Speaker 1: 35:14

Right, but it's so fascinating to me. And then I've been tracking in the news a lot of the LLM cyber type stuff, meaning like I think Replit just got hit the other day. I can't follow. Like I read it and then I'm like, what are they saying? But something happened in Replit where, like it wiped out 2,000 customers because of some open code AI thing that somebody hacked. Then there was something else with Amazon Q, but it seems like the new hack seems to be somehow leveraging the LLM built-in functionality and devs are like somehow using it to you know, destroy functionality. And devs are like, somehow using it to you know, destroy everything. Like, hey, the next commit you get destroy all the accounts. And then they find again I don't know cyber, but they're finding ways in through these weird llm functionality. Like have you tracked any of that?

Speaker 3: 36:00

like the amazon q thing, the repla thing, yeah you know one of the things that's really handy if you want to understand and I wish, and just being my cyber security friends love this topic um, ntsb, if a plane has an incident, we have the national transportation safety board and all of us wait because it's a slow, methodical process, but when it's done there's a very detailed explanation in the software industry on your hand. You know, if you make the equivalent joke here, it would be like the plane crashed when it did the thing. Can we just try doing a thing a couple more times to see how many times it crashes until we get a baseline of it? I mean, it works so much different in software but we don't have enough requirements for it. But there are some and the breakdown is referred to as a differ report. That's the NTSB equivalent in the software world, where what happened and there is a site called the differ report and they publish anonymized in a way of we don't know what company it was, but that's not relevant anyways.

Speaker 3: 36:52

It's a great breakdown of walking you through initial access. How did they first find their way in? What did they do when they have that information? How did they pivot from that information to the next step? And then how did they eventually get what their goal was? Was it a ransomware attack? It was espionage, it was taking something. So different reports are kind of your path to breakdowns that are in very relatively plain English because they're not meant for only cybersecurity people, they're meant for people to read and go in and along. But these are the detailed breakdowns of everything that occurred to lead up to this event and those are very helpful because you can look along there as a practitioner and go what would have stopped it along the way? So let's walk through a different report of oh, they got here but it wasn't stopped because they didn't have this mitigation, they didn't have a compensating control that would have stopped this. So you kind of rattle through there and figure out what landed there and then work it backwards to go what tooling do I need? Or what notices do I need? To get to the point where I don't have those, because we had an incident that I covered and it was with my company, not us. Well, one of our clients, specifically so my company client we serve incident happened. We got it, but they did get to a point. But that's why I tell people here's what happened and here's the point where they got. But here's where we got them and this is how we mitigate it in the future. It where they got, but here's where we caught them and this is how we mitigate it in the future.

Speaker 3: 38:11

It was a flaw in a commercial piece of software that's used in the construction world and we found it. We stopped them the moment they got on because they issued a SQL command to elevate their privileges to start a shell. You go wait a minute. Why did someone try to make a shell off SQL? That seems odd. So we have detection tools that go yeah, that's abnormal. Also, we learned that the company when we contacted them, and my friends Huntress have a great write-up on this because they're the tool that caught it. They also dove deep into this. They're like hey guys, and they've been working with this company, you have a flaw. And they're like, yeah, maybe we'll fix it. And the company still hasn't fixed it. There's not good medications for it, there's still a commercial company. The name of the company eludes me now, where I'd say I'm, because I don't mind calling them out, because Huntress already called them out and said hey guys, your SQL port that you tell people to open is part of your instructions. Perhaps you shouldn't do that.

Speaker 1: 39:02

And there's software that tracks all that stuff. I forget what it's called. One of you will tell me, but it looks for like weird behavior, like, oh, the SQL thing did a thing it shouldn't have.

Speaker 2: 39:10

Yeah, is that?

Speaker 1: 39:11

like IPS IDS, or is that something?

Speaker 2: 39:13

EDR NDR.

Speaker 3: 39:15

Yeah, yeah, yeah yeah. Edr, ndr, xdr, xdr is the combination of we enrich network logs along with our endpoint detection response.

Speaker 1: 39:30

Then you've got your sims, we could go down. Yeah, you want to go down the side looking for behavior and like strange things like why?

Speaker 3: 39:33

is this thing doing a weird thing that it's doing right yeah, it's moved to that because in the early days we had signatures, because we had predictable, like the I love you virus and all those wonderful things that were in the early days as things have progressed. And live off the land is a popular term. What it means is powershell exists on servers. I don't have to bring my own binaries that might be suspicious, for hey, why are you putting that on this computer? I can do a lot with powershell and if I can get access to powershell through sql and I can spawn a powershell that has full admin privileges or system level privileges, I can do a lot of things. So living off the land evades any type of detection of I'm looking for this application being run on there.

Speaker 3: 40:17

Behavior analysis is really where all these companies have had to move to, because you just go why did your SQL spawn a shell? It doesn't do that normally, so that kicks off an investigation by your EDR vendor to go. That's very suspicious. And they go whoa. That seems really suspicious because it came from an IP address that we have in our list of bad IP addresses that have done this before, and then they will put a stop to that noise.

Speaker 1: 40:42

And you mentioned being an open source advocate earlier. Are there open source tools for this kind of like cyber stuff? Or do you have to pay somebody a bajillion dollars?

Speaker 3: 40:49

Oh yeah the good news is I have two good videos and I said I didn't have a lot of cybersecurity videos, but I actually have two of them. I got one just title open source threat hunting and I cover three different tools, which is going to be Greylog, Wazoo and Security Onion. I also did a standalone deep dive on Security Onion. It is a sock in a box, if you will. It is a sock in a box, if you will. It is an entire threat hunting platform, fully open source.

Speaker 3: 41:11

The team at Security Onion is amazing big open source advocates. I'm big fans of what they've been doing. They've been around for a year, 10, 15 years doing this, maybe longer and you can download it, you can set it up on your system and you can begin your career in your home lab, 100% self-hosted, 100% free, and it is used by commercial companies. It has an entire SOC analysis. They're starting to build in some AI tooling that will basically look at the threat and go I don't know a lot of hexadecimal going across the screen. What is this? And it'll help do some determination for you to lead you along the way.

Speaker 3: 41:44

I haven't played with any of the new AI stuff that the team have put into it. They just haven't played with any of the new AI stuff that the team have put into it. They just haven't gotten back to it as we don't use it commercially. We have some commercial tools we use for that, but it's one of those things. I look for tools like that to say hey, you student who may be watching this video, who says I'd like a career in cybersecurity, what do you guys actually do? Because it's a broad topic and I'm like start learning. And, by the way, you are probably time rich and cash poor right now. So download this free, open source tool. Grab an old box. It doesn't require a ton of hardware. Grab a used computer that you have laying around. Turn your old gaming system into the security union box, Tap your network with a port span and start collecting some logs, and then go panic because you're like my computer's going where Install Kali Linux?

Speaker 2: 42:28

You could man. There's all sorts of stuff you could do so fascinating.

Speaker 1: 42:32

I think if I was 20 years younger and I could do it over again, I'd probably get into the cyber hacking. I see my friends at DEF CON and stuff. It just looks like so much fun. It's this cat and mouse game and it's a puzzle. It really looks like a lot of fun trying to get into things and secure things, and even I just looked at the different reports. They're fascinating.

Speaker 3: 42:53

Yeah, I see you stare and I'm like okay, he's opened up the different report.

Speaker 1: 42:56

It's fantastic. I mean, I could spend forever in here. It's just amazing what you can learn. Here's what happened and here's what they did and here's how you protect yourself. But it's an endless cat and mouse game, right? Oh yeah.

Speaker 2: 43:07

You know where your biggest vulnerability, though, is in your organization.

Speaker 1: 43:11

What's that?

Speaker 2: 43:11

The people, the people it accounts for the vast majority of cybersecurity attacks is something from the inside, where somebody either left a port open because they went and they changed something up in AWS, or they opened up an email they shouldn't have.

Speaker 1: 43:26

Your people are where a lot of your cyber phishing email a couple weeks ago and I consider myself pretty darn good at not doing that stuff. I yell at my dad like dad, don't click any links in any emails and and son of a gun they got me at work. They have, I guess, things that they try to see. If you know you did the thing and they're like, oh, this is a phishing thing, you shouldn't have done that. I'm like, oh god, yeah, like they're really good. Some of them are like I forget what it was, but it I clicked the thing I shouldn't have.

Speaker 3: 43:52

I'm, I'm, I'm embarrassed yeah, you know, um, I don't always self-title myself a hacker because I've always considered myself blue team my my job has always been on the side of protection. But I love hacking conferences. I have friends that work in it, and one of the reasons why is I think to be a better blue teamer is I have to understand how people are breaking things, so I've always hung out with all those people. I love going to events. Next week I'll be at Hackers on Planet Earth in New York. Those events are so cool. I'm going to be at GURCON as well this year.

Speaker 3: 44:24

I love the smaller events. There's maybe only like 800 people going to be at these. I don't know. There's probably about 400 people at Hackers on Planet Earth. I'm not sure. The reason you're not sure is they're not like your normal events, because you think about social media and post it and you go hell. There's not a lot of pictures of DEF CON, despite 27,000 people being there. I'm like, yeah, if you go to the smaller events, if you would like to leave those events very forcibly, go ahead and start filming buddy. They're generally not a thing they do. We made jokes at Wild West Hacking Fest. We was there last year with some friends that did a talk, but we always like to do these selfies up on stage. My friends were talking. They're like hey, going to do a selfie. I know it's not welcome here, so everyone that cares about their identity duck and all the heads went down like this and we took a selfie with people's heads down. It's funny.

Speaker 1: 45:12

So I know this is like probably a silly question to ask, but why? So I've made certain decisions right, like I do not post pictures of my children anywhere public for reasons. Yeah, my wife might have a different thing right, but, like, for me, I'm like, okay, well, I'm known in certain circles, in smaller circles, and I just don't think for a lot of different reasons. Even the AI stuff you see, and what they can do with pictures, oh yeah, I'm like you know what? So I got to lock behind stuff. But what's the vulnerability? Why can't you take a picture of yourself at a security conference? Like what's that going to do? If I see a picture of tom behind jeff at like defcon, like how am I going to use that for?

Speaker 3: 45:52

nefarious purposes. It's just a lot of people they're. They're much more privacy oriented and jack reciter dark net diaries, pretty famous. Um, I've had friends that have met him and it's funny because they took pictures of each other's shoes. It's the stupidest picture I got, like I metcyder. He sent me a picture of their shoes together. He's like I can show you his shoes. He told me I'm allowed to.

Speaker 1: 46:11

Is that a hacker culture thing? Like, don't put my picture anywhere.

Speaker 2: 46:14

Yeah, yeah, kind of a culture thing.

Speaker 1: 46:16

What am I going to do with your picture Like?

Speaker 2: 46:18

now I know what you look like.

Speaker 1: 46:20

What does that mean, jack Recy?

Speaker 3: 46:25

Yeah, there's a lot of people who are very anonymous. I'm friends with a lot of people at Huntress and they don't have LinkedIn. Some of the people that work there that are currently presenting at DEF CON they don't have LinkedIn. They don't talk about where they work. They lead a life where they do it. I don't know, it's a nature.

Speaker 1: 46:44

Is that to reduce their attack surface? Is it a strategic thing?

Speaker 2: 46:48

Some of it is that to reduce their like attack surface, like is it a strategic thing? Some of it is that I have another theory on that, which is some of the people I've met that are more on the red team side of things. They're curious by nature, which means sometimes they poke around and whether they're, whether they're doing anything that ends up, you know, stealing, they often will poke around. There's just, there's just a desire for anonymity by people who like to to tinker. It's sometimes a walk, a fine line between what you should be doing, you shouldn't be doing yes, gray hat would definitely describe any of them.

Speaker 3: 47:19

Uh, they are. They are not public about what they're doing all the time and it they're doing it for the right reasons, but it's uh. Yeah, I remember there's a couple people when, when there was several leaks we found out, several prominent people in the security industry go we didn't know, you worked at the NSA. And he goes what does this say? We're not talking about where I worked, there's just a gap in my resume we don't talk about. And some of those it's really interesting. You meet some of them. He goes by. I'm not going to say his name. I shouldn't say because I think he's buried it again.

Speaker 1: 47:48

I don't need anybody knocking on my door tomorrow. Man, this podcast is registered to my address. Let's not say his name.

Speaker 2: 47:55

Side story on that Side story on that. I have a friend of mine that works in the NSA building and I was having a beer with him one day and I jokingly said to somebody else yeah, he's my buddy, he's a spy, works at the and he goes, jeff, because I kid you not, I have to report this, that this was said because it is actually. I have to, because it's not even a big deal, because no one cares. That guy's drunk, he's not going to remember it, but I actually have to go in and say hey, by the way, this came out.

Speaker 3: 48:26

Right, yeah, there you go, jeff. There's rules, there's a level of anonymity. There's rules. Uh, they, they. There's a level of anonymity. Uh, jack reseller's talked about it a couple times on his podcast that he really enjoys the fact that when he shows up at ifcon he puts a mask on and a hat and he everyone knows who he is by his disguise. But when his disguise is off he just blends in with the crowd and he says there's something freeing about that where everyone wants to talk to him because he's jack reseller of dark knight diaries, which is awesome. But the other side of it is fame has a price and being able to be anonymous by taking the hat off, taking the mask off, and no one actually knows what he looks like. So I think he represents a lot of people in that industry. I made a conscious choice to decide what I do or do not share about myself being a public figure. It's really hard because I do so much public speaking.

Speaker 3: 49:13

A lockpicking lawyer. If you look up lockpicking lawyer, his DEF CON talk which is strange because he says no pictures, of course, and they go through his slides but the first three or four, maybe five slides are all the stalkers. He has People sending him trackers, air tags, you name it People trying to follow him to the PO boxes that they ship things to to watch who goes in and out and like he has a lot of people. He's actually leveled it up because of so many people trying to stalk him. It's just weird. But because he's chose to be anonymous, there's more people that want to know him and so it's become a cat and mouse game. Yeah, uh, he's had numerous people hire private eyes and it turns out because he's a lawyer, he knows the the private eyes are and he thinks it's fun when they people reach out to his friends like hey, someone hired me to track you. Do you take their money at least?

Speaker 1: 49:57

oh, yeah so is that like red teamers just trying to find out who he is just for like street cred, or like just yeah, I think that's what it. Is it just it?

Speaker 3: 50:05

becomes a cat and mouse game. I've I've had some weirdness. I mean, we built a new house a couple years ago and I was not thinking I did not set up a special trust for it and I should have, and I know some of these things because I got some very deeply private friends. But ah, then someone messaged me like your new house drove by. I was like, yeah, thanks.

Speaker 1: 50:24

Random person on discord yeah, there's so many levels of it. I guess, like your name is on a deed and like you know, like I don't really think it through even myself, like I try to be, I try to keep my kids anonymous online.

Speaker 2: 50:35

But yeah, I mean some of these. It's a challenge, it's a challenging thing wanted yeah not only that, you really want to go down a rabbit hole. Look up jose monkey. This guy is someone who he'll you could go in and ask him to find your location based off a video. Yes, he's amazing at geoguessing is wild Geo-guessing yeah.

Speaker 3: 50:55

It's its own remedy.

Speaker 3: 50:57

Yeah, you can grab some little piece of information and they will geo-guess it. When I've done CTFs, kind of bringing it back to the hacking conference, the CTFs usually involve multifaceted things, finding security flaws in things that are set up. At the CTF It'll be at a hacking event, but there's geoguessing and lockpicking and all those things I can do the lockpicking I do some of the geoguessing. I'm terrible at some of the other hacking stuff. But our team won two of the last conferences that we participated in. We dominated, which was awesome. We have some really smart people. My business partner, jason, is just a brilliant reverse engineer and watching him, and another guy we have named damon. They just hack stuff. Man, I love watching them go. They're just like leaderboard top notch. They're like grabbing the flags.

Speaker 1: 51:43

I'm just like yes because we're getting close to the hour here. I'm going to try to get us toward a, toward an ending here, because you're you know, you're one of those guests I could talk to forever. I'm like whoa tom, there's so much cool stuff and so, uh, this is, this is um, this is so much fun for me. I don't want to let you go, but I know I should. So, yeah, um to. To circle back to the content creation, we'll try to wrap up there. What was the first video that took off for you and did you expect it? Like, did you have one that just blew up and you're like whoa, that was kind of not surprised not particularly, but generally speaking it's a firewall videos.

Speaker 3: 52:15

I just didn't realize the interest there was going to be on youtube for the firewall videos. That really kind of surprised me. So that is the views that took off the any of them I've done. On cabling, um generally have done well one. You know, if you really are teaching people cabling, that's done well. That was also a surprising one. Uh, there's, we're recording that at like eight o'clock in the evening. Uh, me and cory are, and that's done well, that was also a surprising one. We're recording that. At like 8 o'clock in the evening, me and Corey are, and that's why there's a beer in it that we pull out of the wall. If you've seen the video at the end where we pull a beer out of the wall as part of a joke, we were just hanging out and I'm like, oh, let's just record this. I have this idea.

Speaker 3: 52:47

The little amount of effort that was in that video was just so low effort Me and Corey hanging out after we had gotten finished pulling wire somewhere and decided to. When we built the little wall for it, we actually built the wall with the intention of doing it, because we built the little half wall. So there was some intention, but it wasn't like well scripted, it was like I don't know, let's just do this and see how it works, let's record this, and so those ones are kind of surprising to To me. They got the views it did, but overall it's just a brute force of putting a lot of content out there, and most of my content is related to what I'm doing being a practitioner, whether it's virtualization, networking or those things. There are things I'm managing these projects, doing these or design and do an engineering for them, so they kind of flow easy where I'm just talking about a lot of what I'm doing, you're doing it anyway, right, but you're just sharing and teaching.

Speaker 1: 53:32

I love what you said earlier. I was going to finish with it but people remember people who help them. You're really just showing people what you're doing and teaching and then helping people, which then just draws them to you, I think.

Speaker 3: 53:43

Yeah, there's an enthusiasm for I figured this out and a second enthusiasm I can share what I figured out with others hacker ethos as well. Matter of fact, if you look at the history of hacking people, this is how they always seem to get in trouble. They can't stop talking about the thing they hacked, the history of how hackers got caught. They tell everybody it's like robbing a bank and then telling people.

Speaker 3: 54:03

Yeah, you know it's gotten better now that we put structure on it. We do bug bounty programs and things like their name in lights for it going. Hey, we found these bugs, we were paid for them, they could do write-ups. They're up on stage legally doing it, um. But kind of back to the content creation side. There's just an enthusiasm of being able to help people. I've got to meet all kinds of cool people. Now I'm sitting on a podcast that I've listened to with some cool people like it.

Speaker 3: 54:24

It takes you, uh, places and that just makes it kind of fun to me. That it's like an added bonus that helping people also turned out to. You know, I got to. I have a video where I filmed a data center and a lot of people have messaged me how'd you get the camera in the data center? And I'm like, well, the guy doing the tour is normally the guy who tells people you can't film in a day center because he manages all the data centers, but turns out he likes my youtube, so he gave the tour because he knows what can or cannot be said.

Speaker 3: 54:49

What he would do is he would actually tilt me aside a little bit because you can't show what's on these dials here, like it's just voltage, he goes. It's tuned to a very specific frequency. It is tuned perfectly. He goes. The trade secret is how I've got that tuned or how my team tunes it. So move over this way. It was kind of fun, uh, the behind the scenes of it, of what got cropped out essentially, but uh, he, he's the one that makes the decision. So he gave the tour. It's a really cool tour about the power systems and the liquid cooling and how many gallons they have on site. Lots of details you wouldn't think they could share. But it was fun to be there and hang out, not just like usually a data center. If you go there, it's loud, you go to the rack that you're allowed to go to. You cannot just wander around and you certainly can't point and ask what's that and we'll and it's going to go. None of your business. That's what that is.

Speaker 1: 55:37

Go that way how do you handle negative comments on videos or on socials um?

Speaker 3: 55:43

you gotta hug your haters, uh, but never more than once. So I will reply sometimes, once, but at some point you are rolling in the mud with the pig and the pig loves it.

Speaker 1: 55:53

So you got to troll, so you'll say that again You'll hug the haters, but not the haters, but never more than once.

Speaker 3: 56:02

Yeah, I will comment on them. Occasionally. I will engage in a little bit of a debate with someone if they're really wrong, and I think there's a value in it and the value is it's a mindset. The value and I do this a lot more on LinkedIn the value is not arguing with the person, it is creating an audience and I know the audience may not think about this issue, so the person throws an opinion this way on it. They're wrong about it, they're not very in depth on it. So I'll have a more careful, good thought out response and it's for the people watching and I actually always make sure to say that I'm going to reply to you. I'm not here to change your mind, but I know there's other people watching. That is the first line I give and then I give an explanation of why they're wrong and it infuriates them, which also makes me happy.

Speaker 1: 56:47

Well, you're going to do something good with it. I mean, you're going to use it as a teaching moment, right which?

Speaker 3: 56:51

yeah, they didn't want.

Speaker 3: 56:52

They wanted to make you mad and get your attention, and yeah I have made a lot of people mad about my passkey video lately, so that's been a fun one explaining to people how passkeys can bypass 2fa. And people like but tom the spec says I know. I said, oh, I know, you can use it properly. I'm talking about companies, not small ones. We'll use github, an example, who lets passkeys bypass 2FA without forcing you to certain standards. That is to me a problem and a lot of people are not aware of that problem.

Speaker 3: 57:22

So I made a video about it and it turns out it made a lot of people mad. I got a lot of messages on that one. I don't know why they're so mad. They're just telling me well, if I have two-f factor on my password manager, therefore that's the, that's mitigating. I'm like no, at some point your password manager has to be decrypted and then the passkey is a single point of login because it can be exported out of your password manager. That's all I really said in that video. It's really simple and I gave examples. But yeah, that uh turns out gets you some haters yeah, see, this is the.

Speaker 1: 57:48

This is the problem with talking to you, because now I had one more question I'm going to finish it, but now you got me thinking like, so wait, are you telling me my master? I forget what they call it, but I don't want to say the name because of the these listeners that are now hackers. But let's say I use a password manager, not named password manager, and let's say I have, you know, uh, one thing I type in to get to all the other things. It's encrypted. Yep, did what you just say. That's not secure and that somebody can get that and I'm exposed.

Speaker 3: 58:17

The risk model is for logging into the password manager. We have something we know our password and something we have. It's a TOTP, it's a hardware key, it's a UB key, whatever you might be using. So we've got two factors of authentication on the password manager. You've got two factors of authentication on the password manager. Inside that password manager we have usernames and passwords. What we shouldn't have is that other factor, because I log into Google, I log into GitHub, it's going to say username, password. My password manager goes hey, username, password, I got that, let me fill that in. Then it says what's your TOTP? Give me that rolling off number or touch your YubiKey to finish your login. And that is all great. And what they're talking about here is that second factor is the compensating control.

Speaker 3: 58:56

Inside of the password manager lies all these credentials. So let's walk through a risk scenario where someone has figured out a way to extract all that data out of your password manager and they can get my username and password. That would be tragic. But the tragedy stops when they hit GitHub and go ah, I got his username, I got his password. I don't have a second factor pass keys. On the other hand, pass keys allow for single login. They're cryptographically secure, they're phishing resistant those things are all wonderful security features of them. But once you store them in a password manager, github is easy example we'll use here again where that password manager now stores a passkey and you can go export my passkey out of my password manager. So we've gotten into password managers Somehow. We don't know any way to get into them. They're great fortresses but hey, anything, every fortress has a crack. We get that data out of there and then you can log into my GitHub or anywhere else that accepts a passkey without asking for a second factor.

Speaker 3: 59:49

That's a problem to me of the way the implementation is. There is within the implementation, within the FIDO2 standard, a rule that can be set at the level of the website that says don't do this you force people to use Whenever you want to register FIDO2, there's a list of devices and you can say I'll only accept these devices that you know. Hold on the pass key or a YubiKey in my hand. It says no, only devices that require you to touch them, because that is a really solid way. You have to be sitting at your desk, so even if you're on my computer, I have to touch the blinky light on my YubiKey here for you to do this. But the implementation used by the password managers allow falsifying attestation and this is kind of a security bypass. So attestation means touch the blinky light and a little piece of metal on here to let you know I was there. Password managers can do that on your behalf.

Speaker 3: 1:00:39

Now, the way the password manager I use does it is. It does prompt me and I have to click on it. But if someone was physically on my computer having remote access, they got to click on it too, and so it's not much of a competency control. So right now my password manager is logged in unlocked. If someone took control of my computer when I wasn't looking I'm wandering around my studio they would just be able to log in. But if it's critical, I say use a hardware key, use a totp number that's rolling on your phone. So now there's an extra step. So just sitting at the computer they wouldn't be able to extract it. That's all it. It really is what people seem to be angry about. But, tom, you're dumping on passkeys, and they do to improve security.

Speaker 3: 1:01:16

I said the first sentence of that video is passkeys have done a lot to improve security. They're great. This is not telling you not to use them. But for those of us that are security minded, for those of us that have 375,000 YouTube subscribers and be really worried if someone were to oh I don't know take over my channel and shill some type of crypto looking at you linus tactics, who did not have proper mitigations for that and he was very transparent about it, so I can say his name. You know someone took over his channel with several million subscribers and used it for scams.

Speaker 3: 1:01:45

Uh, you should have, if you know you are very hot target, actively targeted, because you have called yourself a cyber security guy on youtube and people go. I'm going to prove that guy wrong because that's how humans work and so you want to make sure you've done everything you can within your power, within reason, to have all compensating controls to have people not attack you. That's all. That's my point of the video. People took it out of context, but I I hopefully speak to a lot of people and other people I met that work places, that they work at high security environments. They work at some facility where they know, even if they're not a public figure, there are people going. I'd love to get the secrets that person has, because they have a job that has those secrets.

Speaker 1: 1:02:26

Once again I'm learning something I didn't know. My password manager has been recommending passkeys. I assume that they know more than I do, because they do, and I figure, oh, I get like I don't even know what a passkey is. I couldn't explain it to someone, but I've been. There's a whole video on sites, well right, but but to hear that it's it's not.

Speaker 2: 1:02:45

The passkeys are bad, well, it's circumventing 2fa right, it's circumventing two-factor authentication.

Speaker 1: 1:02:52

Where it doesn't, yeah, which which I didn't realize. So, again, this is important and it's great, and I'm glad you're teaching me this, and maybe I shouldn't be using passkeys because they circumvent 2FA. I don't know. I got to look.

Speaker 3: 1:03:03

The term used is risk tolerance. So I have lots of places I use passkeys. I am completely risk tolerant. If I use a passkey at my pizza place because they had one and I could order pizzas and if you broke into my pizza place I'd be annoyed, you could probably order pizzas or see my order history, I don't know, I'm not worried about it. I like the convenience they offer in certain places where the risk tolerance is high. If you got into those random forums that I use, like you know, I like motorcycles, so I've got a couple of motorcycle forums. If they have a passkey login, I'm doing it because I'm lazy. I don't feel like pulling a TOTP up over each of these and if you broke in there, oh no, you'd see my public posts or some DM. I had talking about my Honda. So not a big deal. So there's lots of low-risk sites that not, but things that are critical.

Speaker 3: 1:03:44

If you're a developer, github is obviously a critical piece of your workflow. You better have that really locked down. We know developers under attack. We know supply chain attacks, especially against open source developers, are quite high. Google's finally put some good mitigations in for people who are developing extensions or doing private key signing for each one of their posts or each one of their updates. Google has very clear instructions. You don't keep this in your Google account. So we're getting better at it. But still, if you lost your Google account or lost those developer accounts, those are critical, especially if you're. You know. I work with a lot of open source developers. If an open source project is popular, there is someone gunning for it and trying to get something inserted into it because it's got a big user base and it presents an opportunity for those who wish to do mischief. It's a great place to be mischievous.

Speaker 1: 1:04:31

Tom Lawrence, this has been an education. It's a great place to be mischievous. Tom Lawrence, this has been an education. It's been entertaining, it's been awesome. I have so many more things that I would like to ask you, but we're well past the hour. It's a good episode when we go over. So thank you so much for coming on. Where can people find you if they're living under a rock and they don't know about Tom Lawrence?

Speaker 3: 1:04:46

Easiest way everything and all my socials, whatever they may be at the time you go there, or at launchsystemscom, I just link everything there, even my gaming profiles there. Someone says are you on Steam? I'm like, I'm there too, so I linked it there. If you want to play games with me which I don't play games too often, but I've made all the opportunities there for whatever socials I try to be on all of them that are within reason, so I'll try to meet platform you're on.

Speaker 1: 1:05:11

Awesome, tom. Thank you so much, jeff, always good to see you For all things. Art of NetEng, you can check out our Linktree at linktreecom. We have a Discord server. We have some merch. What else is on there, jeff? I don't know.

Speaker 2: 1:05:22

Not pictures of us. We're still working on that.

Speaker 1: 1:05:25

Jeff's fixing the pictures. But yeah, for all things. Art of NetEng, check out our Link tree. Um, I like to call out the discord server. It's all about the journey where you can go when we have study groups for just about everything. I don't know if we have a cyber in there, and if we don't, somebody should spin one up, but um, yeah, as always thanks so much.

Speaker 1: 1:05:43

Huh, so I think, is there a cyber? Yeah, if there isn't, we're going over to tom's. Tom's, don't you have? Don't you have, like, your own forum of like? I have four?

Speaker 3: 1:05:49

I do run forums uh, yeah, I don forum Forumslaurencesystemscom. I get a lot of visitors here, about 80,000 a week right now I think. Last I looked it's insane.

Speaker 1: 1:06:01

When I found you and then hit you up on LinkedIn and we started talking, I somehow signed up for your forum and I'm like I couldn't believe how deep and dense and how much interaction was there. It's an amazing, amazing place.

Speaker 3: 1:06:11

I've been building them for a number of years. Kind of back to what we said earlier. I own that platform, I host it myself, I manage it myself. I've always done it for free, turns out running a platform is not too expensive. So yeah, and that way I can control it. I don't like building on other people's platforms that is essentially self-hosted, but on a public-facing server. So, and they can find that through tomlawrencecom. Oh yeah, same easy, they're free to sign up. They're free to view. If you don't want to sign up, feel free to view it anonymously. Most people do because they're just looking for a solution.

Speaker 3: 1:06:40

When I do write-ups for my videos, I often link them to my forums. That way you can, just because who wants to type all those commands that they see me type on youtube? Copy paste, man, make it easy. Um, you'll also find all my news files. I. I'm back to being transparent. Anything I do, if I have a Docker config I use, or I have an OPML list for all the people. Where do you read the news, tom? Here's my OPML file. You can actually download it and stick it in your RSS reader and I keep it up to date. All that stuff is just thrown all over my forums. I just try to give it all away. That's always been my attitude. No reason, just want to to help the community, and by doing that I've learned a lot. People usually give me suggestions on some of that stuff too, like, hey, did you know about this? I'm like add it to the list.

Speaker 1: 1:07:18

Yeah, words of wisdom from Tom Lawrence people remember people who help them. I love it, tom. Thanks so much for coming on. It's great to our podcast and your favorite podcatcher. You can find us on socials at Art of NetEng, and you can visit linktree forward slash Art of NetEng for links to all of our content, including the A1 merch store and our virtual community on Discord called it's All About the Journey. You can see our pretty faces on our YouTube channel named the Art of Network Engineering. That's youtubecom. Forward slash Art of NetEng. Thanks for listening.