with Chris Vickery – famous SHODAN Sleuth & Security Researcher Interviewed by J. Tate – newsroom bits&digits
Last week bits&digits was afforded the opportunity to speak with the famous Shodan sleuth and security researcher Chris Vickery. For those who are not familiar with Chris Vickery and the remarkable work he has done in the cyber security field, I urge you to do your research. Some of Mr. Vickery's more notable findings are the exposed database of U.S. voter records in California, open Department of Records databases, and the MacKeeper records exposure. He also gained access to Thomson Reuters' World-Check database (widely described as a terrorism database) through a configuration flaw; all of these exposures have since been remediated. If you want to learn more about Mr. Vickery, he's all over Google. The Naked Security publication has also written an article that's worth reading.
Our conversation was driven by our interest in his motivation to bring such valuable, intelligence-rich data to the forefront. Many times there is a very grey line between the motives security researchers have: some want notoriety, some want financial gain, and others simply want to say "I did it". None of the aforementioned is what I gathered from this very talented man. His moral fabric is commendable, complemented by a strong desire to see information security treated in both public and private industry as a need, not an afterthought.
Without further ado, read on for the words of a true advocate of cyber security research for the greater good.
Chris: This is Chris
J.Tate: Hey, Chris, J.Tate here, how are you doing?
Chris: Hey, pretty good; glad to hear from you.
J.Tate: Likewise, man, finally it is good to hear from you. It is an honor, first and foremost, to speak with someone like you, man. You're quite a legend within circles. How is your day going?
Chris: Aw, the day is going pretty good; I hit lunch pretty early due to my boss being out this afternoon, so it should be a slow day.
J.Tate: That's cool, cool beans. Well, let me jump right into it, okay. I know you are strapped for time, so I am going to respect your time. Let me give you a brief introduction of who I am. I represent a company, Bits and Digits; we are a cyber intelligence forum. We deal mostly in crisis….
Chris: I checked out your website, got a little background.
J.Tate: Okay cool, so you know, okay good, that is great. I obviously know who you are; I have been watching you actually, since your first release about six months ago. It's really a great honor to speak with you, man. And it is also good to hear, more importantly, that your mindset, your paradigm, is aligned with the greater good of the universe, so to speak, rather than the other side. And I really appreciate that; otherwise I wouldn't be speaking to you if it was anything else, you understand what I am saying.
Chris: Exactly, exactly.
J.Tate: So here is the status. I have been trying to get a hold of you for quite some time, and this is a great time for me to get a hold of you, because, first and foremost, as you can imagine if you have done your homework, I have worked with a lot of government agencies. I come with a very long DoD intelligence background, so it is obvious that it is very advantageous for me to keep my connections. Long story short, when you put out that bulletin about the global terrorism database, it hit so many alarms. […]
Chris: Okay, yeah that’s for sure.
J.Tate: So there is one particular person […] who I want to introduce you to, who is really intrigued by you; he works for the […]. He is an InfraGard member. No, I'm sorry, that really didn't give him any honor or justice. He is an InfraGard chapter leader, and if you don't know what InfraGard is, I suggest you go and look it up, brother. It is InfraGard.
Chris: Okay, it's spelled just like it sounds.
J.Tate: Yeah, just like it sounds. It is a consortium between the federal government and civilian organizations that collaborate on how to protect the United States infrastructure.
J.Tate: Okay, it's been around, I want to say, since before I was born, but I can't attest to that or not. Long story short, […] is a fan of yours; I don't want to speak for him. He is a fan of anyone that is doing the right thing. Okay, he sees the problem and says let's fix it. And that is what I am doing; that's why I started Bits and Digits, about two years ago. Because I got tired of hearing about these charlatans, these organizations coming in saying they are some security guys, that sell a false sense of security. I have a very strong disdain for people like that. And I…
Chris: My next post release is going to be on a security company that had incomplete security, and it has exposed the Oklahoma Department of Safety's complete security infrastructure and secure database. So yeah, I understand how they say that they are a security company, and they are not.
J.Tate: Not for us to go off on a tantrum. It's because, this is my opinion, my humble opinion, the security business has turned into security operations. You have MBAs running around with security outfits who have no idea what security really is, that don't know what cyber security really is, and they use flag words, like a flashy show person that has spent three years in cyber security, which you know is not enough. You got people, aw; well anyway, I appreciate that good finding, first and foremost. That is actually what Bits and Digits is about, man. And we are selling trust, and by selling we are not selling it for cash. We are selling it for notoriety, not notoriety but more of a bonding thing.
Chris: Mm-hmm.
J.Tate: We don’t want data, what Bits and Digits does; we go into organizations, and teach people how to do it themselves. So they don’t have to trust other people.
J.Tate: And a force multiplication type of doctrine, in tandem with a lot of doctrine and other operations, with red pen pass attachments, etc., etc., etc. But back to topic. So […] is a leader in the InfraGard community, who wants you to speak at an InfraGard consortium, if you are willing to?
Chris: Where and when will this be?
J.Tate: Well, first he wanted me to get good communication with you, so that I get a good feeling of who you are. And then I can set up the introduction between you and him, if you are willing, and I understand people who have any kind of apprehension to deal with any kind of governmental entities. Like I said, I want you to trust me, or do your own research. I would never expose you nor put you in a situation that would feel icky, of course. […] is a real, genuine security researcher, and he runs an InfraGard chapter. He would want you to speak possibly in DC, or in Charlotte, North Carolina; it depends. Of course this would be stuff that you would negotiate. This is a good position for you to get on your platform and actually speak about the situations that are currently present in the world. You know what I mean?
Chris: Yeah exactly, that sounds perfectly comfortable to me.
J.Tate: Okay, great, great. On top of that, I got a… mm; I am part of Peerlyst and a few other people. And I want to ask you a few things.
Number 1: Are you happily or gainfully employed right now?
Chris: I am gainfully employed; however, my wife really wants us to move to California. So, if you have any connection with anyone in the California area, I would really be interested in hearing about it. But a… I got a pie pie job.
J.Tate: What part of California?
Chris: Northern California.
J.Tate: San Francisco?
Chris: No, Trish has family, and that is where she wants to go. That’s where they have me transferring.
J.Tate: Question 2: And don’t take this question the wrong way. Are you a US citizen?
Chris: Yep, I am a US Citizen.
J.Tate: Okay, yes you are.
Chris: Yep, born and raised in Texas.
J.Tate: Okay, you’re a Texan, I just left Dallas brother. Okay, he is a US citizen. So how long have you been in the security field?
Chris: Well, I have been working in the IT department at the law firm during a large portion of the security… hey, I have been working in security for about six and a half years. I have been working in IT for five and a half years, and even before publishing, for the most part for even a decade, I have been dedicated to security research and surveillance. Yeah, you know, I got into it for a personal privacy project type thing. But anti-surveillance and computer encryption, and all that type of stuff, really piqued my interest a little under a decade ago.
J.Tate: Okay, awesome. Let me ask you a personal question; this is where I want to get inside your head a little bit. If one is white, two is grey, and three is black, what do you think of, or consider, Edward Snowden?
Chris: Edward Snowden, aw, well; probably 2, because one is white, two is grey and three is black. Probably a two.
J.Tate: Okay, alright, wonderful. I personally put him in a little more severe category, but it is for different reasons. Okay, mm, do you have a CV, brother?
Chris: I have a resume that I can send to you, aw, not anything that would turn heads or bring _____ house. But I can send a history to you.
J.Tate: You don't know your worth if you think your resume won't turn heads. Let me see what you got, and I will tell you personally, man to man. I will definitely work with your resume to make it look illuminating. You know what I mean. You have definitely done enough for the community; I am surprised that you are in the position that you are. But this is what I am really starting to notice. I definitely have friends on both sides of the fence, and sometimes it amazes me: "why are you doing this; or you should be doing that, you should be working for Mandiant. Well, I don't want to sell out." "Well okay, then do your own thing. That is what I did. So, it takes time, patience, and a little bit of, you know… I guess acumen."
Let me ask you another question, aw, man; what would you do to change the cyber world currently? What do you think are the main issues out there? And the reason why I'm asking is just to try to get your comprehensive understanding of what is out there and what would change the cyber industry currently.
Chris: What would change it the most, like a broad impact; I have discussed this a lot when I have spoken at conferences, to professors at Harvard and such, with whom I do maintain a relationship. Right now it is profitable for companies not to be secure. We need to change the regulations, or laws, or fines involved for data breaches, so that it is no longer profitable to be insecure. I think when profits are affected, that is when people will start to give a shit about security. And that is the bottom line.
J.Tate: Perfect, yeah, well said, that is a beautiful response; I can agree with you on that completely. It is a fiscal run, and something that, definitely, I don't think people have illuminated in their business model yet. Like you said, they don't have that sting to make them get secure. Trust me, I agree with you completely, brother… if I could tell you everything that I have been exposed to, you would completely understand that I agree with your sentiments down to the "T". A lot of these companies, "the big ships, the big moving objects", have not been really stung by HIPAA, HITECH, OCR, or SOX; you know, those two billion dollar fines. They have not gotten hit with them, and they don't really care until they get hit, unfortunately.
Chris: I think with the FTC, Health and Human Services, and the OCR, and everything; I have helped them in investigations before. Even the companies that they go after get consent decrees and everything, but even then the companies barely see any of the PR hits, and they don't always get hit with the big fine. So it seems like a headache, but it is still not affecting profits.
J.Tate: Yeah, that is unfortunate; yeah, I have seen that too. The internal legal counsel are able to majestically craft some kind of document that gives them some kind of cease order and doesn't classify something as a breach, so they don't have the FCC down the pipe. Yeah, I have seen it, stood on my soap box, gotten hoarse and gotten shot. It is an uphill battle that is going to take digital warriors like us, or cyber operators like us, to actually get that message home. I'm glad to hear, and good to know, that you have actually worked with OCR.
Okay, Number 3. Okay, I just try to keep a strict timeline. The Global Terrorism Database, which you know is run by the START program under UMOC. I've already engaged a friend of mine who actually trains there, and actually is a professor there, to get the point of contact that actually runs the system directly. I don't want any laggies; I don't want any people who are second degree connections, or two degrees of separation. I want to know the program manager, the director of the START program. Once I get that person's point of contact, I am going to put you in contact with them.
J.Tate: Obviously there are other people that want to get the access that you got, and I am not even going to entertain that conversation. I have told everybody no, that is not the way this is going to happen. This is not the way this is going to go down. The person that is in charge of the database, with this guy, is the only person that needs to know about it.
Chris: But I will ask one question. The…
J.Tate: I know your TTPs, and tech and technique-based protocols, to a certain extent. The exposure of this database, with the vulnerability that it has, on a scale of one to ten, with ten being easily script kiddie accessible?
Chris: Like it was, or is?
Chris: I have plugged some holes in Thomson Reuters; it's no longer exposed.
J.Tate: Okay good, so nobody there knows about this? At Start?
Chris: Well, the Global Terrorism Database was the one, but the World-Check database is the database maintained by Thomson Reuters.
J.Tate: Oh, so it is not the one that is run by the University of Maryland campus?
Chris: No, it is a different database, World-Check.
Chris: It's the one that Thomson Reuters charges a million dollars to have a subscription to.
J.Tate: Excuse me?
Chris: They charge a million dollars a year to banks and intelligence agencies to have a subscription to this database.
J.Tate: Holy crap. Wow, and people pay that.
Chris: Yeah, people pay up to a million dollars, yeah, for each subscription to this database, per year.
J.Tate: Holy crap. Wow.
Chris: Yeah, so they can do their AML and KYC checks and not get fined.
J.Tate: Yes, yes that makes sense. Jesus Christ, oh wow. Okay.
Chris: Yeah, Thomson Reuters bought this company back in 2011 for five hundred and thirty million dollars. They bought the World-Check company, which included the database.
J.Tate: Jeez Louise. Wow, that is nuts. Well okay, so as we speak it is fixed, correct?
Chris: Yes, correct, it is fixed. I have a copy, but it is fixed, it is plugged.
J.Tate: Well okay, that is good. Alright, alright, that is good to know, so I can cease and desist all of the other actions. I thought, from the last Reddit post, that you were looking for a point of contact to convey this message to. But it seems like you have already fixed it.
Chris: Yeah, I have already fixed it. I had already been in touch with Thomson Reuters. They were, they are very, very appreciative of the information that I provided them.
J.Tate: Wow, yeah.
Chris: I have saved them millions of dollars.
J.Tate: Then you should definitely try to get some kind of consulting deal, man. Seriously.
J.Tate: If you need help with that, I can definitely help you with the type of language you need to use. It's not a problem; it's definitely an "I can help a brother out" type of mentality.
J.Tate: They should definitely be compensating you for some kind of watching or monitoring capability. That is awesome. Do you have a point of contact for your latest vendors? Let me let you know right now, I have access to lots of people. If you ever need to speak to someone before you go public, let me know; it is up to you if you want. Just say, "Jay, I need someone," like in the Oklahoma State Corrections Department. I can get you the person you need, right to the "T", that is not playing any games.
Chris: I could have used that about two weeks ago.
J.Tate: Someone who's more interested in fixing the stuff. Then just let me know, just say, "Hey J.Tate, man."
Chris: I found a Navy database that had been exposed. It is plugged now; it just took a little while to get to the right people in NCIS and get that exposure closed off.
J.Tate: Oh my God, and was it an open database?
Chris: Open database, no username, no password, and it had like consorter and P&Q qualifications for the USS Winston Churchill.
Chris: The USS Winston Churchill; off-duty contact information, biographies, signatures of commanding officers, and all sorts of interesting, juicy details.
J.Tate: Jesus man, you know that is just ridiculous. You know that I am a navy vet. Jez…
Chris: You know, it was a Navy contractor named Crosbec, also known as Military Mobile. And they had put up a catch DT with no indication. Apparently this guy was some kind of contractor with the Winston Churchill, and just put it up with no sort of indication.
J.Tate: So they basically did not adhere to any of the DoD Defense Federal Acquisition Regulation requirements for cyber security at all. Those guys should have gotten blasted for that. They should lose the contract for that, in my opinion.
Chris: NCIS is doing intermit right now with some teeth. And they have already asked if I was willing to testify. So I told them sure, if you want me to sit on the stand and talk about what I found, sure thing.
J.Tate: Yeah, exactly.
J.Tate: See, this is why we are losing the war on the cyber front and on the intelligence front. We have DoD contractors that don't have their stuff tightened down. I have worked in the DoD field for twelve years. I know this issue really closely and intimately. But anyway, that's crazy, man. Now you have a contact at NCIS; I definitely know the Deputy J6. So you know that in the future, if you want to know anybody, you can definitely run it by me first, and then I can definitely get you plugged in.
Chris: Sounds good.
J.Tate: You definitely have my email address, brother. Please send me your CV, and then I am going to communicate with two people, if you don't mind. One person is named Limor Elbaz; she is the developer of Peerlyst, alright, she is the CEO of Peerlyst. Alright, I'm going to talk to a guy, his name is Jon Callas, the developer of the Blackphone and the developer of the encryption for the iPhone 6. And then I am going to talk to a guy by the name of […], who runs the InfraGard meeting. He is our InfraGard chairperson, who works for […], about you. All of these people I'm going to put you in contact with, saying that you are a reputable guy in the industry, get you on their board, and also use their availability to get you out there speaking. Is that okay with you, first and foremost?
Chris: Yeah, that is totally cool.
J.Tate: Okay, awesome, man; well, let's stay in contact with each other. And if there is anything that I can help you with, please let me know. And if there is anything that I need to know, I will definitely reach out to you.
Chris: Sounds good.
J.Tate: Yeah man, it was definitely good talking to you.
Chris: You have a good day.
J.Tate: You too, brother, ciao.