In this episode of Modern Cyber, Jeremy sits down with Trent Gander, a defense and security consultant, to explore the intersection of physical security and cybersecurity. Trent draws on his experience working in law enforcement and the military to highlight how cyber and physical threats are increasingly intertwined. They discuss the challenges that arise when organizations separate these domains and the potential vulnerabilities that emerge as a result. The conversation also touches on real-world examples, such as drone usage in modern warfare and the risks of improperly discarded hardware. Trent provides a compelling look at how the convergence of these fields will shape future security strategies.
About Trent Gander:
Trent Gander is a defense and security consultant with over eight years of experience working in the firearms, law enforcement, and military sectors. He specializes in making complex security issues more accessible and has contributed to multiple projects related to modern warfare. Trent is available for consulting work in the law enforcement and military space and can be found on LinkedIn and Upwork.
Jeremy At Firetail (00:02.178)
Hey, welcome back to another episode of Modern Cyber with your host, me, Jeremy, as usual, not always, but usual. And I'm delighted to be joined by somebody who brings a different perspective to the podcast today. You know, normally we talk about cyberspace, we talk about digital threats, we talk about risks to data, we talk about risks to things like functional aspects of application stacks, cloud platforms and whatnot. Today we're gonna get into something that's a little bit more tangible.
I'm joined today by Trent Gander. Trent is a freelance writer and consultant who has worked in the firearms and security sector for over eight years. In that role, he's dealt with everything from civilian concerns to law enforcement and military methodologies, as well as practices in logistics, data and intelligence. Trent prides himself on making complex problems easy to understand. Trent has also participated in multiple projects related to modern war fighting since 2022. This is a really interesting space, Trent. Thank you so much for taking the time to join us today.
Trent Gander (00:56.956)
I'm happy to be here and I hope I have a great conversation with you all.
Jeremy At Firetail (01:01.418)
Well, I just by judging on the things that we've got lined up to talk about today, I think it's going to be a fascinating conversation. So let's kick things off with an area that I think is probably not that well understood. I know you spent a lot of time with law enforcement and the armed forces and you've studied the connection between kind of the cyber space and the physical security space. So as we sit here today in 2024, how do you see that connection between cyber and physical?
Trent Gander (01:29.706)
They're inextricably linked. There is no way you can separate physical security and cybersecurity. You can have the best firewalls in the world, the best observations, and if someone can break through a window and just grab all your stuff, it's worthless. So you have to have the physical area around you secured in addition to your online presence as well. This is something a lot of people don't really understand.
grew out of the 90s when you don't get into cars with strangers, don't give out your phone number, don't give out your address to people you don't know, but yet online, we do that for everything. So as we start to focus on the internet side of things and the electronic side of things, there is this forgetting of the previous world's guides. So we see this in the military space where methodologies that worked 20, 30 years ago are still valid.
Jeremy At Firetail (02:03.667)
Mm-hmm.
Trent Gander (02:24.85)
but they're being pushed out and overlooked by the newest, latest, and greatest development. And it's been that way since war has been happening. But when we fail to learn from our previous experiences, we open ourselves up to have those experiences happen again, but with even greater damage because we don't know how to handle
Jeremy At Firetail (02:46.821)
Okay. But I feel like along those lines, most people have learned that they're connected, right? And most people have learned that they not only need to logically secure, let's say their application stacks, their cloud environments, their data centers, their offices, et cetera, but they also know that they need to serve.
Sorry, they need to protect the physical aspect of it, right? You've got access controls, you've got biometrics, you've got key cards, you've got any number of things. Do you feel like there's a set of lessons that, you know, we as society are either unlearning or that we're starting to forget about?
Trent Gander (03:24.082)
There is the aspect that if there is a lock, there's always time to open the lock. The purpose of these passcodes, these key cards, these keys themselves is to buy time. All security is delaying the action of a determined actor. A perfect example of this is firearm safes. There's firearms cabinets and then there's firearm safes. The safes is what we generally think of when we think of like gun vaults and things. They're big, they're heavy, they're bolted down.
Jeremy At Firetail (03:36.604)
Okay.
Trent Gander (03:52.146)
But a firearms cabinet is just like, don't want my kids to touch my guns and I don't want an accident to happen. But someone who's determined with a lot of physical aggression can literally rip a firearms cabinet off the ground because of how thin the metal is. And despite the fact that I have a lock, I have all these things, if someone just cavemans their way into my stuff, it doesn't matter. It's not as secure as I think it is. And another example.
to think of was there was something I saw in a cybersecurity group that I'm in that they had put an entire server farm that they were no longer using just in the alleyway. They put it out with the trash data in all of it. So the guy goes, hey, I could have walked away with entire server farm all the data on there because I'm almost pretty sure they didn't wipe anything if they're just throwing it out the trash. And that that would you think that'd be a logical conclusion like
Jeremy At Firetail (04:32.199)
my goodness. Yep, yep. Yeah, yeah.
Trent Gander (04:49.234)
I'm putting this out outside my little security cordon outside of all this other stuff. Somebody can just walk up and take it. I myself had a actual interaction with something like this. I was taking my recycling one day and in the recycling, I saw that somebody had put all their business papers for like the local cattle industry. Just probably multiple years of information just sitting there, not shredded, perfectly legible, but it was just there in the recycling and
Jeremy At Firetail (04:56.155)
Yeah.
Trent Gander (05:20.126)
My family has been very security conscious for a very long time. We tend to shred and or burn any important documents that we have that are no longer going to be needed, whether they're financial, medical, things like that. And that is not something that you tend to see a lot of because we're in an area where everything is recorded digitally, even in papers. People are encouraged to kind of hoard that information.
And as you hoard more information, the more likely it is for somebody to be like, hey, that's really nice. I'm going to take that and use it against you.
Jeremy At Firetail (05:54.478)
Yeah, yeah, I do tell, you know, everybody who will listen in my circle of friends, you know, it's not enough to just throw things out. I've got a bin here. It's kind of off camera here, but I've got my own little home shredding bin. And, you know, for me, it's pretty much once every other week or so I'll take that to a co-working space that I go into that has a high powered
and just kind of crank through everything off of that box. But I take your point on this, and I think actually if I kind of extend that analogy, especially along the lines of the fact that it's delay not fully preventative, we talk a lot about encryption and we talk about the strength of encryption, but we also know over the last 20 years that for instance, the encryption that was used when I first started my career in IT is eminently breakable today.
you know, anything that we use right now, whatever the current standard is that we have, the chances are pretty good that 10, 20 years down the road, that will also be breakable. Now we may be delaying by a factor of years, and it may be the case that by the time this data is unencryptable, it's no longer relevant or valid or, you know, usable for any real kind of purpose. But I take your point seriously, and certainly, you know, any determined actor can get into things if you just take the recent kind of assassination attempt.
it took the FBI a matter of days, but just days to break into the shooter's phone. And so, even the protections provided by the phone manufacturer and the Android operating system, et cetera, were at best a delay of a couple of days. So where do you see organizations kind of thinking about, do you see them kind of separating the two domains or do you see them like starting increasingly to treat them as one unified exercise when they do their own?
let's say security posture evaluations or when they do their own threat modeling. And I'm particularly, you know, kind of thinking about this from the perspective of the type of organizations that you interact with, which candidly, by the way, are ones that I almost never interact with. So I have kind of no idea what the current state of play is with those organizations.
Trent Gander (08:03.262)
So you're starting to see more separation rather than integration. For example, illustration of this is the United States Marine Corps. They have a number of military jobs referred to as MOSs. And they have now a specific one for cybersecurity. It kind of covers everything within the cybersecurity space. But physical security and I'm mixing them with the Air Force, which is security forces. That is an entirely different job.
And there you can learn the other jobs, but they're not treated as the same specialty. So you might go in to the Marines and say, I want to be cyber security. And then you can pick up five or six other different jobs that you're certified to do, but only within the military. But they're not treated the same because of the hyper focus on a specific task that tends to happen within the military and law enforcement organizations.
Your smaller departments within law enforcement will have people cross trained on a lot of different things because they have to. I live outside of a small city where we have like 24 to 28 sworn police officers. And then it's like six support staff and maybe a couple of volunteers. That's not a lot. And it's not that small of a city. It's almost 20,000 people. But that's, that's not enough to have somebody on cybersecurity.
the entire time. They might have somebody they might call in as an expert to be, hey, we messed up. We need help. And that's, that is in fact the beauty of being able to outsource certain jobs. But of course, if I'm relying on my security all the time on an outside source, what happens if they get compromised, what happens if I'm unable to reach them because all my phones are down, all my radios are down, all my everything is down because
Jeremy At Firetail (09:29.3)
Yep. Yeah.
Trent Gander (09:51.246)
my department or my job or my home got specifically targeted for a specific attack because we are seeing criminals start to, especially in other countries, become more and more advanced using things like signal jammers to isolate people who are already in isolated area where they can't call out. Now that sounds like an absolutely terrifying prospect to experience, especially like, my goodness, I'm going to call the police. The phone isn't working. I'm going to call the police on my radio. The radio isn't working.
I'm on my own. I'm here with my family. My kids are here. My spouse is here. Everyone I care about, everything I care about is here. And there seems to be an indication that somebody wants to take everything from me tonight, today, tomorrow. And living underneath that pressure is something that I'm going to make an assumption, say a good portion of the US does not experience. There are certain areas where that is the case. It absolutely is the case.
Jeremy At Firetail (10:45.34)
Yeah. Yeah.
Trent Gander (10:48.574)
But the more white collar aspect of the United States doesn't have to worry about that. They have their own private security details or they live in nice gated communities and the barbarian hordes waiting to take your scalp kind of a situation has been a little bit lost in translation when that was only 100, 150 years ago, or that was the norm.
Jeremy At Firetail (11:11.517)
Hmm. Yeah, it's interesting. I mean, you mentioned that the majority of the population probably doesn't live with that concern. I just kind of Googled while you were making that point. And it is right now about only about 20% of the US population that lives in what is classified as rural areas. And there's a definition here about what kind of qualifies as rural areas. To your point, there's a couple of follow up questions that I want to ask before circling back to the kind of separation of physical and cybersecurity duties.
But along these lines, one of the things we've seen recently is that when it comes to kind of industrial control or utility systems, the organizations that are getting breached the most or starting to have troubles the most are these smaller municipalities. When you hear about such and such wastewater treatment facility, ransomware, you're generally not gonna see New York City, Washington, D.C.
you know, Chicago, you're not going to see these large municipalities that to your point have the resources to probably fund 24/7 operations, have the resources to even if they're not doing it themselves, they can maybe outsource and partner with, you know, higher dollar amount and higher budgets where they can lean on more extensive 24/7 and more complete 24/7 services. So I wonder along the lines of outsourcing.
What are you seeing in the wave of trends? Are you seeing that, for instance, on the level of a state, that there's statewide efforts to support smaller municipalities, or are you seeing that municipalities are largely left to their own devices?
Trent Gander (12:45.756)
This is going to be an assumption on my part in regards to what happens at the local level. And it is along the lines of not much is happening because we are dealing with small town governments. Many of these individuals who work here might have a passive interest in cybersecurity, but we have to remember that either government isn't their day job or they're only there to fill a position. The aspect that is the most concerning is that a lot of people don't know.
that that can be an issue for municipalities, that there are malignant actors who are going to come in and hold something for ransom. We hear ransomware on the radio and other means of spreading information all the time, but it's a significantly different issue to experience yourself. That's never gonna happen to me. We're too small. We don't have to worry about that. We have security through obscurity. But it only takes one person with a little bit more know-how than me.
Jeremy At Firetail (13:37.227)
Yeah. Yeah.
Trent Gander (13:44.53)
to operate a computer to be able to break into a place, figure out how, I just turned it off remotely. And then we're also seeing that larger municipalities such as those in California are becoming more and more technologically integrated so that they can remotely activate and deactivate utilities. And there has been concern over essentially political retaliation of you voted for the wrong person or you've been deemed to have extreme views. We're going to shut off your power, water and your gas remotely.
Jeremy At Firetail (14:13.321)
Mm-hmm.
Trent Gander (14:13.774)
Those exact same mechanisms that being used in that way or couldn't be used in that way can also be used to hold people with ransom. Hey, I've now connected to your whatever utility you want to have. And now I can control it without the utility company really noticing it. And that to me is more terrifying than my local municipality not being prepared. It's that the we'll call it the Internet of Things is starting to get into our into our networks of infrastructure.
because there was a story within some of the pen tester groups about how somebody got into a home network because the smart light bulb didn't have security on its hardware.
Jeremy At Firetail (14:59.092)
Yeah, yeah, yeah, we've seen.
Trent Gander (15:00.412)
So it's just jumping off a couple of things and it's just how much are we going to integrate without security before people realize that that's a bad idea.
Jeremy At Firetail (15:10.922)
I mean, look here, you're preaching to the choir on this one. And I'm sure like a lot of our audience will have already been thinking about some of the things I'm about to say just kind of in in support of the points that you just raised here. First, I'll mention that, you know, for those who've been listening to the podcast for a while, you may remember that we've had Mikko Hyppönen on here before. Mikko wrote the book If It's Smart, It's Vulnerable, which has kind of come to be known as Hyppönen's Law. And it really is the case that, you know, all of these smart slash connected devices
First of all, they ship with vulnerabilities. And the truth of the matter is that we're kind of outsourcing the responsibility for keeping them up to date as these vulnerabilities are found and exploited. It's the responsibility of the owner of the smart device to go update them. And of course, I'm probably an outlier, you're probably an outlier, and everybody in our audience is probably an outlier. But go talk to your parents and ask them the last time that they told their TV or their refrigerator or...
their whatever device to go scan for a BIOS update or updated their home Wi-Fi router for the latest thing. And along those lines, you know, it's pretty well documented that in a lot of botnets, some of the larger components of the botnets are not actually PCs. They are exactly these things like smart doorbells and light bulbs and refrigerators and coffee machines and all of these things that are connected.
They have an underlying Linux operating system kernel with some vulnerability that shipped when the device was initially made and has never been patched or updated. So yeah, just bear that in mind. Anybody out there who's kind of listening, it does leave me a little bit concerned about all of these municipalities and this whole approach of security by obscurity. I tell people all the time, we have our own testing lab. You know, we do API security here at Firetail.
We have our own testing lab where we put APIs online. We are not a large company and we have no illusions about who we are and whether we are a realistic target. Despite the fact that we have previously interviewed what we suspect to have been a North Korean agent applying for a job with our company, any API that we put online, it can be on any of the cloud providers that we support and that we test on. We give it a random IP address, no DNS name. It's not linked from anywhere. It gets traffic.
Jeremy At Firetail (17:30.149)
within less than five minutes. And that is not dumb traffic. That is traffic probing for what's running at this location. And once we see one request, we see a bunch of follow-up requests trying to discover what's running there. And that's exactly the path that most bad actors take when they're starting to look at your network. And this is true of every municipality across the country, whatever size. If you have something with an IP address that's connected to the internet, it is being scanned, it is being probed all the time.
many times per hour and this whole view of security by obscurity that is just not a valid strategy in 2024 as we see it. So I want to change gears a little bit in the conversation. I want to come back to something that you said earlier about kind of physical versus logical or cybersecurity. And you said that these things are kind of generally being separated in a lot of the organizations that you kind of look at or work with. And I'm curious what your take is because
I could almost make two arguments around that. One argument is actually it's better. People can focus on one domain space, they can go super deep on that domain space. And in fact, you've got domain space one, domain space two covered by deep expertise. They're really, really focused. And in fact, the two should kind of check each other. You get the best of both worlds because you've got deep expertise on both. The other view is that, as you said at the beginning, they are inextricably linked.
and going forward, in fact, they're just going to be more and more and more linked. And so by separating them, what you may be getting is great physical security, great cybersecurity, but at any device or any touch point where the two come together, that's where your weaknesses are gonna lie. Where do you see that dynamic playing out right now?
Trent Gander (19:13.99)
I think the perfect example of this would be the war in Ukraine. So currently we are seeing the use of drones heavily. Drones are quickly becoming the equivalent of mortars for close air support, which is a light portable means to lend aid to soldiers in the field. The predominant aspect of drones today, especially on the market because they're outsourcing themselves, is from China and from other places that may or may not be your friend today and your enemy tomorrow.
Knowing how those can create issues is extremely important when you're in a job field where life expectancy is quite low. Most people who are in the civilian sector, they don't really have to worry about a security breach resulting in them and their friends' The military aspect, to an extent law enforcement as well.
that is a very real possibility and is quickly ramping up that, especially if another global conflict kicks off, that, hey, your normal life is suddenly disrupted and now you're on the front lines. A perfect example of this, was an exercise a few years ago in the NATO countries where an operating force was completely eliminated because they did not control their emissions in the form of their soldiers were on dating apps during the mission.
Jeremy At Firetail (20:19.285)
Mmm.
Trent Gander (20:36.79)
and they called an opposing force, found this strange cluster that they triangulated of all these essentially foreign nationals in this area looking for dates and stuff like that. They called in a simulated artillery strike in the location, completely wiped out the entire unit, unit moves, pops back up instead of the dating profiles. So there is this misconception that everything that I
because of how much is going on is still covered up that security through obscurity mindset isn't necessarily stated there, but no one's thinking about, I just want to have some company for dinner or some some fling on the side, not realizing that they're sending out information. And going forward, we're going to see one of two paths be practiced either at the same time or focused entirely by themselves, which is a return to traditional soldiering, which is
No GPS, no infrared emissions, no light emissions, nothing going out as we move like ghosts, and a heavy integration into things that require more expert knowledge regarding integration of cyber security, drones, electronics, and all the stuff that goes with it. That, that's where we're starting to see the connection between physical security and cyber security, because
If I have to have, if I have a guy who specializes in using the drone, that's his whole shtick. That's his, he's my, he's my signals guy. He's my cyber guy. He covers everything. The next day he's gone. He's died. He's moved on to something else. He's injured and isn't able to do anything. He loses a hand. He loses an eye. Some aspect of his performance ability goes down. I need to have my number
Number two guy step into his place and start dealing with that. We don't get that in the civilian thing because we can just hire somebody else. But even then when you think about when somebody gets fired or if they're doing malicious stuff and they get picked up by the police, suddenly you have a hole in your cybersecurity stuff because well he's used to doing it and or he or she is used to doing it and they've been doing it all the time. Now we got somebody coming in and they've developed their own system within your own thing and they're not following the operating procedures which is
Trent Gander (22:58.152)
what you're going to find in these smaller municipalities, in these smaller businesses who just hire somebody who knows more about computers than them. Now we got to come in, we got to clean up all those aspects that they knew how to do. I can't think of how many times I've walked into even just a writing prompt or something where I said, I have no idea what this person was thinking. I'm not used to all this stuff because my system is different from their system. And that's just something that we as humans do. We develop our own idiosyncrasies around the tools that we use and
Jeremy At Firetail (23:26.81)
Yep.
Trent Gander (23:28.348)
One of my cousins had a, even a lawnmower and it had to have a special couple of things hit in order to get it to actually turn on. Despite the fact that it was completely almost analog lawnmower, but you had to know the specific way to turn it on to actually get it to work. Like, this one has like a faulty kill switch. So we have to, you know, tap this thing over here. And then it starts. If you didn't know that you'd be like, man, why you got this lawnmower that doesn't work.
But instead of it being lawnmowers, like, why do you have this entire security pack and that doesn't work? Why you have this entire security system that does work? that's because I integrated this one specific thing that I was testing myself and it's like, my goodness, why do you have to make my job a thousand times harder? Because you had something that you didn't document, that you didn't tell anyone else about that is now the crux of your entire security
Jeremy At Firetail (23:56.069)
Mm-hmm.
Jeremy At Firetail (24:21.623)
And, you know, sitting here, it's really hard for me to think about that backward slide. Like it's just almost impossible for me to kind of imagine it. And, you know, it's been written about in any number of kind of doomsday sci-fi books if you've...
If you're old enough to have read The Mote in God's Eye, you will have seen that, you know, encyclopedias became the most valuable commodity because they taught humans how to recreate a lot of systems that frankly, like nobody knew how to do anymore. Everything from I think, you know, rotors for electricity generation to, you know, designing gas lines for ovens and things like that.
But I just can't see that playing out. If anything, I think your point at the beginning that they're inextricably linked, you know, the kind of the physical technology and the hardware and the software really, like they just seem to be coming together more and more and more. And that just seems like a one way path. I don't know. I find it hard to think about the
Trent Gander (25:24.894)
So I have a perfect example of this actually. There are events that I remember from the last 20 years that really aren't covered online, that aren't dealt with. And the more we become relying on electronic media to support all of our information needs is the higher likelihood of us not actually learning anything. I'll bring up ChatGPT as an example of this.
Despite the fact we're trying to avoid AI, the aspect is, we made 25 minutes without mentioning AI. We'll call it a win. So because of the firearms industry is very maligned online, despite the fact that it's completely legal, it's very heavily regulated, there is just a social aspect that people don't like to touch it. It's like arms dealing. And it literally is arms dealing, but it's not in a malicious way.
Jeremy At Firetail (25:57.058)
Yeah, we made it 25 minutes. Yeah. Yeah, exactly.
Trent Gander (26:21.008)
I decided to try out ChatGPT in my day job for freelance writing. like, let's see what ChatGPT can do to see if it does anything that like my specialized knowledge doesn't provide me. And I told it to, I wrote out a couple of things. It's like, hey, tell me about these three or four things and modern options. It's like, well, it didn't cover anything. It was all very generic. It was all very surface level. And then I went and I said, hey, tell me about these models of firearms. And it says, sorry.
that goes against our current programming and our policy, cannot comment on that. And there are a lot of other industries, we'll take pharmaceuticals, legal things, all that stuff may not get you accurate information or may be denied information if you rely on ChatGPT to write everything for it. Now, it's a great tool to write everything quickly, or at least outline it very quickly. But certain things are just societally unacceptable to deal
Jeremy At Firetail (26:54.966)
Okay.
Trent Gander (27:20.818)
with certain programs. So if we, and we know that high school students and college students, they're taking the easy way out. I credit them for using ChatGPT to make their workload easier. It's great. However, we can see that the information within ChatGPT can be manipulated to a point where you can get it to lie, or you can get it to give false information. So if we're relying on the search engines, like
Jeremy At Firetail (27:43.115)
Mm.
Trent Gander (27:48.22)
I've had to deal with a couple of searches in the last few weeks just on Google where I'm looking for a very particular thing that I know is going to be related to something like the FDA and everything that comes up is everything but the FDA. I put in new search terms and it's nowhere near what I need it to be. I have to go to that particular website and paw through the information there myself, essentially bypassing a search engine to gain access.
And as we're starting to see the integration of AI into search engines and AI summaries, we can't verify that information as easily as being accurate. So we all have our little biases. We go to people that we trust or people who seem trustworthy and we get our information from them, which of course still has its own problems regarding what if they're lying. But now we can't go and verify credentials or verify the history of something if AI just like
randomly grabs all the stuff off the shelves, summarizes it and puts it out on the plate in front of us. So the possibility of that backsliding gets more and more plausible when you start to look at the reliance on tools that make the job easier. There's just certain things that you can't do with technology without using some older method or older format or even the old knowledge. Like I can look up how to fix my car.
but I'm still gonna need the physical tools in order to do that and no, to cross these couple of wires otherwise my car is gonna catch on fire. Kind of a thing.
Jeremy At Firetail (29:17.029)
Right, yeah, I get your point. I mean, you know, there's a counter argument that can easily be made, which is that like, a couple things. First of all, ChatGPT made by OpenAI, it's their right as to how they classify data, what data or what information they classify as being, you know, against their terms of service, just like it is for any social media platform. And they all face the
the questions around what is harassment, what is hate speech, what is unacceptable user content, pornography, what have you, right? So, you know, it's a private corporation that gets to set their own rules for their own products and services and so on. I do definitely take your point that, you know, as humans become more reliant on search, there is definitely kind of a self-referential effect of what information gets surfaced.
Trent Gander (29:52.36)
Hmm?
Jeremy At Firetail (30:11.407)
versus what information just kind of gets buried and may actually be out there somewhere online, but it's so obscure and it's so disconnected from search results as to be effectively non-existent. Like I get that. But at the same time, you know, there's this argument that could easily be made is like, look, these are teething problems. These are just the results of like a new technology making its way into the mainstream.
As it goes through this, we hit some hiccups along the way. We figure out where the weaknesses are. They get better over time. You know, more data kind of will actually like support this and a few tweaks to the algorithm here and there. And, you know, generally speaking, these things should get better at understanding our intent as far as what we're trying to accomplish. And then, you know, doing that and along the way, you know, I can share some
anecdotes from our own team where we've started to use ChatGPT for a few things in the realm of content generation. And in particular, I gave a talk at a conference recently about API security and I wanted to summarize a report that we had written. It was about 40 pages, relatively text dense. And I wanted it condensed or certain aspects of it condensed into a few bullet points. And I asked ChatGPT to do that and it did a really good job. And then I told it, you know what?
tone it down, make it more casual and familiar, and it did a good job of that as well, which is something that, you know, a year ago it may not have been as good at doing. And so I can see there's a layer of progress here. That would be one counter argument around it. What's your reaction to
Trent Gander (31:49.694)
So I don't deny that ChatGPT is an amazing tool for when you actually put information into it. It's when you don't know how to put all the information into it that it starts to create a problem. So, hey, tell me about xyz is literally three or four words for the prompt or a couple of paragraphs compared to how some people have been doing where they essentially write four to five pages of a prompt, write an article and do all those other things. And they use it to the best of their ability and it creates
great work and it creates great summaries and all these other things. I'm not denying that it has a utility. I'm looking at the lowest common denominator of someone who's going to that to have all the answers given to them. You already had the information, you can verify it. You know what you said, you know what all the other things are. The issue is when somebody who doesn't, someone like an older person, someone who is just getting into computers, someone who is just not with
Jeremy At Firetail (32:29.238)
Mmm.
Jeremy At Firetail (32:32.609)
Yeah.
Jeremy At Firetail (32:37.922)
Gotcha.
Jeremy At Firetail (32:43.105)
or somebody who gets all their news from Facebook, for instance, and then, you know, kind of that self-referential echo chamber effect and, you know, least common denominator to your point. I get what you're saying.
Trent Gander (32:55.358)
And on that other aspect is who controls the algorithm. That is a significant concern within the firearms sphere because Facebook has not been friendly towards firearms, the firearms community, despite the fact that there's a bunch of great people and a bunch of all everything legal. There's just an almost malicious intent in how much its reach is strangled. And that's across the board for YouTube.
Google and all of its subsidiaries to the point that a lot of like advertising and customer outreach for firearms companies who just wanted to reach their customers who've worked with them before have to resort to 1980s technology. They have to go through emails, through newsletters, physical copies of things. And I'm not saying that that is across the board what's happening on every level. It's just that there are certain
There are certain biases that have to pop up and have to be accounted for when we're dealing with the development of algorithms, programs, and other things. And that's just the case with anything. Who's making this product? Why are they making it? Where is it going? What's it doing? These are aspects of all security that we have to take into account. And unfortunately, I encounter a little too many people on Facebook, because I'm on there a lot, who think that everything is puppies and rainbows and sunshine when there are legitimate
malefactors out there. Within the last month, I had someone impersonate a dead relative trying to do the, hey, I just found out this great new thing. You want to sign up for the NIH scam thing? And it's like, I know this person's dead. Everyone else knows this person's dead. The person who's impersonating them doesn't know they're dead, which was, I found very amusing. I had a lot of fun with that. But what about the person who doesn't realize that somebody's been hacked? What about someone who doesn't realize that
Jeremy At Firetail (34:31.029)
Yeah, yeah.
Trent Gander (34:48.24)
Some people are just mean because they want to be mean. And some people who just look at you as a paycheck. These individuals do exist. Now they may not exist in large numbers, thankfully, but we can't. They're the ones who are doing most of the problems. They're the ones who play outside the rules and don't recognize the rules at all. Instead of realizing that the rules are there for a reason, they will continue to act and they will continue to benefit themselves any way possible. And
where most of security is focused. It's focused on the individuals who are mean-spirited, who are predatory in nature, rather than your sweet, lovable grandma who just wants to get her bills paid. Stuff like
Jeremy At Firetail (35:29.539)
Yeah. I want to get your take with kind of, I think, the last question that we've got time for. I know we're kind of coming up against time here. On this point about, let's say, who controls the platform, who controls the algorithm, what effects that has on the availability of information, data, or content on those platforms. In the work that you've done with law enforcement and with armed forces, how are those organizations thinking about these platforms?
because they're probably not going away. And I could imagine that law enforcement is probably maybe somewhat happy that there's not more firearms information available on social media, for instance. I don't know how the armed forces might feel about it, but I'd just be curious to hear what some of your observations are, some of the things you're hearing from those types of organizations.
Trent Gander (36:20.366)
So there's an interesting aspect. is the people on the ground who want people to be able to defend themselves and essentially lighten the load of police. And then there's the opposite aspect of we don't want any information out there at all. I generally classify this as the American mindset versus the European mindset. European mindset doesn't have to be based out of Europe. The government is there to take care of you.
weapons and stuff like that is their concern and the viewer not specifically in that area, it's not your job to deal with it. Well, the American mindset is it's all going to hit the wall at some point. You have to be able to figure things out and knowledge of firearms is actually a lot better because weapons if you find a firearm, you mishandle it, you've hurt yourself, you've hurt somebody else by accident compared to, okay, I know how to handle this safely. There was a
a big push by the NRA in the 90s with, I think it was Eddie Eagle for gun safety. And the less information that's out there about firearms, higher likelihood you have of misuse. It's very similar to computers. I'm going to click on all these random links because I don't know that most of them are probably phishing scams. The funny thing of it is that people focus on the crime aspect of firearms.
but they completely forget that things like explosives are very easy to synthesize at home. And the information is out there. You can buy a good handbook on it for like 10 bucks and it's completely free provided... No, no it's... So the Anarchist Cookbook, the ones that are out today mostly have been doctored a little bit so that people who take those and use them actually harm themselves so that people can track them a little bit better. However...
Jeremy At Firetail (37:50.211)
Mm.
Jeremy At Firetail (37:55.908)
I think the Anarchist Cookbook is still pretty widely available as a PDF, no?
Trent Gander (38:13.15)
The manual to improvised explosives put out by the DOD from 1956 is still readily available, still accurate, is marked for dissemination in perpetuity. And it gets surprisingly wild and surprisingly easy to do anything with it more than people actually expect. And the only difference between a couple of household items, we'll call them,
and a terror event is literally just intent and knowing how to combine them. And you can do that relatively simply, but it's highly recommended that you do not do that. There's a lot of stuff about transporting explosives that requires a lot of licensing and a lot less requirement for synthesizing and blowing them up on your own property. But if you're listening to this, do not synthesize explosives in your home.
or in any place you own, gets sticky really fast and it gets dangerous very quickly, contact your local law office and don't do it.
Jeremy At Firetail (39:20.513)
Yeah, yeah, yeah. Well, I might disagree as somebody, by the way, who is a dual American and European citizen, I might disagree with the American versus European classification of the spectrum elements. I've certainly experienced people on both sides of the Atlantic Ocean who are also on both sides of that spectrum. So I might have a little bit, but I take your point very much about kind of, you the attitude towards what's better, more information versus less access and availability. And I think that's really
an interesting spot to leave today's conversation on. Gander, it's been a real pleasure to hear your perspectives on this as somebody who spends time in, again, an area where I myself don't spend a lot of time looking at this convergence of physical and cyber, looking at the availability of information, some of the trends in this area. For people who want to find out more about your work and some of your writing, what's a good place for them to find you online?
Trent Gander (40:13.586)
The best place to find me is on Upwork and LinkedIn. My personal email will be put at the end of this podcast as well because I check that all the time. I'm happy to help and consult with whatever you have need of, specifically in the law enforcement and military space. And I hope to be on again and have another great discussion.
Jeremy At Firetail (40:32.521)
Awesome, awesome. Well, we will have those links in the show notes. For those who are listening, if you've got a second and you've enjoyed this conversation or any of our previous episodes, please do us a favor, rate, review, share, subscribe, all that good stuff. You know what to do. Until then, we will talk to you next time on another episode of Modern Cyber. Bye for