Episode 8: Whiskey, Quantum Computing, and Executive Protection
Welcome to Distilled Security Podcast, episode 8. My name's Justin. I'm here with Rick and Joe, and we have another guest on the episode here, Eddie Kubit. Thanks for joining us here.
Eddie:Oh, I'm thrilled.
Justin:So, yeah, so you have an interesting story. You've been 20 plus years into the security industry, worked with a number of different security vendors and everything, and you recently made a career change. Can you tell us a little bit? Yeah. Go ahead.
Justin:I would love to. Right?
Eddie:Because it's when I when I told close friends, they're like, you did what? Right? So, yeah, I have a history, right, or career in IT security sales. Right? Most recently anyway.
Eddie:Security sales?
Justin:Yeah. Or security in general? Like, this.
Eddie:Yeah. Yeah. Yeah. Like, back way, way back. Right?
Eddie:I got more gray hairs than anybody here, I think. You know, way back when understand. I had an engineering degree, an electrical engineering degree, and I started writing code for a company. Hated it. Right?
Eddie:And so I went and then got an executive MBA, from from Waynesburg and got in touch with, some consulting organizations. And I'm like, boy. You know, working with customers and being outside fit my personality a whole lot more than sitting behind a desk and writing code. Right?
Justin:Gotcha.
Eddie:And so then I took a job in, in sales for a security reseller, and then then in the industry. I've worked for Check Point
Justin:Okay.
Eddie:Quite a while. Short term with Cisco and Archer. And then most recently, my career has been with, Imperva. Okay. And then, most, most recently, D3.
Eddie:Right? And, it's been wonderfully productive for me. I was able to send 3 kids through college. One still in college, but, you know, we're we're still working on that. The track
Justin:record is going good. Right? Yeah. Yeah.
Eddie:It was wonderfully, you know, productive, like, and and and fulfilling, like I said. But, you know, it got to a point where, for me, there was, like, you know, the the take your kid to work day.
Justin:Mhmm.
Eddie:Right? And my daughter one time back goodness, a few years back said, well, all dad does is sit on the keyboard the PC and send send emails and talk to people on
Joe:the phone.
Eddie:How boring can that possibly be. Right? And, you know, she had a point. You know, but and then then there there was also this thing where, you know, you describe your job in one sentence or less. Right?
Eddie:And so I figured out the best way to describe my career as a salesperson. I badgered people until they signed a contract.
Justin:Oh, I mean, fair enough. Yeah. Anyway Right? And and I
Rick:know there's a whole lot
Justin:more to it. Right?
Eddie:But to me, there was little nobility. There was little things that I was proud of when I went home other than, hey, I closed the big deal and did an Aristocian the company. Right?
Joe:Yeah.
Eddie:You know, so anyway, I was let go. And so I had always planned on and thought of, once my kids were all through college, my youngest is still at Duquesne, but once my kids were through college, I wanted to build something. I wanted to to make something and and do something. Right? Rather than just, send emails and and phone, and, and and voice mails.
Eddie:Right? And I've always had a passion for an interest in distilled spirits.
Justin:Yeah.
Eddie:So I went to elementary
Joe:school. Podcast, by the way.
Justin:I'm sorry? You're on the right podcast.
Eddie:I got
Justin:this is why apparently what happened.
Eddie:I said to Justin, hey. Do you I'd like to join you guys one time. Right? Yeah. So, anyway, I went to elementary school at Our Lady of Grace, which is a parochial school in Scott Township.
Eddie:And there was always this one of those blue historic landmarks on top of the hill. And I was curious, so I walked up there one day, and it happened to be the location of General John Neville's Neville's home that was burned down to start the Whiskey Rebellion. Right? And it was Bower Hill.
Justin:Oh, yeah.
Eddie:And I started scratching my head because it was parochial school. Nobody talked about whiskey.
Justin:You say
Rick:your interest in spirit started in elementary school.
Justin:Right? You know? And and,
Eddie:like, the the the parochial school. So it wasn't, it wasn't supported, right, as a career goal for us.
Justin:Rough elementary school. But relaxing. Yeah. Right?
Eddie:And I had always had an interest in in in the local history
Justin:Yeah.
Eddie:Of the whiskey rebellion and, you know, and other things. And this area, like West PA, is steeped in history of alcohol or, like, distilled spirits production. And, you know, we you guys can I'm sure you have heard that. But A
Justin:ton before the prohibition and then
Eddie:Oh, absolutely. Yeah. Absolutely. And we can, you know, we can talk about that. But, you know, in the Whiskey Rebellion, that story is told very well by a number of distillers that are here.
Eddie:They do a very nice job. But, anyway, so I, you know, got very interested in reading and history of the area that I grew up in. So fast forward a little bit, and I've done some brewing and some winemaking, and may or may not have done a little bit of, you know, moonshining or what whatever it might be, and always had an interest in
Justin:Off the record. Yeah. Off the record.
Eddie:Always had an interest in in the distilled spirits. Right? And, so I actually wrote a couple of business plans together, and what would it take because my idea when I said to, you know, that after my kids went through college, I would love to have a small distillery. Yeah. Right?
Eddie:And, you know, so I did a business plan together, and the lowest number I could come up with was a 1,000,000 and a half dollars.
Justin:Yeah.
Eddie:Right? And I'm sure you guys can appreciate that. A distillery is a fantastically difficult business.
Justin:Right.
Eddie:Because to to do a bourbon, right, not only do you have to make it, but you have to age it, you mature it. So it's 4 years, 5 years before you have revenue. Right? So it's a very difficult thing to do. Right?
Eddie:So, anyway, fast forward to earlier this year, and my employer not so ceremoniously told me I no longer had
Justin:a job.
Eddie:Right? And I'm not special in this area, but, you know, my wife encouraged me. She said, well, you always talked about doing something. Right? So here's your chance.
Justin:I know the time.
Eddie:And I gave every I I absolutely. She's been I I said I'm like the wobbly wheel on the grocery cart of our marriage. My wife is
Justin:we've got us moving forward and all the time. Right?
Eddie:And she's like, well, you've always talked about doing something. I have every excuse that I could come up with. Look, our kids aren't out of college yet. She says, the 529 money's there. Our retirement she goes, we've got plenty of retirement.
Eddie:And all you know, everything, you know, that I could come up with, she had to she goes and then she actually found, and I think we were talking about this earlier, there's a, Point Bar College has a, a certificate program, for, brewing, brewing sciences. Right?
Justin:And I sent that to you. Remember when I signed that?
Eddie:Yeah. So earlier this summer, they did the first distilling 101 class.
Justin:Okay.
Eddie:Right? And so my wife sent it to me and said, you know, here, you should be interested in this class. And, again, I gave her every excuse there was, and she was like, I
Justin:don't wanna hear about it. Right? Either do
Eddie:it or shut your mouth. Right? Just shut up. So I took this class, and it was fantastic. So it was 10 weeks, 2 lectures per week, like, 3 hours.
Eddie:We started mostly going to Point Park downtown.
Justin:Sure.
Eddie:But the, the instructor is Matt Strickland, who's the, the the master distiller at Iron City, Distilling. And before long, we were going out to the distillery for class because it was way more interesting to everybody, and it was way more it was way easier to actually see the equipment, being used. Right? And so we spent the second half of the class really at Iron City Distilling, and I got to know the team there, you know, got to know some of the management. Excuse me.
Eddie:And, you know, pieces just kinda fell into place, to be quite honest with you. It was quite, remarkable looking back on it. But at first, there was a part time job that came up for doing tours.
Rick:Yeah.
Eddie:And again, I was idle, so I'm like, sure.
Rick:I'll do tours. Hang out here. Tours. This is great.
Eddie:And then, you know, then there's, like, hey, a full time job production role came up. Would you be interested? I'm like, heck, yeah. Because, actually, at the beginning of the new year, we're actually gonna expand production, and go, instead of 6 mashes per week, 8. Right?
Eddie:So we can get into that. But we're gonna need more coverage for for weekends and whatnot. And so just interviewed with the team and the guys, got to know everybody, and things fell into place, and actually was able to, you know, was fortunate to fall into almost the, the position of a distiller at Iron City Distilling.
Justin:And they
Joe:pay you for this?
Eddie:They pay me like whiskey, dude. Really? I'm serious. It's the greatest thing ever. No.
Eddie:I and it I describe it as, like, the physically the hardest work I do Yeah. I've ever done. Right? Because, again, I've sent emails and and made phone calls. Right?
Justin:But sometimes they're aggressive emails that you have to really force. Like, you can hurt your fingers typing so hard. You know,
Eddie:the hours are tough. I gotta be out in the crate in the 6 AM. So but it's it's really, it's it's it's a joy for me to to actually be a know the process. And not only just know the process. Right?
Eddie:Because you can know the process for making whiskey, but then you have the machinery. Right? And one wrong valve.
Rick:Oh.
Eddie:And you can spill out 1500 gallons of whiskey onto the floor. Right? You know, so there's a whole lot to know about the process, and and I'm the I'm the, like, the lowest level. I'm the the newest, of the team there. But I'm I'm telling you, I'm just lucky to have fallen in with the best distilling team in Pennsylvania for sure, if not this part of the country.
Eddie:That's awesome.
Rick:The facility's gorgeous too.
Eddie:Oh, it's fantastic.
Rick:I grew up right around there, and it is absolutely beautiful.
Eddie:Yeah. Yeah. Go ahead.
Justin:I was gonna just say that one of the unique thing about Iron City Distilling is they're doing it right. Like, a lot of young distillers make that kind of, you know, the the quick vodkas or something like that, or the flavored stuff and everything. You're doing it where you're sitting on it for Uh-huh. 4, 5, 6 years. Do have you produced one drop yet out of I think this is Matt's.
Justin:Right?
Eddie:This is Matt Strickland's yeah. Distillers reserve is stuff that Matt, had distilled at his previous
Justin:employer's previous
Eddie:employment that was purchased by Ironstone.
Justin:You're doing.
Eddie:The gin, we're we're making. Right?
Justin:We're making. Yeah.
Eddie:And we're selling that commercially, but only at the, the store. Right?
Justin:Okay.
Eddie:We have nothing on the store shelves. Yeah.
Rick:It is good gin. I really I did like the gin. Gin.
Eddie:You know the difference between our what what Matt does with the gin? So instead of that, you know, a lot of people don't like that juniper punch
Justin:Oh, yeah.
Eddie:And it's still juniper forward, but we use cask or excuse me, lemon drop hops.
Rick:Oh, that's right.
Eddie:So give it more of that citrus, almost a floral aspect to it, which is kinda gorgeous and makes an awesome, awesome martini. But you're right. So, you know, the the the management and ownership of, Iron City Brewing and Iron City Distilling, right, decided that, you know, we're gonna be a national brand. We're gonna be a top brand. We're gonna be a top quality product when we put it on the shelf.
Eddie:Right? So we're Which
Justin:is different. Like Yeah. Because it takes a lot of
Eddie:time to do that.
Justin:On the shelves. You know?
Eddie:It's it's a difficult financial it's a difficult business to be a customer. Right? Mhmm. So that's why you'll see, you know, some people selling moonshine. Yeah.
Rick:Absolutely. You
Eddie:know, because you have to get
Justin:But you understand trying to get the revenue, but then you kinda potentially ruin the brand, you know, or at least, you know
Rick:When you have less juice
Justin:to put in
Rick:the barrels.
Justin:Right. Exactly. So, yeah, you come out with not a great product at the start, and it's hard to get bent ahead to get reoccurring
Eddie:customs and all that stuff. Without question. Right? You know, so we are now and you wouldn't know it because we don't have any product on the shelf, but we're putting more whiskey in barrels than anybody else in Pennsylvania for sure. Yeah.
Eddie:We're we're putting up, at least between, like, 35 and 50 barrels per week. Yeah. So that's, like, 1200 to 1500 gallons of whiskey per week. We have, 2,040 was the barrel that we just put up today. So we have 2,040 barrels of distilled spirits just aging away at that at that location right now.
Eddie:Right?
Justin:And correct me if I'm wrong. Your first barrel that you're, gonna bottle, was it the end of 2025 aiming for?
Eddie:Oh oh, yeah. Yeah. Yeah. So there are you know, and we're regularly taking a look at how things are aging. Right?
Eddie:So it will be a rye whiskey, and it will be, because rye ages a little bit faster than than the the corn liquor to make bourbon. Right? And so there are a couple of barrels that are aging real nicely. Right? And so we're really hoping that by holiday time next year, so, like, October of 2025, you'll be able to still see Iron City Distill.
Eddie:It's probably the brand won't be Iron City, but you'll be able to see
Justin:Yeah.
Eddie:The bottles
Justin:on the shelves.
Eddie:Bottles on the shelf. Yeah.
Justin:That'll be awesome. Yeah.
Eddie:Because when one of their decisions about not being Iron City as the brand was that we're gonna be a national brand.
Justin:Okay. Not a Pittsburgh brand.
Eddie:Right. Right? Proud of Pittsburgh heritage
Justin:Yeah. Absolutely. But don't want to
Eddie:you know, if you're in Philadelphia, you're gonna buy Iron City whiskey.
Joe:That's right. Right?
Eddie:When you got to the other option.
Justin:In a different brand. Interesting. Yeah. What what's the brand? Do you know?
Eddie:Oh, I you know, I was told by my management that we have full, yes. I do know. We're gonna it's gonna be called, Bessemer.
Rick:Oh, clever. Bessemer. That.
Justin:See? Why is that clever? I don't know. Still local local tide. Oh, okay.
Eddie:Bessemer is the process for making steel. Right? But it's it's a softer it's round it's more, approachable Yeah. Than old iron or some of the other options that we have.
Joe:It's funny. Just at the restaurant I was at before I came here, there were 2 guys sitting at a table, and they had a Bessemer, shirt on.
Justin:Yep. Yeah. Yeah.
Rick:That's cool.
Joe:So it's funny you said that.
Justin:I like that. Very cool. And so and the one thing I, the other thing I wanted to talk to you about, you just got a new still as well.
Eddie:Oh, yeah. Yeah. Yeah. Yeah.
Justin:Very unique still.
Eddie:Yes. Yes. Thank you for bringing that up, because that is actually one of the things another one of the things that's gonna make Iron City distilling very unique, is that, and, again, the the the story of the whiskey rebellion has been told by a number, and they do it very well. Right? And and folks that do that make a fine rye whiskey, very good rye whiskey.
Eddie:Right? But Matt Strickland, the, master distiller, said, we're gonna tell a different story. Right? And so we're gonna celebrate the heyday of rye whiskey production in Western Pennsylvania. Right?
Eddie:From, like, 1840 You're
Rick:gonna say the before the commission.
Eddie:Yeah. Right? Where rye whiskey, Monongahela rye, Pennsylvania rye was the top dog on the shelves. Right? And I I I can't quantify that this ever happened, but I like to think that there was some civil war, you know, generals or people after they went into the saloon.
Eddie:They're like, I want the top shelf stuff that you have, and that's the Pennsylvania rye. Right? Or with, Pony Express rider out west
Justin:Yeah.
Eddie:Wanting the best stuff that they had, which at the time literally would have been, Monongahela rye or rye whiskey produced from this era. So a couple and I'll get to the still the question that you asked. So we are going to make the most authentic traditional rye whiskey, Western Pennsylvania rye whiskey that's ever been produced. So what do you what do you mean? What do you mean by saying that, Eddie?
Eddie:Right? So we are actually going to we buy a very large amount of rosin rye, which is the brand of rye grain. Rosin was a variety of rye grain that was typical at the time. And it was, how do how do I wanna say it? There was a a scientist.
Eddie:She was able to recreate and reconstitute what was
Rick:It was like the Jurassic Park
Justin:story. The, like, web rye.
Eddie:And and so she has license on it.
Justin:Turn on you
Eddie:at that point. Got it. And, like, we're like, the farmer that we, that we buy our grain from, in Bedford, he has, like, 500 acres, and we're buying 480 of of the rosen rye. Right?
Justin:Yeah.
Eddie:So the traditional rye.
Justin:So why not the 20 left? Oh, he has a home screen. That's alright. Farmer's gotta Just because he's paying. People's not.
Eddie:So the rye grain. Right? Then the other thing we're doing and and by the way, think about this. The, the rosin rye that we're buying, it's like 70ยข a pound. Whereas the corn for a bourbon distiller Oh.
Eddie:Is gonna be like 7ยข. Right? So we're making a premium product. That's what I'm getting at with, with talking about money. And then the other piece is we are well, we mash it kind of the same.
Eddie:Ferment is no there's no, special process with fermenting. But we are distilling that rosin rye on a chamber still. Right? So specifically, we have a 3 chamber still, which was typical for the area of the time, but fell out of favor. And we're starting to learn the reasons why it might have fallen out of favor.
Eddie:Very particular.
Rick:As you work with it?
Eddie:Much harder to work with than a pot still. Right? Pot still, you just heat it up and boil the the alcohol off. Right? The chamber's still ours is a 3 chamber still.
Eddie:And you're only really taking alcohol vapor off the top chamber. And then you take what's was left after the run, put it to the next chamber. Yep. And then to the bottom chamber, which is the one that's heated, and then the stuff, like, filters up through the chambers. Right?
Eddie:It's all under pressure. But what that does, it allows us to extract a lot of those gorgeous oils out of the ryegram, right, that you wouldn't get at atmospheric pressure or or whatever. So even the new make spirit, the the stuff that I love, that we we we would call, moonshine. Right? You can smell the difference
Rick:as soon as you
Eddie:walk in the building, whether whether whether running the the chamber still or the pot still. That's cool. So we're gonna take the rosen rye on the chamber still. It is gorgeous, by the way. Somebody asked me, like, well, you know, when I do tours, they're like, well, why copper for for, still?
Eddie:Right? And there are a couple of practical reasons. It's fantastic for heat distribution. Right? It also has, anti sulfur, pull sulfur out of the out of the distillate, and it also looks like a $1,000,000.
Eddie:That's And I think that's
Rick:got us
Justin:to Vendome who, got it for, like, which is, like, the number 1 Yeah. Still maker on top
Eddie:of the All Vendome. All Vendome gear. Yeah.
Justin:I did
Rick:our distilled. Antibacterial too.
Joe:I'm pretty sure. On the tour in Chamberstill, on the tour Mhmm.
Justin:At all? Because how many?
Eddie:Or There's 3 in production, that we know of. Right? That we know of. Right? There may be others, some smaller ones, but one is, out in Colorado, Leopold Brothers.
Eddie:Again, I I I don't mind sharing, other information. 1 is a rummage dealer in the Caribbean. Knowledge.
Justin:Yeah. Yeah. Yeah. Common.
Eddie:He well, they well, and Todd Leopold was the guy that was doing some research and reading. But, like, hey. What is it about these chamber stills? Right? And why were they popular then and not popular now?
Eddie:So he was the first one to commission the production of a chamber still from Vendo.
Justin:Mhmm.
Eddie:And it is gorgeous piece of equipment. Right? So we had the well, there's actually another one in in, the Caribbean producing rum. And then we have the 3rd that's in production making whiskey now. There are a couple that are under contract that they're making.
Eddie:Right. So they were getting a lot of calls from, other distillers that want to see the chamber still
Justin:in action. The opening of your 3 chambers still and everything that was up at there.
Joe:So you can see this on the tour?
Eddie:Oh, yes.
Justin:Yeah. Oh, yeah. Yeah. Yeah. Yeah.
Justin:The the floor there. Hey.
Rick:You heard it here.
Justin:Yeah. Yeah. I'm reading the news
Joe:on the name, and pussy.
Eddie:If if you're there, yell yell my name out. I'll come down. They'll I'll give you the the the the, the extra special to it. Right?
Justin:That's awesome. Yeah. And it's it's like, I I went for the opening, and it it's just a beauty, you know, type of thing. And it's gorgeous. It's it's not cheap.
Justin:I I heard a number that each one of the chambers were, like, 200 k from Vendome, so all in told Yeah.
Eddie:That I don't know. They're 200 gallons, for sure. I'd know that. I thought it was 2, 4, 6 that's probably yeah. Probably about right.
Justin:Yeah. It was, like, 8, 900 k for the whole thing.
Eddie:Probably. Yeah.
Justin:I mean,
Eddie:that I'm not writing those checks, but
Justin:Yeah. Again, going to sparing no expense, you know, type of thing. Like, you guys are investing so much into the quality of product, you know? Yes.
Eddie:Of course. And then it's all steam heated, by the way, too, which adds to the complexity and valves and gears you have to turn, to to do everything. Right? But, again, the the distillate that comes out of it is just gorgeous. It smells fantastic.
Eddie:So then after we distill everything, we take everything to our rick house, which is a, all it's all hickory. Right? And steam heated, which was the way that rickhouses were built back in that 18/50 to prohibition day. And we are barreling that rose and rye from the 3 chamber still in 40 gallon barrels. Again, it was the way that it was done at, by the way, at a low proof.
Justin:And what are the other gallon barrels that It's usually 53. Okay.
Rick:Yeah.
Eddie:So all of our Danko rye and our bourbon, all the the the single malt we can get into are just all all sorts of different things. We have all kinds of different barrels that we bring in, but generally about 53 gallons. So a 53 gallon barrel weighs about a ยฃ100, and we put about 400 pounds of liquid in it and put it on a rack.
Rick:So every one of
Eddie:those so when you walk through a rick house, think about it. Every one of those things weighs ยฃ500. So, that's where we're getting oh, so getting back to the traditional and the authentic Monongahela or West PA rye Whiskey that we're making, in a rickhouse in 40, 40 gallon barrels at a low entry proof, like 50.5 is the entry proof that we're putting stuff into new oak barrels. Right?
Rick:Okay.
Eddie:So I talked about the cost of the grain. Yeah.
Justin:The cost of
Eddie:the still that you brought up. Mhmm. Steam heat, and 40 gallon barrels at low entry proof. Right? So, again, all leading to the point of view.
Eddie:Manual effort
Justin:Yeah. Yeah. Yeah.
Eddie:It's all gonna be it's gonna be and it's gonna be a premium product. I'm convinced that we'll
Joe:So $10 a bottle for sure.
Justin:Yeah. That's what I'm hearing. You're already here. Yeah. It's not gonna
Eddie:be it's not gonna be crazy, but it's gonna be a premium spirit for sure. Yeah.
Rick:Yeah. It'll cost less for us since it's local.
Justin:Yeah. And you sponsor us. What would
Eddie:they say that, you know, I I heard a quote, and I'm and I'm gonna I don't know who said it, so I I can't give, appropriate credit. But somebody said, when you buy a, like, a craft whiskey or a craft, spirit, it's costly. Right? But if you buy a, an allocated bourbon and pay way too much for it, that's expensive.
Justin:Yeah. Yeah.
Rick:Yeah. But, I mean, but it is there there is something truth truthful about, like, if you don't have to ship a thing across the country. Right? That helps sometimes, especially when it's liquid in bottles. Notoriously heavy.
Justin:Yeah. So that's right.
Rick:So that's right.
Justin:That'll be your goal, like obviously you once you start getting the production out. You said national.
Eddie:Oh, yeah. Yeah. For sure. Yeah. We're putting we're putting low, like I mentioned to you, a lot a lot of liquid in barrels.
Justin:That's exactly right.
Eddie:More than we could sell here locally.
Joe:So in
Eddie:the Rick house
Justin:Yes.
Joe:And I remember things from the, tour in Kentucky I went on. So, the climate, the fluctuations in climate, how how does it compare here in the Pennsylvania to what, like, what people are Yeah.
Justin:Getting to?
Eddie:Yeah. No. That's that's a great question. And, first of all, I wanna talk about, like, when we talk about whiskey or bourbon, I as a distiller, we'd like to say maturing rather than aging because it's not just sitting in a barrel
Justin:for a while.
Rick:There's we're pulling out
Eddie:a lot of, like, tannins and and, like, some other stuff from the from the wood itself. Mhmm. So our Rick house, for example, we try to keep it at 80 degrees steam heat. There are big garage doors and doors, so I keep opening them up, and it cools off all the time. But we try to keep it constant temperature all year round.
Eddie:And 80 degrees on the floor on the floor, it's probably about 15 degrees hot hotter as you go up. Right? So we're racking at the top level. It's 90 degrees up there for sure. But we keep it at try to keep it at a constant temperature.
Eddie:It's a brick building, so the coefficient of whatever insulation is very poor. But, we try to keep it that that that steady rather than allowing it to get cold and then get hot in the winter in the summertime, right, and then cold again in this. Because there's a the you know, I've read about all the you know, pulls the liquid out of the barrel and then and the wood and then pushes it back in. I'm I'm not so sure that that's true and that's what's going on Mhmm. During maturation of, of spirit in a barrel.
Eddie:But, you know, anyway, so you the question that you ask, we're we're we keep it at a a constant temperature or try to at least, right, to mature the the temperature or try to at least, right, to mature the the whiskey that's in the
Rick:barrels.
Justin:Yeah. And some of the older Rick houses, they're, like, wide open to the elements even though they might be steamed Yeah. And everything. I think we were at Buffalo Trace. They had some of the old, like, steamed stuff, but Yeah.
Justin:You know, it's also wide open to the elements, you know, through that and everything.
Eddie:And they do that thing where they they like, oh, this area produces the best barrels, and No. And there there I there there's something to that. Right? I don't know what it is. There's other distillers that know a whole lot more about it.
Justin:BarrelSlide, but I thought there was always a science. If you're trying to get, like, the same like, a Buffalo Trace Yeah. Type of thing, they take it from all over the warehouse and get the right blend Right. To that.
Eddie:Right. Because you don't wanna have, you don't wanna have a glass and enjoy it, then buy that brand again, and then, like, oh, this isn't what I remember. Right.
Justin:Right. Unless it's, like, barrel select, barrel proof, whatever it is, you know, that type of thing. Yep. Yeah. So that's
Joe:very nice.
Rick:That's awesome, man. Really exciting. Yeah.
Justin:What's for
Joe:the place?
Rick:Where it's located, and
Joe:what are the hours that people come on tours, and
Justin:do they need to call ahead?
Eddie:Yeah. That's great. So there are public tours, and we just expanded tours. So it's Thursday through Sunday. Times vary.
Eddie:It's like 1 PM through 6 PM, I think. They're all available on the website, Iron City Distilling, I believe. Oh, in Creighton, Pennsylvania. You asked where we are. So Creighton is north of Harmarville, south of, New Kensington.
Eddie:If you live out that way, you probably have driven through and seen the beautiful brand new facility with Iron City Brewing, and It's
Justin:just right off the 28th there.
Eddie:Yeah.
Rick:Very close to Pittsburgh Mills. Yeah. Yeah.
Eddie:Yes. Yeah. The next exit after Pittsburgh Mills, as a matter of fact. And, yeah, it's a it's a wonderful tour for if the holiday's coming up, if you have friends in town, a great way to kill an afternoon. We'll do tastings.
Justin:Those are available on Eventbrite. You can actually go to Eventbrite and look up Iron City Distilling. And you have a number of classes, like, on Saturday. Yep. Do you have, like, a winter solstice coming up this Saturday?
Eddie:Solstice is on Saturday.
Justin:And then, like
Eddie:I know my wife and sister-in-law are gonna do the, the chocolate pairing.
Justin:Oh, yeah. Okay. Yeah.
Rick:Yeah. Which which
Eddie:if you don't realize it, chocolate pairs remarkably well with whiskey.
Joe:Yeah. I've gotten some gifts before that were specially made slabs of, chocolate that it even said drink it with or eat it with this.
Eddie:Yeah. And my wife loves, like, dark chocolate with red wine. Oh, okay. Very similar type of things. The oils or something.
Eddie:I don't know what it does, but it it pairs remarkably well. Yes. So my my my and Belinda, our, libation specialist, she's awesome. She makes, like, very craft cocktails, and she'll be guiding that, that chocolate pairing. So Belinda and Andrew, are the bartenders that are there.
Eddie:In the mezzanine, which the bar that you were at
Justin:Beautiful.
Eddie:Fantastic facility. Not open to the public, but just through tours and events, that are, you know, available online.
Justin:I heard there's goals to get that open, like, wider Yeah. Times and everything.
Eddie:So Yeah. Yeah. And and and there will be. Right? So
Justin:there's there's
Eddie:a talk about what
Justin:you guys built that, like, a month ago or something like that.
Rick:Like, it's really new.
Eddie:And it's been like one thing at a time. We just got bar stools in today, so you had to stand at the bar. Now you can actually sit down at the bar and
Justin:hit some
Eddie:of the tables.
Joe:Justin said that anyway. Yeah.
Eddie:Well He's
Justin:a standard well,
Rick:you sell some cool bar stools in the gift shop.
Eddie:Are there what's all what's all over there?
Rick:It's it's the Iron City bar stools.
Eddie:Oh, okay. It's
Justin:not exactly
Rick:it's not like but the gift shop has a bunch of different stuff that goes on, which is very neat. So yeah.
Eddie:And we're we're we're separate from the distillery, or excuse me, from the brewery, but we're still the same company. Right? So we we get a lot, and we have a lot of cooperation from the, from the brewers. They have a fantastic lab that we kinda we can totally utilize on. Like, all the excite the lab equipment that we'll take our our 2 samples a day, and they have, like, all kind of stuff that's going on in there.
Eddie:And, you know, all the all the things that we can utilize from those guys is is is terrific, and it works out really well for us. They actually do our single malt. The owner is a big fan of of single malt whiskey. Right? And American single malt is now a category.
Justin:Yeah. They just actually reset.
Rick:Yeah.
Justin:It was, American single malt, and I forget the other definition that they solidified.
Eddie:Yeah. I I don't know either. But I Yeah. For us, we were very interested in
Rick:eating that single malt.
Justin:Yeah. That's cool. Yeah.
Eddie:And we're we're yeah. We're we're we're aging our single malt in all sorts of different casks. Sauternes, the one that we're this is bourbon, but, there's cognac barrels. There's, red wine. We got a bunch of red wine barrels from Stagsley just delivered the other day.
Eddie:Oh, nice. Gonna be really, really interesting to see what happens with, with the, with the single malt in those. And I was thinking of something else I wanted to share, but, it's gave me for right now. Oh, so cooperation with the the brewer. Right?
Eddie:So they actually have I'm not sure if you're how familiar you guys are with the distilling process. But the mash cooker that we have, we distill on the grain. Mhmm. So we'll cook the grain, just, ferment it, and then put everything into the still. Right?
Eddie:And then we'll once we grain out, that only happens after it's been distilled.
Justin:Right.
Eddie:With a single malt, the traditionally, you will, you'll you you will take the the liquid off the grain before fermenting.
Rick:Okay. Yeah.
Eddie:Right? So it's a different Oh, really? Louder tons. Right? So we get a a just a gorgeous liquid from the for pumped over from the brewers.
Eddie:Oh, that's right. Louder tons that can spin, and they can Wait a minute. They can separate the grains.
Justin:You take the liquid off the grain before fermenting? Yeah. Okay. So you'd, like, get all the grain out of it, filter that out.
Eddie:Yeah. So
Justin:Then you throw the yeast into the liquid Correct. It ferments, and then you pick it out.
Eddie:Okay. You're from the beer making process.
Justin:Yeah.
Eddie:Yeah. Beer makers do that. Right? Because you they you get the wort off of the grains before you ferment. Right?
Eddie:And so it's a very similar process to doing that.
Rick:That's really cool. They have the material. Yeah.
Eddie:There's like a it's just a it's like a 2 inch line. They just pump the stuff over and we put it into a 3,000 gallon.
Rick:That's awesome.
Eddie:You know, fermentation vessel and add yeast to it, like you said, and and we distill it from there. So a little bit different to a process, but real close, cooperation with the with the guys on the brewery side. I shouldn't say guys, the folks on the brewery side.
Justin:Sweet. Yeah. Alright.
Rick:You mind if we drag you into your old life for a little
Justin:bit?
Eddie:I have no no. Absolutely not. I'll I'll I'll I'll I'll I'll, jump in when I feel appropriate.
Justin:Yeah. So, yeah, so going on to our next topic here. Obviously, you know, a couple weeks ago, the UnitedHealth CEO, got, killed and everything. You know, just cold blooded attack based on somebody who thought the insurance industry was broken and everything. And separate from that, I want to bring up and just talk about from the role of a security practitioner, CISO, whatever it may be, what is our role in protecting some of the executives?
Justin:So I saw, like, some of the initial things that were very knee jerky. Like, they went on, they started wiping bios off the website and and stuff of that nature. And does that do anything? Does it not? What should we be doing?
Justin:How serious of threats? Because he got some threats, but I don't think it was located to this. I'm not sure there was an actual threat based on this, you know. I haven't heard that this was
Rick:connected to, like, anything like that.
Justin:Yeah. So kind of curious, I mean, as you guys, you know, are out there, have you got any questions, you know, from this on how to handle it? What would you recommend? You know, companies do post up the bios or not. Yeah.
Justin:I have a couple of stories of, like, what we did with, like, some of the senior executives, specifically at Diebold. Diebold well, I worked at BNY Mellon, but I wasn't connected to what we did for executive protection at that. I was way down on the totem pole at that point. But I know at Diebold, we did have, obviously, some insurance. We, provided, some response.
Justin:Like, we basically had that a team could go in if somebody got, like, kidnapped, or something like that. A little bit of assurance along that lines. But, you know, this is domestic here. You don't think necessarily about that. You know, protection, especially in a big city like that.
Justin:You know? Yeah. What do
Rick:you wanna go first? Do you want me to No.
Joe:You go ahead.
Rick:I mean, I so I've been thinking about this a lot, and I I don't know well, you're asking about, like, what what's the role. Right? So information security Yeah. First and foremost, it's like, okay. Well, if there's information about people traveling around, right, I mean, you probably want to keep that reasonably secure.
Rick:Right? But does keeping that secure prevent something this, like, well, not really. If there's a big meeting somewhere and you know that people are gonna
Justin:I particularly Any more remote meetings? Like I
Rick:mean, maybe I I I actually don't my take on this is probably it might not be the best one, but it is mine, so I'll own it. Which is, like, there there are always gonna be and this is, you know, people getting murdered is, like, a tragedy, obviously. Yeah. Yeah. But there so but to talk about it clinically for a little bit from an information security practitioner perspective, like, there are gonna be isolated incidents.
Rick:Right? They're going to be things that happen that you you don't necessarily that no company necessarily is going to employ the resources to, you know
Justin:Do it correctly.
Eddie:Yeah. Well,
Justin:to to So women say this is a black swan event? Yeah.
Rick:I mean, I I think it might be right now. If it spawns a bunch of, like, copycats, okay, well now the the the dynamic is changing. Right?
Justin:There's a
Rick:whole lot of socio political stuff that goes into that. But for me right now, if I think about it truly from, like, an analytical risk perspective, I don't, a, I I I just don't know that the thing the practical things that you could do to prevent something like this, like, from a controls perspective or from a response perspective, are practical from a financial perspective for these organizations. Right, wrong, or indifferent. I just don't know that people are gonna invest the type of money that they would need to fly everyone private forever and have, you know, bodyguards with details and clear buildings and restaurants when they go there. Like, I mean, it's effectively a presidential detail.
Justin:Yeah. I mean, you could have a small scale one, you know, you could have a guard or 2, you know.
Rick:But even, but then, I mean, we've talked about this forever, like, but a motivated adversary, right, with a long enough time frame is gonna do the thing that they wanna do. Right? Whether it's digital or physical.
Joe:Yeah. There has been, some stuff I've been reading on this, and some of the knee jerk reactions are, how do we get and you cover some of these. How do we get the profiles off of the corporate websites? How do we start scrubbing their information from the Internet?
Rick:But so much of that is theater. Right? I mean, at the end of the day Yeah.
Justin:Like I mean, you go to the EDGAR, the SEC EDGAR.
Rick:It's all working.
Justin:It's very It's all It has to be all
Rick:there Executives are public information. Right? Right. And so, like, yeah, they don't have to be on the website. But, again, if someone's motivate like, I just I think if someone's motivated, they're gonna find the people.
Rick:And if they're not motivated, like, incidental contact with, you know, the board of
Justin:directors Yeah. The I mean, he had a target and
Rick:And highly educated and all these right. Right.
Justin:He's not a bunch
Joe:of viruses.
Justin:Reading
Joe:Yeah. Was was even supporting that. It's like, even if he would have had all of his stuff removed, this, the attacker's determination, their knowledge that they had was they they they knew how to leverage public records. They knew the, regulatory file filings. They knew the OSINT tools they could use.
Joe:They knew where he was gonna be.
Rick:Absolutely.
Joe:And even if he didn't have a profile on the about section and what's happening is some of the about sections of these, websites that used to have Yeah.
Rick:All the people.
Joe:Click on here for our CEO. It now it's redirecting back to the main page.
Rick:I saw that as a knee jerk reaction, and I just don't know I I don't feel feel like it does anything. Now, if an executive team is, like, well, I'm scared you must do something, I guess. But I would argue it's not really something.
Joe:Those are things you could do, but it's not just one thing. It's a culture of trying to begin to limit what you're putting out there. So what can you do?
Eddie:So let's get to the privacy. Reasonable.
Joe:So do you need to have your your be careful. Don't put your wife and your kids pictures on every single thing, and don't take all you know, don't be the Facebook person. Don't have it all out there. Don't be publishing, I'm going to this place for this meeting at this time or I'll be at whatever. You have to have a little bit of a different you're not an influencer anymore.
Joe:You have to have a different profile on the Internet because that's where people try might track you and know where you're at. What's that gonna do? It might begin to marginally reduce some risk, but it's not gonna stop the determined attacker.
Eddie:Right.
Rick:And I think people care about their personal brands too much. Like, I think everyone's gonna individually balance this. Even if there's a knee jerk, oh, I'm nervous about my personal health and safety because of x y z. I feel I don't know. Like, historically, with events like this, like, major events, society has a pretty short memory.
Justin:Mhmm.
Rick:And I wouldn't be surprised if now I don't know if, like, bios go back on websites, but, again, I don't know that anyone cares either way whether they're not they're on websites, so why would it matter? But I feel like in terms of people posting and stuff, like, I could imagine it's gonna, like, curve a little bit and then give it a year, give it 2 years, or whatever. And, again, assuming things haven't, like, changed massively and this becomes, like, a repeat thing, I just don't see much changing. Yeah.
Joe:I agree with you. It'll begin to stabilize. People will go back to old habits. I mean, really, it's and you can't really vanish from the Internet, And at the same time, it's a layered problem. So you're you one one thing's not gonna change everything.
Joe:And it's becoming habitual about just being careful of what you're posting and what's going out there for somebody to research, like, where you're gonna be tomorrow.
Rick:Yeah. You don't have to make it easy. Right? But then but, again, so many of these individuals also have these habits. Right?
Rick:That are, like, I'm gonna do this thing. I'm gonna go to the gym every day. I'm gonna do this every day at this time. I'm gonna do this. Like, a lot of individuals that have sort of high stress, like, you know, days weeks months, they rely on their habits to help ensure that they knock out all the things.
Rick:And so, I also just don't I just can't see people changing too much because of this. It's I think from a again, from a human perspective a tragedy, from a risk analytics perspective, I mean, I don't know, like, every time you have a 100 year flood, do you just, like, not live there anymore? It's like, no. People don't do that. That's just not how it works.
Eddie:Mhmm. Just be because I've been thinking about this because since the things have happened. Right? And I've like, wanting to take everything off. And then I was while you were talking, I was thinking that, you know, there I know plenty of senior level executives that their out of work activities are, you know, wonderfully benevolent.
Eddie:They're involved in charity fundraising events, all these other things. And you want to be able to publicize that. Right? Yeah. You want to be able to say because most of the and I and I have this very, you know, I'm a a capitalist at heart, and I I really do believe that most companies are doing what they think is the best thing for all the stakeholders involved in their company.
Eddie:Sure, there are instances that you can point to in industries that that are tragic and maybe, you know, somebody didn't get this particular and and whatever. But I do think that and most of the, you know, the highest level people that I know are are good people and do good things and and want to celebrate that, right, and want to be able to have that on their bio from the page. And for the company, you wanna be able to celebrate the wonderful things that that executives are doing. So, you know, to just have that automatically taken down, I think, is a tragedy.
Justin:Yeah. But does that turn into more of a post, you know, a post event, sharing instead of a pre event sharing, you know, type of thing. Like, hey. We did this charity last weekend.
Rick:But then, like, how are you going to advertise? How are you going to advertise talks? How are you going to advertise, like, all sorts of things? Like, I mean, I just I Yeah. I don't think that any of the responses that would matter from a risk perspective are actually going to occur.
Joe:Well, I bet there was, I agree with all that, and I bet there was a huge shoot up for these tools.
Justin:Oh, yeah. I bet that's what you intended. What's that? Huge shoot up for these tools.
Eddie:Oh, yeah. Wording. Yeah.
Justin:I didn't mean that. Sorry.
Joe:I that's a but yeah. Exactly. But a spike in the, sales of these, various tools. I don't
Rick:know what to call dot me's or whatever they are. Yeah.
Justin:I've seen yeah. I I got a number of questions like, how are these tools employed like it? What what do we pay for to get everything off? But a lot of it needs all the permission of those individuals to wipe it, you know, type of thing. And quite honestly, like, it'd be different if I was involved in a situation like that.
Justin:But at the same time, I don't wanna wipe out my LinkedIn. I work hard to get, like, my followers up and everything like that and build a social brand because that helps me sell stuff at the end of the day. You know, for me to remove my Yeah. My brand from and I don't have a huge brand, but to me to remove that, all of a sudden, that sales down, you know?
Rick:Well, and anyone that's done a reasonable amount of OSINT Yeah. Understands that anyone is findable unless you're, like, super truly off the grid.
Justin:Most homes are findable. Like, up to a few years ago, you could find anybody's name in the Allegheny. In fact, if you go down to the office, you can still look up anybody's name to what house. They've removed that ability off their website. You used to go to him and say, Mario Lemieux, and see exactly his house and what he paid for and all that stuff.
Rick:Like, there's some limited exceptions, but those exceptions are not executives that are highly connected.
Joe:Well, that brings up something I've heard recently. I don't know if you guys heard this, but it's as soon as you can, if you're an executive and you're gonna buy a new house, the tip is get an LLC, put it in place, buy it through that because it creates another layer
Justin:Yeah. Yeah.
Joe:Between the 2.
Rick:Yeah. I mean, you yeah. If you have a lawyer, you can do a bunch of things through your lawyers too. Right?
Justin:You realize that that's just one extra, like, 10, $15 fee that you have to pay. You find out that that LLC owns it, then you just pay to get who's the members of that LLC from whatever state you filed that way.
Rick:But if you're
Joe:an executive making the multimillion dollars a year,
Rick:like pay someone to do that for you.
Eddie:2 l c. That's the other l c.
Justin:At least I've added to your lawyer too. I think you can actually do something where you hide the members, with that, but that's not every state that you can hide members of the law. But, like, then
Rick:what else? You're gonna get a PO box. You're gonna, like, change your utility.
Justin:Might be a record, do it. Irrevocable trust, you know, type of thing.
Rick:I don't
Justin:know if that's disclosable.
Rick:There's some good books on this. I think, Wow, man. I wish I remember I wish I could remember. There's a dude that worked at Amazon, I think, for a while that's super incredible privacy stuff. He wrote a book on
Justin:it. Yeah.
Rick:There's a bunch of, like, you can do a lot to take yourself off the grid, but it takes a ton of time, and it requires a ridiculous amount of dedication, and I think the individuals that care about this specific topic the most, I just don't know that the lifestyle and the requirements of it align with those things.
Justin:Really funny. I saw a talk at Derby Con years ago and everything, but he talked about his process of going through and buying a house with cash Yeah. And keeping his name off all the stuff. And it was nightmare. A process and a half.
Justin:Yeah. Nobody's like, what do you mean you don't have a loan for this? Yeah. And he was talking about, like, keeping his name off a whole bunch of stuff, like
Rick:Did you
Joe:bring a briefcase to the closing pool?
Justin:Yeah. But he did a little talk, and it was it was cool to listen to.
Rick:Yeah. It was like the the issues encountered along the way, because that's just not the typical process. Right. Like, we we talk about, like, user behavioral analytics. It's like it's your flagging every single
Justin:thing along the way. Right? Like, what do you mean cash? Where'd you get all this cash?
Eddie:Fraud did
Justin:you do? Like, how much structure you sell to get this cash?
Joe:What's what's our so do we come up with any actual meaningful takeaways that a CISO can use when they're asked this question?
Justin:I like what you said. I I think there should be training, specifically for executives to say how to minimize, you know, your stuff. Don't don't advertise, but, you know, share, like, maybe past stuff, do different things of how you actually do posts and everything. And the company should also do that as well, whether or not to doing too much, you know, pre, you know, but doing a lot post, you know, with that. And the other thing I think would be good too is I mean, you're always looking at threats, but I don't think it'd be that big a deal to get a security guard or 2 when there's something credible, you know, into that.
Rick:Oh, when there's something credible? Absolutely.
Justin:I don't think this would be a case in that. Right. You know?
Rick:But that's a different yeah. A different a a an adjacent
Eddie:learning. But along those same lines, though, and if forgive me if I'm, if I don't understand remember the situation correctly, but he was alone. Right?
Rick:Oh, yes.
Eddie:But there's gotta be
Justin:some situation where he was walking from the hotel he was, staying in to the hotel where the meeting was at.
Eddie:Okay. To my knowledge. Sort of situational awareness that you know you're an industry that that that could be in in, out of favor. And, yeah, is is it practical to walk around with security guard? Probably not.
Eddie:Right? But, you know, if you got other areas of the country that Well, sure. A senior executive Man, like, man, have 247. 747 armed guards. Right?
Rick:But, I mean, like, I I don't know. Like, I I think if all this
Justin:in that situation, even if a guard was with him, who knows if who would actually made it? It might have made a difference because he could only fire 1 bullet at a time in his hand, maybe.
Eddie:And does does one other person there, like, take away that bravado of somebody to approach and do I don't know. I've never
Rick:had that fun. And then this gets into all sorts of psychology and, like, how motivated is someone to do the thing and, like Right. This
Joe:from everything I'm hearing and reading, this person was quite motivated Right. And had made He took
Justin:a bus from Atlanta? Yeah. Atlanta all the way up to
Eddie:New York.
Justin:Yeah.
Joe:And there wasn't anything that'll stop a determined attacker.
Justin:Yeah. And then this is
Joe:a case where it seems like, the person didn't care care enough to stay anonymous. They didn't take precautions.
Rick:Absolutely right.
Joe:So Oh, you left a
Justin:cell phone at the scene, even though it's pseudo burner phone, like If
Rick:you're not, like, not that worried about getting caught
Justin:Yeah.
Rick:You'll you can be pretty brazen about how you go about doing this.
Joe:You're gonna accomplish your mission, unfortunately.
Rick:Yeah, I mean, like, we live in a society, so when people are like, I'm just gonna break all these rules all at once, like, there's not necessarily, like, structural ways to prevent some of those things.
Justin:No.
Rick:So, but as far as takeaways go, I mean, I think some of it is thinking about it in terms of, okay, is this legitimately a risky thing? I think executive training for a whole bunch of reasons is a good separate thing. That's probably
Joe:Included in that social media training, just know where you're gonna be, and let's not tell everybody,
Rick:I mean, if you want to pivot it into a thing that might have ancillary benefits selfishly as a security practitioner, like, maybe don't use personal communication channels for business things, mister or missus executive, because that's not terribly uncommon. Right? Where people like,
Justin:oh, I'm
Rick:just gonna send this thing from my Gmail account to this board member or whatever. Like, I mean, try to consolidate communication streams and stuff like that. But
Joe:Yeah. Yeah.
Justin:Yeah. Very good. So What are we drinking?
Rick:Let's drink.
Justin:This is some delicious stuff. Eddie, you wanna lead this through? You're you're the guy that
Eddie:knows this. Is, this is a sauteurne finished bourbon, right, from our distillers reserve collection. So, the distillers reserve is, our barrels that were distilled previous to Iron City Distilling being around. Right? And so I I mentioned to you that the, single malt program is very important to senior level managers.
Eddie:And and in our master distiller is a very fun, place in his heart for, for single malts. Right? So just exploring with finishing in different casks and in different, barrels. Right? So this was 6 year in a, bourbon barrel and then finished in a sauterne cask.
Eddie:Yeah. Right? Which is a sweet wine. So if you'll notice, it still has some of the gorgeous, like, buttery, caramelly, baking kind of bread almost notes.
Justin:Did you
Joe:say bacon?
Eddie:The baking, like, almost like a un un completely Yeah. Like bread. Right?
Justin:I like that. The
Eddie:sweetness of the wine on
Justin:your description and everything you had that adds, on the nose, it smelled like, fresh laundry and everything. My palate
Rick:is not necessarily the best. I don't know that I get fresh laundry, but I will say. So, I typically like just a a little bit of water or a cube for for my
Eddie:open everything up. Yeah. Absolutely.
Rick:When when I had when I had just a little bit of water in mine, I get so much, like, cocoa and chocolate. Yes. Like, it it really I mean, and again, not the best palate in the world, but, like, that's what gets me in the face.
Eddie:I'm so suggestible too. If you tell me, oh, I smell bananas. Oh, bananas. That's right. So now I'm searching for fresh, fresh lobster.
Justin:I don't know.
Rick:I get a
Justin:lot of love.
Rick:I'm gonna run
Justin:this truck right now. Someone smell toast? Yeah. Yeah. Yeah.
Justin:But it is, excellent. Very smooth going down. I do, taste the cocoa. It's all like a bunch that was actually on the official Was it? Tasting notes, and everything.
Justin:Yeah. But it's good. It, like, settles off into that, like, cocoa, a little bit of, like, floral sweetness, you know, with that. I think that's definitely the wine, coming through and everything. And
Rick:it's a little I like rye, so I like the pepper, like, the the a little bit, but, but it's a little it's it's peppery, neat, but it really, like, mellows out way quicker than I would have expected.
Justin:When we tasted it at the distillery, when we were picking this up, I actually asked, what the, rye was, because I got a little bit of spice in it. Oh, yeah. Even though it's a bourbon, which has to be mostly corn into it, I got, like, a good spice out of it.
Rick:So I was It was high. Right?
Eddie:Yeah. I don't know.
Rick:She didn't didn't necessarily a high rye, but I suspect it's higher.
Justin:Yeah. Exactly. Nashville. Yeah. Type of thing.
Justin:So cheers, guys. Yeah. Cheers. Cheers,
Rick:gentlemen. Good. Delicious.
Eddie:It's a good time to bring out a little gift I brought for all you.
Justin:Nice. Christmas time. Gifts.
Eddie:This is the holiday spirit. I got t shirts, iron,
Justin:silver, and silver. Pretty cool.
Eddie:Oh, that's awesome. I didn't know anything about sizes, so they're all extra larges, but Perfect. Feel free to choose a color that you particularly like.
Rick:So my rule with fortune cookies is I always take the last one, so you guys have to pick them.
Joe:What's your color there, Justin?
Justin:I don't care.
Joe:There you go. I'll go with this one. Nice.
Rick:Brilliant. Love it. Thank you so much.
Joe:Oh, look at this.
Rick:This is so cool.
Joe:That is awesome.
Justin:Just to show here, it has a 3 chamber on the back. Very cool. Look at that.
Joe:Do all of them?
Rick:Nope. No.
Justin:Oh, just a day. Why I picked you up. This was what you did. First.
Eddie:I love this.
Justin:This is fantastic. Thank you so much. We're, you
Eddie:know, we get all the all the, attention that we can get. Right?
Justin:So Yeah.
Eddie:Wear that proudly throughout Pittsburgh?
Justin:Indeed. Yeah. Very cool. Alright. So, what's next on the agenda here?
Justin:We have, oh. Oh. The one you dove into.
Joe:This is fun. Yeah. Who's heard of the, Google Willow Chip, which is the new quantum computer that Google put together and some of the stats. So if you don't know what quantum computing is, it's a function of being able to take all the bits, and they can be in a state of on or off at the same time and somewhere in between, unlike your normal computer, which it allows it to, do computation so much faster. And if you think about our normal cryptography, it is made to be able to last 1,000 of years.
Joe:And you've heard this, like, your password, if you have it strong enough and use right encryption, won't be a crack for 1,000 of years.
Rick:Because the math just makes there so many combinations.
Joe:Yeah.
Justin:Yeah.
Joe:Yeah. And it's so hard to, it's easy to go to the encryption, but to go and reverse it, very hard to do. So what does the, Google Willow Chip do? Well, it takes, computations, and it can do these in under 5 minutes that would take a modern supercomputer. Now this is the part that gets me.
Joe:10 septillion years. And so if you're thinking about what that means, 10 septillion years is if the age of the universe is one second on a clock. 10 septillion years would stretch that single second into a lifetime of countless universes repeated billions of times. So poetic. So thinking about that, it's like, what is,
Justin:Kinda wanted Carl Segan to say that a lot. Yeah. More than enough.
Joe:It's 10,000,000,000,000 Yeah. Trillion years. Yeah. So if you look at all the zeros, it's 10,000,000,000,000,000 years. That's what they've reduced with this chip to be able to crack or do computations in 5 minutes.
Joe:Yeah. And so there's an excellent video. Hope we can put that in the show notes. Okay. Yeah.
Joe:That talks about it.
Eddie:So are passwords gonna be irrelevant then?
Joe:Well, that's a that's a good topic. In fact,
Eddie:we're so sorry
Justin:about that.
Eddie:Public. Right? Yeah.
Rick:Everyone's gonna know exactly where I'm gonna be.
Joe:Yeah. And so, well, what what are you thinking here is that, and and the video is so cool. It shows how what they do at this layered set of this, computer, it gets down to the bottom part
Rick:Yeah.
Joe:And it's all these layers. And as you're going down through, this one layer hits this point that's, like, the normal cold temperature in Kelvin of the general universe and
Justin:outer space.
Joe:Yeah. And then they go down to having made this thing so cold that it's truly, in their estimation, the coldest place in the universe. And that chip is inside of that area with all this stuff because they needed to be so super cold to handle the stability.
Eddie:Yeah.
Joe:And what they did to make this thing more effective is you have now, not a play on your name, but cubits. Yeah. And you have more cubits you add, creates more stability on the way that the, chip works.
Justin:And they actually said that was one of the big things with this chip is that they were able to reduce errors out of this.
Rick:Prove provably so for the first time.
Justin:Right. Yeah. Yep. And that was a big thing with us. Yeah.
Joe:Yeah. And so what does this mean for us? Well, in a positive way, we'll talk about the infosec bad things in a minute. But in a positive way, they're saying by the year, 2030, nuclear fusion simulations, might be possible to actually achieve that. The way they can do pharmaceutical developments, like the impacts it can have, the battery technologies that you can get to are, you're just gonna be there.
Joe:But if you think about the, cybersecurity implications, well, now you have what what do the bad guys do? They they break in. Mhmm. They steal your data, and they encrypt, and then they steal that data. Mhmm.
Joe:It's probably, some of it is probably encrypted. So what are they doing? Well, the big big thing people talk about, they're sitting on that data until which time it can be cracked in the future because of quantum computing. And so now what what are your big risks? What do you have to worry about?
Joe:Get to worry about your threat assessment is what data may have been stolen, what's on, what's in that encrypted data stores Yep. And what could happen now if somebody's able to actually do this in 10 years?
Justin:Mhmm.
Joe:So what data could have been stolen that in 7 to 10 years from now, if it's decrypted
Eddie:Is still damaging. Damaging.
Rick:Yeah. I think that's fair. I told you guys at the beginning of this that I was gonna be the naysayer of this whole podcast. So I think this is super cool. I don't think your typical scammer has access to the coldest place on Earth or the technology to build this stuff.
Rick:They're not Google. So to me, part of this risk equation is, like, is it gonna be actually commoditized in 10 years? Right? And some of that's gonna depend on, okay, who's using this for
Justin:I think it'll be close. You think? Commoditized. I've been following Moore's law and everything. That's where I things move faster than what you anticipate.
Justin:I I get it, and I think there's a big hurdle because nobody's gonna have absolute zero computers running in their house. They have to find a way to actually have this at a room temperature, you know, before it goes, to the consumer level.
Rick:I think that's fair. It's when I was thinking about this, I don't know why, but in my head, I started thinking about, like, DKIM for email. Right?
Justin:Mhmm.
Rick:Introduced 20 years ago.
Justin:Mhmm.
Rick:It's every company you know using DKIM?
Joe:No. They're still not doing it.
Rick:They're still not
Joe:doing it. Look into.
Rick:One of the first things. I suspect that this technology is gonna get out there. Peep like, people are gonna do quantum encryption of things. Right? There's gonna be quantum decryption at the state secrets level.
Rick:Right? There there's gonna be all sorts of, like, political stuff with this. But I think from an actual corporate perspective and, again, I am don't no one employs me to own a crystal ball. Like, I'm not necessarily great at that. But if I
Justin:had to if I had
Rick:to guess, I think this is gonna go the road of DKIM to a large extent where specific things that need to be protected in very specific ways route through I mean, it's like quantum Zixmail or whatever, right, in the future. But, like, for the most part,
Justin:I I don't know. Thinking that it's gonna be the cloud service providers that will have a server you can rent or, you know, buy If
Rick:it's commoditized in 10 years, it'll probably take 40 years for the security around it to be commoditized.
Joe:Well, what I'm thinking is forget commoditization. I'm thinking nation states who are going to be able to do this like the like Russia, China.
Justin:Yeah.
Joe:They have the ability to afford it. I mean, if Google can do it Yeah.
Justin:For sure.
Joe:They'll be able to do it.
Justin:And China yeah. I was trying to get onto this as well.
Rick:And are they gonna be but the ability to do it and to potentially sell it to The highest bidder. Organizations that can pay for.
Justin:Keep in mind, not all encryption algorithms have the same effect on quantum, you know, with that. That's true. Absolutely. The ones that are at biggest risk are, like, the RSA, Diffie Hellman, those type of public private key Mhmm. Implementation.
Justin:So in that, if they trapped a communication between 2 servers, you know, that does the key exchange Yeah. Securely. But then you go into a, AES, you know, encryption Yeah. And that's actually resistant to quantum, with that. So if you just have something AES encrypted, that's not necessarily gonna be beneficial on
Rick:The math matters.
Justin:Yeah. Exactly. There's a lot of different and I'm not a encryption expert by any means, but the algorithm matters depending on, like, whether it actually does better.
Rick:Recently released They did. Certain, quantum resistant crypto.
Joe:Yep. Exactly. And and and one of the things I, nerded out on is what what they're called in the names in the back end.
Rick:I'll just look
Justin:into that in a
Joe:Yeah. In a minute. But, if you look at what other companies are doing, like Apple already is starting to employ things because they have, what's called the pq the p q three protocol Right. Which is a post quantum, crypt cryptographic protocol for Imessage, and it's designed to withstand future quantum based attacks.
Justin:Yeah. And I
Rick:think that that type of thing is what's gonna drive consumerization faster than anything else. Large organizations that are thinking forward and pushing it into things, so then it becomes a differentiator. So, like, oh, I'm on Android and I don't have this or whatever. Okay. Maybe it becomes a thing, but, ultimately, I just put myself in the head of these security professionals that are, like, hey, executive.
Rick:I need x dollars, so we can be post quantum secure, and then you go, what?
Joe:Right. But here's why it matters now, is because banking and transactions A
Rick:100% agree.
Joe:And if you're a CISO and you are, you're you're likely gonna get the question because your CEO is gonna be on the airplane reading the magazine, will see the article, is gonna come back and say, what are we doing? But but And you need an answer.
Rick:Yeah. So so when you say before about, like, oh, what's your risk profile for data that might have leaked before? It's not like I do think there's probably gonna be a bomb at some point that goes off or or, like, slowly goes off in terms of, you know, data explosion for fairly old data, and maybe that's damaging. But I think the bigger thing to your point is, like, banking, health care, so people know where, like, the class 1 drugs are and are not, like, all that stuff.
Justin:So even government information was already stolen. So are you saying that regulatory and compliance will actually be the ones actually pushing this at the end?
Rick:To think so I I I was gonna drop this grenade, and then walk away conversationally. Think about the privacy regs. Right? When privacy regs are like, oh, you're not, like, really securing these people's private information because it's not
Joe:quantum. To be able to get away with is
Justin:Well, they just say strong cryptography. Right. And that's it. But then, again, it comes back to who's pushing that definition, what's it mean?
Rick:As defined by NIST who says it's post quantum now. Yeah. Right.
Justin:Right. Right.
Rick:Right. There's stuff like that.
Joe:Well, real use case. So you get your data stolen
Rick:Yeah.
Joe:And if you can actually find a way to prove that the data that was stolen was all encrypted with strong cryptography, you you have the ability to, with lawyers' help
Justin:Mhmm.
Joe:To not contact that attorney general.
Eddie:Yeah.
Joe:To not Right. Do the disclosure because it is your safeguard.
Justin:Mhmm.
Joe:So, well, what happens now? At what point does somebody say, well, it was stolen, it was strong encryption, define strong encryption. Right. Was it quantum safe?
Rick:Yep. And this is why I think what you said is right in terms of, well, there's gonna be a bunch of, like, industry definitions of, like, oh, you're dealing with this. You and and I I think I could be wrong about this. Please don't beat me up too hard in the comments if I'm wrong. I do think that some of the, like, the, FFIEC or the NYDFS or some of the financial regs
Justin:Yeah.
Rick:Have said recently in there, like, hey, you gotta do risk assessments. Some of them have started to talk about, like Quantum? Start thinking about. Not, like, do anything I'm
Justin:trying to think if there's any publications. I I thought there was.
Rick:I could be wrong. Yeah. Yeah. Again, this is, like, a a bit of
Justin:a talk about those. AI and some of this stuff.
Rick:That's true too.
Justin:But I could be mixed. Sure they did it on quant I'd have to look it up. Yeah.
Eddie:Yeah. I could be wrong.
Joe:So thinking about some of NIST's, protocols, 1 you know, they they call it CRYSTALS, and CRYSTALS stands for cryptographic suite for algebraic lattices. And so I totally nerded out on,
Justin:on, like, lattice math. And,
Joe:if and if you think about it, lattice, they're complex, high dimensional mathematical structures, extremely hard for both, classical and quantum computing to solve, and they're made for, you know, basically doing this. So if you were to think about, like, a, multidimensional haystack. Okay? So picture a haystack with millions of points and finding the smallest needle, like, the most pinpoint needle, which would be, like, the shortest vector
Justin:Technology.
Joe:Or understanding this so that all depends on understanding the exact structure, of that haystack, which is practically impossible knowing the blueprint already. So the way that the quantum, proof algorithms will work is they use this multidimensional pinpointing math, the lattice, math, and try to navigate, encrypting something. You can do it because you know the road map, But try to figure it out without the map. Right. It's nearly impossible.
Joe:So that's why quantum computers are still not able to break this stuff. And so there's a a couple different algorithms that NIST has, said are good, and it's called Crystal's Dash. 1 is Kyber, and the other one is the lithium. So that got me thinking, like, where these names come from? That's very clever.
Justin:And
Joe:Kyber, where have I heard that before? Well, Kyber crystals are what your lightsabers are made of.
Rick:Not your everyday lightsaber.
Joe:Yeah. It's made of Kyber crystals. And, it's also, what the Death Star uses to power the super laser. Yeah. And so you think of that from that perspective.
Joe:So the name reflects the algorithm's role in, being a powerful, reliable tool to defend against quantum computing threats. So just like a lightsaber helps you, defend. The other one goes
Rick:to the other side of the world. Dilithium?
Joe:So dilithium. So if you're not a Star Wars fan, maybe you're a Star Trek fan, and the dilithium crystals are what they use to power the warp engines. Right? And so these are the 2 things. So hop on ChatGPT, Google about or, put in some, questions about the, algorithms that are naming.
Joe:You'll get some fascinating, information.
Rick:You're very clever
Justin:in the naming. They actually found trilithium in a episode of Voyager once, FYI. There you go.
Joe:Did it make that starship go twice 3 times as fast?
Eddie:Oh, it
Justin:went past the, like, the what is it, warp 10? Yeah. And then they, like, devolved or evolved or something like that? Yeah. It went into something weird.
Joe:We'll have to look that up again.
Justin:So we'll You can tell which one I I lean to. There you go.
Joe:You like the Star Trek?
Justin:Yeah.
Joe:So but, yeah. Look at what Google did. Look at the video.
Rick:That's pretty cool.
Joe:It is so fascinating to see them walk through. And these people, they have, like, the coolest jobs. I mean, that is just building the coldest place in the universe. Neat.
Rick:He has a pretty
Justin:cool job too. I As cool as
Joe:their job is, they're not making, whiskey.
Eddie:It's actually pretty warm in the Rick House.
Justin:Yeah. Not really. The opposite of the coldest place. So not absolute zero there. No.
Rick:What did you say? A 190 degrees?
Eddie:80 degrees. In 90 to 90 90 90 to 95 at the top.
Rick:Were you you were you said you were cleaning stuff with steam earlier today?
Joe:Oh, oh, yeah.
Justin:Yeah. Yeah.
Eddie:Yeah. So we steam clean all the gear after, you know, after use. And so steam is, like, just under 200 degrees. Right? Yeah.
Eddie:Not Well, over 200 degrees, the steam is, but we'll heat up the inside of the vessel until it gets to about 200 degrees.
Rick:Not the coldest place on Earth.
Justin:Yeah. Alright. Do we have time for one more?
Rick:Should we
Justin:do a
Rick:quick one? Super quick?
Joe:I don't know. I guess we're gonna do a quick one. What do you wanna talk about the password, best practices?
Eddie:That's a good I think that's a good one. Yeah.
Justin:I think that should be fairly easy. Yeah.
Joe:So well, what was the, the main point here is, there was So this was years ago,
Justin:and this redid a lot of their, stuff. We haven't talked about it on the episode here. But I get questions all the time, you know, on this, especially with the antiquated change your password every, you know, 3 months. It has to be, you know because we're in the butt. 3 out of 4 on the other side.
Justin:You can't
Eddie:use your previous password. Right?
Justin:Oh, yeah. Exactly. And there's a lot better ways. You know? And in fact, NIST, for years now, 5, 6, 7 years, they've they've yeah.
Justin:It's been a while since they updated, 863 b. And it goes through and gives very pointed, very reasonable advice into this. Some of it is if make it a very long password. No matter what it is, make it very long, you know, into that. That will disrupt most of the password crackers out there.
Justin:Additionally, you don't have to change your password unless there's a good reason to, you know, into that. Like, if you've this is the only place you've used this password, you know, on this either website or corporate or whatever, and there's nothing to suggest it being compromised
Rick:Why change it?
Justin:Why change it, you know, type of thing, which I think goes to a lot of it where, you know, you get a lot of people that aren't as security savvy or anything like that, and they'll just, they'll do, you know, spring, you know, 1, 2, 3, bang, whatever, 1 you know, whatever it is because it's constantly changing. So they go pattern based instead of something that they just remember, you know, into that. And it's funny for us. I don't know about you guys. Like, as a security practitioner, for years, I've been every single time, you know, you use a a password manager of sorts, and every single website gets a brand new password randomly generated.
Justin:I don't even know what it is, you know, type of thing. There's only a handful of passwords that I actually know. Like, one's to my laptop, one's to my password vault.
Rick:It's like phone numbers I have memorized. Like, there's not that many
Justin:of them anymore. And those are different, you know, type of things, distinctly different. And there might be a couple of more into there, but that's about it. Like, most of the passwords, like, I have a whole bunch of clients I have logins to, you couldn't, like, put a gun to my head. I don't know.
Justin:Right.
Joe:So some of the main takeaways of this new, 8163 b is, yeah, encourage longer passphrases. They're actually letting you, or encouraging the use of, emojis in there as well. And one of the articles that. Yeah. 1 of the articles, one of the senators said, oh, great.
Joe:Now the the poop emoji is gonna be used as part of the password.
Rick:It's an addition it's effectively additional characters. Right? You increase
Justin:Is that in the standard right now?
Joe:That's, what what they were saying is the ability to use different, character sets from the,
Justin:Yeah. Outside of the ASCII Yep. Normal, thing. That's interesting.
Joe:And funny funny thing, you know, I was looking that up too. I'm like, was it always the poop emoji? Well, no. It's the same, it started as a soft serve ice cream Yeah. Because there's a vanilla one,
Justin:and it doesn't look like that. Right.
Joe:And then you have the other one with the eyes, and and there you go. And then officially, it got crowned as as the poop emoji.
Justin:Yeah. Yeah.
Rick:That's just like language. It changes to do whatever people are doing
Justin:with it.
Joe:Yeah. Then then the other pieces of it is, you know, definitely you need to be able to put the multifactor authentication with it and passwordless technologies. So now you're starting to get to the passwordless Yep. Which becomes better, but also introduces risk. So think about it.
Justin:Why is that introduce risk?
Joe:Well, just think about, when you go to your lap I was just doing something to log in to something, and they said, oh, would you like to, be able to log in to this without a password from now on? We'll use, like a web auth and, the passwordless technology. And then what it wanted me to do is I scan my finger on my fingerprint on my laptop, and then it allows it
Justin:to go Passwordless. Passwordless. Yeah. Okay. I thought you were saying the passwordless.
Justin:Oh, no. No. That's another thing in the standard.
Joe:Oh, right. Yeah. That you should have common passwords already in there. And a lot of the implementations like m 365
Justin:Yep.
Joe:That they they have that.
Justin:Turn it off. Right. Right. Yeah. Which is great, you know, on top of thing.
Joe:So then I started really wondering, like, well, what's still the risk? Because at some point, you have a username and you still have a password. So the password becomes stored on your machine, and only the token then When
Eddie:it gets passed by the network.
Joe:Passed across the network. And that's what makes it better.
Justin:Yep. So, but Like, FIDO 2 is a popular Yeah. Passwordless, token. I use that not too many sites. It's actually unfortunately, it's not an easy implementation on websites.
Justin:I say easy. There's not, like, a common framework, you know, into that. It takes work to get into your app, you know, with that. But I wish it was very easy because it's phenomenal, you know, and it helps.
Joe:But then think about your normal user behavior. This is what I was really trying to get into. Like, why does this matter? How's it gonna help? Well, it's gonna help only if you were gonna remember that you set that up.
Joe:So what am I gonna do on a busy day? Or forget me. What's my mom gonna do on a busy day? And I go to well, the risk is is that you get a fake phishing website that's a look alike website that you're gonna go to, And all of a sudden, it pops up, and it says, what's your username? What's your password?
Joe:And the last thing I'm thinking of is, oh, I set up that password, this stuff, so I shouldn't be being asked for it. So my human nature is I'm just going to, log back in. So what's what's happening? Mhmm. I'm I'm reauthenticating.
Joe:There goes my password across the Internet.
Rick:And just to plus one that, I mean, all these websites are inconsistently configured. Right?
Justin:Right.
Rick:So one of them might be not following the standards, like, oh, you need to reset your like, your tokens expired, or we need to reset your password, or for whatever reason, we need to re authenticate. Yeah. Right.
Justin:Which, yeah, is fine, but one of the things that any good password vault, you know, worth their salt Okay. They usually have domains associated with filling that in, you know, type of thing. Worth their salt. Worth their salt. Yeah.
Justin:That was good. You know, so, like, if you go to a random website and say log on to your Amazon account, and it's, you know, Amazon with a dollar sign that's a z, your password vault would be like, I don't have a password for this.
Joe:Oh, sure.
Justin:You know, type of thing. So all of a sudden, it's off. You know? Like, it's not gonna suggest putting your Amazon password into a site that you haven't recognized before that you auth that. So So if
Joe:you're gonna really implement this well, I think there's a lot of good stuff in this standard. It's really gonna help, but you can't just again, there's still residual risk. People doing human nature stuff.
Justin:Yeah. Yeah. Yeah.
Joe:The stuff is you know, where where are the passwords stored? And now let's combine that with the last topic. So now what happens, somebody gets, on your machine. They exfiltrate the password store. Now they use their quantum computer and they crack it because they're not using the, strong,
Justin:proof.
Rick:Well, I I think one of my favorite things in the in that standard though is the essentially, like, the do dark web searches or do compromise password searches. Right? Because I think the value that has for organizations just to say, hey, there's a known breach associated with this username, or if organizations that are particularly evolved, they can actually they're actually pulling and I know, like, 2 of these organizations that are doing this. They're doing just sort of general dark web searches on user account names that could be related to employees. And so, yeah, does it match, you know, rick yokem, you know, rick.yokem@company.com?
Rick:No. But is it rickyokem@yahoo? Well, it is, and that's compromised, and then they auto alert the person. Say, oh, by the way, first of all, we saw something that might be a compromise of you. If this is your account, you should know about it.
Rick:2nd of all, if you've used the same password, well, you shouldn't have, but you definitely need to change stuff right now, and we proactively change things on your behalf. That's my favorite thing is that because it's extraordinarily impactful both for the company, but it also, like, kind of helps your employees using your resources to look out for them. We, when
Justin:I was working at, gift cards dot com, we found a pastebin script that essentially took any amount of credentials, like email, password, and test it against 200 websites, including gift cards dot com Yeah. You know, at the time. So if there was any type of credential breach of anything Yeah. They'd run it all through these scripts, testing walmart.com, gift cards dot com, and all.
Rick:100 biggest ones with some financial
Justin:dot com. Like, it just it just went down the the like, hey. I have a username and password, and I'm just gonna test it all, you know, into that. And they even they even set up in the script, they even set up test accounts to see whether their script was working. So they had, like, you would actually see and we saw on our side, like, they had an account that they set up with us that they used to validate whether they a successful login or not, type of thing.
Justin:So, yeah, it's, it's mature. That industry, like, the the criminal industry, they put a lot of time and effort into it.
Rick:But, Joe, you always say, like, well, what would the advice be? So my my number one is, like, oh, if you're a CISO or someone that, you know, influences a space, like, if you're not doing just, like, dark web or compromised password searches, absolutely figure out a way to start doing it. There's a couple. And then if you can level that up into also searching for similar named accounts, Right? For your employees that aren't necessarily your corporate accounts, but, hey, look.
Rick:This is John Smith. You're John Smith. I don't know if it's you, but if it is, I'm gonna let you know about it. Yeah. That's super useful.
Joe:Yeah. That's great. So, also make sure you check out the new NIST 8 163 b. Yep. And if your policies and standards haven't caught up yet, your auditors are gonna hold you accountable what you say you do, and you won't be held accountable to changing passwords every 90 days.
Joe:So definitely update your standards, make it work, adopt what, Rick said, and then take the things that Microsoft Okta, these other tools, build in to help you automate some of this stuff so that you can make this whole lot easier for yourselves.
Rick:I know we're wrapping up, but I have a that prompted a question that I wanna
Justin:ask you guys.
Rick:So, okay. So we're in a situation where we say, hey, we would love to update our password policies. Right? So but we can't just make things harder. We have to, like, give and take a little bit.
Justin:Yeah, I bet you do. We have
Rick:to give and take a little bit. So what we're gonna do, we're gonna make them more complex, but we're not gonna change them, you know, every 3 months anymore, whatever.
Justin:Right?
Rick:So if you're the CISO of this organization, and you're like, hey, I want to do this thing. And then, all of a sudden, some compliance person or or salesperson comes into your office and says, wait a minute. We can't change this because we have client contracts or we have these regulatory frameworks that might not be within your control, right, that are aligned to this old way that have these password change expectations and stuff like that. How do you guys think through approaching the the disconnect between, sort of, what's right and what might be compliant yet holding you back from that password?
Joe:The first thing I do is scoping, and I would say if that's a system that I can contractually legally not force getting to this better way
Eddie:Yep.
Joe:Scope that. Make my standards say that
Rick:Carpet to decide. Everything you're allowed to do, go do that.
Joe:Go do it, and then get with your lawyers and get on the phone. Yeah. Solve this problem.
Justin:See, I'd I'd take even a a a more slight of hand approach depending on how much they audit us. Like, if it's a customer that we never heard from them again, like, they never execute their right to audit. Be like, no. We're doing the best best practice. If it comes up, it comes up, you know, type of thing.
Rick:That's fair.
Justin:If it's more of a compliance regulatory thing where it is actually looked at, you know, that aspect, that's where you just basically have to, like, confront them, be like because there's a lot of stuff like HIPAA, when was the last time it was up? And not that it's specific to that level. Right.
Rick:But I understand.
Justin:But to those, like, standards and everything, like, you got a whole bunch of especially federal stuff that might be antiquated. They're just not keeping up to date. Yeah. And when you can logically say, hey. This government body that's paid to give expert advice says this is the better way, are you telling me not to do the better way, you know, type of thing?
Joe:I love that argument.
Justin:Yeah. But,
Rick:can I throw another Yeah? Inject into this conversation?
Justin:And who's signing contracts that specify exactly password standards? Oh. I've seen it. I've seen it too, but you shouldn't sign that. Get a type of thing.
Justin:But Because, again, you're basically, like
Joe:But here's
Rick:why you do. Right? Because you have lovely people like Eddie in his prior life trying to sell stuff.
Eddie:Badgering you until you signed
Justin:it. Right?
Rick:Trying to sell stuff. Or the other side. Right? You're Eddie's at my company selling someone else on the second. Yeah.
Rick:We're gonna buy this thing, but only if you sign this contract. Right? And it there is a commercial dance that happened, whether it's right or not.
Eddie:Like, the
Rick:reality, the pragmatic reality is that this commercial dance happens, and so
Justin:I just push back on that level of specificity, you know, type of thing, because if you're gluing yourself to the floor and say, this is the exact spot we were operating from a security 10 years from now. That Yeah. That could change. You know?
Joe:Yeah. I like I'd I'd say take Justin's approach and then just push back and say, argue with me why it's why why I'm wrong. Like, yeah.
Justin:It's just instead of saying, like, we're gonna change our passwords every 3 months, we're gonna have good password practices implemented within the organization Yeah. You know, and implement strong passwords. Like, that's the the verbiage you want and multi and I think you can survive off multi factor, you know, that type of thing. Yeah. But, again, you just don't wanna, you know, pigeonhole yourself into a thing that 10 years later, as we've all seen it throughout the industry, like, it changes, you know?
Justin:And then then we have to adapt to that and what's ever best practices.
Rick:And very little of it matters if you don't have good SSO. So if you don't have SSO, get better at SSO.
Joe:Yeah. Hey. This was awesome. Cheers.
Justin:Yeah, guys. Cheers. Gentlemen, thanks for coming out. Thank you. Thanks for glitching the shirts.
Justin:Yeah. Absolutely. That was awesome. Thank you everyone for tuning in. Don't forget to like, comment, and subscribe.
Justin:Definitely, with all the topics we're talking about here, tell us what you like between Star Wars and Star Trek. Star Trek is probably the better one. I'll get hate from that. And don't forget yeah. And don't forget to tune in next time.
Justin:Thank you all. Bye. Awesome. Yeah. We're out here.
Rick:It's Gunzo.
Eddie:That was great. Thanks, though.
Creators and Guests
