Hackers to Founders

Jordan Wiens (@psifertex)

Welcome to Episode 1 featuring host Chris "REal0day" Magistrado and special guest Jordan Wiens, @psifertex, co-founder of Vector 35 and creator of Binary Ninja.

In this episode, we discuss Jordan's journey from network defense to founding Vector 35, the unique features of Binary Ninja, and the evolving landscape of reverse engineering tools. We also delve into pricing strategies, sales processes, handling administrative challenges, and the impact of market dynamics on tool preferences among cybersecurity professionals.

Key Highlights in This Episode:
- The importance of not negotiating low-value licenses and setting a minimum threshold for negotiations to streamline sales processes.
- Experiences with prolonged purchasing processes in financial institutions and the lesson learned in reducing bureaucratic processes.
- Market entry strategies and navigating competition with free tools like Ghidra.
- Enterprise sales and managing complex contracts for larger deals.
- Impact of competing tools on revenue and strategy for commercial vs. non-commercial licenses.
- The philosophy behind student discounts and nominal pricing.
- Future plans for Binary Ninja and continuous commitment to its development.
- Insights into the upcoming "Re-verse" conference in Orlando, Florida.

Social Links:
Jordan Wiens (Special Guest)
X - https://x.com/psifertex
LinkedIn - https://www.linkedin.com/in/jwiens
Vector 35 - https://vector35.com/
Binary Ninja - https://binary.ninja/

Chris Magistrado (Host):
LinkedIn - https://linkedin.com/in/cmagistrado
X - https://x.com/REal0day
Articles - https://medium.com/@real0day
Recruiting Agency - https://TopClearedRecruiting.com
Podcast - https://hackerstofounders.com

Hackers Mentioned:
Rusty Wagner @D0ntPanic - https://github.com/D0ntPanic
Jayson Street - https://www.instagram.com/jayson.street/ - https://www.linkedin.com/in/jstreet/
Jeremiah Grossman - https://x.com/jeremiahg
Mike Frantzen - https://www.linkedin.com/in/mike-frantzen/

Conference Details:
Re-verse Conference: https://re-verse.io/
Date: February 28 to March 1
Location: Orlando, Florida

Companies and Tools Mentioned:
Binary Ninja - https://binary.ninja/
IDA Pro - https://hex-rays.com/ida-pro
Ghidra - https://ghidra-sre.org/

Miscellaneous Tools and References:
CUI Standard - NIST Guidelines: https://csrc.nist.gov/projects/protecting-controlled-unclassified-information
Capture The Flag (CTF) Competitions: https://ctftime.org/

Connect with Us:
Twitter - https://x.com/HackerToFounder
Instagram - https://instagram.com/hackerstofounders
TikTok - https://www.tiktok.com/@hackerstofounders
LinkedIn - https://www.linkedin.com/showcase/105189100
Discord - https://discord.gg/2TnH6hkuTG
Website - https://HackersToFounders.com
Spotify - https://open.spotify.com/show/5BgjVtDJc7xoyiQlbhKmL6?si=af728a2b3cb74d8b
Apple iTunes - https://podcasts.apple.com/us/podcast/hackers-to-founders/id1771903476
Amazon Music - https://music.amazon.com/podcasts/e34efad3-bf38-431d-be45-348ef6838262/hackers-to-founders

Subscribe for more episodes and insights from cybersecurity professionals who have transitioned into new ventures.
Like, comment, and share if you found this episode useful.
Follow us on social media for the latest updates and episodes.
Watch, Learn, & Grow in Cybersecurity!
  • 1 [00:00:00]: Introduction to Jordan and Vector 35
    - of Jordan's role and dedication to solving ongoing problems in the reverse engineering field.
    - to the podcast and the guests, focusing on the guest's background and company journey.
  • 2 [00:01:00]: Founding of Vector 35
    - of the formation of Vector 35 and its 10-year journey.
    - into the DARPA CTF contract which gave the company its start.
  • 3 [00:05:00]: Binary Ninja's Development
    - of the development history of Binary Ninja from an internal CTF tool to a commercial product.
    - transition from Python to a full C++ rewrite to enhance capabilities and performance.
  • 4 [00:10:00]: Early Career and Education
    - Wiens' formative years, education in math and computer science, and first job experiences.
    - journey from university IT support roles to a focus on network security and forensics.
  • 5 [00:20:00]: Network Defense and Security Work
    - recount of early projects and learnings in network defense at the University of Florida.
    - examples of handling security incidents and implementing automated security measures.
  • 6 [00:25:00]: Capture The Flag (CTF) Competitions and Impact
    - introduction to CTF competitions and their significance in his transition to offensive security roles.
    - development of a strong skill set in reverse engineering and exploit writing through CTF participation.
  • 7 [00:35:00]: Evolution and Experiences in DEFCON CTF
    - evolution of DEFCON CTF from informal beginnings to a structured and competitive event.
    - examples of strategies and shenanigans used in CTF events, highlighting the excitement and challenges involved.
  • 8 [00:45:00]: Business Lessons and Pricing Strategy
    - discussion on the importance of pricing strategies and administrative efficiency.
    - learned from engaging with large institutions and the shift to a no-negotiation policy for low-value deals.
  • 9 [00:55:00]: Product Competition and Market Position
    - Wiens' perspective on competing with established products like IDA and Ghidra.
    - continuous improvements and new features in Binary Ninja to maintain a competitive edge.
  • 10 [01:05:00]: Future Plans and Conference Initiatives
    - goals for Vector 35, including potential growth strategies and product announcements.
    - of the reverse engineering-focused conference "Re-verse" in Orlando, Florida.

Creators & Guests

Host
Chris Magistrado
Host of @HackerToFounder. Owner of @TopClearedRec. Security Researcher. Defcon is fun. CCCamp is a trip.

What is Hackers to Founders?

On the Hacker to Founder podcast, we are joined with our host Chris (REal0day) Magistrado, who interviews hackers who have reached the pinnacle of their cybersecurity journey and have ventured into the world of startups and/or investing.

Like, okay, is this what I want to keep doing? And the answer was absolutely.

Like, I really I want to keep doing this. Like, I'm not, I don't feel

like we've solved the problem. Like, IDA is still the major dominant tool, you know,

technically there's still problems that I want to solve. I

think we're the product itself is at a spot where it can now,

replace IDA for the vast majority of users. And so now we just gotta

go, like, show everybody, like, convince them and, like, demonstrate it and be like, hey.

Listen. You can you get all these advantages. Let's let's let's get

everybody switched. And so that's super exciting. Like, I feel like

we've we've done some of the hardest work, and now we can reap the rewards.

This is Hackers to Founders, a podcast about cybersecurity professionals who

have reached the pinnacle of their cybersecurity expertise and have ventured

into new frontiers. Whether it's launching innovative start ups or making

impactful investments in our industry. My name is Chris Magistrado,

and I'm a vulnerability researcher best known for traveling and meeting hackers

from all around the world. And I'm using what little extrovert

skills I have to introduce to you hackers that are

changing the world. Today, we are joined by Jordan Wiens, a cofounder of Vector

35, a long time DEFCON CTF participant and winner of

multiple years, who will share with us a unique story of Binary

Ninja, its creation, and where it's going to go into the future.

This is hackers to founders. Alright. Welcome,

everybody, to the show. My name is Chris Magistrado. I'm joined here with Jordan

Wiens. Did I pronounce that correctly? You got it. You got it. Is

it German or what's your name? I think it's I think it's originally

like Wines, but, like, we've always pronounced it Wines, so my family has spelled it

that way. My grandfather's brothers were born in Germany. But

Okay. That's so funny. Like, mine's a magistrado, but I think it's, like,

technically maestrados, but, like, I'm like Yeah. Filipino

Anglicized. Oh, that's funny. Excellent. Yeah. We

were just talking about, different processes in in terms of, like,

starting a business. I'm one of the founders of Vector 35. It'll be 10 years

this January. Which is bonkers to me.

But yeah. So there were there were 3 of us originally and,

like, 3 technical cofounders. 2 of us sort of split all the administrative duties,

which is I was also really nice. Having another cofounder that, like, could we

could each be part technical and part administrative actually helped a ton. So we've been

able to grow, I think, really a lot bigger, you know, like I said, even

sort of lacking as much administrative as as maybe we could have a lot because

of that. Because Peter and I split that role and that that helps a ton.

It's also just nice too to feel like, you know, we're engineers trying to figure

out marketing and pricing and, you know, contracts and Yeah.

So like all the books and things and trying Yeah. Especially 10 years ago, there

was there even a lot of, like, cybersecurity companies,

startups, or even resources to learn about how to work with governments on

that? Yeah. It was like, we had well, so what we did have was we

had a sort of, like, mentor network. So we had Mike Frantzen from

Kudu Dynamics, who we had

previously worked with, at at back back at Raytheon before

that. And, in fact so we got our we got our start as

a company, working on Cyber Grand Challenge. The the DARPA

CTF, like, robots playing CTF, like, automated. They you know, the the winning winning

team went to go play in the Defcon finals. So that was, like, our first

contract. And it basically was a matter of, we were Peter and

Rusty and I, the 3 cofounders, were all working at Raytheon at the time. And,

they CGC basically needed help running, like, the

visualization side. So they had a game company that was contracted to, like, build visualizations,

but they didn't know anything about capture the flag or security. And so to be

like, hey. Make a dashboard, make a visualization,

was was, like, not easy for them, and the people running the game didn't have

time to, like, translate everything or to, like, babysitter, like, work with not

babysitter. It's a bad it's a bad way of saying it. Really, to work we're

closely with the game company. Educate. There we go. It's a much better one. So

that was we basically got brought on to that. So Rusty and I started on

that contract, and, like, that was the start of our our our company. So Mike

Frantzen was one of the people working that. We were I remember I don't think

we directly subcontracted to him, but he really helped us to a ton.

Gave us his rate card. He's like, here's how you structure it. And here I

mean, we we had, you know, working right then, we had a lot of some

intuition. You know, we were we're technical, you know, tech leads,

so we knew a different contract type, contracting types, and and scheduling

a proposal process and stuff, but we were not the program managers doing some of

the details. So we had, you know, a little bit of learning curve, but certainly

less, I think, than if we had started from scratch. And so it it helped

that we we we had that kind of basis and and that's yeah. That's why

we started the company with that contract, basically, paid the bills with that, and

then, you know, like, it's not like a startup where, like, you grind the startup,

like, 60 hours a week on your your product or you take on VC money,

whatever. We did, like, 40 on our contract, and then Rusty

dropped down to, like, 3 quarters time. And so he was working on Binary Ninja

on, like, the the other 3 quarters as well as extra time. And so, you

know, we were both, like, working working extra hours, but, you know, the

bulk went to the contract to pay the bills. So we, you know, we took

a salary. We had a nice benefits, and we had a budget, and we had

a rate card, and then we could do that. So so the the actual product

for, like, binary binary ninja, was this already in place where, like, you

guys were developing it and saying, like, we already have Yeah. It's it's part of

the contract or it's part of a buyer already. It was a part of the

contract, but it was a part of our design for the company. So we in

fact, you know, like, that was one of the pitches, like, when Mike first reached

out to us. He's like, hey. Do you wanna go build that binary ninja thing?

You've been you've been thinking about it. We're talking about it. So you guys We're

talking about it. I really wanna build this thing anyway. Well, because it it so

it existed. Yeah. It actually there in fact, it's there's even an open the the

original version is is still out there in open source. It was a GPL Python

version. In fact, we had somebody accuse us of, like, ripping off a Python. Like,

you know, how dare you rip off this existing project? And we're like, 1, we

wrote it. And 2, we don't have to we can relicense it however we

want. And 3, it's rewritten completely. The new one's all C++. So we

have, like yeah. We had written Binary Ninja for CTF. I don't know, Rusty. First

started it. Maybe 13 years ago, 12 years ago. Like, it

was built internally just to help our CTF team. And then

it had a so so some of, like, the design that kinda carried

through the name carried through, but that's about it. Like, the actual code

was, like I said, completely rewritten. It was all Python before, and it was

completely rewritten in C++. It still has, like, a the Python plug in

API now, but but the all the analysis is C++. So

rewriting it basically was our first, you know, order of business, and we

basically started that. Like, even just, like, right as we started the company, we're

actually doing that in the side. And then it was about a year after we

started the company before we launched the first version of it, which I'm almost embarrassed

now when I look back at, like, the features it had. Like, people paid us

money for that. Like, we didn't charge a lot less, but, it's crazy how far

it's come. Nice. Beautiful. And, like, so you guys

were developing the company and the product app while you guys were still at

Raytheon? Was No. No. So we yeah. Well, so the Python version.

Right? Like, the open source Python version was was was built at

Raytheon, and then, basically, we quit there, started Vector

35 January something, whatever I guess. And so it's by the way, it's

Vector 35 because we were all 35 years old in 2015.

So it makes it easy to keep track of the yeah. Yeah. So 2025 will

be would be a decade. Yeah. But Peter, Rusty, and I were all born in

1980. So so we, yeah. That's

that's how we started. And then we we basically rewrote it then,

ourselves, like, a sort of, you know, clean code base, for the

ground up after we after we start the new thing. So, like, I know, like,

like, certain companies, it's like if you do, like, Apple specifically. Like, if you design

anything while you're working at Apple and then even, like, sometimes it's, like, 5

years after we started to own that. They owned all that stuff. Yeah. So

Rusty didn't didn't have that agreement because he started so early.

His stuff wasn't locked up. And they had they had gotten some people. In fact,

I didn't have one either. I was I was one of the last people that

was hired before they started doing that, for employees. So

we never had those agreements, and so we were pretty flexible,

with with the IP one. They also had like, you could also declare a thing

and be like, I built this on my own. It's independent. You don't own it.

You could submit that paperwork even while you were there for them, which you may

have even done even though you didn't need to. I don't think. I don't

remember the the the specifics of it. But, yeah, there was a web. But, yeah,

Apple is notorious for, like, you don't touch open source while you work for Apple.

You don't do any other side stuff. Like, you are completely locked down. Yeah. It's

completely wild. Like, I have I have like friends that are like

leaving their it's from the security aspect and they're like, yeah, I gotta like wait.

And this is before I can even make my product and things like that. And

they'll be like doing red teaming at, at Apple and it's like, yeah, I got

something good but I gotta wait the 5 years before I can even create it

which I don't know cycles innovation creativity. But Yeah.

I they I love Apple products. I'm a huge Apple, like, fan as a

consumer, but, I don't know that. And and I've heard a lot of good

there's some good things about the structure with their like, the impact you can

have when you go work there. There's a lot of great people, a lot of

good friends that work there, but, yeah, I'm not a huge fan of, like, the

way that they approach stuff like that. Their secrecy, the, the

lockdown kind of requirements. I do know one person right now, I'm not gonna

name, who's trying to, like because there is supposedly a way you can commit contribute

to open source while you work at Apple. And, like, you can get approval and

go through a process and give us a second. He's working it. So we'll see.

We'll see. I wish him I wish him godspeed. But Yeah. I'm I'm happy, like,

we started this this conversation. We kinda just jumping into it. Yeah. Straight

in. You We're talking about entrepreneurship. You're talking about your company, Vector

35, and then even a little bit of government contracting.

But the audience, maybe they don't know too much about yourself, and, like, how

you entered into our our industry. And then

Yeah. Even, like, what you did and where you started at Defcon as well. So,

like, we'd love to hear a little bit more about your background because there's it's

been there's a lot here and super interesting. Yeah. Thank you.

So so I was always into computers. I went to college thinking like,

oh, well, now I'll get a real degree and do something else. I got a

lie in my head this was this was a thing. Were you

playing with computers at your house before college? Like I yeah. I

just grew up. I grew up. My dad my dad had a computer. I I

was always I was, like, very straight laced. Like, I never

smoked like, I was just very, like, straight edge kinda, like, as a kid. And

so, like, I never did anything illegally, like, hacking wise, but I was always super

into it. I was really into computers. I was, like, running,

running Linux at home and, like, you know, I started kinda, like, teach myself

programming from, like, 3-2-1 Contact magazines in the back. So I was kinda

into What languages was that? BASIC. Just like old

GW-BASIC was the beginning. Yeah. I wish you know, it's funny because Rusty, my

other cofounder, is was highly technical. He wrote his first emulator at the age of,

like, 14 and it was bought by TI. Like, he Texas Instruments bought

his emulator because it was better than their official one, like, licensed his

tech. So he was, like because he was doing the same thing. How did you

even have a conversation with TI about that? Like they reached out to him as

as I understand it. Like, yeah. It's it's kinda crazy. You can in fact, you

can actually find I was writing stuff for the TI, like, all the old, the

Usenet forums like ticalc.org and the old, forums and

stuff. But I was running base TI basic programs, and he was in here, like,

hand coding assembly, writing writing emulators for the

hardware, like, you know, pre Internet. You also were selling to to TI,

teenage age as well? No. No. I was just in the same, like, the TI

calc programming scene, like, writing little apps because, you know, you you would write apps

and post them on like, at the beginning of the Internet, like, early, like, Gopher

even days and Usenet and that kind of stuff. So I was that

was kind of part of what got me, like, online a little bit, but I

was not no. I wasn't nearly as good of a programmer. I I was good

with computers. I was very good with computers, and I had to, like, a lot

of, like, IT jobs. My first job was selling dial up Internet accounts from the

mall. I started doing tech support for them. Or a different variety? It was a

it literally called Internet in a mall. It was a very brief they went out

of business long after. It should be a kiosk in the mall, you you do

it from. And I worked for gateway computer tech support, for a while to, like,

phone support, which is the worst. So we're, like, an outsourced reseller. So they would

call up, and we didn't even have the customer database. So we'd have to be

like, okay. Open up your case and read me serial numbers and look up in

a physical book to find the model numbers to get the download URLs to, like,

drivers and stuff. It was it was abysmal. But but

it was, you know, it's a good learning experience. Actually, I met Jayson Street of

all people who is is active in the security scene. He was, like, my boss.

And we discovered this, like, 20 years later. We're, like, wait a minute. I know

you. It just it took us forever to figure it out because we just, like,

didn't go back far enough. For those who don't know Jayson, who's

Jayson? Yeah. Jayson Street is, it's very, like,

famous, pen tester. Does a lot of stuff, in

the the security community. Just Google j a y s o n street. You can

see a ton of talk show, man, really. Excellent present, presenter

as well. Yeah. Great storyteller. Good presenter. Yeah. So,

so yeah, he was like my boss, like literally in 1996 or

something. And then, yeah, I went to college

thought like, okay, I'll get a job. Didn't think about

computers. I was dual math, computer science, but I started working for the

university. You said dual math. So are you doing, like, applied

mathematics? Or It was number theory. I really

loved so I wanted to work for the NSA.

I just thought I read a lot of spy

novels as a kid. Yeah. I just, I read a lot. I read a lot.

I read a ton. I love spy books. And so I studied,

Mandarin in college. I was a math major and a computer science major. I was

like, because they hire 4 they at the time, they hired 4 things. I heard

hardware engineers. I didn't wanna deal with that language, math, and computer

science. And I was like, well, I got 3 of the 4 covered. I ironically,

9/11 happens, and I I dropped off a resume at the booth, like, that came

to a career fair when I was already working for universities. I started working part

time for university. I turned into a full time job. So I dropped off a

resume, never heard back. I who knows what what

happened with it? And then and then years later, I was working for them as

a contractor. It cost them a whole lot more money. So that would've would've saved

the government some some cash if they would've just, gone through that. So

yeah. So I I started working, like, IT jobs at the university, and I had

a server set up set up this, like, Red Hat Red Hat Linux 5,

not Red Hat Enterprise Linux, like, Red Hat 5, the old school. It was

like I still remember that when you set up your sound driver, it would be

like, my name is Linus Torvalds, and I pronounce Linux Linux. Hello.

This is Linus Torvalds, and I pronounce Linux as Linux.

Like, it's Linus, but you pronounce it Linux because there was a big debate.

And Yeah. Yeah. Like, that was the that was the sample file that would play.

So, yeah, setting up that and, it got popped. Like, somebody

had, like, a a print server bug that they were that they I set up

the server, like, overnight, didn't finish the updates or something, came back to work the

next day, and it had been unplugged. There was a note from my boss, like,

hey. The security coordinator for the university says this was sending spam.

They got reports that, like, overnight, it was served the weekend or whatever it was.

It was sending some spam out, and I was I was like the Internet and,

like, someone on the on the So got it or was it Yeah. It was

it was Internet. Everything was public IP at the time at the university. There was

no, like, firewall. Oh, no. This was, like connected. It's public? It's

public. Yep. Go live. Unless you had your own NAT. If you unless you unless

each department like, the universe the dorms had a NAT, for example, or, like, certain

departments maybe have, but, like, by default, just, like, yep. It was all

there. So, it was the Wild West, and and that was, like,

all that would happen. Like, you, like, you would just send spam. Like, that was

that was the only, like, malicious thing that would happen basically at the time. It

wasn't it wasn't even, like, botnet era. So this is, like, 2000, maybe 2001.

And so I was like, woah. I got hacked. This is so cool. And so,

like, I did some kind of basic forensics and, like, wrote up a report for my

boss. He forwarded on to Kathy Bergstrom, who was the newly hired, like,

university security coordinator. And she was trying to hire, like, a security engineer, and she

was like, oh, are you interested in this position? And then she was like, oh,

you're a student still. Like, I don't want a student. I'm like, no. No. No.

Please. Please. The security stuff's amazing. I wanna do this. I've always wanted I just

never had an excuse to do it. And so, anyway, I talked to her into

it, and that was my my first security job was doing,

like, forensics, incident response, network. I got to do, like, the the

firewall and set up, like, a a had a 10 gig IDS system we

had built back in the day. I mean, you know, like, we had serious pipes.

Yeah. So as as a research university, you know, we were on Internet2,

whatever it was called, a bunch of different names for it. Like, we had

really high speed, connections. So trying to, like, buy

a IDS that could even go that fast. We actually built our own. We ended

up using a bunch of different stuff. We used, you know, Bro at some

points and Snort and bunch of different things. But, like,

these NDAIS, I think with the the accelerated video cards, you can actually

put rules on the the the NIC itself and do it like an FPGA, basically,

so you could do line rate, detection and filtering and alerting.

And so, yeah, it was a super fun gig. I got to do kind of

a lot of, like, a lot of stuff. What was the first task or job

that they assigned you to as soon as you got the the role? Do you

remember? Oh, that's a good question. I

think the first thing I did was,

I automated what was the vulnerability scanner? I

I ISS from, like,

IBM or one of the, like, one of the early, app scanners.

I it wasn't Nessus. And maybe at one point, we switched out to Nessus, but

I basically, like, did some basic kinda, like, scripting and automation. I wasn't much of

a programmer, but I was really good at, like, scripting and shell scripts and,

like, kinda cobbling things together. And so I automated, like, this always on

scanner for a couple of things that were, like, really common at the time that

were causing us trouble. And so it would just automatically sweep all of our IP

space constantly and then either send emails or, you know, take some kind of

automated action. And then, like, we eventually several of us built,

like, this this sort of, like, automated response system. Like,

It sort of predated SIM or SIEM or whatever. It was kind of a little

bit of that where it would pull from, like, pull from the the campus

captive portal logs and pull from, like, the dial up IP logs and pull from,

the map of which network administrators have which IP space and, like, have this

database, and then combine that with abuse complaints or

alerts from our system or DMCA complaints or whatever, like, all this different stuff.

And it would just automatically have a bunch of rules and send emails for us,

like, our little ticketing system internally. So, yeah, just trying to automate as much as

as much as possible, and then getting to build out, like, the IDS and actually

go and physically, like, deploy it like all the different pops all over campus.

You know, this this this IDS box. We had Dragon, IDS way back in the

day, Ron Gula, and that was that was a it was a good idea.

Yes. I enjoyed I enjoyed working on that. But yeah. So that was my network

defense, my first my first security job. Now I'm building a lot of tools

internally at the at the college and setting it all up and, like Yeah.

I haven't, like so, like, jet I have, like, 2 questions. 1, like, how difficult

was it to keep those, like, pipes open in terms of, like, the data flowing?

And then 2, when you left, was it easy to hand over all of the

things that you had built? Because this is, like, a whole, you know,

program. Yeah. Thankfully, there were enough by the time I left, there were about 4

or 5 people on the team. And so we had grown the team, and so

I wasn't, like, the only person running stuff, for quite a while. And so there

were there were definitely enough. I didn't feel like I was leaving them in a

lurch. There were a lot of other people. And that system was still

running up until a couple years ago. I don't even know if it is right

now, but I went back and visited the campus and talked to all the guys

who was still there who who I was has stayed around. That's right. It I

mean, it's both terrifying and it feels good. A little bit a little bit of

both. Yeah. Exactly. Like, it was, I mean, this thing was written in. There was

Perl in there. There was some shell scripts. There was it was

it was a whole but, like, you know, if it ain't if it ain't broke.

And the concept I think, yeah, to this day remains really solid, like, to

really just get all of your logs. Even, you know, a great example is I

remember at one point we got early flow data and, like, just gather everything. You

never know what's gonna be useful. Like, the the the week that we storage for

it all? So we had decent storage, and we would only keep,

like, a week of it or a couple days of it or whatever. Right? Like,

we didn't need because even even a week worth of full flow data for all

all of campus was fantastic. And it was it wasn't like all the

internal routers, you know, necessarily. It was that, like, some of the main there was

a couple of main main pops, like, on campus that we would we would get

the the c flow d firmed or whatever. And so when we started aggregating all

that, like, we actually had a a law student who left

a laptop plugged into a, like a podium in a in a

classroom overnight, sent spam for a local club to a bunch of

emails he had harvested from the campus directory, and, then

came back in the next day, pulled it, and and, like, took off with it.

And he had remote controlled it over, like, and he did

something where basically we were able to, like, correlate the,

the only what had happened because he had remote

desktop into it from his, like, campus,

portal account from some routes on campus. Right? So he had, like, use elsewhere on

campus, and he had, like, RDP'd, VNC'd, or whatever it was, into the box. And

we saw that flow, and then we can look up his logger for the original

machine. So it was only because we had like, otherwise, it would've been this ephemeral

IP that shows up, sends spam, is offline. Like, where in the world did that

come from? Right? So Investigations are happening within that week span of, like, when

you have Yeah. Like, I mean, we we got, like, spam a bunch of spam

complaints, like, immediately. We had headers, and we pulled the logs, and we know exactly

where the machine is. We can tell like, this ephemeral thing. The MAC address hasn't

been seen on a wired port before on campus, and, it's gone

again. But then I was, like, oh, we got this new, like, flow data. Let's

go look at it. We can see, sure enough, all the app on us in

DP, and then an inbound RDP, and it's, like, oh, hello

there. I was still disappointed that they apparently like, the guy was, like, not

really punished their that's a lawyer. They they really should have

the the rule book thrown at them. Like, they know better. Like and it was

clear that he knew what he was doing was not okay. Right? Because he he

went to great lengths to obfuscate what he was doing. Right? Like, he didn't just

do this from a machine he was logged in to. He intentionally wired into a

different network, controlled it remotely, and then and did it that way. So I was

a little disappointed that they didn't, the punishment wasn't wasn't particularly

severe, which was a little bit disappointed, but that's what it is.

Yeah. Interesting. Wow. Yeah. The, the my

experience of working at not working. Well, before working. So I was

at Georgia Tech at the Institute of Information Security and Privacy working, like,

a 150 servers for the PhD students that were, either

malware research or vulnerability research and No. Wait. Was that

Georgia Tech Lab the same one that just recently got, in a little bit,

like, the news for NIST 800-171,

stuff with the I don't know. I'm gonna reach out to you if I Google

Google Georgia Tech and NIST 800-171. It's for what it's worth. I'm on the university

side. That's a whole it's a long story. That's actually, that's a really separate interesting

topic about sort of, like, the over classification slash the creation of, like, this

new,

class of protected data called CUI or CDI, which is really, I think,

a problem for small businesses. Like, the big contractors love it because it's gonna

lock out small businesses from doing, defense contracting.

The here we go. CUI, Controlled Unclassified

Information. Is this a new standard or requirement? Yeah. So it's basically a new

requirement that, there was I forgot what it's it's an executive order that

basically was, like, the safeguarding defense material. Like, a lot of I mean, it

came from good intentions. Right? Like, after the, OPM breach and stuff like that,

where they're like, oh, we need to protect information.

The problem is, like, it's unclassified information, but they

still wanna, like, make sure it's taken care of well. And so they asked

NIST to write a whole bunch of, like, rules about,

like, how would you do good common sense practices. And, like, a lot of it's

fine, but the problem is just it's a 122 pages of government

specification that you don't have to read and conform to and, like,

do an audit or self-assess and attest. And, you know, it's

like, I I understand how to run a good secure network. But,

like, as a small company, I'm not gonna, like, clap on those

ankle irons to, like, slow down how I do development

or how my, you know, engineers work. So, like,

yes. Two factor auth and everything? Absolutely. Password change policies? Maybe

not yours because, like, there's a lot of debate as to what's a good password

policy, but, audit log and review, certain, like, you have to look

locked out. Yeah. It was just a bunch of stuff that you have to do

that makes makes contracting hard. Anyway, let me back up on my my

my bio for a second too. So, like, that was network defense at UF,

and I started playing Capture the Flag. And that's what, like, got me into offense.

I did. Yeah. So I started I went to, like, a SANS conference, like, when

I which I forgot what SANS course it was in Orlando, doing,

like, offensive security stuff. And I was like, oh, yeah. This stuff's fun. Again, I've

always wanted to, like always wanted to do it, but and this

is like a a legal way. Exactly. Exactly. And so, like, that was

super fun. In fact, one of my one of the people in the class was

was Atlas, a dear friend of mine to to this

day. And he, like, went on to play Defcon

CTF that next year. And I was like, dude, how did you like, I met

you. You were not that good. Like, no offense, man, but you were not that

good. He's like, no. Like, I did this whole boot camp. I guess somebody else

mentioned me. I wrote my first exploit and started, like, you know. And so he

kinda described this process, and I was like, I'm in.

It wasn't an official boot camp. It was more like a mentorship program, like, you

got somebody else to, like, just reach out. And he basically offered you the same

to me. He's like, hey. I'll I'll give you, like, some challenges. You can work

through it. Like, you can join I'm putting together a team. And, so we

we started a team and then we play so he he he

played as, like, a road. That was the last year that you could play as

an individual. You could show up and play as an individual at Defcon. From then

on out, last 20 something years,

There were still several 100. I mean, that would have been

actually, you know what? I have a, a, a Google Sheet where I

track the history of DEFCON CTF.

Yeah. I don't know if I've added this last year, but,

out here, it's history of Defcon CTF. Yeah. I'll drop a link, if there's a

yeah. Let's check here. Yeah. Yeah. I see it.

Alright. It says whisper backstage, but there you go. You should be able to see

that. So, let's see. So that would

have been so let's see. The first time I played Defcon CTF

was at the Alexis

Park in

2001. Yeah. So I played kind of a one off,

yeah, at DEFCON CTF. Like, I barely just turned 21

even. And, that was, like, pickup. It was a pickup game. You could

just walk in and sit down and, like, go. It was it was kinda wild

and crazy. Right? The

yeah. I mean, it was still a a oh goodness. I don't

know. Yeah. I mean, it was it so the Alexis Park as a hotel was,

like, very different. Right? Like, it was kind of, like, apartment style, like, hotels that

spread out, like, more resort style. And there was, like, literally a tent on

the roof. Like, can you imagine a Vegas? Like, a tent on the roof. That

was the year, like, Cult of the Dead Cow released, like, I think, BO2K

or something. And they announced that from from

one of the rooms. That was Dmitry Sklyarov, the

PDF. He reversed the year that they were, like, ROT13. Like, that

was their encryption, and, like, he was arrested by the FBI. That was that that

same year. ROT13 was the encryption? Yeah. It was basically

it was basically ROT it was a little more than that, but it was basically

ROT13. And then, like, he announced it, and then the FBI arrested them. And

then and people got a ton of flack, and Adobe's like, no. We're not pressing

charges because they don't like, they suddenly realized it was, like, against the, like, public

perception. But yeah. So it was Defcon 9, 2001. But then I I I didn't

go to it for the next couple of years. And then I came so then

Atlas was 2005 when he basically soloed, like, played as a as a

Ronin. And then it was 2006. That was the last year. 2006 was the

year you had to, like, qualify. The only way you could play was to qualify.

It was only teams that, only has teams. So that was the 1st

year I played, and we won that those

next 2 years. And I was also on the team that won in in

2009. So first year you're 3 You just like you you

didn't win, but you were you're getting No. We did. We did win. Yeah. We

actually yeah. I got lucky. Well and so I yeah. I got with smart people.

Right? So again, we had Atlas. We had Doc Brown. We had Burfra, like, a

bunch of really good people in the team. And,

so it was 7 or 8 of us. And yeah. It was like when that

was, like, really when it started to, like, evolve. Like, it

went from, like, it's all sort of own art form. Right? Like, DEF CON

became very kinda, like, more specialized, and, like, the game was getting tuned and tweaked,

and, like, people really kinda, like, honed in on what made Defcon CTF Defcon

CTF. And that was really, I think, when it when it even actually

the year before. I would say, 2005 is when it really started that process when

Kenshoto showed up to take it over. Oh, even Ghetto, you know, Hackers. Maybe 2004

began it, and then it but really the game as it existed in 2005,

2006, hasn't substantively

changed. The only real difference was, like, the CGC introduced brokered,

where basically, it it used to be you just got a server and you're root

you logged in and you defended your server. Right? And then there was some other

mechanisms that the organizers had. There was that This is for well, this is, like

yeah. So it's always been attack so the actually, the first 5 years or 6

years of it were, like, just kinda, like, show up and plug a machine in.

It was, like, really poorly structured. Like, plug a machine in and see what happens.

Like, that was the CTF. Yeah. Hack each other. Like, run some stuff, I guess.

It was it was a little little weird. And and it was it was the

last year at Ghetto Hackers and the 1st year at Kenshoto when they really

started to, like, no. No. No. We're gonna give you a VM image preconfigured. You

have these services. We've custom written like that happened really then and

started to kinda mature. And then really the only you know, there's been a lot

of changes in, like, OS or network or, you know, stuff over the years. There's

been a couple of new innovations like, King of the Hill style challenges,

where, like, it's you can iteratively, like, whoever solves it with the fewest bytes, and

then you can continually kinda do it. And so there's, like, a sort of a

separate style challenge. But mostly, it's been yeah. Attack-defense. You've got a

server, attack it, and defend it at the same time. So you're writing

patches for your binaries. You're you used to be able to put network firewalls in

place. That's part of the game that's changed. They sort of removed that. People got

too good. Like, people figured out too many generic defenses.

Right? Like, if I can just run my server, I'll just virtualize your

entire thing, lift it to something else, and then emulate it or put it in

any kind of thing that's doing syscall tracing, and I'll block all access to the

key file. Like, ta da. I've secured your server. This is so much of boring,

like, become Superman defenses. And so this the the changes lately

require you to submit your patch to your binary to the game infrastructure

that it's deployed for you. You're not root on your box, so you can't totally

rewrite. Yeah. And often, we'll limit the size of the patch or whatnot. So that's

the trend, the last few years post post CGC. Going

forward in this type of fashion? You know, it's different. I,

it's not better or worse. It's just different. I miss like, there was all sorts

of amazing shenanigans you could pull when you had a full real box in the

full shell. And, and as both an admin and an

attacker, it was so many you'd find things that other teams have forgot or teams

would have wrong permissions or it was all sorts of really cool stuff you

could do, and that's that's gone away, which is sad. But at the same time,

they kinda had to. Because like I said, too many teams had figured out these,

like, just generic Superman defenses that you just could never score them, and that's

really boring. Like, yeah, everybody can do one generic wrapper that just doesn't let

the key get read and then deploy to all their services and poof. You can't

now score on them like that. That's stupid. So, yeah, it's hard to

to to kinda strike that balance. But I do miss I do miss the shell

shunning. I that was my main specialty. I was really good at, like, just weird

oh, yeah. Shenanigans. I loved I loved that stuff. Like like,

when you're, when you're we could log into the scoreboard

using a key that they dropped on our box at the beginning of the game,

and the key existed in 2 places. Like, it was in a database that was

in the file on the file system, and no team

removed it in both places. Like, some people would, like, fix the file permissions to

make it not readable for the file, but they would forget the database. Some people

cleared the database, forgot the file. So we had, basically, everybody's login to their score

server, which, like, I could log in as them and score for them, I guess,

or I could log in you know, it's like, what what can you do on

that? Well, one of the things you could do is reset their overwrite token. Alright.

So you you have an overwrite token that when you exploit somebody to prove you

have write access, not just read access, right, you would take your overwrite token

and put it on top of the flag file, and the hypervisor, whatever's doing the

logging, would would detect that and be like, oh, okay. You get points for an

overwrite. Right? So it was just you could both steal a flag and overwrite or

some services maybe you could only overwrite. Right? Depending on the the challenge.

And, so we, for example, click the button

to, like, refresh the override key from School of Root and we would

watch them and wait till they notice. And, like, 45 minutes later, an hour later,

you see them all, like, looking around. Who who did? Who hit the button? No.

Who did the button? No. They go back to work. Wait till they're not paying

attention again. Do it again. So we denied them, like, overwrite points for

a period of time. Like, you can't, you know, you can't get that back. You've

missed that that that time with us. That was really fun. We also logged in

as a different team and gave them points from us because that was back in

the day where you had, 1st Blood. So the first person to score a particular

service got, like, an extra bonus points, and then it was just over time how

many time slots could you could you score in essentially. And so we intentionally gave

low ranking teams first blood against our services that they

hadn't actually done just to deny those points to other teams because we

knew we couldn't solve those challenges at the time, and we were we were afraid.

Yes. There's a bunch of shenanigans. Like, that one's actually a little questionable, I think,

in hindsight. We did ask the organizers at the time, and they were like and

they were like, well, you you did a hacking thing. You got everyone else's logins.

They didn't secure it properly, and you're using that to get an advantage. Like, it's

fair. So there and I I that one actually didn't matter in the end either,

guy, because it turned out that that none of the other teams were actually close

to solving the ones that we gave those points to. But, you know, sort of

defensively, we we thought it might be. So, yeah, I love that that side of

the the game. It was it was fun.

A lot of people have. Yeah. Absolutely. I never I again, I said, I was

always kinda straight. So, like, if I ever was do I love the shenanigans, but

I would always just ask. I'd be like, hey. I wanna do a thing. Can

I do a thing? And, you know, occasionally, they'd be like, yes. Occasionally, they'd be

like, no. Like, it's we've we've gotten both and so, like, there were years that

1 year, when, LegitBS was running at their 1st year, I think,

actually, like, denial of service attacks were kind of a thing. Like, it sort of

unintentionally opened the door to that. And usually, you don't let any DDoS because one,

DDoS is technically uninteresting. Right? And dumb. Like, yes, you can flood your

opponents. Nobody cares. Right? Like, that's not interesting. No. No. No points for

style. And so there's, like, a certain amount of things are just forbidden by rule

and if they catch you, they'll penalize you. And they sort

of, like, one team found a kinda cleverish way of doing a DOS

using infrastructure, and they allowed it, and we're, like, oh, fine. Well,

we have this other thing where we can half close a socket and spoof a

thing from somebody else and, like, trigger it, and it will cause them to flood

somebody else's traffic. Like, sounds like fair game. Right? And they were, like,

yeah. We did sort of open up the rules for that. We're sorry. And they

they ended up basically saying, like, no. You can't do that. We're gonna

give you some points. We're gonna have the other team that's doing the other thing

a little bit of points, and then just stop doing it. Right? So they gave

you a little points for a cool idea. No one can now do it. You

had the first person idea. And so, like, that was kinda how they how they

did it. I've seen people get kicked out because they cut cords though. When your

one team was so angry, they've literally went into under the table and cut another

team's cord. They were just, like, bad bad manner, and they were they were kicked

out of the they should've been kicked out of the whole whole convention, but at

the time, it was just they were kicked out of the CTF. There have been

people who who explicitly were denial-of-servicing

before that they were, like, stop it, knock it off and if you don't, we're

gonna kick you out. You're hosting now as well. Right? So you might be, doing

that and that's your host. So you're able to see a lot more of what's

behind the scenes now. Somewhat. Like, I I'm actually I'm so busy with

with so I'm I'm doing live CTF which is, like, sports casted

e sports commentary. Yeah. It was like a 4

hour video too. It was like, oh, it's, it's exhausting. Yeah. And we, thankfully

we have a team of people this year that groups grown a little bit. So

I like the 1st year I was literally on camera the entire time. But now

we can we can we can trade out. Yeah. I just like being, like, you

know, enthusiastic the entire time. Yeah. High energy

and, like, you're you're pretty exhausted by the end. But, I mean, it is it

is exciting. It's fun because you're legit watching some of the best hackers in the

world. You get to watch their screen live. It happens. So, like, it is it's

pretty great. But, like so I'm I'm, like, in with the organizer, you know, the

main, you know, Nautilus Institute team that's running it. I'm not officially

on the team. We do we just kinda like to do our live CTF stuff

sort of sort of separately. We just have enough nothing to worry about. We do

technically have access though to to what they're, to what they're doing. We, you know,

we we talk a fair amount. So we do hear some stuff, but we're just,

yeah, so busy with our little kind of side quest, that that I don't I

don't, I don't worry about that a whole lot. Anyway, I wanted to to go

well, and I'm kinda keeping keeping ear to things. But yeah. So,

like, so so CTF was, like, my my introduction into offense. Right?

That was where I was, like, okay. Cool. Like, this is this is fun. I

like write writing exploits. I like reverse engineering. I was starting reverse engineering at the

university for, like, malware analysis a little bit. Right? Like, I had an audit

copy back then. And I wasn't very good, but, like, I like the idea. Learning,

like, what resources were you using at the time to to start your reverse engineering

journey? I mean, at the time, I don't yeah. I don't remember a whole lot.

Just Here's the details. Right? Like Just kick off the office. No. Literally. I

have I have absolutely highlighted Intel books still sitting on my shelf at the

office, for, like, you know, it used to be a game to find who who

could find the most typos. There's a bunch of like little either typos or like

errors depending on which version of the books you had. And books they don't ever

they don't ever expect people to actually read them. And like they'll just have

like, oh, so this does the thing. Like, don't worry about it kind of thing.

It's like, I wanna learn. I think I think they do. I think they

do. Like, they did fix them. They would you could send them in send them

in, and they did, do a lot of editions of it. And I I don't

know if any of the typos that I found are still still there in the

the online versions. Because the same same docs are now. Still PDFs

online. But yeah. So I like, I literally I I just would

go through and and learn opcodes and, you know, look at

disassembly, look at look at decompilers. And,

I actually I I taught, an assembly language course at when I

was working at Raytheon. But yeah. So so the the story was I went from

network defense at at UF, Sharpen Capture the Flag, and then turn that

into a job at, a small company called

SI Govs, SI Government Solutions, which then Raytheon bought and they

became Raytheon SI, Raytheon CSI, Raytheon

CodEx, and now they're spot Nightwing is like the the company's had a million different

names. That's the origin of Nightwing? Yeah. Nightwing was well, so so

SI was is not is a part of of Nightwing. But

Nightwing Nightwing was, like, all of the cyber business that Raytheon had kinda spun

off. So it was a bigger business unit, but, like, a big chunk of it

is, yeah, is is is what was originally SI Government Solutions.

And they say government solutions, that was reverse engineering? It was all vulnerability

research, reverse engineering. There was a fair amount of tool dev and stuff as well.

The thing I loved about about SI, was that, like, back in the

day so even, like, several of the I'm not gonna call it explicitly. People I

was playing CTF against or with, at the time, we're working for

other defense contractors, and we're doing the same kind of work. Right? Like,

there were there were folks involved. And, so even some of the

CTF challenges came from, like, ideas or problems they had or stuff, which is really

fun to kinda, like, you know, find out about that. But the thing that

SI did really differently was and by the 3rd by my 3rd

year, of of winning, the 3rd one I had was with

basically a bunch of SI players. So I I switched kind of

from, the original team I was playing with, and and was playing with them.

And, SI had, like, this focus on tool development, like,

not just find the bugs or, you know, do whatever, but,

like, invested a lot of time into both, like, the analysis harnesses and the

fuzzing tool sets and, like, the fuzzing corpus and fuzzing harp like, was doing

more, like, infrastructure around it, which was really fun. So we actually had a pretty

good sized staff of, like, just raw developers. There's people building

tooling, and then we had it was kind of this internal split, which I think

now there was some some issues with that in terms of, like, the, you know,

the vulnerability research or hacker cool kids were kind of annoying and the developers were

like the adults in the room, like, y'all grow up. And now I'm the developer

going, oh, I'm so embarrassed about the way some of some of us behaved.

But, like, it was but it was great because we did have that that balance,

which I think a lot of a lot of companies didn't. And so that was

and yeah. So they hired me because I was doing tech writing for for magazines.

Yeah. So going to that, I I Yeah. I was reading that and then I

think, there's a talk that you gave recently in Germany at one of the institutions.

I Yeah. That video and I was like, how did you go from,

like, technical writing and say like, oh, I I wanna actually do this. And do

you just run to the manager? I'm like, okay. I'm your guy now. No. The

the funny thing is I didn't even know that was the plan. Like, literally

so what happened was I was, you know, I was playing CTF. I was getting

a security. And at the time, like, SI was like, how do we hire people

who can get clearances and write exploits? Right? Like, that's a pretty rare

it was people that you could write exploits, but maybe they weren't clearable or, you

know, vice versa. Exactly. And that's where our company, Top Cleared Recruiting,

comes in. Finding the right cybersecurity talent with the necessary clearances

can be a major hurdle. Did you know that it could take 8 to 15

months on average to hire somebody with a TS/SCI plus full-scope

poly? At Top Cleared Recruiting, we have a network of 1,300,000

cleared professionals ranging from CNO developers, reverse engineers,

and data scientists. Whether you're working on offensive operations or

data analysis, we connect you with the elite talent you need

fast. Visit TopClearedRecruiting.com, and let us help

you to find the perfect candidate already cleared and ready to

go.

This was in 2005 maybe or what what time frame is

this? Yeah. So this would have been, I think, 2007.

Right. Because it was my daughter was yeah. My daughter was 1. So that was

how I that's how I remember it. As I started, it was it was 2007.

I met a couple people. I can met somebody at at RSA. So I was

I at the university, I it was a there's a guy in town,

who was a writer for a bunch of different magazines, and he would kinda part

with the university because we had lots of data, lots of networks, you know, stuff

to test things on. And so he had a long standing partnership for just, like,

network gear to come in and test and work with them. And he started to

when when I was in security stuff, he said, oh, do you wanna write for

some of these magazines? I'm like, yeah. That sounds super fun. So, anyways, it turned

into, like, a sort of side side career of writing for, like,

InfoWorld and Information Week and a bunch of, like, computer

network computing magazine. Bunch of these are all, like, you know, out of print now.

Were these big ones at the time? At the time, they were they were they

were very well known. And they were, like, CMP was the parent company for a

bunch of them. They owned Black Hat at one point. I don't know if that

was still the case, but they were literally, like, bought. Black Hat, the conference was

owned by CMP Media. Yeah. Like, this big media publishing house. I don't I have

no idea if that's still the case, but I I know that, yeah, at one

point that was, they actually bought officially bought it out

from from Jeff. And so, yeah. So, I mean, it was, like

so I I went to, like, Defcon or Black Hat on, like, a press pass

for several years, because I was a I was a reporter. I went to RSA

on on a press pass, because I was it was actually, you know, writing for

magazines. And, in fact, I won, like, there was actually an

early prototype for, like, live CTF, like, a head to head competition

that the the precursor to SI govs was called SI, and

they actually split to do commercial stuff and SI govs went to the government stuff.

And so SI, Security Innovation, ran a,

like a thing at RSA where it's like a web hacking challenge where, like, you

were on screen and your screen's above your head, and you're competing with somebody else

and somebody's, like, with a mic, like, you know, heckling you and talking about what

you're doing and you're racing. I'm like, it's always very similar. It's really what inspired

a lot of the a lot of CTF stuff I've done since. And so I

won that and, like, the headline was, like, literally on slash. That was, like, you

know, network computing reporter when Yeah. With your press

badge, you're like, yeah. Blah blah blah blah. Who is this? Yeah. People were most

of all, like, Jeremiah Grossman at the time was I I became good friends with

him as a result of, like, like, he was he was, like, wait. Yeah. I

interviewed him for the magazine. He's, like, didn't you just, like, do that competition? I

was, like, well, I, like, I do real work too.

Like, but, you know, so I was doing writing. And so the yeah. SI gov

is basically I went down I wasn't even, like, in a formal interview. Like, I

just went to visit. Like, I had talked to them, or at least I didn't

know it was an interview. And, at the time they were maybe 30

people. They looked at my

resume and were like, Oh, he knows security stuff. He's writing for magazines. He'd make

a great tech writer. Taking our reports on vulnerabilities or things we're

doing for government report writing. He could do a really he'd be a really, really

good tech writer. But, like, nobody told me this, and I was like, yeah. I

wanna I wanna write exploits. This sounds great. So as soon as I started, like,

I was in the engineering group. I just they just assigned me to start doing

reverse engineering, start writing exploits, and I wrote my first, like, QuickTime exploit in the

1st, like, week. Because QuickTime, you could just sneeze that and it would fall over

back in the day. Started straight into it. Did you still have to write the

technical part where they wanted you to do? You're just like, oh, I'll do that

too, but then you're also No. Like, literally, the person who thought that never

talked to the engineering lead that I ended up with. I was just a straight

up, like, engineer. I mean, I did I did do some role that they were

looking for originally there. They hired somebody else. We don't really do. They did hire

somebody else. Yeah. No. It was literally, like, a while later that they admitted to

me. They're like, you know, we didn't originally hire you. I was like, what? Like,

I had no idea that that was the intention, but, like, the. Yeah. They,

so, I mean, I I did do some, you know, I did proposal writing and

some other kind of writing, but I was not like, there were other dedicated, tech

writers that were hired afterwards. That's crazy. I I'm trying to figure out if there's

any, like, lesson that, like, if any listeners, like, how do I, you know, get

my first really technical job? Yeah. Yeah. Yeah. Seriously, like, is there any lesson

you can come from that other than just, like, apply this a technical position

a technical writing position? I don't know. Yeah. But you ship you over? Type

confusion attack and you just get them to, you know, you just start doing the,

the other stuff. Like, I I will say, like, you know, a lot of a

lot of positions become what you make of it. Right? Like, no matter what your

role is, if you demonstrate the skill in something, I feel like you can you

can shove stuff around. I've seen I've seen that happen, you know, more often than

not, where somebody if you're if you're good at it, if you can do it,

just just do it. And the the company will will value it. So Let's let's

dive into that. I feel like some people might actually have questions. Maybe for a

beta, of course, getting the first role, but let's assume, like, they're in a company

and then they're like, okay, now I wanna go over to this this department. What

Yeah. Did you have you seen some people that have shifted over and like how

have they done it? Yeah. Yeah. I've seen I've seen it work, both ways too.

I've also seen people who are technical who get burnt out and go to non

technical roles too. Right? Like, and I think both are are healthy. Right? I've seen

people who are like, you know what? And and, like, for

example, like, QA, for example, can be, like, looked down upon, but really

good QA is super valuable. And so some people, like, find their fit

not doing your the development they were hired for, but in in QA or in

in tech writing or in these other stuff. And then other times, you know, you

see somebody who starts as a as a tech writer and then,

like, very quickly is just writing, you know, hand coding assembly, for

exploits. I yeah. I I don't know if there's,

like, a a manual or a map for it. For for me, I was just

I just did the things that I found fun. Like, if I liked it and

enjoyed it, I just did it when I was doing it. You know? So I

was at home. Yeah. Playing capture the flag and doing things. And when you're,

yeah, doing it, when you have the capability,

if you communicate with your with your your management, you're like, no. Like, this is

what I wanna do. I think I think a good manager too, you know,

like, right now, we have we have one on ones occasionally with with employees and,

like, we've sort of 2 different ones. We have, like, status of, like, what's your

on this project, and then we have a separate one that said let let's frequent

interval. It's just more just like, hey. What are you doing? Are you happy overall,

like, with what you're doing? But I think a good a good boss is, like,

your job is to, like, find out does this person wanna take on a leadership

role? Do they wanna take on more technical, less technical? Do they wanna like, they're

not happy with this part of the product they're working on? They wanna do less

of the Python API. They wanna see people else. Yeah. Whatever whatever it is.

But but I think it goes both ways. I think you as an engineer should

be communicating, what you wanna do. Now it's not always

gonna work out. Right? Sometimes you gotta every I've absolutely had to slog through things

I didn't wanna do because it just need to be done. Right? Like, that totally

happens. But, like, over a long enough time frame, don't, like, do

something you don't enjoy. Like, I've I've left my jobs when

they became not enjoyable or when something else presented itself. It's it was

it was, like, 7 to 8 years at the university. 7 to 8 years at

Raytheon. That's a long time. Yeah. In general, now in this world,

like, 2 And now year and a half, 2 years people are out. Yeah. And

now it's been 10 years for me at the current one, and I I don't

I this the role has changed. The company is growing. Things are, like, I'm still

so excited about Binary Ninja, what we're doing. We're starting this conference. Like, so,

like, I have no desire to go anywhere else. It's because I just yeah. You

know, it's it's a cliche, but, like, love what you do and you'll never work

a day in your life. Like, it's Yeah. Very true. I I'm just very, very

lucky that I've just always loved what I did and that could, you

know it paid the bills. Like, we're you know, pretty much makes sense. Let's let's

get in more into that. So you so the I wanna hear about the origin

of Vector 35 and, like, what was the deciding factor? It's

like, let's let's get into this. Let's start building this out and

grow. Mhmm. So so for us,

you know, I could we talked earlier, like, Binary Ninja was like the CTF tool.

Like, we were playing capture the flag a bunch inside the company, and that was

great because, you know, I just love playing capture the flag. It was both my

hobby, but then the skills directly translated when I was doing for work. We used

it for recruiting. Like, we would somebody interviewed me. Like, well, we can't really tell

you, like, exact technical examples of what we're doing. Like, we had multiple Pwnie

Award winners that weren't, like, the public version of the Pwnies. Like, they were,

like, we either beat a Pwnie Award winner to the research and just it was

never public or so, like, you can't, like, you know, show people what you're

doing or you're working for a government contractor, unfortunately. But, like, we could be, like,

yeah, but we won Defcon or we were 2nd place this year or and they

were, like, oh, like, okay. Like, you have legitimate skills. Like, that was, like, a

useful thing to indicate to people. Plus, it was just super fun. It was great

team building. It was great. Like, we tooled that. Like, we

built we built technologies for CTF that we were like,

know, actually, this would be really helpful for this, like, real world problem that we

have over here that we port or rewrite or adapt. I mean, much in the

same way. Again, Binary Ninja was a a sort of toy application

built for CTF, because I you know, it wasn't, at the time,

originally built to be a better decompiler than IDA, but it was meant

to be a faster patching tool and quicker analysis and for triage and, like,

you know, you didn't a lot of people still, back in the day, didn't trust

decompilation anyways. It was more of like a yeah. It's good when it's good, but

something's just wrong. And the, What's the premise on it now? Do people, like,

generally say, like, yeah. It's it's fine. Or they're like, I wanna write my own.

Like Yeah. I think right now, you're relatively foolish if

you never use a decompiler. Like, I mean, there's reasons where you can't because of

an architecture or whatever. But, like, yeah, people that started 20 years

ago, the decompilation quality wasn't very good. Like,

just I mean, and and that was amazing that it worked at all. But there

were all sorts of times where it would just be straight up wrong. Conditional's inverted,

code not shown, code shown, you know, like, just consistently wrong. And so like

the error rate was high enough that people would in fact, actually, I liken

a lot of like AI stuff to the same sort of thing where people are

like, yeah, AI is like wrong all the time. It's like, well, yeah, now. It's

super early. Yeah. I Right? Do the exact same thing. It's like we're we've gone

like through 1 year, and it's like we're already getting to the point of, like,

they're generating videos and images. They're already providing some value.

Yeah. Yeah. It's it's gonna be new wild west with

our guys. And so, like, you know, we're we've got Sidekick, which is our AI

based plugin for Binary Ninja. We've been working on actually originally, like, 4 or 5

years ago, we started it, internally as as research and finally launched it about a

year ago. So the LLM yourself, you guys just ChatGPT wrap? So we

started we started with all of our own models because there was no OpenAI at the

time, and we had, 6 different, like, sort of techniques or models. About, like, half

of them, we sort of threw out when when OpenAI came out because it was

just so much better. So we're, like, oh, we should not be trying to name

variables ourselves or summarize, like, decompiled code. Like, those two

things, we're gonna use the better models. But we

had thankfully, we had enough internal models that was, like, structure recovery and other things

that we were doing that were still better. And so we the

hybrid approach has worked really well for us. We have kind of kind of a

little bit of both. But, like, for people that are sort of, like, a skeptic

in reverse engineering in particular, I I liken it to the same thing as decompilers.

Like, do you use a decompiler now? And 9 times out of 10,

9.59 times out of 10, right, it's yes. Like, people use

decompilers because they're just so effective. Like, maybe you do both side by side, but

there's a reason that IDA, Binary Ninja, and Ghidra well, actually, I I might be

the only one that doesn't know. I think about this. Like, default to decompilation. Right?

But, like, to me, the default should be decompilation because it's just that

good. That should just be the default most users want. You could change it but,

like You know, this this actually this actually probably brings up a specific thing

in my learning of, like, reverse engineering because, like, I well, I started with

radare and then I went to IDA. I tried to do both. Yeah. Yeah. I

went to, r2con in, like, 2017, met pancake and

Mhmm. Had a great time. But yeah, like I I would use radare and

then I also like try to use IDA and I just never used decompilers because

I can start to defaulting by disassembly. I'm like, okay. Cool. Let me just learn

this. So Yeah. It was just straight assembly. You can you can tell when

somebody started their their career in reverse engineering based on what they default to. I really

do think it's a sort of generational thing. And then Model that people now especially

with the with the availability like Ghidra. Right? Because Ghidra has just, like, good

decompilation out of the box. And and we are gotten better about the in

fact, there's even you know, Cutter's got, like, the Ghidra integration and and for decompilation,

and it's an option now. But it sort of depends on, like, where

you started as to what you prefer. I see the reason that, like, even when

I'm debugging, I have, like, a separate debugger. I don't use Binary Ninja as a

debugger even though it supports it. I know a lot of people who don't use

IDA as a debugger even though it supports it because they're just used to, like,

a debugger and the decompilers being separate tooling. And maybe you'd sync your your

location or whatever, you know, but, like, so there there definitely, I

think, are are sort of, like, generational tells. Yeah. Using VS Code

versus Vim? Yeah. Yeah. I I use both. I use both.

Yeah. Yeah. Yeah. You install install the Neovim layer on

VS Code. Is there is there a layer on

that? Yeah. Yeah. You could tell the use, Neovim integrated into VS Code

and get full VIM bindings. It works quite well. Okay. There's very few things that

that I miss from, from real Vim. That's great. I use I

use Spacemacs for a while. I use LunarVim on the command line. Like,

I've tried a bunch of bunch of different ones, but so yeah. So, like, the

decompiling, I think, is I I think it makes sense that people are,

going to use it. And I think AI, ultimately, people will be using it more

and more. It but I I get why people are hesitant now because, like,

yeah, it hallucinates sometimes. This is wrong. And, like, the question is

how what does the error rate have to be before it's worth your time? And

it's just a default thing. You can change it. You can override it. Right? So,

like, at what point is it is it is it where

you're gonna be like, oh, nope. I'm just gonna leave this on by default. And

if it makes a mistake, it's fine. Like, no tool is perfect. No disassembler is

perfect. No. You know, even disassembly gets wrong sometimes. So,

there is an error rate. There's an error rate. And, like, it's also,

like, outside of it being, like, error or whatever, I

think like there will be the talk about like how some of them are

political or like like how they will have some political bias in some of

the things that they say or whatever the case. Even though like there's no factual

evidence to suggest one way or the other. A decompiler? No. No. No. I'm sorry.

I'm talking about AI. Alright. I'm really confused. I was really confused. I'm like, I

don't think my decompiler's got a full of compilers. Oh, yeah. Yeah. Yeah. No. Like

AIs for sure. For sure. I'm talking about like ChatGPT. A lot of the

people on one side will say like, oh, this is specifically

providing some type of information or, like, in in skewing. I think I think it

was what was it Bing's or, there's, like,

you you type in, like, the president, like, George Washington, and he would be black.

Like, it was Yeah. Yeah. Yeah. Yeah. Yeah. Yeah. Somebody was trying a little too

hard to to to kinda skew it. Yeah. I I, as a kid, I read

a lot of books from authors who I disagree with politically. And I think it's

super important that, like, you're able to, like, consume Do you want some of those

big references? I I don't wanna no. I don't

wanna highlight my bias too much. Well, I'll give you I can give you a

mixture of some I agree with and some I didn't. It ran it ran the

gamut from very, like, libertarian stuff from,

like the the Cobra series. I like all sci fi and fantasy stuff. The Cobra

series was really good, from such as these

dead, Timothy Zahn, maybe. And then L. E. Modesitt has

very, like, kind of more left leaning,

ecological and economic books that are that are great.

Like, I I like to read things from perspectives

that I don't always agree with because I just think that that's an important

skill in in society that we've that we've lost. So I I don't mind so

much. I think it's funny and stupid and silly when when the AIs are doing

and they're skewed that badly. But at the same time, like, again, if you can't

think for yourself, like, you know, like, grow up. It's okay.

You're not gonna agree with everybody whether it's an AI or not. Like, figure it

out. And so, you know, I think you wanna use caution and good

judgment, and, not trust,

the the things. But that, you know, that applies to everything. It applies to

news. It applies to, whatever. You know? Yeah.

So I I don't mind that so much. Like, I I think it's

it's dumb. I think it's definitely it's gonna self-correct. It already has, you know,

just to some degree. I think I think it's quite that crazy anymore, but no.

I I like that I like that that people have the option to do that

now. And I think that, like, that sort of balance of, like, you know, we're

gonna get a bunch and, I I do worry that it's a little bit of

a bubble. Right? And you're gonna get this sort sort of self reinforcing. I it's

an interesting idea if you've heard of, this is a heavy self reinforcing.

Yeah. Everything you say about ChatGPT, I wanna have this idea. That's a

great idea. There's never it never tells you it's a bad idea. Right. Like,

oh, the market's fucking really heavy right now. You might need like, you know, few

investors for this. It's like, yes, that's a terrific idea. Go for it. So it's

I don't know. It's it's never that like maybe you should do some more research

on this Like Yeah. Yeah. And so it's a little bit like the the the

sort of fallacy of, like, a ruler or a CEO that only has yes men.

Right? Like, that's what you surround yourself. So I and that's where I think that

people need to be need to be critical, and you need to,

like, embrace not conflict, but differences of opinion.

Even just like so, you know, back to to my company. You know, my cofounder

Peter is much more, like, growth focused and, like, future focused. And I'm much more

here and now focused and the vibes and the ride kind of thing. And so

it's a really healthy, tension between the 2

because, like, neither one at the extreme is healthy. Both can be extremely

unhealthy when when you go too far. And so I think that that's

really, really a good thing to to to look for in in a

in a cofounder. You want somebody you really can work with and you trust and,

you know, you have ultimately the same vision for, for the problem you're trying to

solve and the difference you're trying to make. But, like, not necessarily

having the same philosophy on how to get there, I think could be could be

really useful,

respectfully disagree, and you could figure it out and make a choice and move on

together and and kinda, like, you know, decide and go. And it's like I said,

it's 10 year 10 years in, still going strong. It's awesome. Businesses

generally don't last longer than a few years and, like, gets

yeah. It's amazing. I'd love to hear, like, a little bit more about where you

guys are at right now after 10 years in your journey. Yeah. What have you

guys been doing up to recently? And then we can talk about the future.

Yeah. Absolutely. So, you know, let me start at the

beginning because the goal was like, our stated goal was,

like, I I like IDA. I like Hex-Rays. I actually get along with the the

team there fairly well. I I'm I nominated, Ilfak for his

Pwnie lifetime Pwnie Award a few years ago because I just have a ton of

respect for what they do. But also, like, our our goal was to dethrone them.

Like, our goal was like, we really wanna take what we think we can we

can do this and, like, you know, I've I've I've told them this to their

face. It's not surprised they know and, you know, sort of wish I I think

the market as a whole will benefit from from healthy competition.

But, like, that was our that was our goal. We love that. Yeah. Yeah. That

was that was our goal. Right? Like, it's out of the out of the gate.

I wanted to I I thought they had not had enough competition and does

not force enough innovation out of them. They're seeing and now with Ghidra, Binary Ninja,

you're seeing them make tremendous changes to their pricing, to their product

lines, to they're really really finally reacting. It's gonna be like

$5,000 for a key for for IDA or something. Right? I mean, it's

actually it hasn't gotten cheaper unless you're a non commercial student or whatever.

Like, it actually is in fact, they're about to, I think, do their their,

subscription pricing, which they've been doing for a while too, which we'll see. I think

for some people, it'll be cheaper. For some people, it'll be more. The total cost

will probably go up. I mean, so, you know, they were acquired by PEO,

last year. Last year or years not long ago. And so, like, you know,

there's necessarily gonna be a return they're looking to get on that

investment. And so I think that's gonna make them, you know, make certain choices,

in in the market. But,

but but yeah. So that was kind of our goal. Like, we just feel like

this this market is like, we can we can disrupt it. We can really come

in, like, do something new and different, and we made some, you know, conscious design

changes and differences, in in how we built Binary Ninja, like, with the goal

of doing this. And then we had kind of along the way, like, okay. We

launched the collaboration version. We actually both IDA and Binary Ninja announced a

collaboration plugin, and then ours came out, like, a whole year in advance, basically, of

theirs. Like, we were much sooner to market. Because we had built that in we

from the beginning, we started the company, like, collaboration's gonna be a killer feature. We're

gonna put that in an enterprise version of Binary Ninja, and it took us 5

years or 6 years. But, like, we knew it from the beginning.

And so For people that don't know what the collaboration part is, what is that

exactly? Yeah. So it just I mean, much like, you know, with source code, you're

still, like, Git where you can, like, you know, work with multiple people and see

differences and merge changes and deconflict if there's conflicts.

That hasn't existed in the reverse engineering space. Ghidra, actually, it

was the really the first tool to market that had there were actually plugins that

tried to do it in IDA. They were very brittle. They would we used them

back at at at Raytheon. Like, they would corrupt your database consistently because it

was really wasn't it was, like, hacked on. It wasn't really part of the model

and didn't didn't work really well. And so Ghidra actually

had really had the first version of this, you know, the open source n s

NSA tool. And both now IDA and Binary Ninja have this where you

can, as a team, collaboratively reverse engineer, on the

same kind of kind of kind of binary remarking of different pieces of it.

And so that was, like, you know, sort of our first, like, new product beyond

just like Binary Ninja. And then we launched our Sidekick, the AI thing a year

ago, you know, and that was, like, another new product. And so we're we're at

a really good point now because it it took us 10 years. Like, it took

us 10 years to really get our decompilation quality, our features that our

architecture was kind of, like, to where it needed to be to really compete with

with with IDA originally and now and now Ghidra. And

so it feels really, like, we're the product is much is

finally at the maturity level it needs to be, where we can sort of

like, we're not like a superset. Right? Like, we have things that they don't have.

They still have, you know, some things that we don't have. We're working on them.

It's I think it's a small list now at this point. But,

but, like, now we can really start building on top of it in ways that

are more interesting and fun, and start solving new problems or problems in a different

way, and kinda push push beyond it. And so that's that's really exciting.

And like I said, I like that we've that was always the plan and we

we did that. Like we said, we did the collaboration, we did it with, you

know, with with AI integration. Our design of our ILs is this distinct

nobody has anything like that. And I think, you know, there's a lot of other

advantages like that, the API. So anyway, it feels like we're at a

point right now. We're seeing a ton of people switching. We really are

at a point now where a lot of folks are like. And and Ghidra

makes things tough just as a free price point, but I think having, better

UI, faster analysis, the real Python API, bindings for other different

languages, better better API, program analysis, the ILs in between, you know, all these other

things. People are like, okay. Yeah. This is the so, like, totally worth the the

1500. If you're a professional, $1500 for a tool that you spend, you

know, 6, 8 hours a day and it's like like, come on. Like, it's not even

that's it's underpriced. It really is. And you just have a student discount as well

for students that want Yeah. So we actually have about it. Right? A hobbyist license

for $300. So if you're, like, just somebody doing at home, it's $300 so you're

still professional but just in another field or whatever. And then we have a student

discount, and you can apply to either one those other two licenses. And that brings

it out to, like, $75 for the noncommercial student license,

and then, like, 350 or 400, I think, if you're, like, a student that wants

the there's a couple of features in in commercial

that that don't exist in in noncommercial, but, like, I think at this point,

there's only 2. We've actually that's another thing we do well. We said at the beginning.

We had a couple of features in commercial that we trickled down into noncommercial, which

I'm really, really pleased with. Like, it was like a a promise we made at

the beginning, and then we we delivered on it. We did over, like, every couple

years, we add new feature. We drop it down. In fact, for a while, they

were like, okay. We have to add a new feature in a commercial only. It's

worth, like, we run out of, like, things to, like, include.

So when we had a project support, we added that just a just a commercial.

But, yeah. And so, like, for, like, the vision,

kinda like where we're going and where we're at, I mean, the the question now

is, like, how big do we wanna be as a company? What is our you

know, 19 people, like, if we keep growing, we we need to now, like, kinda

restructure a look at that. Or do we try to keep, like, at a at

a flat size where we can, you know, stay this? Or do we try to,

like, you know, grow bigger but keep it do like a a Valve sort of

thing, right, where they notoriously have, like, a a a very flat no org chart

and yet a a bigger group. You know, what could that look like?

So that's, like, our sort of next thing is trying to figure out where do

we do, where do we go, and then we've got all these ideas for actually,

we are launching another new sort of product here pretty soon just in the I

don't we've even maybe public has said this before, but,

Oh, you're welcome to now if you want. Yeah. Yeah. Yeah. It is it is

that. It's still I mean, we're very transparent about it, but we've we've we've definitely

told told a number of folks individually. We started selling a couple

of architectures as separate architectures just in the last couple releases.

And that's different from us. So till the very beginning, we took, like, the Ghidra,

like, model of, like, every architecture. You can write your own. You can add your

own, fully extensible at one price. We didn't do the, like,

per architecture pricing that that IDA has always done for the decompilation.

And, we had a couple of people, like, reach out and be like, hey. Can

you build me an architecture for nanoMIPS? Like, I really want this.

But it, like, just wasn't popular enough that, like, it was

gonna justify itself by just a few extra $1500 purchases.

That makes sense. Right? So, like, we were like, well, like, if we do it,

we have to charge separately. This is the only way it makes sense. And so

the last two releases, and this will also be true in this release, we're

releasing one extra architecture in the in the all the products, and then one

architecture that's only a paid thing. One extra architecture, you know, makes really the same

thing. So to 2 architectures. We're basically gonna take all those paid

architectures. We were kind of charging them like a la carte, and we're instead just

gonna have, like, Binary Ninja Ultimate. We're gonna have, like, a new edition. It'll

be $3,000 instead of $1500, but it will include these more esoteric niche

embedded, TriCore, C-SKY, and nanoMIPS, and we're gonna add, some

some more as well in the future. So we are gonna have, like, that that

kinda comes soon. So that's kind of another thing that's on on the horizon. So

for the things that you're looking at in terms of, like, potential growth into the

company, are you guys looking at the number of users that are using it and

paying for on commercial side? Or are you guys also looking at government contracts

where you guys are bringing more money in through through that? Which one or both

of those avenues do you guys look at for KPIs? Yeah. That's a that's a

that's a good question. So our we don't wanna be too skewed,

basically. Right? Like, we so, yeah, to be clear too, we're we're getting we're fully

transparent about this. We've we've got some, like, research contracts essentially

that we're doing prototype development of of capabilities. So

we demoed, for example, Firmware Ninja, a few months ago on, like, one of

my live streams, which is a new plugin. It just does a bunch of firmware,

specific things, like automatically find MMIO and,

I don't even remember if I oh, it we actually one of the features that

we we built for that is now the base product, which is the automatic, base

address detection. So open up a firmware blob, and it just will try to

scan, find pointers, predict base addresses, guess them, check the the string

references and function references. Like, so it's, it will just find me the base

address. Right? This is a very useful feature. So that was actually originally

developed, for prototype on a on one of our research

contracts. So, you know, we don't do, like, vulnerability research or, like, you know,

we're not, like, using the tooling. Yeah. Exactly. It's more

like we we have done occasionally a couple of those contracts before. Actually, it tend

to be commercial as well too. Every now and then, we'll we'll pick up one

of those because it's it's nice to force yourself just to use the tool to

get things done occasionally and just and kinda keep the skills fresh. So very occasionally,

but we really don't usually we actually often turn down work work like

that. But, like, yeah, we've got a number of research contracts. We're building these prototypes.

And then if it works well, like, we still have the rights to be able

to ship the product or ship us a new plugin or a free plugin. So

several of our our architectures and plugins, you know, that we've released open source

were were, you know, basically funded on these research contracts in the past. So we

do have, you know, about half the company, doing

researchy things on that. Even though half the time there's research to think

just our features or plugins or stuff that goes you know, it's all all

Binary Ninja focused. So as long as we keep getting these contracts that are,

like, the government's happy to pay us to build a prototype for a thing that

we can then roll into the commercial product, we'll probably keep going. It's just funded

r and d. But we do yeah. We don't wanna exceed it too

much. If 80% of our team is just doing that kind of stuff and 20%

is doing product, that feels like an unhealthy split. So we really try to keep

it kinda kinda 50/50. That's really what difficult balancing act,

to the last 10 years of doing so. Right? It's been it's not been too

bad, because mostly, we we just say no to a lot of things. Like, people

will be like, oh, hey. There's this new contract. I want you to come help

me do this thing. We're like, well, if we don't have a good idea for

a Binja feature or analysis or plugin that we would build to solve that

problem, like, it doesn't make sense for it. Like, we just yeah. It was really

it give us a lot of clarity for the type of work that we do

and don't do. I think if you're just starting a general defense contractor, you're like,

you're like, hey. Whatever we can get, it's it's serve you know, it's just a

labor based contract, and you get your your, you know, markup on

top of that. And and yeah. Because we had this kind of very specific vision,

we just said no a fair amount, to things. Like, no. We're full or we're

good. Or even so now the work is good, and we're like, yeah. But we

don't have the people to do it, and I don't wanna, like, lower the bar,

and I just hire anybody just to get it done. Like, we're we, you know,

very beneficial about our growth. And so so some of that limits us,

that limits us as well. So it's kinda a case by case basis. It depends

on the contracts. It depends on what comes up. It depends on,

yeah. And but and then, you know, how the how the sales are going. All

I would love to be able to just just do the product. Right? And let

the contracts kinda go. Because even at their best, they're still you gotta do

monthly reports and, you know, invoicing. Like, it it's

kinda nice to just have a product where you're just sort of, like, it's separate

from, like, development and the the road map, and you can just as long as

people still kinda buy and renew, you just keep going, keep building and adding stuff.

Whereas, you don't have quite as much flexibility to contracts, but

it's worked so well and, you know, everyone's as every kind of wins, the government

gets, like, a prototype that a lot of these, like, research contracts,

it's like a one off thing that doesn't go anywhere, never transitions, nothing ever happens

to it. It's, like, mostly DARPA work too to to to be clear. Like, a

lot of these a lot of the work that we've done. And,

it's nice that we are able to, like, have it be something that will be

around for 5 or 10 years. Right? Like, they have a a sense that Right.

Any built up on Binary Ninja is gonna last. It's not gonna be like this one

off prototype, which happens unfortunately more times than than, you

know, you might like as a citizen when the government pays for some research that,

like, this contract when they built the thing and then it disappears. Nothing ever happens.

So it happens far too often. And so when they when they purchase

your guys' research and then of a prototype or something and you guys integrate into

your tool, do they then purchase your tool, afterwards?

So so when it's DARPA, not necessarily. Right? Because their whole job is to, like,

cause it to happen and then it's other people within the government that they want.

Like, their job is just to get the DOD or other people

in the the government to to be using the research that they develop. They

don't aren't direct consumers of, and they might use it like in some follow on

research contract or something. But generally, like, DARPA wins

if they get a bunch of other groups within the government using

the things they've developed. If they transition and it now is a follow on contract

in the Navy or the Air Force or whoever, whatever has, like, some other

contract that they will sign to get you to, like, continue to do that thing

or just buy if you're yeah. They're buying Miner Ninja, and then the thing that

the research contract paid for is now available as a plug in. That's even better

for them because it's cheaper than a government contract. Right? So Right. Yeah. Like, that's

what winning looks like for them to a large extent. If they're if they're really

improving this data, if they're solving problems that their community has and and getting

that stuff actively into the hands of of other government people.

Got it. So, what what's next for Vector 35? And what's

gonna be on the road map for the next how how deep do you guys

look? You got, like, 1 year, 2 years, 5 years, 10 years?

So, I mean, on the one hand, we have had, like, you know,

Sidekick has been a 5 year thing. We knew 5 years ago, we were gonna

have a some AI based thing. And what was that gonna look like, and how's

it gonna work? And let's just go plug it away. So for the 1st 3

years internally, and then finally get some customers to get prototype and, you know, iterate

on it. So sometimes we have we have stuff like that out there. We have

right now on our road map, I feel like it's a little more near term

than it's ever been just because we're kind of, like, we've been burned through a

lot of this stuff. Mhmm. And and so now it really becomes a

question of, like, we have a lot of ideas for business problems we could

solve with our technology. And do we now

pivot or do we license or do we work with other companies to, like,

build, you know, wrap binary inside of other products,

or or sell an enterprise security product that is been powered

in in some way. Do we do that? Do we partner? Do we license? Like,

what does that look like? So that's something that we're continually

kinda kinda tinkering with and talking to folks, and we've had several different kind of,

you know, experiments like and we build it from the beginning to do that. Like,

from the very beginning, Binja is just a library that you can, like, easily wrap,

and so that's that's really I like IDA has 9.0 coming with, so it's gonna

have headless mode. Like, that's been, like, 10 years ago. That was that

was a part of the core design. Right? And it's first class. It works great

like that. We have one API. We don't have, like, a public private API, and,

and so it really it it works well for for exactly situations like

that. So, yeah, we might see some some integrations of

partnerships. You know, I think there's a lot of

there's a lot more to be done in terms of integrating AI. I think we

are absolutely the most mature thing in the space. Like, most the other like, any

other AI plugins. Like, well, we decompiled it and we copied and paste the decompilation

into an LLM, then we asked the question. Like, okay. That's cute. But that's not,

like, really you know, that's just the very, very beginning.

We have a lot more deep integrations already, but I think we've we're still barely

scratching the surface. You know, how can we integrate an LLM, for

example, into changing 2 things that are equivalent

into the one that's more readable. Right? If I have an if statement or if

I have a switch statement, now I'm reordering the blocks and things like you can

do is a lot of things you can do to improve readability that

are, semantically equivalent, like, they're they're the same thing, but, like,

one of them just more intuitive or more readable. Little stuff like, you know, is

it less than or, is it greater than or equal to, to 1 or is

it greater than 0. Right? Like, which one is more understandable? Well, it depends

on the context of what the thing you're talking about is, and whether it's in

Erika, you know, there I don't know. It depends. And so that's where I feel

like that there's a lot of interesting things potentially that we can leverage, machine

learning and integrate it more deeply into the the

decompilation, like, at different stages of analysis, which is also where, like, our

exposed, ILs and, like, the

stack of them that we have make us really well suited towards that. So I

think that's that's gonna be particularly interesting, but we were really worried about export

controls on decompiler technology, and then the NSA open source to put on

GitHub either. We're like, okay. Oh, we should be fine. Yeah.

Clearly clearly, the the government doesn't think that this is a,

export control technology if they're open sourcing it on GitHub. So, so

that was actually that was that was kinda great. Yeah. In terms of AI, I

I don't think so. I you know, we'll we'll see what happens with it. But

Yeah. Let's let me ask you a little bit more about the the most difficult

challenges you had in Vector 35, like, as an entrepreneur

and shifting from very, very technical.

I mean, you've been a technical lead as well. So you've been able to have

different types of leadership as well. But there's there's, like, a mentality

shift of, like, okay, I'm a technical person. Now I gotta put on my business

hat and then the sales hat and then, like, how has that been in

that transition? And what are some of the challenges that you've faced as the

entrepreneur or the cofounder of your company? Yeah. I think some of the hardest

things for us were around pricing and marketing. Pricing and

marketing? What does that look like? We have zero experience

competitors out there to be like, okay, we know them and them. That's like, yeah.

Right? Yeah. Yeah. We've got Ghidra and Hex-Rays. That's that's exactly it. One's

free. And the other one's been around for 30 years. Like, okay, what does this

look like? So I, I think it's, you know, this is one where, where, you

know, we can read books, but like, I don't know how much their advice is

really all that relevant a lot of the time. And so that's been super

challenging figuring out how we do our, you know, there's definitely, there was certain bits

of advice we got like, that sounds good. Let's try that. Like, never discount. Like,

you know, there's a lot of different theories in discounting or whatever. And I think

there's sort of 2 ways either you really bake in discounting and have a, you

know, a high initial price and then you can, you know, segment your market that

way with with discounts of sales and you can get people or just never ever

discount at all because that way people know that's just the price and that's just

locked in, and we've kind of gone on that route. But I don't think it's

this inherently right or wrong. I just we're like, yeah. That sounds good, and it

also sounds easier because I don't like negotiating them too hard. Like, I'll just give

things away. So, like, just just lock it in.

So I think, like, for and yeah. Pricing in particular as we move to the

higher ends of the market, move to our enterprise tier and and some, you know,

more much more expensive versions, like, dealing with business sales practices that we're

still figuring that out and still learning. You have to negotiate

on you know, at the lower price point. I will say one of the lessons

we learned, I wish we'd learned earlier is when I'm selling a $1500

license, don't negotiate ever on anything. No. Like,

we would have companies early on, but, well, we can't agree to your standard EULA.

You need to sign our custom terms. And I would I would read them or

I would hire my, like, outside consultant contractor, my lawyer to, like, review the thing.

And it's like, no. If you don't spend so now we have a minimum and

we keep raising it. Right? It's like $15,000 now. If you're not spending $15,000,

I will not review your terms. Take it or leave it. Because 9 times out

of 10, they're gonna take it. Like, they just want Binary Ninja, and they're gonna

get them a reseller or somebody else or go down for. Right? It's it's not

even so much that they will go down. It's just that there's parts of, like,

you know, the engineer just wants it, and then there's the purchasing department that just

has all the stuff that they're required to do and required to try to to

to make people agree to. And so, yeah, they want you to agree to all

this stuff. And so we just say, like, nope. This is our policy. We will

not fill out your paperwork below a certain dollar threshold. That was liberating. That was

so huge because that freed up so much of our time that we were wasting.

Like, it is I remember in particular, there was one large financial,

a very large well known financial,

bank that's, it also was very British.

It really narrow really narrows it down. Yeah. But

they Bank. We had there was some good

engineers and some people I really respected, like, in the

engineering, but I've never worked with a more dysfunctional purchasing system. Like

in the course of them buying a product, it's like 6 to 9 months.

And it feel like it would turn out Is that normal? No,

no, no, no, no. Very, very few. Right? And and, I mean, if you're selling

a $100,000 or several $100,000, sure. 6 to 9 months.

Okay? And you got the negotiation, whatever. And they bought 2 licenses. So they paid,

like, $3,000. Right? To be clear. Maybe me at the time, maybe even have been.

Right? Alright. Like, you put your credit card and go swipe it and move on.

Like, what are you guys doing? And this is where we first were like, this

is insane. What are we doing? Because we literally have email threads of over a

100 emails of, like, this back and forth. And what happened is the person that

purchasing would quit. A new person would come. We would have to reteach them everything

we had already taught the old person because they can't read the email thread apparently.

And, like, it was the most painful they want us to agree to their

their human rights violations ethics documents. Like, you as a subcontractor. I'm like,

I'm not a subcontractor. You're just licensing my software. Please just purchase

and move on. But they literally wanted, like, hundreds of pages of, like, documentation

read and approved. And and and that was the last one where I was

like, never again. No. I'm not even go I will not even

look at your paperwork below this threshold. And even above that, I'm much more willing

to just be like, nope. Have you calculated the amount of time and hours, like,

it took for you guys to I $6,000 deal? Refused

to because it would be depressing. We learned we lost a lot of money. And

it was like, not even 6. It was less. Right? So, like, yeah, it, it,

it was, that was, that was a really important lesson to learn is it's at

the beginning, you feel like every sale super matters and you have to get everything

in that, you know, you you do. But like also and it helped for

us to be cheaper too. Right? Because we didn't come out of the gate with

a 6 figure or 5 figure product at the beginning. We were 3 or, you

know, 4 digits, initially. That helped a lot too. It's

it's the realization that, like, wait. Why would we bother to no. We're just not

gonna do that. That was that was probably the most important lesson I think that

that we learned. And I wish I wish we would have done it sooner because

it would have saved a lot of headache with that particular organization. Yeah.

A lot of people, though, looking in market share by releasing a product for

cheap or free. I think that's what PayPal did and they Absolutely. The market

went on eBay. And then by the time they integrate integrated,

like, 2%, 3% fee, then everyone have already been started using it.

They were like Yeah. So that depends exactly on your pricing strategy. Right? Like, if

you are gonna start with just enterprise deals and sales where you're you're 5 or

6 from the beginning digits, you know, sales, then you don't really have that

flexibility. Like, you're gonna have to deal with the lawyers and the purchasing department contracts.

So it's gonna take 6 to 9 months, and that's just I mean, depending on

exactly where in that, like, lower fives, maybe not, depends on,

depends on who who you're you're selling to. But that's definitely something that that

that we've we've we've we've had to learn. What have been some of your, like,

biggest contracts, that that you've gone through and worked on in

terms of, like, selling in bulk for you guys' software?

I think we have a a particular telecom company, which

kinda out of the blue reached out and got, like, 40 licenses a couple years

ago, which is a pretty large one. We have

nowadays, it's larger, not so much in total seats of licenses, but

it'll be like an enterprise customer with, like, 10 floating licenses. Right? So I don't

they could have 50 people. They could have 10 people. I don't know exactly how

big they are. But they're but they're buying the enterprise with floating

licenses and so it's a much higher price point, it's a higher support tier. Is

the majority of the the revenue on the product side

commercial versus non commercial?

So historic oh, you know, I should pull I should pull that spreadsheet

up. Let me see here. We do

have a like an active license count that shows that the

splits between commercial versus noncommercial. And this

and this is interesting too, especially when you when you look at, like,

Ghidra's impact to the market too. Right? Because, you know, our sort of, like,

part of our game plan yeah. Part of our part of our game plan initially

was, like, look, if we just get students and hobbyists and just

wait, we'll take over. That was 100% our strategy.

Right? It gets the item from the very beginning. And then that is where really

Ghidra really hurt us the most. Right? Now there are absolutely professional and corporate

environments. They're still using it and we're we're kind of competing with because again free

is hard to compete with. But, like, yeah, that was

where, like, we like, 1 year, like, CSAW as, you know, CTF for

for students. It was, like, Binja was, like, taking over, and I was so excited.

The next year, it was, like, all Ghidra. And actually, after that, ironically, it

was actually back to, like, IDA and Ghidra, because it was more it's, kinda, more

chaotic. It was sort of a mix, which is interesting, as as things change.

But, yeah. That's where, like, it can really making sure that

we're active. The student discount has helped a bunch, and so we do

we have a surprising volume of, student discounts. We've really thought about,

like, should students be free? Should we just get free student licenses? We've really wrestled

with that. Yeah. Like, incorporating it into,

like like, education systems or or institutions where the teacher

then utilizes it and teaches it with it. So that way, upon leaving,

everyone's already using it. You know? Yeah. And like I said, early on, that was

our sort of strategy, but we didn't make it totally free. We still made it

cost something cost because I I just sort of ended. I'm kind of a stickler

on, like, I wanted to have some value, in particular if you're a student. If

it's super discounted and you get a student discount, but you've paid your real money

on it, you're gonna put the time in to actually use it and evaluate it.

And if it's just, like, oh, just totally free, well, more

likely. You're you're much more likely to because that money is much that money has,

like, real value to you for the most part. Like, you I would say. That

was, like, $75 you had to pay. You know, that's that's a that's a PS

5 game. Right? So, like Yeah. You know, that like, I I at least

that's theoretically. That's my that's my logic on why we we still

charge. And and, like, so we have,

about 1.5 times

the commercial licenses and noncommercial licenses.

Okay. So you guys are heavy in noncommercial. So we have more noncommercial. But, again,

by revenue, commercial is way more. Right? Because commercial is 2 x.

Right. The or no more than that way more than that. It is like, 4

x. Like, it used to be 2 x at one point, and we just randomly

doubled the price of commercial, left noncommercial alone. And we're like, let's see what happens.

I do think there are a lot of, commercial company. We we'll see a commercial

email go bought fast on a noncommercial license occasionally, and we'll shoot them a note

and be like, just so you know, like, you're using it. Like, you it might

be fine because depending on the the terms of, like, how you're using it, you

you can use it at work. And we have, like, specific terms, like, describe, like,

okay. This is considered commercial. It's considered not commercial. We'll

just kinda kinda let people know. But, but yeah. And it

actually it looks like it looks like noncommercial continues to

actually grow at a faster rate than commercial, which is interesting. So that's been

even in the face of Ghidra kinda flat for a while, and then it's it

sort of picked up again post Ghidra. Can you see, like, the

the the point when, like, Ghidra was there and then if you guys grew was

pretty much the same or dipped? Oh, yeah. No. It totally it

was about 6 to 9 months of flat growth, like, no growth whatsoever.

Right? So yeah. Yeah. Yeah. We went for, like, 10, 20%, like, consistent growth.

Feeling and thinking at that time? Well,

that was that was the time which we took on a very small outside investment

for equity just for, like, 5% of the company in just so we

have more in the bank because we were really worried about, like, do we need,

in hindsight, we didn't need to do that. So it wasn't,

wasn't totally required, but we thought that maybe we would.

And so we we kept a little more kind of in the coffers.

Would you advise, entrepreneurs to

to do that same move or maybe adjust? Yeah. That's be

different. That's so hard to say. Right? Like, you know, our

product was technically far enough along that we looked at Ghidra and we thought, okay.

I think we can weather this. Like, if that happened a year even a year

or 2 earlier, we probably wouldn't have been able to. But we had, you

know, 6 years of of development. The product was already mature enough. We had, you

know, enough things out there. Like, okay. I think we have enough advantages over

it. But, it was, yeah, it was it was

a little it was it was very concerning for sure. We were we're definitely kinda

keeping an eye out for it. I you know, I feel like every situation is

different. Whether you should be pivoting, whether you should it depends on what, like, we're

like, Binja is our our baby. It's our passion. It's why we, like, we could

be making way more money, like, working for any of the

major tech companies. Like, everybody at my company is highly

skilled. We're very good at development, reversing their security. Like, we have skill sets

that could actively double our salary maybe

somewhere else. Like, no question. But, like, we all

really like what we're doing, and, like, who we're

doing it with, what the problems we're getting to solve. And, you know, like, as

the product is better, we get bigger bonuses. Right? So the goal of the dream

has always been, like, well, just get, like, more product sales, without growing the size

of the team, and then we can just continue to to bump everybody's salary up,

which is, you know, this year is looking is looking really good for. So it's

been nice to to, you know, see that kinda dream coming to to fruition.

So we're we're gonna keep doing it. We've talked

about the the origins. We've talked about the what's happening right now.

We've also talked about the future. What's the future for you? What what

what are you what are you gonna do in the next 5 to 10 years?

Yeah. I I really took a it surprised me last year

when it was, like, you know, eight and a half years. I was like, oh,

wait a minute. Didn't I leave my last few jobs after 7 years? And,

like, am I Was that like a wake up or, like, am I gonna do

it again kind of thing? It was just to, like yeah. Like, me, I took

stock. Right? I stepped back. I was like, okay. Is this what I wanna keep

doing? And the answer was absolutely. Like, I really I wanna keep doing this. Like,

I'm not, I don't feel like we've solved the problem. Like, IDA is still the

major dominant tool. You know, technically, there's still problems that I wanna

solve. I think we're the product itself is at a spot

where it can now, replace IDA for the vast majority of users. And

so now we just gotta go, like, show everybody. Like, convince them and, like, demonstrate

it and be like, hey. Listen. You can you get all these advantages. Let's let's

let's get everybody switched. And so that's super exciting. Like, I

feel like we we've done some of the hardest work and now we can reap

the rewards. But I also don't feel bored. Like, I feel like, you know, we're

launching a conference just next year. Tell us more about the conference. Where's

it gonna be? What's it gonna be about? Speaker, CFP So sort of thing.

Yeah. Re-verse, re-verse.io

is, is the conference name. We just yesterday put the

website live and, the the CFP is open starting

immediately. You can go submit your your talks, please. Submit talks. It's gonna be in

Orlando, Florida, March, sorry. February 28th to March

1st is the conference. In hindsight, we really hate that it splits. It's really annoying

to have to split 2 months for the the date, but it was it was

very weekend for the hotel. So, it's it's it's a little bit

like Infiltrate, really. We just took a lot of inspiration from, like, how Infiltrate was

run. How did you run? There was a an event. In fact, we

hired the event coordinator in Belinda who ran outside event.

So, yeah, we very much were like, oh, hey, Linda. You wanna you wanna go

do this? And she was excited because she loved she loved Infiltrate, the community, the

people involved. So it's gonna be, it's gonna be more reverse engineering focused. The Infiltrate

was very offensive, security focused, so exploits vulnerability research. Ours will

have some of that, but it'll have also malware analysis and hardware reverse you know,

reverse engineering will be a little bit more just reverse engineering. It's not BinjaCon.

So to be clear, like, you know, several of our trainers are using Ghidra. Talks

can use either a Ghidra or a Ghidra. Like, that's totally fine. We're not,

not just trying to show show Binary Ninja here. We want literally the

best, you know, the research and presentations. But but the thing that that

Infiltrate did 2 things really well. 1,

like, the hotel, the food, everything was top notch. It was really

well done. We're going to have really good, like,

logistics and planning, and you didn't so Infiltrate was in South

Beach. You didn't leave the hotel because everybody stayed there. There was meals

there. There was, like, big gatherings out in the open lawn, which is beautiful in

Florida in February. Right? It was, like, a nice time of year to be outside.

And so, you know, it was really a good time

for, like, just connecting with other people that were at the conference. Like, it was

very, like, close knit. And that sort of vibe, I

think, is really, really important. And then the second thing that Infiltrate did super well,

which I thought was great, is not a lot of conferences forced dry

runs beforehand of the presenters. Every accepted speaker has to do a

dry run a month before the talk, the actual conference, and

then the review board or the conference organizer gets

basically a feedback. I'm like, oh, you should do this, or what about this question,

or what about this, or, you know, this slide is hard to read, or, like,

just all that stuff. And so just that little I mean, just having

me being forced to have your slides done in advance is a little bit

right. Just like you're always making changes, but if you have an internal deadline that's

earlier than the conference, because if you know, I do this all the time. If

I have a deadline, I will, right up to that deadline, be working on it.

But by forcing people to do it earlier, you just get so much higher quality

presentations. And so that's another another thing that we're we're we're

bringing back as well is I really I really there's just a ton about you.

And even as somebody who present a ton, like, I'm a very good presenter. I

can off the cuff, I can just do something quickly live. I could put together

the week before. It'll be a a good presentation. It's still important

to have had that earlier deadline to go through and try run it once. And

so, like, I'm not gonna name names. I remember somebody, like, do you knew who

I am? Like, your presentation's all the time back during the Infiltrate days, basically, was

was saying this for that process. And sorry. Like, this is

to your benefit as well as the audience's. Everybody wins when when you

have to do this. So yeah. You said that you wanna keep it

very community and tight knit. Is there, like, a certain number of tickets you're gonna

sell? We we, OffensiveCon, and there's only a certain amount of

tickets that always sold. Yeah. So OffensiveCon sells out real fast. OffensiveCon, I

think, is about 600. So they're a little bit bigger for our 1st year. We're

we're sticking it at even 400. So even a little bit smaller than that.

And so I'd rather sell out and really have it be be

tight. We might if there's a ton of interest that sells out, well, you know,

we'll see. We could go a little bit. The space we're in could actually grow

much bigger. But, like, you know, probably because it was our 1st year, probably just

because again, yeah. Like, I don't want it to be some huge Defcon like experience.

Like, Defcon is fun for other reasons, but it's not a community. Right? It's

hundreds of communities that are all kinda, like, you know, colocated. That's

probably a better way to put it. I I would say that Defcon is a

community just because of the comparison to Black Hat. Like, I don't Sure. That's

fair. Feels about community at all, but Defcon does feel. But you're a

100% right that the micro communities are not the size of what Defcon used

to be. Exactly. All the villages itself. Right? Oh, yeah. No. Every

village there is is as big or bigger than, like, that It's its own conference

at that point. So Yeah. They they have their own agendas and track and speakers

and awards, and, like, they they're a 100%. It's dozens of

separate cons kind of kind of in one. So Yes. Yeah. But this

is this is meant to be kinda small. It's meant to be, sort of more

boutique, really, really nice high end. It's also Florida in the summer, which is a

great time to visit right near Disney and Just in the summer? You said Yes.

Not in the summer. No. Sorry. Not summer. It's no. Florida in the summer is

when the worst time to visit because it's too hot. Yes. Florida in the winter

when it's a great time to get out of cold climates and come visit Florida.

So Track 1 track, 2 tracks. One track. Yeah.

One track for now. I remain really skeptical

of 2 tracks. I love again, product community, knowing everybody is there for the same

talk and the same thing. Same talk. Yeah. Maybe we could do some fireside or

some workshops, some other thing eventually. But I think for 1st year in particular, we're

gonna keep it simple. I I like One Track. And if there's a topic you're

not interested in, well, you can go outside, and that's a good time to talk

to people. And, but just knowing that everybody is is sort

of there for the the same stuff, I think is I think is is valuable.

So that's part of the part of the appeal. What you know, little other

stuff that, like, a viewing room outside, right, where you can also listen to the

talk, not in the main conference room. You wanna talk to people, but you still

wanna hear the talk that's going on or occasionally tune in. OffensiveCon does, like, great.

I think that's another thing that we we love. You know, so there's a lot

of little stuff we've been thinking about. We've been talking about doing this for for

since we started the company. It's really been something we've been toying with. Yeah. Move

for you guys. It's a very exciting thing to to be doing. Feels like it's

it's time. Yeah. We're we're we're ready to do it. So, hopefully, we'll and it's

it's just there's been, you know, a lot of conferences in the US have shut

down. ShmooCon last year is is coming up. Yeah. Infiltrate. Oh, they're just

burnt out, I think. They've been running that thing for so long. Right? Yeah. Yeah.

Yeah. Yeah. Yeah. I know. I like it. And, actually, I ran the CTF for,

like, 6 years, back in the day with with Heidi and Bruce. They're fantastic to

work with, but it is just a huge investment of of

energy and, time and they're, you know, they run is like a it's a nonprofit

too. And so, it's like their their

laborer's costs are covered, but, like, every year they sort of start fresh, kind of,

with with the budget and with, you know, just yeah. It's

it's just a ton of work. They've done it. It's been a very good

benefit. So there's DistroCon too, I wanna shout out. There's another conference starting up

actually just a week before ours in DC, which they're kinda trying to, like,

inherit the ShmooCon mantle. We kinda wanna inherit the Infiltrate mantle. So that's that's

kind of the the, you know, but I think both are needed. I think there's

a lot of value in, in more cons in the US because

Hexacon, OffensiveCon, REcon, a lot of the best conferences right now are not

in the US. So I'd love to At least offensively. Kinda return that. Reverse

engineering. Yeah. Yeah. Yeah. Even even, like,

just the kind of a, you know, technical detailed depth, like, there's BSides.

And in the US, like, you just don't see as many as many conferences I

feel like. Oh, you have a massive amount of BSides. Sometimes you

get good technical talks. You do. But, like, I sometimes say, you don't have, like,

the like, I just feel like if you look at top infosec

conferences, Black Hat and Defcon are really some

of the only ones you see in the US. It's just not can you think

I yeah. What can you think of? Like, can you think of a good

really I mean, Summercon is more of a drinking con. It's fantastic and

fun, but it's not, you know, the it's explicitly not the highest

technical content, talks. It's a you know, another we're

actually talking about, like, conferences and talks and and and, other places to go

drink at, like, it's really divided between because I've I've given

talks nationally and internationally at, you

know, conferences, but then also at camps. So like Yes. And it also depends on

the the the audience that you're looking for, right? So if you're talking and I

think it's like split between like, commercial based

things, government based things, and then more grassroots,

Yeah, Yeah. Community. Exactly. Hacker. The old school. Yeah. What Defcon

was a long time ago and hasn't been for years. Like the fact that, like,

there's sponsors being tweeted out for I literally tweeted those recently. Like how weird it

is that, like, Defcon villages tweet out sponsor lists. And this is

bizarre to me when, like, you know, corporate logos were

anathema for the longest time at DEF CON. It really was, you know,

a counterculture thing. And it it clearly hasn't been for you know, it's just it's

changed so much. And again, I don't make it as as a judgment. I don't

think there's it's inherently better or it's just very different than than it

used to be. Are you guys having sponsors at your guys' conference? We we do.

In fact, we already have, 4 that like, it's crazy to me. We actually 4

signed up before we even launched the website. People who are like, yes. We're excited

for a conference. So we've got Binarly as our platinum sponsor,

Cellebrite, Ursa secure, and,

RII, Research Innovations, is the, the, the other one. So

Perfect. Yeah. Give them give them their plug now. But yeah. No.

It's it's cool that, like, people were willing to sponsor us, like,

sort of sight unseen. Right? Just trusting that we would we would do it. So

that felt that felt really good. It's building the brand. That's that's the 10 years

of building guys' brand up and and being a salesman in the industry. Yeah. I

think that's exactly right. Is there anything else that you'd like to share? The only

other hobby I do is speed cubing and I haven't been practicing as much lately.

So Speed cubing? Have you been doing competitions for speed cubing? There's not enough in

Florida, but, yeah. Like, I I go to most of the ones in Florida. But

the the last was in Tallahassee. It was just too far of a drive, so

I didn't didn't go. State champion yet? Not even no. I'm an old man. Are

you kidding me? Like, there's literally a separate league for people over 40. Like, there's

actually a separate scoreboard because I, at one point, was like 69th

in the world, over 40, but, like,

I'm 30 thousandth or something if you count everybody. Like,

I am very slow. Yeah. Like, relative to like, my fastest times

are like 12, 13 seconds usually. And, like, that's not even

enough. It's doing 6 seconds, 5, and 4? They're down in the

fours. Yeah. They're down in the fours for, like, yeah. The top the

top the the top spots, but any any regional It's just

there's no, like, algorithm, like, advantage. Everyone knows the algorithm

of the fastest way to do it. Right? Or

yeah. For the most part, yeah. What what what, there are you can

memorize more and more algorithms. And the more you memorize,

the the more options you sort of have available to you. But, also Okay. At

first, the more it takes to recognize which other game you should do. Can they

can't just lay you down? So there's that trade off. The best people know all

the algorithms and also have zero pauses and just go straight from one of the

other. There is a little bit of creativity in one of the earlier sections. It's

it's kind of fun in terms of decision making choices. Like, there's absolutely strategy. It's

not just a hard and fast. This is the optimal way always, and you know

it. There's a lot of, like, different techniques, and different people will solve

it, a little bit in the earlier in the earlier phases. Towards the end, it

tends to look very, very similar, with exceptions for, like, how

many memorized algorithms you have memorized. But common algorithms just, like, you know, sequences

and moves for particular cases, like case case case solves. But, no.

It's fine. It's it's been my and now it's happy. It's been a been a

good thing to pick up and It's been a good thing, like,

I've I've wanted to do my I remember one of my best friends in

high school, he knew it, how to do he solved it and I was like

I wanna learn, but I wanna learn on my own. I

don't wanna follow an algorithm. And then I just now I'm 30

what? 3? Whatever? 30? I don't know. And now I haven't done it and I'm

like ah, shit. I maybe I should just learn the algorithm. Shouldn't just learn it.

I can do it. Rusty, my my my third cofounder, did that

where he was, like, I wanna learn, like, intuitively. I wanna get a sense for

I just wanna play with it for a month or so. So he he did

that. Like, I was just straight up, like, I was just gonna memorize. He didn't

solve it though. That's the thing is he made it to the last layer and

it's it gets exponentially more difficult. Really? The because

because the the closer you get to being solved, the less freedom you

have to, like, make moves without disrupting what you've already solved. And so that's where

it becomes easier to, like, just memorize an algorithm or look

up the correct answer to, like, get those last those last little bits. But, like,

the first two anybody can and should just play with it for a couple

weeks, and you can learn enough to get the first two layers. Like, to get

a whole lot of face and to get like the size and the edge. Like,

you can figure out just by I got that part. Doing that. Yeah. Exactly. Then

the last layer, it's obviously, there's people who figured out their own. It's been solved

before by people at that point, but I'm not one of them and that's yeah.

So so I just memorized. A lot of good old ones.

About games. So, like, do do you

do you get any interest in playing, like, games like mafia or werewolf where you

have to, like, pretend to be someone? Yeah. My son is a huge he's literally

right now is playing that out of school. Every day at lunch break, they play

they play werewolf. Yeah. We have all of the variants at home. This new one,

by the way, if you haven't looked at the Kickstarter called, either werewolf in the

dark or mafia in the dark. I think that looks really, really fun. It's like

an in person kinda big group gameplay. Anyway, yeah. So I'm

very familiar with with with those games. Do you play these ones as well? Do

you like these ones? I I do to a certain point. I'm a pretty good

liar. Like, when I when I need to be, which is weird

because I'm not naturally a liar. Like, I'm very like, I just am super

I default to the truth just all the time, which is also part of what

I do. Because it's like long term relationship, something else. It's never worth

it. It's almost not yeah. It's like yes. Exactly. So

If somebody, like, will ask me my opinion, I'm gonna tell you my opinion. Even

if it you don't like it. Because I'd rather you know the truth now than

it, like, it just it's one of those things that we're just practically speaking. I

think it's always best to tell the truth. Always. And so I'm scrupulously

truthful and even just how we run the company, we're very transparent. We have a

GitHub database with all of our issues and our roadmap in future. Like, we don't

hide or have secret plans. Like, we just we do everything in the open as

much as we can. It's just kinda like our philosophy on doing this. I really

think that's just a better way to do things, but, Yeah. No. I

I'm usually pretty good at mafia, like, in lying, about, like,

whatever. I can I can keep a pretty good face? Yeah. I prefer I I

like it a lot too. I've noticed we've been playing I got, like, Catan right

here. We've been I taught my girl Catan. And she loves

it. She loves playing it. And I've what I've realized is if you

are like let's say let's say I go to your house and I'm playing with

you. Right? I'm more likely to screw you over because I know

you and I don't really wanna screw anybody else over because I don't know them.

Yeah. So, like Yeah. The person that you invite over always screws you over. Not

always, but most of the time will you over more so. So you already you

have this, like, disadvantage. Like, as soon as the game starts, I've noticed. I was

like it's a it's just one of these, like, quirky things about, like, how the

game dynamic's set up and, like, how human human behavior is,

regardless of the rules in the games. It's it's interesting to do with some people,

like, my mother despises mafia or werewolf or any of those

games. She just because she always gets mafia and she hates it. She just doesn't

like lying. She doesn't like being the one that's gotta hide what she is. She

just it is the most painful. And she literally just for the her mental

health. We just stopped her. Yeah. Exactly. She's just too nice. Like, it just doesn't

so she just refused to play now. So now we'll like, big family gatherings will

always play play around the mafia. And, she is

she is excited. Play. Nope. Grandma grandma doesn't play. She just and it's

everyone's just that's fine. Grandma doesn't play. But all the cousins, all my my

my siblings, and my, you know, my dad will will do it. So

yeah. We'll play games. We we always play family games as well and whether I'm

playing fam actually it's when I play games with new people. If I if it's

a game that like I almost a 100% sure very very confident that

I'll win. Sometimes I'll like decide if like I'll just purposely lose

so Yeah. That the next time in series that we play They wanna play. Yeah.

Yeah. They wanna play. Yeah. Yeah. Yeah. So, it's just another level of I

like I like co-op ones. Table co-op like there's a Castle Panic and

there's, you know, there's a couple of the the the tabletop games that are explicitly

like cooperative. I think that's a really fun genre. There's a there's a bunch of

those which I I really enjoy. I I am I'd like to see some of

those and learn about those. I we've never done those. By by nature, I'm too

competitive. If I so I I could that that by just not caring and not

not be competitive at all. Because, like, once I start being a little competitive, it's

bad. Like, so I've I sort of, like, have had to, like, over the years,

I've mellowed out and I just I don't try because once I, like, it's, like,

I'm either on or off and, like, I Yeah. Yeah. Just better if that happens.

After the game is done and you're like, that's you're like Some years ago this

guy No. For me, no. I'm I'm very I can disconnect, but other

people Not perfect. No. Because I I was the person that ruined it. So like

there are consequences afterwards even if they're not direct to my Oh,

right. Yeah. Right? I've had this too. I played a game or whatever and then

like I don't trust Chris because Ever again. He did something with this game. I

was like, we're playing a game. Yeah. Yeah. So that

that's the consequence. You gotta you gotta watch out for that. Yeah. You gotta look

out for that. But, alright. I don't wanna take out too

much of your time. I really enjoyed this conversation. I'm hoping, a lot of people

also gained a lot of insight from this. Well, I think what the plan is

what I'll do is, we're gonna get a few episodes, created, then we'll start

rolling them out so that way I can, like, push one out. It could be

something like that. But Yep. Schedule now. We'll keep you in the loop and Sounds

great. Everything like that. So Jordan, thank you so much for your time, man. Really

appreciate you being on here. We're excited to, you know, see what

more comes from Vector 35, yourself as well, and then your conference coming up.

So I appreciate it. Hopefully, we'll sit there. Thanks. Take care. Of course. Bye

bye. Cheers, brother.