
Security Unfiltered
Keith Jones' Journey As Expert Digital Forensics Expert To AI Malware Researcher
This episode explores the intricate balance between career aspirations and parenthood, highlighting how remote work has transformed traditional workplace dynamics. The conversation touches on evolving priorities, the impact of AI on cybersecurity, and the challenges of pursuing advanced education while managing family responsibilities.
• The shifting nature of work-life balance for parents
• The importance of remote work flexibility
• Experiences in the cybersecurity field and investigations
• The role of AI in cybersecurity and privacy concerns
• The challenges of returning to education with family commitments
Speaker 1:How's it going? Keith, it's great to get you on the podcast. You know, I think we've been planning this thing for a while and you know I got burnt out towards the end of last year. It just seems to happen every single year I get burnt out. And then I went and, you know, decided to get sick with the rest of my family for all of the holidays. So I'm glad that we can finally, you know, get you on here and have a great conversation.
Speaker 2:Thanks for having me. I'm glad you're feeling better too, yeah.
Speaker 1:It's a. It was a blur last year too, I agree with that, yeah, yeah, I mean last year, I mean literally, you know it was December and I mean my head was still in May, it was still like thinking about the summer and stuff. You know it's I don't know. I think when you have kids, like everyone says that it like speeds things up, you know, but like it's so true, because every single day is, you know, I have a two year old, right? So every single day is her learning a new word or interacting with us a different way, or, you know, giving us attitude a new way, right, Like it's all, it's all fun and new. And when you have something like that, I mean it just, it just flies by.
Speaker 2:Absolutely. Mine are older, mine are like high school and college and my one recommendation is going to be don't blink, 'cause it's like mine came home for um uh, you know, the holiday break and he just left and I think we're the next time he comes home is going to be close to Thanksgiving. So it's like with a little man, just just adore that time.
Speaker 1:Yeah, you know it's. It's fascinating, right, how, how priorities change and whatnot.
Speaker 1:And I was always the kind of guy that when a when a better opportunity would come along, like I would just take it. I wouldn't even think about it or anything like that, right. Well, now I've been remote for five years, right, and I have a two-year-old and I have a second one on the way, due end of April timeframe. And fairly recently I had someone offer me a job, better opportunity, right, really big financial institution worldwide, a lot more money, right. And I mean, five years ago I would have taken that without, without thinking about it.
Speaker 1:Right, the big problem was that I'd have to go into the office three days a week and I sat there and I thought about, like the pay difference isn't worth me not being home when my kid gets here, right, like it's that it's a weird, it's a weird predicament, because even 10, 15 years ago, right, when I was getting into the field, I mean it wasn't even, wasn't even an option, right, like it was, like you're going into the office, that's what it is, you know, if you can't live with it like get out, get out of the industry, you know. But now, like we have that privilege of being like, nah, I'd rather, I'd rather be remote, to save the two, three hours of commute, you know, just so I could have those hours with my kid.
Speaker 2:Yeah, the company I work for right now. Their name is Corelight, and most of us, so I work in Corelight Labs, which is a research branch of Corelight. We make the algorithms that you'll see on the sensors and we have researchers that are literally scattered all over the world and it's really kind of neat because me, being on the east coast, I'll wake up at a certain time and I'll see a certain set of people on but they kind of fade off and then midday a new set of people come on and it's like we almost have 24 hour coverage, because even for a small team, because we're scattered so much, and it makes it really beneficial for a lot of things that we do, like keep the processes running and doing research around the clock and stuff like that.
Speaker 1:Yeah, it's way more beneficial and it makes so much more sense for technology, people, people in IT, to be able to be remote, right? I mean, if the pandemic taught us anything, it is that there's literally no reason for us to be in the office, like literally zero. Right, you can't use the excuse that technology isn't there, it's not available. You know we don't have it. You know the VPN only takes so many, so many users at a time, right, like, we don't even have that big of a trunk, right, whatever those excuses were, all of that is completely gone. You know them saying, oh, the business won't survive. It's like, well, you survived for two and a half, three years during the pandemic with everyone a hundred percent remote. What it like. What are you doing now? Right, like you know, I regularly have an Amazon recruiter reaching out to me every single, every year, every six months, something like that Right Seeing if I want to come on.
Speaker 1:And this past year, or maybe you know, four, four ish months ago, one reached out to me and said you know, it was like two weeks after the five day work week. You know, push from Amazon, right when they announced it. And I mean, he reached out to me and the very first thing I said was, no, I don't think I'm interested because I wouldn't go into the office five days a week. And that's really saying something, because even a year ago, I interviewed with a team there and they were three days in the office and I asked him I was like well, where's everyone located? And the hiring manager was like oh yeah, some people are in New Jersey, New York, Washington, Seattle. You'll be the only one in Chicago.
Speaker 1:And I said so I have to go in to work remote. He said oh, you don't have to think about it like that. I was like no, that's what it is. My entire team is around the globe right In different time zones. I'm never going to see them face to face in person. You just told me I won't, right? So what's the point? And he couldn't answer that question. Obviously, I ended up not going there. But you know, it's like these companies, they're really pushing hard for people to go back in when, like you just said, it's actually more advantageous for you to be remote, because now you have 24-7 coverage on a team that otherwise would never have 24-7 coverage. And if a service provider even claimed that they could provide, you know, coverage on threat research or security researching, they're lying to you because that doesn't really exist.
Speaker 2:Yeah, one of the in our area, around the Washington DC area, there's an interesting little twist because I, like you, I see these things come across. You know LinkedIn and stuff, and around here it tends to be government contracting type of work and most of that type of work tends to be classified. So it's like if you see something that's I don't know from like Raytheon or some you know really big defense contractor, you almost know immediately you got to go in for that and do the classified work. And you know, for some people, if they're not, they're not living in DC, they're not going to be able to do that.
Speaker 1:Yeah, yeah, no, that's that's a really good point. I mean, that's the. I feel like that's probably one of the very few industries as a whole. That it's you know. It's forever in the office. There's nothing you can do about it, and it's you know within within reason too right.
Speaker 1:You wouldn't want someone taking their work home, like that's illegal, yeah. Then then it was started like a whole other conversation of well, if it's legal now, then why was Edward Snowden illegal and you know all that, all that sort of stuff, right. But you know, keith, I really want to dive into your background right. How you got started, what made you want to get started right, because you know I view security as kind of like a crazy, not necessarily wild west, but of dive into security. So how did you find your way into IT and how did that evolve into security?
Speaker 2:for it but also kind of lucky. So if we go back way back, I mean in the eighties, I can remember programming on VIC-20s and Commodores and stuff like that as a kid and I was just always really, really interested in computers and computers. You know, if you're not as old as me and you're watching, listening to this, they were not all that common back then. So if you had a VIC-20 around that was a big deal as a kid. So you know I got to learning programming and stuff like that and then by the time I switched to college there wasn't a computer security anything in the 90s, the early 90s, when I went to college and when I did that I knew I wanted to be in computers and the easiest thing or the most matching major for that was computer engineering and electrical engineering. So I did a double major for bachelor's in that and then by the time I was done with the bachelor's I still kind of looked around and I was like I don't really want to design chips the rest of my life like CPUs and stuff like that. I don't want to write operating system code. I know I'm interested in this other stuff that during that time I was working at the school of criminal justice too. So I had exposure to cyber crime and just all sorts of crime. I even worked with them one time help them clean up a blood splatter room, so it was kind of it was a really neat as a computer guy. It was a really neat job to have back in the nineties. So I got to see the law enforcement side of side of things which kind of went with computer crime. But still nobody was calling it computer crime back then. And so I graduated with my master's in 99 and I figured you know what, I don't want to get a PhD yet because there's nothing in here that's computer crime related. If I did it it would have been straight electrical engineering or computer science back in 99 and it just didn't fit.
Speaker 2:So I went to work and, um, I started out because I had a programming background. I helped work on some security software, some like log correlation type of tools I think Splunk, but like way before Splunk, just to you know, match web logs to a login and not logins, but like your firewall logs and stuff like that. And in that I ended up transitioning into doing investigations. So when I say investigations I mean very loosely, not just, you know, remote attacker breaking into your network but also your internal employee gone rogue, or sometimes it was civil stuff where one company would accuse another company of stealing their source code and I'd have to look at it and say yes or no. This is, you know, this is or isn't the same as what you think it is, and I worked in that space for quite a while, somewhere between like early 2000s through about 2016-ish.
Speaker 2:So I did investigations for quite a while and in there I I had experience doing expert testimony in federal court, um criminal and civil. I've done state courts like Tennessee and some other states that off the top of my head I'm not remembering right now, but you know a handful of other states and um it gave me experience with a lot of different types of cases. So some of the cases were, let's see, for the testimony. A lot of the testimony tended to be insider cases. So one of my biggest one was um United States versus Roger Duronio and I testified back in 2006 in that one and I investigated it. It was about a couple of years investigation in front of it. I think it was like 2004 to 2006-ish. He committed the crime, if I remember correctly, somewhere in the 2002 to 2003 timeframe. So you know, when you get into these things it's not like a quick investigation and it's over. You get kind of into them for a long time, and so I would work on these longer investigations that would tend to go to trial, like that one, and in that particular case I would.
Speaker 2:I got up on the stand and spoke about you know this was the logic bomb, which was a piece of computer code that deleted data, and I demonstrated how it was spread on these computers and how it only could have been him and all that kind of stuff, and so that was probably my largest case. The other ones were things like intellectual property theft, um, like I talked about earlier, but my last case was probably the one that you know just if I can be vulnerable for a moment probably made me switch, which was a murder case, and that was completely different than all the other cases that I did, because I looked at computers from the defense and the prosecution. I was retained by the defense, but it was just a completely different experience from the. I mean there's still electronic components, so it's electronic crime in a way, because there were messages sent, but the true bread and butter electronic crimes of stealing credit cards and insider gone wrong. It just was a completely different ball of wax, and that was about the time I decided, you know what, maybe I should get that PhD.
Speaker 2:And I looked around and I still had trouble finding some universities in 2016 that taught true cybercrime. Most of them would teach policy-related cybercrime stuff, and I'm a very technical person, I code in most languages and just doing policy stuff wasn't where I wanted to go with my career. But Dakota State University had this program online that was for they call it cyber operations, which is like cyber crime basically, or computer security is how I think of it. There's cyber operations and there's cyber defense, and operations, I guess, is more technical, and that's the one that I did, and I ended up in that one writing a dissertation on how to classify malware using artificial intelligence, and this is before LLMs. This is like 2019.
Speaker 2:So I had to use things like tensors and the really nerdy and geeky stuff that we don't really talk about nowadays. We just say LLM and everybody knows what we talk about, but it was like the very low level PyTorch tensors that I ran this data through and basically was able to classify them and then so that's, that's the um, uh, endpoint. And then in 2019, I switched over to network. So I wanted to give you that lay of the land of we can talk about investigations, if you like, we can talk about endpoint malware dissection, detection, or we can talk about what all this stuff looks like on the network, which is what I do now, which is developing algorithms at scale for think like universities, really large universities, writing algorithms that'll say, hey, this traffic out of all your university traffic, this thing here is a beacon and you need to look at it. And that's what I do now.
Speaker 1:Yeah, it's really fascinating. So you, when you were getting your PhD, I was like just getting into getting my master's in cybersecurity and I saw that exact same thing where it was all policy, it was all theory, right, there was no hands-on keyboard. Um, and the the one uh university that I that I stuck with, I I went with, uh, Capitol Technology University sounds like it's one of those you know schools that are going to be like you know you're going to be getting a refund from, because it was a scam, you know, or whatever it was right, but but it was extremely hands-on, like, literally, you know we'd have four, four, five hour classes or something like that. You know four hour, five hour. And the first half you know you're talking about. You know the logic behind it, right, the thought process behind. Okay, like, I'm going to do recon on this network, this is what I'm looking for. You know they'll show you maybe a little bit of the like, the history of it, right, like where it started and now the tools that you're going to use and whatnot. And then the second half, like you're actually doing it. You know, like they, they walk you through setting up your home lab, right, what does that look like what do I even need? You know, and you're actually launching all these different attacks.
Speaker 1:You know the forensics one I thought was actually really interesting and I actually did pretty well in it. I wish I just had a better professor, which they now have a world-class professor in it. So I'm like even just tempted to go and take that class alone, you know, just to get the info. But it was really fascinating for me to see how to see like kind of both sides right, like how you can go back and you can basically pull anything from a computer's history you know in the registry, whatever it might be, and you can follow it all the way along.
Speaker 1:And then you know immediately where my mind goes is well, how do I get around that? How do I start manipulating that sort of thing? I guess that's that degenerate hacker mindset in me. That's like, well, it works like that. But what do I do over here? It's a really fascinating world. And now I'm getting my PhD from that same university and it is uh, it's a struggle trying to, trying to do it while having a little kid, you know, at home it's like, um, yeah, I should have done it when I was younger, honestly, yeah.
Speaker 2:I thought that too and I also thought there was a definitely a difference where I could appreciate more stuff because I had experience, especially in the real world experience. If I went away master's PhD job, it would have, I think, been a completely different experience than having you know over a decade of, you know, real world experience in, because it's just, you had a more well-rounded and well-rounded view of things and you had examples of things that you've done in the past and that you could work, you hit, you have you have your interests kind of fleshed out by then. You know there's a lot of things that I was very grateful that I did when I was older. But I agree with you, my kids were teenagers when I did it. It was just like trying to drop them off at things. You know their events, and then come back and then get this paper done and it was a juggle and I, once you get it done, you'll be so happy and you'll go. I'll never do that again, yeah.
Speaker 1:Yeah it's. It's like it's taken me forever. I mean, it took me like a whole semester just to figure out what I wanted to do it on, you know. And then, like I don't know, I've run into so many roadblocks and you know, the biggest issue, the biggest issue by far with achieving it which I can understand why most don't even complete it right Is all of school you're taught okay, the test is on this, right, the paper is on this, we want five pages on this. This is how I want the five pages to look. Like right, and you kind of just fit in the idea into that mold.
Speaker 1:In the PhD, it's like no, go, choose what you want to do it on, get approval to do it. Hopefully there's enough info there for you to do a PhD on it, right, you have to figure out how you're going to test it, like what the methods are, everything You're starting from scratch. I mean your PhD, you know, could be 20, 40 pages, which I'm already on like page 40, right, and I'm like not even getting started on my research or it can be hundreds of pages long. That's a crazy variation. Um, that you know, all of school basically doesn't prepare you for, and maybe it's because they don't expect anyone to like go and get a PhD, except for, you know, 1% of the population that goes through schooling. Maybe, I don't know what that is.
Speaker 2:There was a really good quote that one of my professors or advisors said to me one time, which was your bachelor years we tell you what the question is and then we tell you what the answer is. In your master's, we tell you what the question is and then you tell us what the answer is. And then when you get to the PhD, you tell us what the question is and you tell us what the answer is, and I thought that fits perfectly with my experience and even now with the research team that I'm on. There are things that I will just say I'm going to write a detection for this and nobody will ask you, nobody will tell you how to do it or anything, and it mirrors that process that you learn in your PhD, which is okay, Go out there, do your literature review and do this.
Speaker 2:All this other stuff and a lot of it is self-motivated that when you get on research teams like this with people with PhDs and so forth at least in my experience, no one there's very. There's probably just as many things that I'll just pick up and do just out of curiosity as things where the company says, hey, we'd like to develop this thing, so it's kind of nice and it does very much. At least my experience is very much mirrored what I experienced in the PhD of having some freedom to explore and come up with different things.
Speaker 1:That's interesting. No-transcript, or that. You're, you know, investigating the case to some extent. What is that like? Like, how do you get, how do you get verified to do that?
Speaker 2:well, let's see. So it's not like I jumped into the job. It kind of just was part of the job where I would do investigations. And then let's say, you do 100 best investigations and some of them might involve court. What a vast majority of what you investigate.
Speaker 2:If you find something, somebody's going to settle either criminal or civil and you don't really see court. It's just kind of to develop some data so that they can start making arguments and then somebody will settle right, but then there's that small percentage that the sides won't agree. You know, either be a criminal, where they're like, hey, I'm going to trial, or it's civil and they're like we're not going to pay that much, and they decide to go to trial. And in those cases I've already been on the case when it went to court. So I was just the. I was, I was just the person. There was nobody else that did it. So it was me and the process itself is pretty interesting and I haven't done it since 2015. So if there's any lawyers listening or anything like that, you know it may have changed, but this is, this has been my experience. So you'll typically get a case and you know I'll work for a company and that company will say hey, we're getting. You know, we landed a case. It's um, let me think of one that we did. Well, let me let me take the Duronio case. So it was probably 2003 ish when the company I worked for retained that case and I got assigned to it and it basically started with okay, we think this person deleted all the data on the UBS PaineWebber's trading system, so people couldn't trade stocks because back then, I mean it was computers were a lot harder to come by than they are now and it was like each office had this server and the server was responsible for processing these stock trades and stuff like that. So if you go in and knock one of those out, in theory they can't trade. Now, in reality, what happened was they just took out paper and they continued to trade. It was slower and they didn't get as much done, but you know, that's how they did it in the past and that's what they did when these systems went down. And so in that particular case, they said, hey, these systems were deleted.
You, there's no hard drives or anything you can look at, but we got these tape backups of what they looked like right before they went bad and I was like, okay, so you have to go down the whole path of I have these tapes and I got to figure out what format they are, I got to figure out what tape drive I need to get into, how to restore them, what programs they use, and there's like, you see, there's like all these steps you gotta do just to get to the data, and it's like you have the data at that point and you start doing an investigation and that particular one, I was able to pinpoint it down to a particular user which ended up being the person that was arrested anyways. So what happened was once you come up with your conclusions.
Speaker 2:So in the legal world there's two types of witnesses. There's a fact witness, which you could say things like I saw the red car go through the light. And then there's an expert witness who can give you opinions, which would be it was my opinion, the person was drunk when they went through the light. You know what I'm saying when it's like you have to apply some knowledge and critical thinking to it, whereas fact you can just that's it. You can only say the facts.
Speaker 2:So, as an expert witness, there's this whole process that happens with this, with these opinions, and you start it by writing a report, a physical like paper report, and you give it to the attorneys and then they'll give it to the other side and then they'll get an expert and then that expert will go through there and tell you why you're wrong and how could you ever think this way. You're completely wrong. And so you'll have you typically have some opposing expert that will be saying everything that you did is wrong, and in almost every case I can think of that I've been in, there's been that opposing you know expert on the other side. So once the report is done, typically and this happens more in civil but you'll be pulled into a deposition, which is you have to give live testimony and it's not in front of a jury like a court case is. But it's just as important because this is where they get you into your opinions on record more on record because it's coming out of your voice rather than your.
Speaker 2:I mean, you got your report, but now you're up there saying it right, and so you've got that record coming out and that's going to basically be available for them during the trial too. So even though people are thinking, oh, I'm going to testify in trial, that's usually the very last step in these things. So there's things like depositions, where it's just as important for the trial, but it's a completely different environment where there's no judge, there's just a court reporter, the lawyer you're with and the lawyer asking you the questions. And I've had those be wild. I've had lawyers throw their pens in the air because I wouldn't answer a question their way you know the way they want to meet you and all that kind of stuff.
Speaker 2:And it's just wild because there's just no there. There's no judge and jury, so they can pretty much do everything. But what's on the record is on the record. So when the guy throws a pen, you have the attorney going. I don't appreciate you throwing your pen and stuff like that just to get it, just to get it on record.
Speaker 2:So if you're at the deposition point and you've given your deposition and you they still haven't settled, whatever it is the criminal or civil case then typically you'll go to trial. And then you know, by the point you know you're going to trial, you've had a lot of this writing the report, doing the depositions and all that kind of stuff to get there. So it's not really a surprise or you're not really coming up with your ideas at the last moment or anything. You know it's months and months and months prior that you've written this report and it's kind of like going to trial, sort of putting the bow on the package where you're, you're now just basically saying what's in your report and then it's left up to a jury or a judge to, you know, find if you're what you're saying is believable or not.
Speaker 1:That's interesting.
Speaker 1:It's more of, I guess, like right place, right time. You're at the right company that gets that sort of thing and you're in the right role to be able to handle that sort of situation, which is fascinating, right, Because I would assume you would learn a whole lot, probably a whole lot more than you would expect. You know because you're now looking through, you know different ways of doing different things and the you know the background tasks of you know the bits and the bytes, right, like what's going on you know over here and how does all that tie together? Like what enabled them to, you know, delete that entire, an entire database, which was pretty crazy that that happened. And now they're back to trading with paper. I don't even know how that works, but I could imagine I worked for a financial services you know firm like that before that did a lot of trading and, man, if something happened to that data, I mean they might fire your entire floor just because you were on it.
Speaker 2:Well, this might give you a chuckle then, because when you're an expert witness, a lot of times the lawyers will only give you just the piece of the case that you need to know, so that way you won't be asked questions about stuff that you just have no business knowing about, right? So I you know, it's kind of like they kept horse blinders on me where I could just look at these. All I knew about up until trial were these tapes, right. So like that was my view of this whole story. But because I was an expert witness, I actually got to sit and listen to the whole case and all the other witnesses that went up there, and so what I found was there was a logic bomb set off by this particular administrator and I found it in his home directory. I found it on his home computers and stuff.
Speaker 2:And I thought, wow, you know that really. That really tied everything together, right. And I'm sitting there and then I'm listening to the secret service agent and he goes oh yeah, we, we found a printed copy of that logic bomb on his nightstand next to where he slept. It's like you almost didn't even need me at that point because you had it in his house next to where he slept, which was just. I've never heard of that, I've never seen anything like that.
Speaker 1:Since it's just crazy that's crazy that someone printed out right. I mean, what's the purpose of that? You're gonna hang it up on your wall, so, like I did that I have no idea, but it was.
Speaker 2:That's wild. I'm looking at this. I'm like I just built my opinion on all this electronic evidence and then there's, like this, one physical piece of paper that I had no idea was out there that basically said this guy definitely knew about this logic bomb. Wow, that's pretty crazy.
Speaker 1:It's, um, yeah, that's really fascinating. So you so you went from there into more research. Did the PhD kick off before you got into security research, or was it the same time, sort of thing?
Speaker 2:Pretty close to the same time. I did that murder case in 2015, but I was my whole life I've been doing software development stuff. So when I was an investigator and I'd work with other investigators, I would write tools. For instance, to do PCI compliance. You have to search for credit card numbers and at the time I was a PCI investigator, I didn't.
Speaker 2:There were no tools so I developed an extension for our forensics tools to search across it. So my interest has always been to write these things that help make one person look like 10, or at least help five people do their jobs easier than if they were to do it without it, and so that research part was always there for me. And at the end of that 2015 era, when I started my PhD in 2016, that's when I switched it was a pretty hard switch from doing just general investigations to malware analysis. So, specifically, I started focusing on malware. At that point, even though I dealt with them in investigations, it was more like I was like a general medical doctor in a way, and what I was doing is saying I now want to look at cancer research, that that was the equivalent of the computer switch of what I made.
Speaker 1:Hmm, Okay, that makes sense. So then you know, talk to me about being a security researcher. What is that like? Is your company kind of just like setting you wild on on a topic, right and and figuring out what's going on over there, or what is it like?
Speaker 2:Sometimes. Sometimes I do, and sometimes I come up with them on my own. Sometimes they give me an idea as they run with it. Sometimes they already have an idea of what they want. So you'll have these like company ideas where they'll say hey, like for instance with Corelight, we have this part that I helped write called application identification, which looks at connections on your network and tries to tell you something about them. So, for instance, if you were going to GitHub to get some source code, this algorithm that I wrote would notify you and say oh, that connection there, that's GitHub and oh, this connection over here, this is going to LastPass and this connection over here is going to Microsoft Office and generic things like that. The company will tend to come to me and say, hey, we want something that will do this. And that was one example where they basically said I want this idea and I just sort of ran with it and figured out the ways to do the detections and alert the user and stuff like that.
Speaker 2:Some other ones, like if you follow some of my postings, I will quite often post a detection for a malware family, those I just pick up. So a lot of times I'll be crunching big, big data sets with, you know, think big universities, all their connection logs, you know, looking for patterns and stuff like that. So I have little gaps of time where I'm waiting for computers to do stuff. So one of those gaps of time I went to ANY.RUN and started looking through their, they have like this top 100 or top whatever number it is list, it's a giant list of these are all the submissions that we have and they basically rank them from this is the most submitted sample to the least submitted sample. So when I get bored, instead of doing a crossword puzzle or something like that, I go to that list and say, all right, I don't see a detection for this malware family, and then I'll start poking into their PCAPs, which they allow freely that you can download them out of that network section, and I'll start looking at, looking for C2 or whatever it is that that malware family will do, and then I'll write a detection on it in Zeek and then I'll publish it to the open source community.
Speaker 2:But we also will put it in the product. So it really does vary from you have a vision of something to hey, that's a great thing that you developed. We didn't even think of doing that. So when you're a security researcher, I find there's a lot more, um, freedom to do those things, especially if you have a track record of doing them before. When I did the first couple malware ones, I didn't really know how to go about doing it. I didn't know the best way of doing it. But now that I've been doing it for about a year and I've done, I don't know, maybe like 10 or so malware families, you know, it's just like it's just a part of what we do now. Nobody really thinks about it. I just will go, pick up another piece of malware and then I'll write a blog about it, send it to our marketing and then I'll go back to my day job.
Speaker 1:Hmm, you know what. What does, what does malware-based detections in AI mean? I feel like we're getting into a place with AI where we're kind of opening the diving into this AI thing. None of them know what's going on, right? They have no security controls around it, they have no concept of security around it, and you know it starts going into a place where you know, well, how do you know that they're not mining our data to go and sell it to someone else or make their model better, right?
Speaker 1:Or how do you not know that you're not feeding, you know, a piece of malware that's underneath their code, that they're not even thinking of themselves, that they, you know, somehow got infected with this piece of malware and now it's, you know, maybe siphoning data off of over to, like, you know, the Chinese model. What is it, like, DeepSeek, right? What does that look like, even using AI to do malware detections? Because at some point it's going to figure out the detections that you're writing, maybe the logic behind it, and it'll extrapolate on that. So what's your thoughts on that?
Speaker 2:Well, I started playing around with LLMs several months ago and what I've been learning, developing with LLMs to do certain parts of my job feels like it's so foundational. It was probably equal to when I learned Python. It was like it's just a new giant tool I can do stuff with. And, like you said, when you use it as a tool, you really need to know everything that's going on. And I'm saying this with a smile on my face, which is, if you go to ChatGPT, right, and you just start putting personal data in there, I'm sure they have some kind of privacy policy and they have some kind of processes behind there, but you, as a user, do you really know? You really know, right?
Speaker 2:I mean, you got to kind of trust them, right? And then on the other hand, um, DeepSeek, on the other hand, has a chat application like ChatGPT, and I haven't used it, I've just read about it so far. I use ChatGPT a lot to do comparisons, but from what I read they, yeah, were sending your data over to Chinese servers and I would assume that it's probably going to be used as a data training set. Because, from what I understand, DeepSeek was actually built because there were export restrictions on AI technology. So there was a group that says, well, we can't use this really powerful technology to basically crunch these things out like the big Facebooks and Googles can, so we have to find a more cost efficient way of doing this but still getting great results. Supposedly, they have a way that's a lot cheaper than the other people like the Meta, the Metas out there and so forth, and you know that's. You got to assume that when you're sending that data and they're trying to train these models to be bigger, better and faster, to be, you know, basically, the, it's like the moon race, right, it's like there's I would. I would think that they would take your data and use it in the training model.
Speaker 2:And now, why I think this is interesting was because there was a blog article that we wrote just a couple days before I started practice or just playing with ChatGPT to see what it could do and stuff. And so I started asking it questions about just research that I had been doing. And I asked it a question about detecting something that we'd done recently. But I didn't, I didn't say anything about who I was or anything and it went and found the article that we wrote on that particular thing and it told me it's like you want to use this find command. I wrote that find command. And it was telling me it was a very, very unique find command that when I saw it I was like, yeah, I definitely wrote that find command 'cause I use, like, certain directory tokens and stuff in there.
Speaker 2:And so, yeah, you got pretty much have to assume that anything you send to a service is probably going to be used as training at some point.
Speaker 2:And you know there's a lot, a ton of celebrities that are upset about that because you know their likeness and all that kind of stuff. So my solution to the problem is this: if you want to use an LLM, there's a lot of open source software out there. There's one in particular called Ollama, O-L-L-A-M-A. You put it on your computer, I know it runs on Mac and Linux, I think it runs on Windows, and you can pull down most of these models that are used in these chat applications and you can run it all local on your computer and not send data anywhere. So, for instance, the DeepSeek people released DeepSeek a week or two before they released their actual application that you have on your phone, and so if you want to play with DeepSeek and you're worried about sending your data over there and you want to see what it does, you can run it locally on your computer with Ollama and run the DeepSeek R1 and ask it questions and at least not worry about that data going anywhere.
Speaker 1:Huh, wow, that's really interesting. That's fascinating.
Speaker 1:It's, yeah, we're in a weird place where it's difficult to check how your data is being used in those models, right, especially with the Chinese models and whatnot, right, like I read some article it was a long time ago that surpasses any other.
Speaker 1:You know countries, you know like nationality or or you know urge to do better for the country itself, like they really instill it in their people, right, and so they talked about, like, even the risk of like hiring Chinese nationals that have spent, you know, decades in America. They talk about the risks because it's like, yeah, they've been here, they probably love America, but you know, the love that they have for China will greatly go over, above and beyond what they have for America. And so you have to like really vet their loyalties and whatnot and almost expect them to go the China route if they needed to, to make sure that China overcame whatever difficulty it might go through, right, and that's really fascinating because I don't even I like barely view, like being an American citizen. I mean, I'm very much all for America, right, but I don't know, I feel like that's still a different level, that's still something completely different. And so now we're kind of going into a place where these models will be used against us and we trained them.
Speaker 1:You know that's a. That's a. I feel like that's something that no one really wants to talk about right now.
Speaker 2:Yeah, we're. I think we're still figuring out what these things can do, because almost daily I will think of an idea and I'm like I wonder what the LLM will say to this and I'll put it in and I'll be completely surprised to be like I can't believe it. It was so spot on. I mean, there's plenty of times it's not, but there are other times where I'm like there's no way it's going to get this and I put a question in and it comes back and I'm like, oh my gosh, I just didn't expect that.
Speaker 2:And I would say, to add on what you're saying, I, about 15 or so years ago, I did an expert witness case where it was theft of intellectual property. It was criminal. If I remember right, I think it was criminal, it was Department of Justice, so I think had to be criminal. And what I learned is there's a whole like the cultures are different. Even so, business wise, in America we write contracts and if you and I have a contract, you know in a perfect world we would abide by that contract and if one of us broke it we would sue the other person and they would get you know the situation and get rectified side, whereas in a particular case that I was an expert witness for. I found that, or they explained to me that in China you'll have contracts, but it's more like a suggestion than it is what it is in the U.S.
Speaker 2:So in that particular case it was kind of like you said, where there was this American company that built some software and they wanted to go reap the reward of being able to sell it in other countries like China and it's more difficult, I think, at least back then, to sell in China. You had to have an office in that country and all sorts of stuff. Well, what they did is they took that software, put it on a server over there and put it in China, and then they were like, oh, you're in America, you can't do anything, this software is ours now, yeah, and basically you know, owned it, and what happened was the person that was still in the U.S. That was the person that went on. You know that I was an expert witness in his case, he was the defendant.
Speaker 2:So you know that that threat has been there for probably a couple of decades, where it's like we want to be able to sell our product, either a physical or software product, and there's this great market over there, but if we sell it over there, we're running the risk of being reverse engineered or stolen or something like that. So, yeah, it's. I think that that older style of intellectual property theft that we saw for so many years is just now kind of translating into LLMs, where LLMs will just eat up as much data as it can in order to train itself, and that's kind of, in a way, like taking other people's intellectual property if you, if it's not already public information right, yeah, I uh, you know, I, I work for a large automotive manufacturer and we have a whole Chinese division and everything else like that.
Speaker 1:And we were talking about I think it was my architect was talking about you know, different security controls in China and stuff like that that we had. And I just looked at my CISO and I said we're in China. And he said, yep. I was like so none of this even matters. Then they have everything that we could ever have over there. He goes yep, and I said, are they at least different cars? He said no. I was like, okay, so they have everything that we sell. Then and the discussion ended right there.
Speaker 1:It's very safe to assume we have a presence in China. You know, China has a policy where if it's in China, it's the, the Republic of China's, uh, property, basically right, and there's nothing that you can do. And so now it's it's turning into like AI models and consuming all the data that it comes that comes with. And you know, we're getting into a place where it's almost like these models are going to start writing themselves, if they're not already, and we don't know about it. Right? I mean, is that kind of how you see it too, because we're going into a place where, you know I mean even ChatGPT was saying that they're running out of data to train their model. I mean, they're running out of data in the knowable world. How insane is that.
Speaker 2:It is. It's crazy the part that I sat back and when I tell people, especially that are out, not in the computer world, and I say, listen, so I run these ChatGPT-like models, pick like DeepSeek or whatever, I actually like Phi-4. That's Microsoft's model. It's very good with cybersecurity questions, so I've been using that one and I'll run that locally. But I'll run these prompts and I'll get some data out and I'll be like that's not exactly what I wanted. So what I'll do is I'll take my prompt that I usually send to my, my Phi, my local model, and I'll go to ChatGPT and I'll say, listen, this thing is producing some data that looks like this. But I really want it to look like this. How can I make this better? And so I have one chat actually making my prompts better for my other chat and it actually works.
Speaker 1:It's crazy, wow. Yeah, for you know, for a lot of the PhD research that I'm doing, I'm doing a literature review right now, so I'm using Grok and ChatGPT pretty heavily, you know, finding the right papers, finding the right quotes even within the paper, tying it all together. It's really fascinating to see the differences, because there will typically be, you know, maybe 80%, like if I say, say, find me the top 10 articles on, you know, quantum requirements for quantum encryption to work, maybe seven or eight of the articles will be the exact same. You know same sources and everything. But then it's those outliers. You know that it's that it categorizes something higher above another or adds in different articles and whatnot.
Speaker 1:Um, and it's it's interesting to see it just pulled together because it's like the new, it's like the new version of the search engine. I don't go to Google. I didn't go to Google like one time to find any of these articles. I literally just went to this LLM and I mean it probably knows more my, it probably knows exactly what I'm researching and, you know, has its own dissertation in the background ready to go.
Speaker 2:Ask it. Ask ChatGPT what it's learned about you. That's an interesting response. So I'll I'll ask it things. I'll just think of random things. I'll be like what's the funniest thing that I've told you? What's the coolest networking thing that I've shown you? What's the coolest coding thing that I've shown you? What's the coolest coding thing that I've worked on? And it'll weirdly summarize stuff that you did like 30 days ago.
Speaker 1:Oh wow, I'll have to. I'll have to do that Like as soon as we're off here. It's pretty cool, that's really fascinating. It's interesting too.
Speaker 1:And then there's like a whole poisoning aspect of these models, you know, like where I mean I don't want to say that Google's model was poisoned, Right, but the way that it was coded was obviously very biased towards one like subsect of the population in a very odd way, right. Like I mean, someone gave it the prompt like give me a picture of a Nazi, and it had, like an African-American person you know as a Nazi, and a Nazi uniform was like that. That would never happen, right. But I'm thinking of it in terms of when you ask it for some type of critical information and it gives you the wrong answer intentionally, it makes it seem like that's the right answer. It gives you different sources for it. Maybe it even created those sources, you know, and so now we're having limited ways of even verifying or validating that information.
Speaker 1:You know, like the Google model was very obviously incorrect. It needed some tweaking. Google admitted it, right. But what if you don't know? Like you legitimately don't know, like for my PhD research, some of this stuff I legitimately don't know. It could tell me the wrong thing and I wouldn't know it and I would include it in my research, not knowing that it's wrong, and I mean you have your PhD, right, so your resources are.
Speaker 1:Could be potentially hundreds of citations, right, Hundreds of articles that you pull this info from. Who's going to go and check 200 articles that you claim to be in your research? It's very small, right. And now we're turning into this thing that's being informed by a model that's potentially being influenced. You know in some other way that we're not seeing.
Speaker 2:Yeah. It, it, whatever input they give it is whatever biases it's going to have. So it's it's. I've looked at a lot of those models through Ollama and you know I could. It's almost like when you see these models it's kind of like meeting a new person because you ask it a question and you ask a technical question and one will be like really good at you know, bulleting it out and stuff.
Speaker 2:You ask another one and it'll be free form when it tells you and it's really strange but it's like I just uh, I just had a brain fart there for a second. Sorry, these, uh, oh. So the the models themselves, I find each one will have its own strength and weaknesses. So the Llama model, not to be confused with Ollama, but the Llama model written by Meta, is very, very good at just natural language narrative responses. Where I found the Microsoft model, its bias in a way, is it's really good at, in my opinion, at cybersecurity questions. I can ask it pretty up to date cybersecurity questions and it, it gets it, whereas with you know the Meta one, I have to tell it a little bit about cybersecurity for it to get it.
Speaker 2:Model that came out, the DeepSeek R1. When you run it it looks completely different. It looks like it reasons. It doesn't just say here's my answer. It basically says okay, in order to answer this question, I've got to do this, and then it does that and then it's like, okay, now that I know this, I gotta know that. And then it does it and it's like it tells you how it reasons and then it goes. Here's my answer.
Speaker 2:Yeah, it's really kind of crazy. If you get a chance to play with it, it's, it's a lot of fun to see it. It, it looks like a human reasoning when it answers you. But my point being is it's you know there are, there are bad biases out there, but there are also these biases in a way of which model can answer the question. You're going to ask it correctly and I just know if I'm going to ask it a cybersecurity question, I'm going to pull out Microsoft's model. If I'm going to ask something narrative related, where I need a nice passage of English text, I'll probably go to Meta's and ask it the question. So you just kind of you got to play with them and kind of understand them.
Speaker 2:It's interesting.
Speaker 1:I mean it's almost like there's some sort of bias towards, maybe, who was creating it. Right, like you think about how Meta's model, you know, does better with text, or you know the flow of language and whatnot. Well, I mean that's probably because they probably trained it on. You know Facebook, right, and they see how everyone talks and the differences between different countries and the language and the slang terms used and everything else. Like that. I mean there's nothing else on the planet that would even come close to that. Right, like, especially if you're using that model and you're saying, oh okay, two, three billion people use this thing every single day. Go learn everything that you can from it. How are they talking and whatnot.
Speaker 1:And then you know, like I kind of brought up before the differences between Grok and ChatGPT. Right, like, there are smaller differences. It seems like almost ChatGPT is more I don't want to say like legalese, but more professional in how it answers things, and Grok is a little bit more, you know, free form, almost to some extent. It'll give you the same info, but it responds on a little bit more conversational than ChatGPT does in some ways. Right, but it's, it's fascinating. We're moving into an area where, you know, I've been saying it for a couple of years now right on the podcast, where one of the top emerging fields is AI security. And then the next question is people ask me, well, what's AI security? And I literally my only response is I don't know. Like we're still trying to figure it out.
Speaker 2:I was reading an interesting thing that people are trying to fight back against these AI web crawlers that will, you know, pull in, pull in tons of web data and use it for training, and there is said that they're basically using a tar pit like tar pit, like the, the defensive tactic that was used in spam years ago.
Speaker 2:They're basically doing the same thing where, where these AI bots will come to your website and start crawling for data and, instead of you saying, all right, I'm going to give you my normal data when you recognize it, you go, I'm going to give you a bunch of links and you're just going to keep traversing down these links and I'm just going to make you busy forever because you're bothering my website. Wow, and yeah, it was pretty interesting. I was just like I was sitting there and I was like I never even thought, like I would never even have thought to do that. Right now, you, you have people that are basically building defenses against these AI bot crawlers because it's hitting websites millions of times a day to pull in new, new data wow, I mean it's gonna make people it's right there.
Speaker 2:It's like a job right.
Speaker 1:I mean that, yeah, that just made a job of how someone has to defend against this stuff yeah, I, maybe I need to go like form an AI security company where all we do is AI security stuff. I'm sure it would be like bought up, you know, by X or someone, like immediately as soon as you do it, you just got to have one customer. That'll be interesting. But you know, Keith, this, uh, this conversation has been really fascinating. I really enjoyed it and I need to have you back on. I mean, I think it would be really interesting to have you back on, maybe even in a couple months, right, like with the, with the rapid pace that AI is, uh, is you know, evolving, it might be beneficial to have you back on soon.
Speaker 2:Absolutely, I'd be happy to, and whenever you need anything, just let me know.
Speaker 1:Yeah, absolutely. Well, you know, before I let you go, how about you tell my audience you know where they can find you if they want to reach out to you, where they can find your company. And I saw that you have a podcast. I don't know if you're still doing it, but all that info I've been doing it off and on.
Speaker 2:Basically, I just make fun of electronic crime criminals and how they get caught. But if you want to get a hold of me, probably the best way, you can hit my blog first. That's just dr, as in doctor, keithjones.com, and if you don't spell Keith a lot, it's E-I, not I-E, and that would be my personal blog. My work, the company I work for, is named Corelight and they're corelight.com. They have network sensors that detect a lot of these things that I was able to talk to you about today, and you can find me on LinkedIn. I'm always on LinkedIn. That's probably the number one social media place that I'll visit the most, and just do a search on there for Keith Jones and I. I'm in Maryland.
Speaker 1:I'll I should pop up there pretty close to the top. Awesome Sounds, great. Well, thanks everyone. I hope you enjoyed this episode. Thank you much.