Joseph Carson:
Hello everyone. Welcome back to another episode of the 401 Access Denied Podcast. I'm the host of the episode, Joe Carson, and it's really a great pleasure to be here with you today. I've got a fantastic, awesome guest. Somebody who I've seen a few times speaking and his talks are always impressive. So, I'd like to welcome this special guest to the show, known as Sick Codes, and sometimes referred to as Casey once in a while, I guess doing some impersonation. So, over to you, Sick Codes, to give us an introduction, who you are, what you do, and some of the things you enjoy.
Sick Codes:
No worries, man. Thanks for having me on. Great to be here. Yeah, I think we keep bumping into each other in Vegas and things like that. DEFCON just happened. My name's Sick Codes. Australian obviously, you can probably tell from the accent. Yeah. In the recent years, I think I've done some pretty interesting stuff that you might have seen. Jailbreaker John Tractor produced some research on a TCL TV that ended up getting, well, practically banned from the United States almost. And a couple other things, just other random stuff. And always making sure research is taken care of in the domain because people like to get... Companies got those big hands and sometimes they try to huff and puff at people.
Joseph Carson:
Yeah, they try to push it aside, and that's always getting into the safe harbor side of things. You try to make sure that you're doing the vulnerability disclosure. It's always important to have that two-way communication, and a more allowing the researchers to share their work. Because ultimately, people like us, we want to make the world a safer place. We're doing it and helping organizations find those high-risk areas, where we're showing the risks without taking, let's say, maliciously. We're doing it in an ethical way and giving them the opportunity to make sure that it's not maliciously attacked later. Which could cause them a lot more devastation, a lot more problems than the way that security researchers are doing. So, how did you get into this? What was your path? Where did you start?
Sick Codes:
Well, I won't get in too far back because there's a lot of crazy stuff that happened back then. But in the last couple of years I think I met Casey just through working on stuff, contract stuff. I eventually just weaseled my way into white hat behavior, if that makes sense. Anyway, and we started doing cool stuff.
Joseph Carson:
Okay. It does indeed.
Sick Codes:
So, we had a look at TCL, and TCL televisions I'm sure you've heard of them. Everyone's seen them. A couple of years ago, nobody had actually heard of them. We basically, me, I started myself. I went on my friend's team viewer, we're looking at his TV and we're like, "Hang on, what's all this stuff?" Anyway, long story short, Department of Homeland Security ended up actually basically saying that TCL is being looked at because of the back doors that they allegedly put into their televisions. The funny part about is I called it. I didn't call it a back door, so I called it an extraordinary vulnerability. Basically through the press, I think it was PC Mag, Security Ledger as well with Paul Roberts, who was the subject of the talk the other day at BSides as well on the panel. Yeah, basically they ended up getting in big trouble. Big, big trouble.
Actually, funny story, they had just sold. I'm sure you're aware about this big huff and puff about Huawei and TCL and Shami getting banned and sanctioned and they keep swapping each other's products. Just before this happened, TCL had actually purchased the branded, the Honor phone off Huawei and they were going to start selling it in the United States. That was just before this happened, and then I published research on them and they basically got smacked down as well. It's like whack-a-mole. Sometimes you got to take stock and figure it all out.
Joseph Carson:
So, what's the process? What method do you go about finding these vulnerabilities? Do you have a process that you standardize on? Do you try to extract the firmware or do you just basically monitor the communications? What's the methodology you use?
Sick Codes:
Well, I think I usually start from what sort of product am I looking at. Am I looking at industry? Am I looking at critical infrastructure? Am I looking at something just random like an airplane? I've got an airplane wifi over there that I'll show you later. I didn't take it from the airplane myself. It was sold on eBay. Actually, that reminds me, I've got a voting machine right here.
Joseph Carson:
You have a voting machine?
Sick Codes:
I've got a voting machine right here.
Joseph Carson:
Fantastic.
Sick Codes:
I've started taking it apart.
Joseph Carson:
Cool.
Sick Codes:
And I wanted this. For the headphone users only, I've got a massive Voltronic 1 here. There you go.
Joseph Carson:
We're sitting looking at a voting machine for those who's just listening to the audio, which is pretty cool.
Sick Codes:
Yeah, it's quite funny. The funniest part about it is that-
Joseph Carson:
So, what's some of the ports you use? Are they all easy extractable as well? You can easily take them off.
Sick Codes:
I don't know how explain it other than, can I say the S-H-I-T or not?
Joseph Carson:
Absolutely, yep. You can be.
Sick Codes:
It's a fucking shit show, man. It is a shit show. Fuck. Look at the CPU. It's an Intel L Terra I386. Old school, right?
Joseph Carson:
It's really. Yeah.
Sick Codes:
It's these little chips here with the, this is the vote count or something. And it's two megabytes. It's just a bit of mayhem, but I'm just having fun. I bought it two years ago and I thought I'd just have a crack at it. Off eBay. A lot of stuff from eBay.
Joseph Carson:
Yeah, eBay is our friend in regards to getting access to... And the worst thing, some of the things is that when you buy some of the things is that ultimately they're pre-used, which means sometimes you can actually find a lot of sensitive information on a lot of this equipment as well. It's because it's not that you're buying it brand new and they've never been used. It's you're getting it from basically someone who's basically decided we've it got sitting in the storage, let's get rid of it, let's just put it on a eBay and see if we can make some money back from it. But they never go through the proper process of actually erasing or getting rid of even some of the stuff in the memory or even the disc or storage. You can easily get a lot of quite of interesting information from them.
Sick Codes:
Sometimes it's actually impossible to get rid of the data, because they haven't actually implemented some sort of bleach bit level stuff. But if you look on AliExpress and things like that, you can buy secondhand chips that have been out of print, so to say. They're not in production anymore. Those chips have been literally cut out of a PCB and you can see them online. They're literally secondhand, all the data's on them, you don't know what you're going to get. Sometimes it's a phone, sometimes it's an old Samsung unencrypted with all their contacts and cookies and whatnot. Sometimes you get these cool things like John Deere tractors.
Joseph Carson:
That's pretty awesome. The John Deere one is always an interesting one because you always give them... So, you got to play Doom.
Sick Codes:
Yeah, so last year-
Joseph Carson:
On a John Deere tractor.
Sick Codes:
Totally. I think, so the long of the short is last year a gentleman named Paul Roberts, who got the idea from someone else who's a big right to repair advocate, which is a big issue at the moment.
Joseph Carson:
It's a massive issue. I'm happy with the direction it's going because it has been a pain for a long time.
Sick Codes:
Yes.
Joseph Carson:
And also it's get into a lot of the acceptable rights and software bill of materials. All of that needs to be pretty much redone in order to make sure that we have the right to repair.
Sick Codes:
Yeah, if you look at the last, I think last month, Paul and a couple of fellows, Kyle Wiens from iFixit, they went on the House Judiciary Committee for cyber internals copyright or something. Some of the people on the panel, well, Darrell Issa, who's the chair of the committee, they were there when they wrote the DMCA. That's how long that experience has been. Obviously, in that time they had no idea that they would be used for this sort of purpose. They were supposed to be for burning DVDs and stealing. There's so many uses where they wiggle around and there's fake... They did some sort of encryption with the data or whatever they did that somebody's cracked 20 years later. But yeah, there's so many things that have gone wrong, I think, in that vertical, particularly when it comes to products that are end of life. So, say that John Deere right there.
Joseph Carson:
Right.
Sick Codes:
That John Deere tractor that I bought off eBay and I jailbroke and I put Doom on it. As everyone knows, Doom is the greatest game to run on a jailbroke device because it proves that you can do anything with it. Because if I can run Doom, I can run web browsers, I can install malware, I can delete account data, I can get things for free. For example with the John Deere one, John Deere knows full well that there's a lot of stuff that they pay, like packages, subscriptions and things, and I've got full access to it. Which I don't publish because I don't really want to get in big trouble. Not that I would get in trouble because what I'm doing is fully good faith, but that's that little fine line there.
Joseph Carson:
Yeah, it's the intention.
Sick Codes:
Right.
Joseph Carson:
We had a big discussion actually with EFF when I was in Vegas. I had a big discussion around that they said that what they would like, at least that part of the motivation side, is that you have to prove malicious intent. Not that you have to prove actually your motive was actually for good intentions, it's that you actually have to do the reverse because that's the right way. If your intention is non-malicious, then you shouldn't already be trying to get out of the application rather than trying to get in.
Sick Codes:
Right. Yep, yep, Guilty until proven innocent. Right. And that's the way, I think so a couple of years ago with the Department of Justice and they released the CFAA changes, Computer Fraud and Abuse Act laws where they made it so that you have to be... They won't take any charges unless the person was acting in bad faith. Yeah, in bad faith. If they're acting in good faith, basically don't approach.
Joseph Carson:
And you have to prove it. That was the other. You have to prove the malicious intent and that's the key part. So my question, when you're actually putting Doom on, what tools are you using?
Sick Codes:
Well, as you can see the rack.
Joseph Carson:
Because one of the things, you end up getting me to go, and you end up making me purchase...
Sick Codes:
That's a good tool. That's a good tool.
Joseph Carson:
Because I have a lot of them.
Sick Codes:
I keep forgetting the guy's... The guy that made is, it's Joe. It's Joe Fitz something. I can't remember his name, but he's a legend. I know the guy really well. If I don't forget his name. But made the Tigard, really good device. It's got everything and it's got Spy, I2C, it's got ATag, I believe so. It's got everything you need to just jump in there.
You need a couple other little tools? I've got a good one. I like this one called the RT809F, and I should have one in one of the boxes. I've got a lot more stuff. It's not in the rack yet because I need probably six or seven more racks to put it all in. But yeah, there's just a small amount of tools that need to be used to do damage. In fact, in this case with the John Deere, all I did was basically open it all up, take out the hard drive, per se, which is a little complicated because I... You can watch the DEFCON talk. It's quite in depth. In fact, I show a lot of videos and stuff about it.
Joseph Carson:
Yeah, we'll make sure to actually, we'll put in the show notes, we'll link out the DEFCON talk for sure.
Sick Codes:
Sure. Yeah, it's a long talk and you might get recording fees and it's super technical, but at the end it's pretty funny with the Doom stuff. Basically, I took a fedora version of Doom, Fedora being the fork of Red Hat. It's like a free version of Red Hat, Red Hat Enterprise Linux, which is a expensive version of Linux with all the bells and whistles and support, and FIS 120 or whatever the stuff is. But yeah, I took one of those out and I put it on the device. It's a very unique device. I think it's INX6 NXP I think. Is that right?
Joseph Carson:
Mm-hmm.
Sick Codes:
Yeah. Basically, an old chip 2016, and just kept trying and trying and trying until I got it done. One thing I couldn't get done was GZ Doom. And if anyone's done Doom before, they might know the graphics. Like the old Doom where it's 2D and you just go left, and then there's the normal, the now Doom, which is you can look up and down and stuff like that, and you can shoot in different directions. But the one that I had on there, it's obviously a John Deere tractor, it's not going to have a very powerful GPU if at all. So, we had to make do. We had to make due with the downgraded version of Doom, which was fine, but I had a different version of Doom ready to go. Actually, we monitored the Doom. Another mod named Skellegan from New Zealand, who helped me do the mod in the last couple of days. We had a mod, but it was for GZ Doom. I had to migrate it down to Chocolate Doom, which got rid of all the cool stuff anyway. Yeah.
And the impact. Okay, the impact of that. Playing Doom on a John Deere tractor is basically like saying to John Deere, "I've got the keys to the kingdom. I know exactly how the products work. Here's a presentation about it." I actually didn't tell them that I was going to run Doom on it beforehand, because we'd ruin the surprise, which is sometimes... As you know, in bugged down or in any sort of research, if you sometimes do that, you can get in trouble if you do the wrong thing. But in my case, I thought to myself, I'm not producing any zero days on stage. I'm showing you a result. I'm not releasing the POC or the exploit, I'm showing how I did it physically to an extent. If you follow the track, if you follow it through you can probably do it. From that, it just exploded obviously. Then, it made a big impact on the Right to Repair argument about, well, where does the software part end and where does the physical end of it and stuff like that? It gets a bit complicated.
Joseph Carson:
Especially good point. A lot of things when you get into end of life, end of life hardware, and maybe you want to make it more updated. You want to fix some of the vulnerabilities yourself. A lot of times what I'm using a lot of things like Bus Blaster, Bus pirate for is typically repairing stuff. I may have bricked doing a flashing of firmware and it bricked it because maybe I basically chose the wrong firmware at some point when I was doing the flashings.
Sick Codes:
Right. Wrong chip.
Joseph Carson:
Wrong chip or maybe basically the cable wasn't connected properly and you get a surge, or the cable comes out and fails you in the par. So, a lot of times what I'm doing is mostly to repair things, and absolutely right. The right to repair is definitely one of the main motivations for a lot of these, especially for old hardware that all of a sudden the manufacturer is no longer supporting. That's getting more frequent, where it used to be that you didn't have to worry about that because there was very little things you could do with the hardware. But now that the hardware is becoming more smarter, lots more chips, a lot more connectivity. And it does mean that you have really have to consider about what is implications of this for using it beyond, let's say, the software support? Because the hardware should last a lot longer. It gets into also the recycle issue as well, is that recycling becomes a big part of this problem as well. Is we can't recycle it, then it just becomes a massive, the garbage pit pile as well.
Sick Codes:
Totally. Think about how many people go out and buy Game Boys and things like that from the old version. If somebody hasn't yet been able to repair that, it's just waste.
Joseph Carson:
Yep.
Sick Codes:
I get the whole point of it. Maybe there's a point to it when there's turnover of lifecycle of products. But there should be a limit in terms of... There should be some sort of limit about, okay, the device is finished. Because the manufacturer currently has both the trademark or the patent on whatever they're doing, which is fine. I'm okay. I understand all that ingenuity and things like that. But there's a part where it's like, well, they have both parts. They have the part where they can look after the product and the part where they can dump the product. I get that, but if I'm buying it and I'm not fully aware that it's going to be dumped eventually, like absolutely dumped from the market, is that something that should be the customer aware? Is it even logical? If you think about an old product like a television, you can repair most of it if not all of it. But things that are deliberately made to not work in terms of, well, without the manufacturer.
Joseph Carson:
Especially when there's controlled by software.
Sick Codes:
Yes.
Joseph Carson:
And software, they decide to switch that off. I've had a lot of even old hardware devices where the vendor has literally just kept a web service going just to provide longevity of that.
Sick Codes:
And they want it.
Joseph Carson:
Even I think it was the Universal Logitech Harmony Remotes. There's a server that's literally just running. And sometimes if it's not running, you might not get the configuration, but they're just keeping it running.
Sick Codes:
What, the remote for the television?
Joseph Carson:
Yeah, the universal remote. There's a service, they have a service. Even though it's been end of life now for a number of years, they just have to keep that web service going to provide the download configurations because that's something ultimately, and they're doing it. So, there's some vendors that will provide that and make sure you're not breaking the devices. That's something that consumers and people should know about them.
One of the things I get worried about mostly is that now a lot of the EULAs, when you turn on TVs or you get the devices, that EULA at the beginning is saying that, yes, I own the hardware and maybe the software. But actually, the data now being generated is no longer, you don't own it and you have to actually hand it over. That's part of that whole data, the communications and you're uploading it to numerous servers. What's your thoughts around that?
Sick Codes:
Well, I think they had a really good point at the House Committee the other day when Paul went on the Passage Committee in front of the world, in front of the Congress. They brought up an example, I think it was Lofgren or one of the members there. They were saying that they had some old study where they put terms and conditions on the last page that had, if you read this, you get $1000 and nobody claim that.
Joseph Carson:
I remember that one. I remember that one.
Sick Codes:
Yeah. So, it's in there. Who's going to read 96 pages of stuff beforehand? Whether or not that's legal, that's fine, that's not related, but a customer should be able to... The word is repair. Should be able to look after their own product, especially after the product lifestyle gone. And especially in terms of security. Because for example, the previous version of the John Deere display here is actually end of life Windows CE6, and it's still the literal workhorse of the industry. There's a couple, how many I don't know, 50 or 100,000. You'll have to ask John Deere. They know the stat because they track every one. But there's a lot of the previous version, which is Windows CE, which is totally end of life. Ended in 2016 and then end of, end of, end of life was like 2022, which was last year and they're dead.
Joseph Carson:
And they're going to still use them until those things fall apart.
Sick Codes:
Yeah.
Joseph Carson:
Because we have a country house here in Estonia and we've got, I think it's three tractors right now in the country house. The oldest tractor we have is from the 1960s and it's still running, and we're still pushing it.
Sick Codes:
Yeah, and it works fine.
Joseph Carson:
It works fine. Okay, it hits a few rocks, you have to replace it, you have to do some welding and stuff, but it still works. You're going to get people using them as long as they possibly can because they're expensive and you want to keep using it to get the value out of it. So, the length of time, absolutely for a lot of those devices is going to be well beyond when the vendor stops supporting it.
Sick Codes:
Yeah, and I think we've had a brainstorm, me and Paul, who's obviously very, very... He's the founder of Secure Repairs. At the start, I was very iffy on the issue. I thought, right to repair, it seems kind of communist, it's sort of like everyone's software is mine. I'm thinking to myself, okay, so how does this make sense to sell security and versus blah blah, blah? I'm thinking, well, the problem there is the software locks, like the iPhone for example. They're designed in a way, or they were designed so that you can't use one iPhone screen... If you go to the Apple Store and buy two iPhones or two products regardless of what they are, I'm not going to say iPhones, what they are. And you take the screens off and you swap the screens for each phone, and then it should work obviously. Two genuine products, original products.
Problem is, the manufacturer's obviously relying on, they're obviously worried about counterfeit products that come in and just they do the same thing, they match up. Then Apple does allegedly some type of color diffusion or something like that. They make it duller or something. But that should work. People expect that to happen. I think what they've done in this case is maybe a bit too trigger-happy and they've said, "Okay, well, let's do that."
I'll give you an example. So John Deere, they actually, they wrote an MOU about a couple of months ago. They said, "Look, we're going to comply to some stuff. We're going to make some sort of agreement." They said, "Okay, we're going to give the dealer software out now to customers." They did that and they released the special RS 245 tool, whatever that connects to the tractor is now available without a dealership contract. So, you can actually buy it on their website. It's expensive, two or $3,000. We get all the manuals, 700 gigabytes of manuals, by the way. We've got Deere construction, forestry, we've got Deere agriculture, ag, construction of forestry, yeah.
There's thousands, a lot of manuals, okay? A lot of manuals, a lot of data, and that stuff wasn't previously available to the customer. You had to go through dealership and there's all sorts of...
Joseph Carson:
Agreements and things.
Sick Codes:
Even that deal alone, that deal alone, that contract that they said we're going to sign and do this stuff, that alone is the evidence that there is a lock. There is an ecosystem of you have to stay here, we control the product. I think manufacturers need to just chill out a bit. I get the market share is competitive and all this stuff, and the shareholders want control, and data and AI and all this crap. But at the end of the day, if the customer's getting really furious, they're going to leave anyway. So, why would you treat them like infants when they know what they're doing? There's smart people out there. Deal with the counterfeit products with lawsuits or go to China and take the factories down. Do it through imports.
Joseph Carson:
Yep. So question, what's some of the most common types of vulnerabilities or bad practices that you do find? What would be the most common things? Do you find a lot of keys hardcoded, passwords? What types of things do you find when you're going through?
Sick Codes:
Well, typically with hardware stuff it's like operating systems. It's a fully unlocked computer. You've got everything. You've got all the config files, you've got everything. You've got all the file permissions, the file dates and times, access, all that stuff. All the keys, you've got all the private keys that connect to the server. Sometimes they're for every product on the market for that. Sometimes they're for every, say for example, I found a key on the John Deere of some description. I'm not going to say what it was. It was a key and I asked John Deere, "Is this key on every single tractor or is it my tractor?"
Joseph Carson:
Reused, yep.
Sick Codes:
This is my gun, this is my rifle, right? They were like, "Oh, we'll send it to..." And they said, "Oh no, it's just yours." I'm like, okay, whatever. But anyway, sometimes there's a big key or you get a lot of private certificates. Even the other day I was looking at Huawei solar inverters and I found a private key to their Tomcat Client Response, whatever it is. Some sort of API that sends their data back. Basically, I dumped the firmware, I'm just reading through it in the text file because I don't have the high silicon Ghidra decompiling, all that crap. Basically, just looking at it through a text file. Just dumping the entire ROM of the device, just scrolling through what it does. It goes like, oh, I've got function names, I've got some sort of log here. Basically, just figuring out whether or not it's a joke. Because sometimes with the small devices, they've usually skimmed on security layers. You need a whole computer to run to beat Zenbleed and all this stuff. But if you're on a tiny little ESP 32, all of that stuff's out the window. It's tiny little things that can destroy it. One little thing just destroys it.
Joseph Carson:
Yep. I think I remember. I remember one a few years ago where it was one of the first vehicle companies, car manufacturers to basically connect their car basically to a mobile app. They end up using the VIN number as the key.
Sick Codes:
Right.
Joseph Carson:
So, literally if you just went to the car window and you look at the VIN number, all of a sudden you could literally authenticate with the app and be able to pull things like the vehicle statistics, the log history. Some of the kind of things that you end up going, really? Okay, it does take a physical. You can go check it physically. It does take some element.
Sick Codes:
Yeah, but you get to steal a car.
Joseph Carson:
Exactly. You can unlock and turn the lights of the vehicle.
Sick Codes:
Totally.
Joseph Carson:
So, those are some of the things. I think, though, over the years manufacturers are starting to learn and starting to bring more security researchers and security knowledge into the business as well to make sure that they're thinking about these. Because to repair it later is way more expensive than to think of these things upfront.
Sick Codes:
Yeah. If you look at the example of I think John Deere as an outlier, well, agriculture is sort of an outlier. You think ag, mining's doing okay because they have really good ISEC. You've got Rob Levy and I think Cheryl Serene. They have a really good ISEC. They look after them and they're all in the same club, you know what I mean? They actually think about things, brainstorm, whereas AG doesn't have an ISEC. Information Security Exchange Center where you basically exchange vulnerabilities that you're facing. Say, Rio Tinto Mining Company. Or say John Deere's experiencing this, Caterpillar is getting thumped with this, or they're getting some sort of malware, ransomware, and they circulate it sometimes anonymously to each other. So, they can say that we're on the same level, team and that's it. But ag doesn't have that. Ag's coming from the literal outback. We call it the outback. I think the Americans call it the sticks. I don't know what they call it. The country. The country, that's right. The country.
Joseph Carson:
The backwoods.
Sick Codes:
But it seems like such a non-connected industry, but it really is. And only in the last five, six years. And the amount of data, and of course as you know-
Joseph Carson:
Absolutely. I mean, hey.
Sick Codes:
... the AI component. The AI component is fascinating for agriculture because ...
Joseph Carson:
Yeah. Even for repairs. I've seen it in the mining industry where they're basically checking pipes with drones for repairs. Shipping. I did a lot of work in the shipping industry and they're basically, rather than sending people in, divers, they have drones that goes and does everything for them these days. Because ultimately, I think in these industries, the priority is the health and safety of the people working in them. The more we can take them away from the dangerous types of activities, the safer it becomes. That's ultimately where we're getting to.
Sick Codes:
Think about oil rigs. As you're in the shipping and stuff, you would obviously, you're the same sort of industry, maritime or whatever, but if you think aviation. A lot of these industries, people sort of like, oh, there's not much going on there, but there kind of is. Think about when you get on a plane now, there's wifi everywhere.
Joseph Carson:
Yeah, absolutely.
Sick Codes:
It's like a mayhem. Open wifi.
Joseph Carson:
Yeah. You've got connections everywhere.
Sick Codes:
Yeah, we'll just go to Starlink. Just beam it up to Starlink, just like you're on the ground. It's like someone's router and everyone's on the same network.
Joseph Carson:
Especially when you get into satellite's K-band and L-band, then it gets into, it's the bandwidth. So much limited bandwidth that securing it ultimately sometimes is impossible. When you get into those types of communications, it really comes down to whoever has the biggest antenna and the most power is typically the winner. Which typically gets into when you're talking about somebody who's very resourceful or government-backed, that's where they get into those capabilities. But the communication side becomes very, very tricky.
Question, for anyone in the audience who's looking to get into hardware hacking or where to get started, what would be some of the good resources or direction that you would point them in?
Sick Codes:
I think I look up some tools. I did a talk at Microsoft's Blue Hat last year called Advanced Hardware Hacking. It's on YouTube. It's a pretty decent introduction. It's kind of like you watch it twice through and you might get it. But I think other than that, there's good guys like Colin O'Flynn. He's got a book out called Hardware Hacking Handbook, I believe, through No Starch Press. That's pretty good.
Joseph Carson:
Yep. No Starch. We had Bill Pollock on a few weeks ago.
Sick Codes:
Right, right. It's a hard...
Joseph Carson:
Bill Pollock is amazing. He's such a great...
Sick Codes:
Totally, totally.
Joseph Carson:
And No Starch definitely has by far, for me, it's got some of the best cybersecurity books out there.
Sick Codes:
Yeah, quality. They are pristine quality. I think another one out there, yeah, Joe Grand obviously has his stuff.
Joseph Carson:
Joe Grand has his. Yeah. I was registered for his course a couple of years ago. I wanted to go on it. It was basically right when COVID started and it was canceled. So, ultimately I missed that chance, but I've always kind of-
Sick Codes:
I just saw him. I just saw him last week.
Joseph Carson:
You just saw him? The kingpin himself?
Sick Codes:
And he did training and he did a talk. Missed his talk because it was nine o'clock in the morning and mine was straight after. I just wanted to prepare for it. But we did see The Grugq, and I think you said you had The Grugq on.
Joseph Carson:
Oh, the Grugq? Yeah.
Sick Codes:
Yeah, yeah.
Joseph Carson:
We did have The Grugq on a few. A couple of months ago, we were talking about OSINT. When OSINT is good and when it's bad. When it's useful and when it's not, which is always great.
Sick Codes:
Right. He had a really interesting talk that jumped my mind. It's about systems, and I don't want to spoil it because I think it comes out on YouTube in a bit, but it's pretty good. Anyway, it's an interesting talk. Quite short and we had a little bit of AV issue, but he's a really good natural talker. He's quite interesting.
Joseph Carson:
He's fantastic. He's always exciting. But it's been fantastic having you on the episode and it's really very insightful. Really the mixtures that all the things we talked about, we'll put in the show notes so people can get easy access to the talk from DEFCON and also the Microsoft as well. Any final words of wisdom you would like to share with the audience? For maybe the manufacturers out there that might be listening in?
Sick Codes:
You know what? You know what? I read a book the other day called Jonathan Livingston Seagull or Jonathan Seagull Livingston or something. Interesting book. Interesting book. It's only like 20 pages. It's 1970s. Go and read it. It's something about going out from the pack and doing your own thing, and then coming back and everyone thinks you're different and you're doing something wrong. Then you come back and you come up with disciples. Then, I think about John Deere. Here I am in Thailand, thousands of miles away from the US, and then we all come to the DEFCON and then it's anointed. Everyone's coming there like a zombie, and we do this massive hooroo, and then everyone goes off to their little islands again.
I think that community thing, connecting with people, even if it's a GitHub or Discord or Telegram or Element or Matrix, whatever, and Twitter obviously. Yeah, just keep connecting with other hackers. Reach out to people. People are obviously very friendly.
Joseph Carson:
Absolutely.
Sick Codes:
Yeah, totally friendly. Especially in the hacker community because they learned from someone else. I think just reach out to people, DM them, email them. I emailed Joe one day and was like, "Hey, dude," and then bang, we were on a Zoom, you know?
Joseph Carson:
Fantastic.
Sick Codes:
Yeah.
Joseph Carson:
Definitely. For the audience, one of the things is get connected with the community. There's a lot of great people out there and they're all willing to give a helping hand and share. So, many thanks, Sick Codes. It's been awesome having you on. It's always great to catch up, and I'm pretty sure we've been passing each other at different events. I'm sure there'll be another one soon. So, for the audience, definitely sync up, check out Sick Codes' content and resources. It's amazing. Stay safe. Check in every two weeks for the 401 Access Denied Podcast, and look forward to having and chatting with you again in the future. So, thanks everyone. All the best and take care.