Ep.11 Mike Weigand | Securing Planes, Trains and Tanks
In this episode of the Cybrary Podcast, we sit down with Mike Weigand, the founder and CEO of Shift5. Speaking with Cybrary's head of infrastructure Jonathan Meyers and Joe Perry, Mike explains the mission of Shift5 and how they are working to secure commercial equipment. Mike and Jonathan also discuss their time at the United States Military Academy, West Point.
In this candid conversation, Michael Weigand talks about his journey from ordinary student to the military, to cyber security, and now to his venture, Shift5. He talks about his observations in this domain, its prospects, and real-life conditions. Though the conversation is light-hearted, there is a lot to learn from our guest, not only for those in active military service looking to advance their careers in information security, but also for students and young entrepreneurs.
We learn about legacy technologies that are still in use and that present an attack surface now that networked devices have emerged. It is interesting how far and wide these systems are used, from transportation systems on Earth to the International Space Station. Mike explains how securing these systems is a viable career option with a viable future. He predicts that we will continue to see these legacy systems in use because there are not many alternatives, and, with governments actively looking to replace or patch these systems, he explains his vision for Shift5.
Discussing Shift5 further, we get a close look at entrepreneurship and the management of a rapidly growing company. We also come to understand the importance of time management and of personal projects for keeping yourself interested in the learning process.
Do not forget to check out the Shift5 LinkedIn page, as they are actively hiring professionals. To know more, feel free to contact Michael Weigand on LinkedIn at https://www.linkedin.com/in/michael-weigand/ and see Shift5 at https://www.linkedin.com/company/shift5/jobs/ for amazing job opportunities.
Michael Weigand: Yeah. So, my name is Michael Weigand. I am the CEO of Shift5, a startup out of Roswell, Virginia, where we secure planes, trains, and automobiles or tanks, actually, that's normally what we shift into that last word there. Let's see, I graduated from West Point in 2011 and I was really fortunate while I was there. I studied computer science and the Army, a couple of years ago, you know, it was really kind of looking forward, you know, towards cyber and computer network operations, computer security. And so, studying computer science at the Academy, they offered me a bunch of summer internship opportunities, which exposed me to DARPA, to the Naval Research Lab. I worked at the Institute for Creative Technologies out in Marina del Rey, California. And it was through those internships that I was actually in direct contact with the hacking community. And I made a couple friends along the way, and some of them encouraged me to take them at the time. I love UAVs and model airplanes and, and just, you know, see if I could get a talk into a ShmooCon and DEF CON, which I was fortunate enough to do before I graduated. So, you know, pretty early on, I kind of identified with the hacker community and I really liked it. I don't know, just there was something sexy about it. Right. And so it really drew me in. And then of course I graduated and they commissioned me as an infantry officer because that's what you should do with your science degree.
Joe Perry: Yep. Same thing to me, don't worry.
Michael Weigand: So, you know, I go to Fort Benning after a little stint at Fort Belvoir where I got a little taste of cyber, you know, they get you excited and then they send you to Fort Benning. And I went to infantry school and it was exciting, being like a full-fledged nerd and, and showing up not having a lifted truck and, you know, just like working out all day and learning to shoot guns and stuff. So I finished infantry school and they sent me to Ranger School and Airborne School, and I kind of do the whole program down there. And then they shipped me off to Fort Hood, Texas, where I served as a platoon leader in a, what they call a combined arms unit. So we had these giant vehicles that kind of look like tanks called Bradleys. And, we were, we were in a heavy unit. It was, you know, it was really exciting. Mean semi heavy, well, I was in a pallet in the unit. That's how I got it. So, you know, it was cool because we got to go out to the range and shoot stuff and blow things up all day. And I got to learn, you know, what it's like to, you know, to lead and manage like, you know, 40 guys from across the country, did a couple overseas stints and everything with that outfit. And then, the Army in 2014 established the cyber branch. And I was like, Oh man, this is my chance. Like I can finally get back to just nerding out full time. So, I was picked up in the first kind of wave of like 60 officers that came into the branch and eventually I found my way up to Fort Meade, where I was, you know, working for Army Cyber Command. And there, I just had this incredible opportunity to work kind of all across the Department of Defense and in the, the federal government more broadly. And, you know, I just got a lot of experience with operational technology, you know, the types of network technologies that underpin all of our transportation systems. I found that I really liked that because I had always had an interest in microelectronics and microcontrollers.
I was a decent programmer, but by no means the best. And I didn't really find that reverse engineering binaries was my expertise. And so I gravitated more toward the tech that ran on slower processors and these old serial data buses, which it turns out like our entire society is underpinned by. So after, you know, just being exposed to these critical vulnerabilities for years, and the federal government trying to patch our own stuff and stay one step ahead of the adversary, I decided to jump out so that I could found a company with a couple of my tremendously talented coworkers, James Carney and Josh, Phillip. We wanted to bring a company together where we could, frankly, solve these problems, help protect planes, trains, and tanks, where we could, from cyber attacks.
Jonathan Meyers: Nice. Awesome. Great. Let's see. So kind of, you said that like your interest, you said that, you kind of got interested in doing these, AADs is what they're called at the Academy, but the summer internships, what made you want to go? Like what caused you to go into computer science? Like in the first place?
Michael Weigand: The funny story is I didn't even get into West Point the first time that I applied. I was from Maryland, which is a really competitive region. And I applied. They rejected me, and I didn't accept no for an answer. I kept driving up to the Academy and like literally sitting outside the door of the regional admissions officer. And so one day, I think he just broke down and he was like, all right, listen, here's the deal son. You know, you can, you can go to like one of these four, like prep schools. Of course I picked this one, called the New Mexico Military Institute in Roswell. Yeah.
Joe Perry: Roswell, New Mexico. So a fun fact, I went there cause I was an AOJ prep kit out. Tommy's brother went to NMMI, I would say early commissioning program grad. So actually it's interesting, as we're talking about macro enticing fun fact, I was actually born on Fort Hood.
Michael Weigand: Get out.
Joe Perry: Yeah. My dad was in 18 Bravo.
Michael Weigand: No kidding.
Jonathan Meyers: Yeah. So it's a small world, right?
Joe Perry: You guys at home, can't see this podcast, but it is a complete bromance moment in this room right now. That's fantastic. That's great.
Michael Weigand: Yeah. So, you know, I spent a year out, out in Roswell, New Mexico without a car,
Jonathan Meyers: Without a car?
Michael Weigand: Yes. Without any money as well. There was this restaurant across the street called Farley's. I'd like to scrape together a couple pennies and go over there, get fries like once a month, but have a great time, learn a lot about what the Southwest is like. Culturally, it's beautiful out there. There's a lot of really smart people in Albuquerque by the way, just a really, really incredible corner of the country.
Joe Perry: Like at that huge NASA facility. There's a whole launch facility out there and like, there's a lot of like, super smart people. So like my uncle, he used to work out there and he managed Cray supercomputers and like building those things back in like the seventies and the eighties. And so there's just a lot of smart people that still just live out there.
Michael Weigand: Yeah. It's nuts. You've got the national labs. There's a ton of space. So if you like the outdoors, a little bit of everything. Right. So, you know, so I go to NMMI, I do my year there and then, I finally make my way to West Point and while I was at NMMI, you know, after a couple of months I started to get bored. And so I went to Walmart, which is like the only store in Roswell at the time. And it was like three miles away.
Joe Perry: You had to catch the bus.
Michael Weigand: I walked, like, literally. I was super poor and I bought this little control line car. Do you guys remember, before the days of RC cars, the controller was connected with a cable to the electric car?
Jonathan Meyers: The electric track?
Michael Weigand: Not like that. Like this was like a four Wheeler car that you could take out into the parking lot, but the controller still had a cord connected from, so this thing,
Joe Perry: When was this out of curiosity? This was probably like 2008.
Michael Weigand: So this was only like 25 bucks. This is probably the only toy that I, before I bought this thing and I had a Parallax BASIC Stamp. If any of that rings a bell. Before Arduino and a time, you know, before microcontrollers were easy to program, there was one company called Parallax and they had this Parallax BASIC Stamp. And I had taken this thing and I had a little eTrex Garmin GPS that transmits GPS information on these serial lines on the outside. And I had kind of like glued everything together so that this car would attempt to drive a route that you had programmed into the GPS. I didn't know anything about control theory. So it was like a bang-bang controller. It was terrible. If, if somebody had been exposed to this car as like, this is what autonomy might look like one day, they'd be terrified now. So, you know, I had done this, this kind of project on the side at NMMI and, when I got to West Point, I wasn't smart enough to like, test out of any of the courses that I had literally just taken the year before. It was the exact same course, same books, same everything. So I'm repeating a bunch of the same coursework my freshman year at West Point. And I end up just getting really bored within a couple of weeks. So there I am on this main street called Thayer Road at West Point. And I get my little car out and I'm playing with it and this Army colonel, which is a really terrifying experience. They have like, what looked like, chickens or to my mom, but they're like, people. Yeah on his shoulder, really a high ranking officer, he just walks up to me and asks what are you doing? You know? And I'm like,
Joe Perry: Which is the most terrifying possible question you can get from a colonel.
Michael Weigand: Yeah. I'm like, I don't know, 17, 18 years old at this point. And I'm just speechless because nobody has ever, you know, no colonel's ever stopped to talk to me before. And he's like, what is this? And I'm like, Oh, this is just my personal project. And he's like, this isn't for class? No sir, my personal project. And he's like, who are you? Apparently it turns out that this project kind of looked like a project that you did at the end of this mechatronics class that juniors and seniors take.
Joe Perry: Yeah, I did it. And except ours had whiskers and could feel the wall and then learn the rule.
Michael Weigand: So, anyways, the next day, you know, I like to report to his office, and he introduces me to a couple other guys that I subsequently end up working with. Years later, I'm in the Army, you know, in the cyber community. And they just started giving me access to equipment, like here's an Arduino and like, here's a ping sensor, one of these ultrasonic sensors and stuff. And so I started like pimping out this little RC car. I had upgraded it by putting motors in that I had ripped out of some somebody's printer that they had tossed out at a window, the trash, probably out of a window. There was like a riot at one point at the Academy. Yeah, it was pretty, it was a pretty exciting day. So you would like to pick up printer parts and the. In the CA in the, like the quad. And, so I was putting in all my time in this car, and then of course my grades started to tank cause I'm just not being challenged. And I get yelled at, but it was through those experiences that the faculty kinda to their credit, there's a lot of interaction between the faculty and the cadets at the service academies, because there's such a small student-to-instructor ratio. And so they offered up these really exciting things, summer internship opportunities through a program called AID, and I did four of them, which I'm pretty sure is not possible now. Like they only let you do one, but I got the opportunity to intern at almost every corner of the military industrial complex. I even spent a little bit of time on the Hill and it was really kind of exciting to see technology on the DOD side from private industry from a contractor from the government procurement side from government R&D. I was exposed to all that before, like I could even think it was really cool. So I was set up for failure basically. Yes.
Joe Perry: So it's weird. Like we're basically spirit animals right now. Cause I had a very, very, very similar experience where I took all the classes at NMMI to get to West Point.
Michael Weigand: And I'm just taking the same classes because I didn't test out. Cause you had to carry like a B or an average NMMI in order to even have the conversation about testing. And so I just got super bored. I was sitting in the mess hall and somebody threw up a slide, asking if you liked programming and like possibly working with the special forces and all this other kind of crazy stuff. So I emailed whatever, whoever it was, and found out that they were running a network science thing. So network science was like the new hip term back then. They had not stood up the network science center at West Point yet, but they just stood it up. And so I started like basically hacking, like, do you guys remember those little tiny Sony VAIO PCs? The little slider, like Microsoft full PC though. Ran Windows XP or, I think, I think it was NT or 2000. This will be Eee PC.
Joe Perry: Yes.
Michael Weigand: Do you guys remember those?
Joe Perry: Yes.
Michael Weigand: Oh my God. I took one on an AID to Thailand. Yeah. It was the greatest thing. I thought it was so cool. And now I couldn't even imagine using that. It's like a Raspberry Pi blows this away. Yeah, and so I started developing these tools. They were using natural language processing to analyze text. And so I was just waiting, basically writing all these scripts to kind of tie it together and upload it, like in a relatively fast fashion. So like you take a photo and then three minutes later you would know kind of the thematic attendance intent of this product. So that's how I got hooked as like a freshman and that's how I started getting introduced to like Joshua Espinoso and all those people. Because he was just writing papers. And they were trying to like get us to go do some stuff. They were doing like a lot of the BlackBerry stuff, but that's kind of how I got hooked and then started committing. Cause like when I first got to West Point, like it was questionable if I was going to go like mechanical engineering or IT, or computer science and things like that. And so I eventually just went IT. So that I had more time to work on some of these like side projects, for fun. And so it was super interesting and that's kinda how I got stuck in that whole area.
Joe Perry: I found that generally speaking, like people who got into programming stumbled, like even I stumbled into it myself in JCAC, they have one programming class and it's programming. They teach you Perl, Python and C supposedly in four and a half days. That's that's, that's what the class reports now at the end of that class on average. No one can write any program, but I fell in love with it. And so I ended up taking, you know, I took that class and the instructor of that class, whose name, I won't say on the air, because I don't know if he'd be cool with that, actually got me my first post at Navy Cyber Warfare Development Group. Because he had just left there being a programmer, quit the Navy and become an instructor to teach young programmers. So he got me my first job over at Nick, which, and I just started. Basically building tools and they're like, yeah, they're like five programmers in the Navy and now you're number six, so good luck getting to work. And it was one of those where just, yeah, it seems like in that, one of the great things about that military education process is you were talking about the faculty to studio, student ratio is so low. And so the faculty are able to get much more involved if they choose to, are able to get much more involved in the progression of their students and open doors that they would just never have otherwise.
Michael Weigand: Absolutely. Yeah, it was crazy. And they just built this lab. And so they were just like, Oh, you've now proven yourself to like, use this lab, the Thayer 212 labs. Thayer 212 labs because of Amos. It was right when VMware became like ESX. Was still like, I guess it's always been open source, but like it was, it was still only the free stuff. And they would like, show me how you could just destroy a server and bring it back up. And like, they were just like, here's a console to go and do whatever you want. And you're just like, Oh my God,
Joe Perry: That original, that immediate discovery of the concept of ephemerality, it was great.
Michael Weigand: I immediately took it and installed it in my parents' house so that, you know, you could bypass certain firewalls for certain things cause you need to, and you know that. That specific room, in this decrepit old building called Thayer Hall that used to be literally like a stable. I mean, they kept horses in it. They converted it to classrooms decades ago. There's a specific room in there called Thayer 212, where they run these war exercises. Right. And I swear if you're like a cadet and you do one of these NSA cyber defense exercises, it's evolved a little bit in recent years, but you get a taste for, you know, what it's like to do real, you know, cyber defense, cyber offense, you know, to, to be part of something operational. It's exciting. Once you get a taste for it, you know, you're almost ruined,
Joe Perry: like you're useless than any other field.
Michael Weigand: I was upset. Cause I think I was in the last year where they didn't let us do offense. And so back in the day, you just had to sit there and defend boxes. And I was defending, I think, an Active Directory server, a Postfix server, and DNS. And it was just, I got so bored, like the first day in, cause there's, there's things you can do to lock it down like that, I know they're not going to get in. Cause I mean, we're cadets or I was a cadet, like they're not going to use a zero day exploit, like discussing it. Wasn't too worried. And it was back, you know, since it's an Active Directory, you can change every setting in the book to lock it down. And we turned on the firewall. So we only whitelisted the sources of traffic we saw because you have like a week lead up and we were like, okay, cool. Let's turn it on full. And then just open one by one but yeah, it's, it was nuts. And then the offense, I think the next year I would have been completely sold. So, you know, one of the really cool things about this educational opera experience that we had was that, that specific room. It was kind of home to a, not this clique, but like this group of people that were all studying together, were all living together in the barracks. Like you can't really leave on the weekends at a service academy. It's a pretty, kind of an austere, you know, educational experience. I wouldn't, I would not call it college. It's not college. But you go there and you form these friendships and you learn from one another and when you get a good group going like that, what's really cool is that everybody ends up joining the Army together. Right. And you almost end up like in similar branches or the same branches and you end up living with these guys later when you post to the same place together. You ended up going to war with these guys and you form these relationships and these bonds that are just unexplainable, unless you had gone through it.
And I think of that particular room as the place that really inspires people to get in and do something meaningful and impactful in this field and where incredible relationships, a hundred percent.
Joe Perry: I would argue that most of probably the most impactful people at Cyber Command the last couple of years, at least junior officers, started in 212. No doubt. Yeah. A hundred percent. I didn't even go. And I can tell you off hand, I've heard this conversation between every. Like Intel officers I've ever met and respected. Yeah. It's not.
Michael Weigand: But then in the Army, in its full glory sent me to be a logistician because why would you waste all this money? So I'm told that they've gotten a lot better at this. Right. But only in recent years.
Joe Perry: Sure, sure. I believe when I see proof of this and the military has always gotten a lot better, as soon as you leave and people are trying to get you back all of a sudden it improves dramatically. Yeah. Yeah.
Jonathan Meyers: All right, so what's one thing you would change, like as you enter your career into cyber, I know you guys both have both kind of in the military type thing, but like what's one thing you would have changed or like told your younger self to do differently if you were just getting in? So I'm talking post schooling, but like in the military, as you hit, like your first duty station.
Joe Perry: I would say probably the very first thing I would tell myself is to learn how to pace yourself. Honestly, one of the challenges that people get in this field, we talk about like, it's addictive. What are you going in this field? Very commonly you'll see people put in a 12 hour day and then go home and work on the same project for another six hours. And that's not a bad thing. Like being passionate about your work is good, but learning how to take a project to really think long term, like, is this, you know, how do I do this effectively? How do I use my time? Well, and keep learning, I think is a big deal. Just being able to pace yourself in general is one of the skill sets that I think cyber professionals, you didn't see me do the air quotes, but cyber professionals, tend to not be great at that. And it's one of the more important skill sets.
Michael Weigand: So, you know, what I would say is that when you get started in this field, there's this feeling that you're inadequate and in psychology, they call it the imposter syndrome. And I think it's just really important to realize that everybody starts out from zero, no matter where you are, like at some age, at some point you figured out, Hey, this is interesting. And, or I want to do this for some reason. And, and you're starting out from zero. You don't know how to code, you know, maybe you learn to code in middle school or high school or college or later in life, but at some point you didn't know anything. And I think it's really important to realize that, you know, a lot of experts in the field are, extremely, their expertise is very narrow. There are a lot of people as well, that can couple that with a lot of breadth, but there's nobody that knows everything. Right. And so what's really cool about the field is the way that it evolves so quickly. You can find a niche area of the field and own it on her, can truly own it and make it yours. And it won't take too long to get there, you know, just a couple of years, but if you stick to it and you keep the imposter syndrome at bay and you just tell yourself, like, I want to make a name for myself, you can go out there and do it. And then I think, you know, the question is like, do I, you know, obviously I would advocate for doing that in a socially responsible way. I think I did that, but I watched some other people, that I kinda came up with that I think made poor decisions along the way. And so I would just say, you know, imposter syndrome, you know, having some moral and ethical understanding of things like what you're doing as you go about your work with an eye to the future and what you could accomplish is really important. And so, I guess just, just turn it all back.
You know, I was really intimidated when I got started and I should have realized that I shouldn't have been, and I should have just openly acknowledged, like, you know, Hey, I'm a newb. Is that, is anybody willing to, you know, help me figure X, Y, and Z out. Right. I find people are super gracious as long as you don't come in and peacock.
Joe Perry: Yeah, absolutely. And if you're willing to admit a lack of knowledge, one of the great things about this field is someone is willing to give you that information. Yeah. And I want to go back to your point about, you know, specializing and understanding you can own a niche. Cause I think people tend to not really get the extent to which that's true, you know? And, and I often like when I'm talking to new cybersecurity professionals or just IT professionals, I try to hammer home the idea of like, when you're going through elementary and high school, you're just learning a little bit about everything, just how the world works, man, everything. Then you go to college, you pick something that you get, you know, this is what you specialize, and this is a general area of knowledge in which you're considered knowledgeable. Then you go for your master's degree and there's a subfield in that, that you get really good at. Then you go for your PhD and there is one thing, you know, everything about and just, you have no more information. So my personal example for this is that in most conversations, I described myself as a Windows specialist. My real specialty is undocumented network driver functions on Windows kernels. Wow. That's the narrow level that you're going to. It's not an operating system. It's not a technique. It's a very specific skill set. That's smart.
Michael Weigand: That's a small club. You can have a conversation about exactly. How many people do you think you could have a conversation about that with?
Joe Perry: I know all of their first names.
Michael Weigand: Yeah. Which is another really, I think exciting thing about this field is that, you know, through Slack, through discourse, you know, if you're, you know, if you're really old school IRC, right. And I'm a bunch IRC boards still around,
Joe Perry: so what are you talking about? The army still uses IRC like this business, I think I used Mark before I was in the army anyway.
Michael Weigand: Yeah. Not to be confused with BFT all those same user experiences. Yeah.
Joe Perry: There was a point at a Navy command where they locked down every communication, like, to include Gmail, you couldn't get on Gmail at work. IRC was still available a hundred bucks every time.
Michael Weigand: That's what they run on. And I remember like I had to give people classes, cause I knew all the commands back from, you know, when you used to be able to share files and all those kinds of fish. Yeah. Yeah, it was great. So I just think that like in the age where communication's so ubiquitous, like, you know, these communities' success get on Reddit, find that sub community. Right. I go to a local hacker conference, like a BSides, find somebody and just be like, yo, how do you like to communicate with other people that are interested in the same stuff? And then boom. Right. Yeah. There's probably a ton of Discord channels now and all just crazy stuff.
Joe Perry: You just have to look, show up to a bar with something hacky in its name. Like there are just so many ways to do it.
Jonathan Meyers: Cool. Let's talk about, let's talk about your favorite tool, offensive, defensive. Who wants to go first? I went first on the, what would you advise your younger self for. So you're up.
Michael Weigand: So I would have to say Kismet and the reason for that is that Dragorn actually came.
Jonathan Meyers: So describe Kismet in your own words.
Michael Weigand: First, Kismet is like the Swiss army knife of Wi-Fi hacking. Right, and, I'm sorry. Yeah, so like the author, right. And, you know, he comes to, he comes to school one day and he gives this like over lunch, you know, presentation on, on some research that he's doing. And I was just like, wow, like, here's like, here's a guy that's like made it, right. He's made a tool that's known by everybody. Like the world over, you know, is repackaged and sold, you know, in certain corners of the world. But like, I mean, this is the expert that likes to read all the code and I was, you know, I was just kinda like, wow, this is, this is cool, you know?
Joe Perry: And he took all that knowledge and he spent the time to like package it. So that he could give it to other people to like share it with the world, which is not always
Michael Weigand: such an altruistic, you know, trait. And I was really, kind of enamored by that, to be honest. And so what I wanted to do is at the time I wanted to put this on a little model airplane and the autopilot that was based on the Arduino was just out called ArduPilot and this was before you had, you know, quadcopters that were really reliable, you would buy any of those on the market and I actually did a little, a senior design project where I took Kismet. I put it on.
Joe Perry: I think I've read this paper.
Michael Weigand: Yeah. It was super exciting. So, you know, I had basically this like a war flying model airplane, a couple other people did it too, but I loved that. It was so much fun.
Joe Perry: Yeah. That was like, that was about the time I remember. I remember cause you graduated in 2011, Okay. So like my junior year. I guess sophomore, it was all about the blue sniffing and the directional cannons. And I was like, if only I could have something that just flies around and captures these, cause it was always somebody driving around in the ranch. Trying to capture all these things. And I was like, if I could just fly something back in 2010, 2011,
Michael Weigand: it was actually pretty tricky to get like a model airplane or like a home built quadcopter to, you know, just like hobbyist funds to fly itself autonomously and not crash like every third or fourth flight. There were a couple of groups that were doing an amazing job. Those. Team called the Paparazzi out of Europe. I know Jordi Muñoz, you know, was taken over the ArduPilot thing that evolved into a company called 3D Robotics, which was doing well but I think they've since closed up shop because DJI is crushing it.
Joe Perry: Yeah. They crushed, I owned one of their first generations. And the whole board was open sourced and you could do whatever you wanted. And I was just like, this is phenomenal because the sensors that came on it for the price, I think the price was kind of expensive, but not compared to things up to that point. I think it was like a thousand dollars for the first second generation Phantom. And you could use all the sensor data, like it was just dumping it to standard out. You could just, yeah.
Michael Weigand: Great products from them. But, I don't know. I have concerns about my data privacy.
Joe Perry: Especially now that it phones home before you take off. Oh yeah. So, I think, I'll have to say Ghidra. So Ghidra, for those of you who don't know, is a recently open-sourced reverse engineering tool from the NSA. It is a godsend. It's almost indescribable how much better it is than any other alternative. I'm a, you know, I, being an exploit developer, being a vulnerability analyst, a huge chunk of your job is reverse engineering tools and reverse engineering systems to figure out where the exploit can be found. And, and I'm barely more than a mediocre reverse engineer. It's not really what I'm good at. And fortunately Ghidra just does all of the work for me. It's this incredible tool. And it was developed, what was great is it's developed by reverse engineers who were basically just given, you know, a big chunk of time and a huge chunk of money and just told, go forth and do something magical, and so it's one of these tools that you're getting reversed. You know, it's not just giving you just the. No, the tables are the exports imports. It's building out C++ code that you can very nearly compile and rerun. Like it's incredibly effective, a really useful tool, a great collaborative tool. I'm a huge fan of the show.
Jonathan Meyers: How does it compare in your opinion? So Binary Ninja or IDA?
Joe Perry: No competition, Deidre gage. I love IDA and I don't want to talk smack about it, but Ghidra just blows it out of the water every day. Nice.
Jonathan Meyers: Mike, I'm going old school. Okay. So there was, I'd say it's probably two. So SubSeven was probably my first favorite. I don't know if you can consider it a hacking tool, what is this like 2003, 2002. It was like one of the first like Trojan horse things per se. I think it's SubSeven. I'm almost positive it's SubSeven. So you could basically send, it would, it was back in the AIM days. So you would like to send a link to your buddy, he'd click it and it would open a TCP connection, a Winsock to your computer, and then you could inject it to see from the drive over a dial-up modem. Probably. Yes. And you could, you could flip his screen, you could do a bunch of things. And it, it started, it was kind of the first thing I got when I was in high school, like early high school, that kind of started me going, taking computer science classes and things like that, it was just like, it was crazy at the time, like what it did and how it worked. I was just like fascinated by it. And then second, another old school tool was Ethereal, that they later rebranded to Wireshark, that changed, life changing. It was life changing just because I could see everything that was happening. And I think it set me up for the rest. In the next, like 10, 20 years as I know what I'm looking at, when I'm, I can, I can look at large blocks of data, all these abstract concepts, like just laid out in a timeline.
Joe Perry: Right. And it was great. And you're just being able to reconstruct streams like that functionality by itself makes Wireshark incredibly useful. It's a great tool. It was great.
Jonathan Meyers: So that's, that's what I like.
Jonathan Meyers: Any hackathon projects that you kind of do on the weekends that you want to talk about? Share anything cool.
Joe Perry: I mean, I'm working on, actually it started out as a personal project and it's since become a Cybrary project, but, I, I'm a huge lover, obviously, you know, malware is, is my area of specialty and I've got really interested in the ML revolution as it's, as it's picked up steam and I, it is kind of fascinating as a slight tangent that we talk about these new machine learning models and all the math we're using was developed in the eighties. Like everyone knew how to do this. They just didn't have an expensive enough machine, but, so I got really into that. So between those two, I've been working on it. It's got a whole long fancy name, but essentially a polymorphic engine powered by machine learning, specifically focused on using, for a dataset we're using functions from existing malware, and functions from, you know, malware that you can find on open source databases online. That's our thing. And so we're, what we're doing is constructing shells for those functions and then running them against a big pile, you know, like a VirusTotal kind of a big pile of AV products, PSP products anyway, and figuring out, you know, what catches, what doesn't catch and how, you know, which machines are actually getting detections on it. So from that, we're able to construct this machine learning model that we're still in the process of building out a lot of this dataset, but it takes a piece of functionality. It has labels of, you know, what this, what this specific function does, what it's for, inputs, outputs, that sort of thing, and constructs a new version of the malware binary for the given tool that it's targeting. So it sends out an, an exploring bot, says, okay, this is the PSP here. Whether or not that bug gets caught, we don't really care. And then the malware is constructed autonomously to specifically avoid that instance of that malware. So that's my current project. Yeah. That's exciting. It's fun. A lot of math.
Michael Weigand: I have to admit, you know, about six months ago, I sat down with the lawyers. Cause I was in the Army and I got permission to, you know, like start this at nights and weekends, you know, side project, Shift5, the company. And then all my projects went out the window and the project just became like building the product. Yeah.
Jonathan Meyers: So talk about Shift5 then.
Joe Perry: Yeah. A CEO with hobbies frightens me. So I totally frightened you as an investor.
Michael Weigand: So all my investors, I only do Shift5. So, yeah, Shift5, you know, what I learned during my days in, you know, in the Army Cyber Command and U.S. Cyber Command was that we have all this operational technology, right? Tanks, planes, trains, helicopters, you know, everything that, you know, everything that I'm saying kinda sounds transportation related, but it's so much more than that. There's so much tech around us that's underpinned, not by TCP/IP, but by redundant serial data buses. And I'm not talking about serial, I'm talking about protocols. Like here's some obscure stuff for the yard. So just prepare yourself for that. MIL-STD-1553. This is the thing that the International Space Station runs on.
Joe Perry: Yep. I think 45 year old protocol.
Michael Weigand: I think so. Yeah. I mean, it was originally developed by the DoD, for, you know, programs like the F-16 and it was adapted and, you know, put in like a, a bunch of our ground vehicles. Now it's used by satellites, super redundant. Just works, maximum throughput of a megabit per second. But it was developed, you know, in an era where people just assumed, well, as long as it's not networked, it's secure. Right? Yeah. Because the air gap solves everything.
Joe Perry: Yep. as we all know,
Michael Weigand: totally safe,
Joe Perry: totally safe.
Michael Weigand: So, you know, there's some similar protocols in the aviation world that were designed by a company called ARINC in 9717 and then, obviously a lot of people are familiar with the CAN bus, CAN 2.0, it's in your car. There's a version of it that's in all the trucks and offers a vehicle called J1939, where they implemented a version of the OSI stack essentially on the CAN bus. Oh, yeah, like the wireline standard. And so, you know, all of this stuff exists out there, interconnecting these different electronic control units, and it's just not secure. There's no authentication, there's no encryption. I think this is pretty well understood at this point. There's a 60 Minutes report, by Chris and Charlie a couple of years ago where they hacked a Jeep Grand Cherokee. And, you know, then even my grandmother understood like, oh, my car can be hacked. Right, you know, the same applies to all of this other stuff. And I mean, there was that 60 Minutes thing, but Teslas, and all new modern cars are still using the old technology. Right. Well, it's not like we've learned. Props to Tesla for at least bringing the cars out, you know, to, to some of the conferences and with, I guess like cash prizes delivered onsite.
Joe Perry: I think it was Black Hat last year that it was like, if you can hack this car, you get to take it home.
Michael Weigand: You know, I think that that's, that's the right message to send. I mean talk about a pen test. Right? So, and then they patch, I think they patched it in 24 hours, which was cute. Mind blowing. Yeah. I don't think you can do that against me. I'm not going to say, my car. So, you know, I started to become exposed to these problems more and more, through my military service. And I realized, you know, just in the course of being curious, that while it manifests itself all across the commercial industry, and I wanted to do something about it because I felt, I don't know, just like compelled to protect this equipment because in some cases, literally lives are at stake. I mean, if you take control, you know, of a significant transportation system, you know, say a train, you know, it's almost like we've regressed back to the mid-1800s, except that you no longer need a horse to like, you know, ride alongside this train, like jump on, like throw the engineer out in order to hijack it. Like you could do it from the comfort of your, your couch. And so we wanted to do something about that before, you know, people were hurt in society and paid attention. So, you know, here comes Shift5 and, essentially, yeah, that's what the company was established to do, was to bring products to market that allowed us to secure these legacy protocols that are on everything. And we'll continue to believe, you know, be installed. We believe in systems for the foreseeable future. We have a lot of legacy infrastructure that is going to run this, you know, for the rest of my life. And so let's do something about it. So that's been my day, night and weekend for, you know, ever since I left the Army.
Joe Perry: Nice. And you guys are based out of?
Michael Weigand: So right now we're based out of Rosslyn. You know, we bill ourselves as a DC area cybersecurity startup, you know, eventually we'll, we'll find and settle at a home, but we're growing pretty rapidly right now. So Rosslyn, Virginia. Nice.
Jonathan Meyers: So, what do you like doing in your free time? Do you have free time or not?
Joe Perry: Do you remember what it was like when you had freedom at one point? So.
Jonathan Meyers: You have a pilot's license?
Michael Weigand: I do have a pilot license. I love to fly. When I was at Fort Benning in infantry school, I got a little bored, going out and just drinking every single weekend. I was spending a lot of money as you do. Fort Benning, military Fort Benning, and so what I did is, I just kinda calculated that I was spending like hundreds of dollars a week on, you know, just like partying. And I started to save up the money for a couple of months. And then, I got a book for the written pilot, like the written pilot's test. I just sat down and read the entire ground school book. And I walk into this flight school and I tell them, hey, listen, I'm going to be the fastest, like a student pilot you've ever seen. And they're laughing at me. They're like, what are you talking about kid? Like, and I'm like, no, listen, like give me a practice written right now. I'll take it. I'll pass it. I'll prove it to you. And I did. And they were like, okay, sure. Like, let's do this. Here's the trick to getting a pilot's license on a budget. If you make your budget at the minimum, FAA hour requirement is 40. Most people do it in around 72 hours. I did it in 42 because I showed up for classes like every single day, almost. Jeez. So I would do one or two lessons a day, like every day or every other day. And then I would go home and I had a simulator set up with the yoke and the pedals, and then I would redo the lesson at home, to, to really make sure I got the muscle memory down, understood the, the sight picture, you know, on landing and everything, and so I knocked out my pilot's license and, I've, you know, I just really like flying. I think that general aviation has kind of taken a nosedive the last couple of years. It's, it's become inaccessible to the common person and that's a shame because it's a wonderful experience. It's an efficient way to travel. You learn a lot and I think that it forces you to stay dedicated to a lifetime of learning because you have to constantly be doing some type of training or some type of professional education to be a safe pilot, and it's also just really cool. Just, you know, telling your friends like, hey, want to go, you know, just do brunch, like 400 miles from here. It's only like an hour flight.
Joe Perry: I recall you talking to RCO on your way about flying about Ocean City for lunch one day.
Michael Weigand: So like a four and a half hour car ride. Right. But you can make it there from DC and about 45 minutes.
Jonathan Meyers: Nice. Do you have friends that are like refusing to go with you?
Michael Weigand: No problem.
Joe Perry: You haven't had that problem yet. That's interesting.
Michael Weigand: I don't know. I guess it would all depend on my friend, which if I would,
Joe Perry: yeah, like I know who I'm friends with and not, I don't like him behind the wheel of a car, so. I'm not getting into the air with any of those people.
Michael Weigand: I mean, I guess air is easier. It's like as long as he's focused for the takeoff and landing.
Jonathan Meyers: So it's funny. I think everybody that knows me will tell me that I'm terrifying behind the wheel, but I don't know. It's just different. You get on a plane, you have a checklist. There's just a total. Like you like prep for it. You know, the.
Joe Perry: It's a process that you can immerse yourself in.
Michael Weigand: Yeah. And I like it because it forces me to, yeah, exactly. It's like a Zen thing. Like you, you just get in the motion of it and you do it. And it helps me, frankly, it helps me destress and focus.
Jonathan Meyers: Yeah, I think it's also, it's dangerous enough that it makes you kind of take those steps where I think driving a car is kind of numbing your senses to use it.
Michael Weigand: I don't know if you'll ever get that used to flying because it takes so much prep to get off the ground. It's actually around the DC area because we have these special flight rules here. Yeah. So here's a little trip, a trick. If anybody's interested in learning to fly in DC, there are a couple airports. One of them is College Park Airport, right? It's the world's oldest continuously operated airport, right? The Wright brothers flew out of here.
Joe Perry: We'll actually read out or you can walk there in about three minutes.
Michael Weigand: So, you know, after 9/11 with the no-fly zone, you know, a lot of their flight volume really decreased. You can still fly out of these airports in the DC special flight rules area if you go through this process, to get fingerprinted and certified by the ATC. And it requires you to be a little bit more on the ball with air traffic control. But honestly, you know, hats off, I think some of the most professional people in government are FAA employees and the air traffic control controllers, and they do an amazing job. You, you just, you get the, you, you get fingerprinted, you can, you do like an online class and then you can fly in and out of the region here. And so, you know, a little shout out.
Jonathan Meyers: Yeah. So what's, what's on their radar. What's coming up for you in the next six months, Shift5 or otherwise. Yeah.
Michael Weigand: So, you know, the company is at an early stage and we're revenue positive. And so we're trying to grow that, we're hiring, we're looking for exceptional, you know, world class, security engineers software. We need a couple of hardware engineers as well. People with electrical engineering degrees, computer engineering degrees, you know, we're looking for people that really want more than anything to apply their skills in the service of, you know, securing our national infrastructure. I think that this is a competitive advantage that we can offer advice, you know, other companies in the, in the tech space. So hiring, I think really just building out our sales pipeline, getting our product integrated onto more aircraft, on more ships, onto more rail. We're doing, obviously a little bit of support for the Department of Defense. But, you know, the things that we're really focused on is securing this commercial infrastructure. I think it's really cool by the way, this idea of securing off-road equipment. Like, you know, when you were a kid you probably played with like these Caterpillar Tonka trucks. Yeah. We are sending people out to the field in literally just a couple of days to do data captures on massive real-world Tonka trucks and stuff, because we think that this is infrastructure that, you know, people, well we know that people want to secure and the reason is because people are targeting it. Yeah. It's nuts.
Joe Perry: I think, well, I just pulled up an article about it. Cause it's really interesting. When you look at securing these infrastructure systems, it was last year that a water utility in Europe found out that they had Bitcoin miners all over their ICS and SCADA equipment, which I found fascinating for a host of reasons, not least. Why are those touching the internet, the mine coins for someone. But, I mean, obviously there's a cross section of need because these are, these are incredibly legacy systems with no real security applied to them. But is there anyone as you've been working on this, is there any one, like system, any one fact you've discovered that has just scared you the most or been the most eye opening?
Michael Weigand: Yeah. So, you know, a broad trend, there's a big push to install telematics systems. Wasn't a term I was familiar with until recently, but essentially, you know, let's say you're, you're operating some infrastructure, and it's kind of at the intersection of a telecommunications network, some type of operations or automotive for mobility or whatever. You know, everybody wants to hook everything up so they can get the data. You know, we see a lot of a push in the automotive industry for companies to reinvent themselves as tech companies, as data companies and not in a less so like bending metal and actually building and selling cars. As we connect things up to the network we're making on-net access, you know, easier, right, off-net access has always been there. I think that that's going to continue to grow as a threat vector, no doubt about it, and, you know, supply chain dependencies, you know, people physically getting access to things or just walking up and, you know, breaking and entering, that kind of thing. But the more that we drive to get data through, you know, through the network, the more that we hook things up, you know, so to say this isn't really IoT, but right. It's concept still applies. We're going to see these, these threats emerge. And so I've recently come across, you know, some major transportation systems that, literally, tens of thousands of people rely on, just in one metropolitan area on a daily basis, to move from A to B, you know, as they commute and, you know, it's unsecured and connected to the internet. And when you get access to that telematic system, you know, to that modem, then you can reprogram other things right on the data bus. And so when you reprogram an engine control unit for a full authority digital engine control, a FADEC controller, or you, you know, you reprogram a, you know, an ECU that is maybe the bus controller on a primary network, you own that thing.
Jonathan Meyers: A random question. If you could add one thing to our shelves, if you've noticed our shelves in the back, what would it be?
Michael Weigand: And you guys got a bunch of stuff covered here. We got a bunch of random stuff, so we're starting out small and
Joe Perry: we're trying to just expand it until the whole room was just, yeah. Get your show.
Michael Weigand: That's good stuff. So, you know, I guess just sticking with the flying theme, maybe like one of those little, you know, like pull back to wind up, you know, a little like, actually, you know what, and I'm gonna, I'm gonna go a little, little crazy. I got my start in this because I really liked autopilots and I really liked autonomy and microcontrollers and stuff. I think you guys need an old school autopilot, like maybe an ArduPilot board. It's totally useless. Now it else I'll send you guys one. All right. Yeah. A box of these old perfect microcontroller PCBs, from
Joe Perry: that'll be perfect. Yeah.
Jonathan Meyers: Yeah,
Michael Weigand: something to counter that ZX81 up there, then it's nuts.
Joe Perry: Or our ancient floppy drive, just sitting on the shelf. I love it.
Jonathan Meyers: Five and a half inches. Yeah, the good stuff. It's really floppy that those like stiff, floppy, floppy or whatever.
Jonathan Meyers: Well, what about the CDs that were in the three and a half? Like floppy? What were they called? You know what I'm talking about? It was like the old tech data. It was like the CD-ROM drive that was inside a flop house, mag tape.
Joe Perry: What the hell was that called? Those were nuts. I wish we had one of those that have been sick.
Michael Weigand: I remember when my dad brought home a computer from his engineering company and they had installed a CD drive and presented this like ancient. It was a 486. This is not that ancient, but he presented this to me. I was like a birthday, Christmas present. And had a CD drive in this had just come out. This was like hot tech. Yeah. And I was able to install StarCraft, which didn't run. Nice. Slow. That was a, I think it was my second computer. Sirica there's a, yeah.
Jonathan Meyers: My second computer was a Gateway 2000. That I got to custom build ish, I guess. Yeah, because those were like the first, that was like the precursor, I think, to Dell or one of the competitors that kind of came out with Dell, you go, and it was like a barn theme store. It was the weirdest thing, but I got my first one and I think it was one of the first ones with a CD-ROM drive. And that was. I was nuts
Joe Perry: When I was in high school, my buddy and I got a job over the summer, replacing all the school and library computers. And as we were putting them in we noticed like, oh, hey, these all still have floppy drives. I wonder if they're enabled. And we checked in like on the boot and we were the ones doing it. So we just left that boot menu option open. So we would boot them up. We had like, say, I think it was six or seven floppy disks that had the most, like the lightest weight Linux distribution we could possibly find. And we just use that and just use that to skip past all the school's filters and everything they had implemented
Michael Weigand: six or seven floppy disks. That sounds like an Oregon Trail.
Jonathan Meyers: Just about. Oh, alright. anything else you guys want to talk about? Otherwise we'll wrap it up.
Michael Weigand: I just want to say thanks.
Joe Perry: Yeah, absolutely. Thank you for coming in.
Jonathan Meyers: Yeah, it was great, and then anybody you think we should have on the podcast besides Josh?
Michael Weigand: Yeah. So, you know, somebody that has a really interesting story, as well as my co-founder, James Correnti, he had a very different, you know, venture. He went into the Signal Corps and at some time in special forces doing, you know, comms worldwide, and then went into cyber. So if you want to hear how that painted a very different perspective, and then he also helped, he was like the founding member of the Army's offensive capability development organization, which was modeled after a 90th, CMOs and deck, which I see should, yeah, we'll definitely check that out.
Jonathan Meyers: Yup. Cool. Awesome. Well, Mike, thanks again for coming, Joe.
Joe Perry: Awesome. I have a B. All right guys.
Jonathan Meyers: All right guys. Thanks.