Ep.1 - Jordan Wiens aka @psifertex, Co-Founder of Vector35, BinaryNinja
Like, okay, is this what I want to keep doing? And the answer was absolutely.
Like, I really I want to keep doing this. Like, I'm not, I don't feel
like we've solved the problem. Like, IDA is still the major dominant tool, you know,
technically there's still problems that I want to solve. I
think we're the product itself is at a spot where it can now,
replace IDA for the vast majority of users. And so now we just gotta
go, like, show everybody, like, convince them and, like, demonstrate it and be like, hey.
Listen. You can you get all these advantages. Let's let's let's get
everybody switched. And so that's super exciting. Like, I feel like
we've we've done some of the hardest work, and now we can reap the rewards.
This is Hackers to Founders, a podcast about cybersecurity professionals who
have reached the pinnacle of their cybersecurity expertise and have ventured
into new frontiers. Whether it's launching innovative start ups or making
impactful investments in our industry. My name is Chris Manistrato,
and I'm a vulnerability researcher best known for traveling and meeting hackers
from all around the world. And I'm using what little extrovert
skills I have to introduce to you hackers that are
changing the world. Today, we are joined by Jordan Wiens, a cofounder of Vector
35, a long time DEFCON CTF participant and winner of
multiple years, who will share with us a unique story of Binary
Ninja, its creation, and where it's going to go into the future.
This is hackers to founders. Alright. Welcome,
everybody, to the show. My name is Chris Medistrada. I'm joined here with Jordan
Wiens. Did I pronounce that correctly? You got it. You got it. Is
it German or what's your name? I think it's I think it's originally
like Wines, but, like, we've always pronounced it Wines, so my family has spelled it
that way. My grandfather's brothers were born in Germany. But
Okay. That's so funny. Like, mine's a magistrado, but I think it's, like,
technically maestrados, but, like, I'm like Yeah. Filipino
Anglicized. Oh, that's funny. Excellent. Yeah. We
were just talking about, different processes in in terms of, like,
starting a business. I'm one of the founders of Vector 35. It'll be 10 years
this January. Which is bonkers to me.
But yeah. So there were there were 3 of us originally and,
like, 3 technical cofounders. 2 of us sort of split all the administrative duties,
which is I was also really nice. Having another cofounder that, like, could we
could each be part technical and part administrative actually helped a ton. So we've been
able to grow, I think, really a lot bigger, you know, like I said, even
sort of lacking as much administrative as as maybe we could have a lot because
of that. Because Peter and I split that role and that that helps a ton.
It's also just nice too to feel like, you know, we're engineers trying to figure
out marketing and pricing and, you know, contracts and Yeah.
So like all the books and things and trying Yeah. Especially 10 years ago, there
was there even a lot of, like, cybersecurity companies,
startups, or even resources to learn about how to work with governments on
that? Yeah. It was like, we had well, so what we did have was we
had a sort of, like, mentor network. So we had Mike Fransen from
Kudu Dynamics, who we had
previously worked with, at at back back at Raytheon before
that. And, in fact so we got our we got our start as
a company, working on Cyber Grand Challenge. The the DARPA
CTF, like, robots playing CTF, like, automated. They you know, the the winning winning
team went to go play in the Defcon finals. So that was, like, our first
contract. And it basically was a matter of, we were Peter and
Rusty and I, the 3 cofounders, were all working at Raytheon at the time. And,
they CGC basically needed help running, like, the
visualization side. So they had a game company that was contracted to, like, build visualizations,
but they didn't know anything about capture the flag or security. And so to be
like, hey. Make a dashboard, make a visualization,
was was, like, not easy for them, and the people running the game didn't have
time to, like, translate everything or to, like, babysitter, like, work with not
babysitter. It's a bad it's a bad way of saying it. Really, to work we're
closely with the game company. Educate. There we go. It's a much better one. So
that was we basically got brought on to that. So Rusty and I started on
that contract, and, like, that was the start of our our our company. So Mike
Fransen was one of the people working that. We were I remember I don't think
we directly subcontracted to him, but he really helped us to a ton.
Gave us his rate card. He's like, here's how you structure it. And here I
mean, we we had, you know, working right then, we had a lot of some
intuition. You know, we were we're technical, you know, tech leads,
so we knew a different contract type, contracting types, and and scheduling
a proposal process and stuff, but we were not the program managers doing some of
the details. So we had, you know, a little bit of learning curve, but certainly
less, I think, than if we had started from scratch. And so it it helped
that we we we had that kind of basis and and that's yeah. That's why
we started the company with that contract, basically, paid the bills with that, and
then, you know, like, it's not like a startup where, like, you grind the startup,
like, 60 hours a week on your your product or you take on VC money,
whatever. We did, like, 40 on our contract, and then Rusty
dropped down to, like, 3 quarters time. And so he was working on Binary Ninja
on, like, the the other 3 quarters as well as extra time. And so, you
know, we were both, like, working working extra hours, but, you know, the
bulk went to the contract to pay the bills. So we, you know, we took
a salary. We had a nice benefits, and we had a budget, and we had
a rate card, and then we could do that. So so the the actual product
for, like, binary binary ninja, was this already in place where, like, you
guys were developing it and saying, like, we already have Yeah. It's it's part of
the contract or it's part of a buyer already. It was a part of the
contract, but it was a part of our design for the company. So we in
fact, you know, like, that was one of the pitches, like, when Mike first reached
out to us. He's like, hey. Do you wanna go build that binary ninja thing?
You've been you've been thinking about it. We're talking about it. So you guys We're
talking about it. I really wanna build this thing anyway. Well, because it it so
it existed. Yeah. It actually there in fact, it's there's even an open the the
original version is is still out there in open source. It was a GPL Python
version. In fact, we had somebody accuse us of, like, ripping off a Python. Like,
you know, how dare you rip off this existing project? And we're like, 1, we
wrote it. And 2, we don't have to we can relicense it however we
want. And 3, it's rewritten completely. The new one's all C++. So we
have, like yeah. We had written Binary Ninja for CTF. I don't know, Rusty. First
started it. Maybe 13 years ago, 12 years ago. Like, it
was built internally just to help our CTF team. And then
it had a so so some of, like, the design that kinda carried
through the name carried through, but that's about it. Like, the actual code
was, like I said, completely rewritten. It was all Python before, and it was
completely rewritten in C++. It still has, like, a the Python plug in
API now, but but the all the analysis is C++. So
rewriting it basically was our first, you know, order of business, and we
basically started that. Like, even just, like, right as we started the company, we're
actually doing that in the side. And then it was about a year after we
started the company before we launched the first version of it, which I'm almost embarrassed
now when I look back at, like, the features it had. Like, people paid us
money for that. Like, we didn't charge a lot less, but, it's crazy how far
it's come. Nice. Beautiful. And, like, so you guys
were developing the company and the product app while you guys were still at
Raytheon? Was No. No. So we yeah. Well, so the Python version.
Right? Like, the open source Python version was was was built at
Raytheon, and then, basically, we quit there, started Vector
35 January something, whatever I guess. And so it's by the way, it's
Vector 35 because we were all 35 years old in 2015.
So it makes it easy to keep track of the yeah. Yeah. So 2025 will
be would be a decade. Yeah. But Peter, Rusty, and I were all born in
1980. So so we, yeah. That's
that's how we started. And then we we basically rewrote it then,
ourselves, like, a sort of, you know, clean code base, for the
ground up after we after we start the new thing. So, like, I know, like,
like, certain companies, it's like if you do, like, Apple specifically. Like, if you design
anything while you're working at Apple and then even, like, sometimes it's, like, 5
years after we started to own that. They owned all that stuff. Yeah. So
Rusty didn't didn't have that agreement because he started so early.
His stuff wasn't locked up. And they had they had gotten some people. In fact,
I didn't have one either. I was I was one of the last people that
was hired before they started doing that, for employees. So
we never had those agreements, and so we were pretty flexible,
with with the IP one. They also had like, you could also declare a thing
and be like, I built this on my own. It's independent. You don't own it.
You could submit that paperwork even while you were there for them, which you may
have even done even though you didn't need to. I don't think. I don't
remember the the the specifics of it. But, yeah, there was a web. But, yeah,
Apple is notorious for, like, you don't touch open source while you work for Apple.
You don't do any other side stuff. Like, you are completely locked down. Yeah. It's
completely wild. Like, I have I have like friends that are like
leaving their it's from the security aspect and they're like, yeah, I gotta like wait.
And this is before I can even make my product and things like that. And
they'll be like doing red teaming at, at Apple and it's like, yeah, I got
something good but I gotta wait the 5 years before I can even create it
which I don't know cycles innovation creativity. But Yeah.
I they I love Apple products. I'm a huge Apple, like, fan as a
consumer, but, I don't know that. And and I've heard a lot of good
there's some good things about the structure with their like, the impact you can
have when you go work there. There's a lot of great people, a lot of
good friends that work there, but, yeah, I'm not a huge fan of, like, the
way that they approach stuff like that. Their secrecy, the, the
lockdown kind of requirements. I do know one person right now, I'm not gonna
name, who's trying to, like because there is supposedly a way you can commit contribute
to open source while you work at Apple. And, like, you can get approval and
go through a process and give us a second. He's working it. So we'll see.
We'll see. I wish him I wish him godspeed. But Yeah. I'm I'm happy, like,
we started this this conversation. We kinda just jumping into it. Yeah. Straight
in. You We're talking about entrepreneurship. You're talking about your company, Vector
35, and then even a little bit of government contracting.
But the audience, maybe they don't know too much about yourself, and, like, how
you entered into our our industry. And then
Yeah. Even, like, what you did and where you started at Defcon as well. So,
like, we'd love to hear a little bit more about your background because there's it's
been there's a lot here and super interesting. Yeah. Thank you.
So so I was always into computers. I went to college thinking like,
oh, well, now I'll get a real degree and do something else. I got a
lie in my head this was this was a thing. Were you
playing with computers at your house before college? Like I yeah. I
just grew up. I grew up. My dad my dad had a computer. I I
was always I was, like, very straight laced. Like, I never
smoked like, I was just very, like, straight edge kinda, like, as a kid. And
so, like, I never did anything illegally, like, hacking wise, but I was always super
into it. I was really into computers. I was, like, running,
running Linux at home and, like, you know, I started kinda, like, teach myself
programming from, like, 3-2-1 Contact magazines in the back. So I was kinda
into What languages was that? BASIC. Just like old
GW-BASIC was the beginning. Yeah. I wish you know, it's funny because Rusty, my
other cofounder, is was highly technical. He wrote his first emulator at the age of,
like, 14 and it was bought by TI. Like, he Texas Instruments bought
his emulator because it was better than their official one, like, licensed his
tech. So he was, like because he was doing the same thing. How did you
even have a conversation with TI about that? Like they reached out to him as
as I understand it. Like, yeah. It's it's kinda crazy. You can in fact, you
can actually find I was writing stuff for the TI, like, all the old, the
Usenet forums like ticalc.org and the old, forums and
stuff. But I was running base TI basic programs, and he was in here, like,
hand coding assembly, writing writing emulators for the
hardware, like, you know, pre Internet. You also were selling to to TI,
teenage age as well? No. No. I was just in the same, like, the TI
calc programming scene, like, writing little apps because, you know, you you would write apps
and post them on like, at the beginning of the Internet, like, early, like, Gopher
even days and Usenet and that kind of stuff. So I was that
was kind of part of what got me, like, online a little bit, but I
was not no. I wasn't nearly as good of a programmer. I I was good
with computers. I was very good with computers, and I had to, like, a lot
of, like, IT jobs. My first job was selling dial up Internet accounts from the
mall. I started doing tech support for them. Or a different variety? It was a
it literally called Internet in a mall. It was a very brief they went out
of business long after. It should be a kiosk in the mall, you you do
it from. And I worked for Gateway computer tech support, for a while to, like,
phone support, which is the worst. So we're, like, an outsourced reseller. So they would
call up, and we didn't even have the customer database. So we'd have to be
like, okay. Open up your case and read me serial numbers and look up in
a physical book to find the model numbers to get the download URLs to, like,
drivers and stuff. It was it was abysmal. But but
it was, you know, it's a good learning experience. Actually, I met Jayson Street of
all people who is is active in the security scene. He was, like, my boss.
And we discovered this, like, 20 years later. We're, like, wait a minute. I know
you. It just it took us forever to figure it out because we just, like,
didn't go back far enough. For those who don't know Jayson, who's
Jayson? Yeah. Jayson Street is, it's very, like,
famous, pen tester. Does a lot of stuff, in
the the security community. Just Google j a y s o n street. You can
see a ton of talk show, man, really. Excellent present, presenter
as well. Yeah. Great storyteller. Good presenter. Yeah. So,
so yeah, he was like my boss, like literally in 1996 or
something. And then, yeah, I went to college
thought like, okay, I'll get a job. Didn't think about
computers. I was dual math, computer science, but I started working for the
university. You said dual math. So are you doing, like, applied
mathematics? Or It was number theory. I really
loved so I wanted to work for the NSA.
I just thought I read a lot of spy
novels as a kid. Yeah. I just, I read a lot. I read a lot.
I read a ton. I love spy books. And so I studied,
Mandarin in college. I was a math major and a computer science major. I was
like, because they hire 4 they at the time, they hired 4 things. I heard
hardware engineers. I didn't wanna deal with that language, math, and computer
science. And I was like, well, I got 3 of the 4 covered. I ironically,
9/11 happens, and I I dropped off a resume at the booth, like, that came
to a career fair when I was already working for universities. I started working part
time for university. I turned into a full time job. So I dropped off a
resume, never heard back. I who knows what what
happened with it? And then and then years later, I was working for them as
a contractor. It cost them a whole lot more money. So that would've would've saved
the government some some cash if they would've just, gone through that. So
yeah. So I I started working, like, IT jobs at the university, and I had
a server set up set up this, like, Red Hat Red Hat Linux 5,
not Red Hat Enterprise Linux, like, Red Hat 5, the old school. It was
like I still remember that when you set up your sound driver, it would be
like, my name is Linus Torvalds, and I pronounce Linux Linux. Hello.
This is Linus Torvalds, and I pronounce Linux as Linux.
Like, it's Linus, but you pronounce it Linux because there was a big debate.
And Yeah. Yeah. Like, that was the that was the sample file that would play.
So, yeah, setting up that and, it got popped. Like, somebody
had, like, a a print server bug that they were that they I set up
the server, like, overnight, didn't finish the updates or something, came back to work the
next day, and it had been unplugged. There was a note from my boss, like,
hey. The security coordinator for the university says this was sending spam.
They got reports that, like, overnight, it was served the weekend or whatever it was.
It was sending some spam out, and I was I was like the Internet and,
like, someone on the on the So got it or was it Yeah. It was
it was Internet. Everything was public IP at the time at the university. There was
no, like, firewall. Oh, no. This was, like connected. It's public? It's
public. Yep. Go live. Unless you had your own map. If you unless you unless
each department like, the universe the dorms had a map, for example, or, like, certain
departments maybe have, but, like, by default, just, like, yep. It was all
there. So, it was the Wild West, and and that was, like,
all that would happen. Like, you, like, you would just send spam. Like, that was
that was the only, like, malicious thing that would happen basically at the time. It
wasn't it wasn't even, like, botnet era. So this is, like, 2000, maybe 2001.
And so I was like, woah. I got hacked. This is so cool. And so,
like, I did some kind of basic forensics and, like, wrote up a report for my
boss. He forwarded on to Kathy Bergstrom, who was the newly hired, like,
university security coordinator. And she was trying to hire, like, a security engineer, and she
was like, oh, are you interested in this position? And then she was like, oh,
you're a student still. Like, I don't want a student. I'm like, no. No. No.
Please. Please. The security stuff's amazing. I wanna do this. I've always wanted I just
never had an excuse to do it. And so, anyway, I talked to her into
it, and that was my my first security job was doing,
like, forensics, incident response, network. I got to do, like, the the
firewall and set up, like, a a had a 10 gig IDS system we
had built back in the day. I mean, you know, like, we had serious pipes.
Yeah. So as as a research university, you know, we were on Internet2,
whatever it was called, a bunch of different names for it. Like, we had
really high speed, connections. So trying to, like, buy
a IDS that could even go that fast. We actually built our own. We ended
up using a bunch of different stuff. We used, you know, Bro at some
points and Snort and bunch of different things. But, like,
these NDAIS, I think with the the accelerated video cards, you can actually
put rules on the the the NIC itself and do it like an FPGA, basically,
so you could do line rate, detection and filtering and alerting.
And so, yeah, it was a super fun gig. I got to do kind of
a lot of, like, a lot of stuff. What was the first task or job
that they assigned you to as soon as you got the the role? Do you
remember? Oh, that's a good question. I
think the first thing I did was,
I automated what was the vulnerability scanner? I
I ISS from, like,
IBM or one of the, like, one of the early, app scanners.
I it wasn't Nessus. And maybe at one point, we switched out to Nessus, but
I basically, like, did some basic kinda, like, scripting and automation. I wasn't much of
a programmer, but I was really good at, like, scripting and shell scripts and,
like, kinda cobbling things together. And so I automated, like, this always on
scanner for a couple of things that were, like, really common at the time that
were causing us trouble. And so it would just automatically sweep all of our IP
space constantly and then either send emails or, you know, take some kind of
automated action. And then, like, we eventually several of us built,
like, this this sort of, like, automated response system. Like,
It sort of predated SIEM or SIM or whatever. It was kind of a little
bit of that where it would pull from, like, pull from the the campus
captive portal logs and pull from, like, the dial up IP logs and pull from,
the map of which network administrators have which IP space and, like, have this
database, and then combine that with abuse complaints or
alerts from our system or the DMCA complaints or whatever, like, all this different stuff.
And it would just automatically have a bunch of rules and send emails for us,
like, our little ticketing system internally. So, yeah, just trying to automate as much as
as much as possible, and then getting to build out, like, the IDS and actually
go and physically, like, deploy it like all the different pops all over campus.
You know, this this this IDS box. We had Dragon, IDS way back in the
day, Ron Gula, and that was that was a it was a good idea.
Yes. I enjoyed I enjoyed working on that. But yeah. So that was my network
defense, my first my first security job. Now I'm building a lot of tools
internally at the at the college and setting it all up and, like Yeah.
I haven't, like so, like, jet I have, like, 2 questions. 1, like, how difficult
was it to keep those, like, pipes open in terms of, like, the data flowing?
And then 2, when you left, was it easy to hand over all of the
things that you had built? Because this is, like, a whole, you know,
program. Yeah. Thankfully, there were enough by the time I left, there were about 4
or 5 people on the team. And so we had grown the team, and so
I wasn't, like, the only person running stuff, for quite a while. And so there
were there were definitely enough. I didn't feel like I was leaving them in a
lurch. There were a lot of other people. And that system was still
running up until a couple years ago. I don't even know if it is right
now, but I went back and visited the campus and talked to all the guys
who was still there who who I was has stayed around. That's right. It I
mean, it's both terrifying and it feels good. A little bit a little bit of
both. Yeah. Exactly. Like, it was, I mean, this thing was written in. There was
Perl in there. There was some shell scripts. There was it was
it was a whole but, like, you know, if it ain't if it ain't broke.
And the concept I think, yeah, to this day remains really solid, like, to
really just get all of your logs. Even, you know, a great example is I
remember at one point we got early flow data and, like, just gather everything. You
never know what's gonna be useful. Like, the the the week that we storage for
it all? So we had decent storage, and we would only keep,
like, a week of it or a couple days of it or whatever. Right? Like,
we didn't need because even even a week worth of full flow data for all
all of campus was fantastic. And it was it wasn't like all the
internal routers, you know, necessarily. It was that, like, some of the main there was
a couple of main main pops, like, on campus that we would we would get
the the cflowd firmed or whatever. And so when we started aggregating all
that, like, we actually had a a law student who left
a laptop plugged into a, like a podium in a in a
classroom overnight, sent spam for a local club to a bunch of
emails he had harvested from the campus directory, and, then
came back in the next day, pulled it, and and, like, took off with it.
And he had remote controlled it over, like, and he did
something where basically we were able to, like, correlate the,
the only what had happened because he had remote
desktop into it from his, like, campus,
portal account from some routes on campus. Right? So he had, like, use elsewhere on
campus, and he had, like, RDP'd, VNC'd, or whatever it was, into the box. And
we saw that flow, and then we can look up his logger for the original
machine. So it was only because we had like, otherwise, it would've been this ephemeral
IP that shows up since spam is offline. Like, where in the world did that
come from? Right? So Investigations are happening within that week span of, like, when
you have Yeah. Like, I mean, we we got, like, spam a bunch of spam
complaints, like, immediately. We had headers, and we pulled the logs, and we know exactly
where the machine is. We can tell like, this ephemeral thing. The MAC address hasn't
been seen on a wired port before on campus, and, it's gone
again. But then I was, like, oh, we got this new, like, flow data. Let's
go look at it. We can see, sure enough, all the app on us in
DP, and then an inbound RDP, and it's, like, oh, hello
there. I was still disappointed that they apparently like, the guy was, like, not
really punished their that's a lawyer. They they really should have
the the rule book thrown at them. Like, they know better. Like and it was
clear that he knew what he was doing was not okay. Right? Because he he
went to great lengths to obfuscate what he was doing. Right? Like, he didn't just
do this from a machine he was logged in to. He intentionally wired into a
different network, controlled it remotely, and then and did it that way. So I was
a little disappointed that they didn't, the punishment wasn't wasn't particularly
severe, which was a little bit disappointed, but that's what it is.
Yeah. Interesting. Wow. Yeah. The, the my
experience of working at not working. Well, before working. So I was
at Georgia Tech at the Institute of Information Security and Privacy working, like,
a 150 servers for the PhD students that were, either
malware research or vulnerability research and No. Wait. Was that
Georgia Tech Lab the same one that just recently got, in a little bit,
like, the news for NIST 800-171,
stuff with the I don't know. I'm gonna reach out to you if I Google
Google Georgia Tech and NIST 800-171. It's for what it's worth. I'm on the university
side. That's a whole it's a long story. That's actually, that's a really separate interesting
topic about sort of, like, the over classification slash the creation of, like, this
new,
class of protected data called CUI or CDI, which is really, I think,
a problem for small businesses. Like, the big contractors love it because it's gonna
lock out small businesses from doing, defense contracting.
The here we go. CUI, Controlled Unclassified
information. Is this a new standard or requirement? Yeah. So it's basically a new
requirement that, there was I forgot what it's it's an executive order that
basically was, like, the safeguarding defense material. Like, a lot of I mean, it
came from good intentions. Right? Like, after the, OPM breach and stuff like that,
where they're like, oh, we need to protect information.
The problem is, like, it's unclassified information, but they
still wanna, like, make sure it's taken care of well. And so they asked
NIST to write a whole bunch of, like, rules about,
like, how would you do good comments as practices. And, like, a lot of it's
fine, but the problem is just it's a 122 pages of government
specification that you don't have to read and conform to and, like,
do an audit or self assess and a test. And, you know, it's
like, I I understand how to run a good secure network. But,
like, as a small company, I'm not gonna, like, clap on those
ankle irons to, like, slow down how I do development
or how my, you know, engineers work. So, like,
yes. Two factor auth and everything? Absolutely. Password change policies? Maybe
not yours because, like, there's a lot of debate as to what's a good password
policy, but, audit log and review, certain, like, you have to look
locked out. Yeah. It was just a bunch of stuff that you have to do
that makes makes contracting hard. Anyway, let me back up on my my
my bio for a second too. So, like, that was network defense at UF,
and I started playing Capture the Flag. And that's what, like, got me into offense.
I did. Yeah. So I started I went to, like, a SANS conference, like, when
I which I forgot what SANS course it was in Orlando, doing,
like, offensive security stuff. And I was like, oh, yeah. This stuff's fun. Again, I've
always wanted to, like always wanted to do it, but and this
is like a a legal way. Exactly. Exactly. And so, like, that was
super fun. In fact, one of my one of the people in the class was
was Atlas, a dear friend of mine to to this
day. And he, like, went on to play Defcon
CTF that next year. And I was like, dude, how did you like, I met
you. You were not that good. Like, no offense, man, but you were not that
good. He's like, no. Like, I did this whole boot camp. I guess somebody else
mentioned me. I wrote my first exploit and started, like, you know. And so he
kinda described this process, and I was like, I'm in.
It wasn't an official boot camp. It was more like a mentorship program, like, you
got somebody else to, like, just reach out. And he basically offered you the same
to me. He's like, hey. I'll I'll give you, like, some challenges. You can work
through it. Like, you can join I'm putting together a team. And, so we
we started a team and then we play so he he he
played as, like, a Ronin. That was the last year that you could play as
an individual. You could show up and play as an individual at Defcon. From then
on out, last 20 something years,
There were still several 100. I mean, that would have been
actually, you know what? I have a, a, a Google Sheet where I
track the history of DEFCON CTF.
Yeah. I don't know if I've added this last year, but,
out here, it's history of Defcon CTF. Yeah. I'll drop a link, if there's a
yeah. Let's check here. Yeah. Yeah. I see it.
Alright. It says whisper backstage, but there you go. You should be able to see
that. So, let's see. So that would
have been so let's see. The first time I played Defcon CTF
was at the Alexis
Park in 2001.
Yeah. So I played kind of a one off,
yeah, at DEFCON CTF. Like, I barely just turned 21
even. And, that was, like, pickup. It was a pickup game. You could
just walk in and sit down and, like, go. It was it was kinda wild
and crazy. Right? The
yeah. I mean, it was still a a oh goodness. I don't
know. Yeah. I mean, it was it so the Alexis Park as a hotel was,
like, very different. Right? Like, it was kind of, like, apartment style, like, hotels that
spread out, like, more resource style. And there was, like, literally a tent on
the roof. Like, can you imagine a Vegas? Like, a tent on the roof. That
was the year, like, Cult of the Dead Cow released, like, I think, BO2K
or something. And they announced that from from
one of the rooms. That was Dmitry Sklyarov, the
PDF. He reversed the year that they were, like, ROT13. Like, that
was their encryption, and, like, he was arrested by the FBI. That was that that
same year. ROT13 was the encryption? Yeah. It was basically
it was basically ROT13 it was a little more than that, but it was basically
ROT13. And then, like, he announced it, and then the FBI arrested them. And
then and people got a ton of flack, and Adobe's like, no. We're not pressing
charges because they don't like, they suddenly realized it was, like, against the, like, public
perception. But yeah. So it was Defcon 9, 2001. But then I I I didn't
go to it for the next couple of years. And then I came so then
Atlas was 2005 when he basically soloed, like, played as a as a
Ronin. And then it was 2006. That was the last year. 2006 was the
year you had to, like, qualify. The only way you could play was to qualify.
It was only teams that, only has teams. So that was the 1st
year I played, and we won that those
next 2 years. And I was also on the team that won in in 20,
2009. So first year you're 3 You just like you you
didn't win, but you were you're getting No. We did. We did win. Yeah. We
actually yeah. I got lucky. Well and so I yeah. I got with smart people.
Right? So again, we had Atlas. We had Doc Brown. We had Burfra, like, a
bunch of really good people in the team. And,
so it was 7 or 8 of us. And yeah. It was like when that
was, like, really when it started to, like, evolve. Like, it
went from, like, it's all sort of own art form. Right? Like, DEF CON
became very kinda, like, more specialized, and, like, the game was getting tuned and tweaked,
and, like, people really kinda, like, honed in on what made Defcon CTF Defcon
CTF. And that was really, I think, when it when it even actually
the year before. I would say, 2005 is when it really started that process when
Kenshoto showed up to take it over. Oh, even Ghetto Hackers. Maybe 2004
began it, and then it but really the game as it existed in 2,000, 2005,
2006, hasn't substantively
changed. The only real difference was, like, the CGC introduced brokered,
where basically, it it used to be you just got a server and you're root,
you logged in and you defended your server. Right? And then there was some other
mechanisms that the organizers had. There was that This is for well, this is, like
yeah. So it's always been attack so the actually, the first 5 years or 6
years of it were, like, just kinda, like, show up and plug a machine in.
It was, like, really poorly structured. Like, plug a machine in and see what happens.
Like, that was the CTF. Yeah. Hack each other. Like, run some stuff, I guess.
It was it was a little little weird. And and it was it was the
last year at Ghetto Hackers and the 1st year at Kenshoto when they really
started to, like, no. No. No. We're gonna give you a VM image preconfigured. You
have these services. We've custom written like that happened really then and
started to kinda mature. And then really the only you know, there's been a lot
of changes in, like, OS or network or, you know, stuff over the years. There's
been a couple of new innovations like, King of the Hill style challenges,
where, like, it's you can iteratively, like, whoever solves it with the fewest bytes, and
then you can continually kinda do it. And so there's, like, a sort of a
separate style challenge. But mostly, it's been yeah. Attack-defense. You've got a
server, attack it, and defend it at the same time. So you're writing
patches for your binaries. You're you used to be able to put network firewalls in
place. That's part of the game that's changed. They sort of removed that. People got
too good. Like, people figured out too many generic defenses.
Right? Like, if I can just run my server, I'll just virtualize your
entire thing, lift it to something else, and then emulate it or put it in
any kind of thing that's doing syscall tracing, and I'll block all access to the
key file. Like, ta da. I've secured your server. This is so much of boring,
like, become Superman defenses. And so this the the changes lately
require you to submit your patch to your binary to the game infrastructure
that it's deployed for you. You're not root on your box, so you can't totally
rewrite. Yeah. And often, we'll limit the size of the patch or whatnot. So that's
the trend, the last few years post post CGC. Going
forward in this type of fashion? You know, it's different. I,
it's not better or worse. It's just different. I miss like, there was all sorts
of amazing shenanigans you could pull when you had a full real box in the
full shell. And, and as both an admin and an
attacker, it was so many you'd find things that other teams have forgot or teams
would have wrong permissions or it was all sorts of really cool stuff you
could do, and that's that's gone away, which is sad. But at the same time,
they kinda had to. Because like I said, too many teams had figured out these,
like, just generic Superman defenses that you just could never score them, and that's
really boring. Like, yeah, everybody can do one generic wrapper that just doesn't let
the key get read and then deploy to all their services and poof. You can't
now score on them like that. That's stupid. So, yeah, it's hard to
to to kinda strike that balance. But I do miss I do miss the shell
shenanigans. I that was my main specialty. I was really good at, like, just weird
oh, yeah. Shenanigans. I loved I loved that stuff. Like like,
when you're, when you're we could log into the scoreboard
using a key that they dropped on our box at the beginning of the game,
and the key existed in 2 places. Like, it was in a database that was
in the file on the file system, and no team
removed it in both places. Like, some people would, like, fix the file permissions to
make it not readable for the file, but they would forget the database. Some people
cleared the database, forgot the file. So we had, basically, everybody's login to their score
server, which, like, I could log in as them and score for them, I guess,
or I could log in you know, it's like, what what can you do on
that? Well, one of the things you could do is reset their overwrite token. Alright.
So you you have an overwrite token that when you exploit somebody to prove you
have write access, not just read access, right, you would take your overwrite token
and put it on top of the flag file, and the hypervisor, whatever's doing the
logging, would would detect that and be like, oh, okay. You get points for an
overwrite. Right? So it was just you could both steal a flag and overwrite or
some services maybe you could only overwrite. Right? Depending on the the challenge.
And, so we, for example, click the button
to, like, refresh the override key from School of Root and we would
watch them and wait till they notice. And, like, 45 minutes later, an hour later,
you see them all, like, looking around. Who who did? Who hit the button? No.
Who did the button? No. They go back to work. Wait till they're not paying
attention again. Do it again. So we denied them, like, overwrite points for
a period of time. Like, you can't, you know, you can't get that back. You've
missed that that that time with us. That was really fun. We also logged in
as a different team and gave them points from us because that was back in
the day where you had, 1st Blood. So the first person to score a particular
service got, like, an extra bonus points, and then it was just over time how
many time slots could you could you score in essentially. And so we intentionally gave
low ranking teams first blood against our services that they
hadn't actually done just to deny those points to other teams because we
knew we couldn't solve those challenges at the time, and we were we were afraid.
Yes. There's a bunch of shenanigans. Like, that one's actually a little questionable, I think,
in hindsight. We did ask the organizers at the time, and they were like and
they were like, well, you you did a hacking thing. You got everyone else's logins.
They didn't secure it properly, and you're using that to get an advantage. Like, it's
fair. So there and I I that one actually didn't matter in the end either,
guy, because it turned out that that none of the other teams were actually close
to solving the ones that we gave those points to. But, you know, sort of
defensively, we we thought it might be. So, yeah, I love that that side of
the the game. It was it was fun.
A lot of people have. Yeah. Absolutely. I never I again, I said, I was
always kinda straight. So, like, if I ever was do I love the shenanigans, but
I would always just ask. I'd be like, hey. I wanna do a thing. Can
I do a thing? And, you know, occasionally, they'd be like, yes. Occasionally, they'd be
like, no. Like, it's we've we've gotten both and so, like, there were years that
1 year, when, LegitBS was running at their 1st year, I think,
actually, like, denial of service attacks were kind of a thing. Like, it sort of
unintentionally opened the door to that. And usually, you don't let any DDoS because one,
DDoS is technically uninteresting. Right? And dumb. Like, yes, you can flood your
opponents. Nobody cares. Right? Like, that's not interesting. No. No. No points for
style. And so there's, like, a certain amount of things are just forbidden by rule
and if they catch you, they'll penalize you. And they sort
of, like, one team found a kinda cleverish way of doing a DOS
using infrastructure, and they allowed it, and we're, like, oh, fine. Well,
we have this other thing where we can half close a socket and spoof a
thing from somebody else and, like, trigger it, and it will cause them to flood
somebody else's traffic. Like, sounds like fair game. Right? And they were, like,
yeah. We did sort of open up the rules for that. We're sorry. And they
they ended up basically saying, like, no. You can't do that. We're gonna
give you some points. We're gonna have the other team that's doing the other thing
a little bit of points, and then just stop doing it. Right? So they gave
you a little points for a school idea. No one can now do it. You
had the first person idea. And so, like, that was kinda how they how they
did it. I've seen people get kicked out because they cut cords though. When your
one team was so angry, they've literally went into under the table and cut another
team's cord. They were just, like, bad bad manner, and they were they were kicked
out of the they should've been kicked out of the whole whole convention, but at
the time, it was just they were kicked out of the CTF. There have been
people who who explicitly were denial of service, servicing
before that they were, like, stop it, knock it off and if you don't, we're
gonna kick you out. You're hosting now as well. Right? So you might be, doing
that and that's your host. So you're able to see a lot more of what's
behind the scenes now. Somewhat. Like, I I'm actually I'm so busy with
with so I'm I'm doing live CTF which is, like, sports casted
e sports commentary. Yeah. It was like a 4
hour video too. It was like, oh, it's, it's exhausting. Yeah. And we, thankfully
we have a team of people this year that groups grown a little bit. So
I like the 1st year I was literally on camera the entire time. But now
we can we can we can trade out. Yeah. I just like being, like, you
know, enthusiastic the entire time. Yeah. High energy
and, like, you're you're pretty exhausted by the end. But, I mean, it is it
is exciting. It's fun because you're legit watching some of the best hackers in the
world. You get to watch their screen live. It happens. So, like, it is it's
pretty great. But, like so I'm I'm, like, in with the organizer, you know, the
main, you know, Nautilus Institute team that's running it. I'm not officially
on the team. We do we just kinda like to do our live CTF stuff
sort of sort of separately. We just have enough nothing to worry about. We do
technically have access though to to what they're, to what they're doing. We, you know,
we we talk a fair amount. So we do hear some stuff, but we're just,
yeah, so busy with our little kind of side quest, that that I don't I
don't, I don't worry about that a whole lot. Anyway, I wanted to to go
well, and I'm kinda keeping keeping ear to things. But yeah. So,
like, so so CTF was, like, my my introduction into offense. Right?
That was where I was, like, okay. Cool. Like, this is this is fun. I
like write writing exploits. I like reverse engineering. I was starting reverse engineering at the
university for, like, malware analysis a little bit. Right? Like, I had an IDA
copy back then. And I wasn't very good, but, like, I like the idea. Learning,
like, what resources were you using at the time to to start your reverse engineering
journey? I mean, at the time, I don't yeah. I don't remember a whole lot.
Just Here's the details. Right? Like Just kick off the office. No. Literally. I
have I have absolutely highlighted Intel books still sitting on my shelf at the
office, for, like, you know, it used to be a game to find who who
could find the most typos. There's a bunch of like little either typos or like
errors depending on which version of the books you had. And books they don't ever
they don't ever expect people to actually read them. And like they'll just have
like, oh, so this does the thing. Like, don't worry about it kind of thing.
It's like, I wanna learn. I think I think they do. I think they
do. Like, they did fix them. They would you could send them in send them
in, and they did, do a lot of editions of it. And I I don't
know if any of the typos that I found are still still there in the
the online versions. Because the same same docs are now. Still PDFs
online. But yeah. So I like, I literally I I just would
go through and and learn opcodes and, you know, look at
disassembly, look at look at decompilers. And,
I actually I I taught, an assembly language course at when I
was working at Raytheon. But yeah. So so the the story was I went from
network defense at at UF, Sharpen Capture the Flag, and then turn that
into a job at, a small company called
SI Govs, SI Government Solutions, which then Raytheon bought and they
became Raytheon SI, Raytheon CSI, Raytheon
CODEX, and now they're spot Nightwing is like the the company's had a million different
names. That's the origin of Nightwing? Yeah. Nightwing was well, so so
SI was is not is a part of of Nightwing. But
Nightwing Nightwing was, like, all of the cyber business that Raytheon had kinda spun
off. So it was a bigger business unit, but, like, a big chunk of it
is, yeah, is is is what was originally SI Government Solutions.
And they say government solutions, that was reverse engineering? It was all vulnerability
research, reverse engineering. There was a fair amount of tool dev and stuff as well.
The thing I loved about about SI, was that, like, back in the
day so even, like, several of the I'm not gonna call it explicitly. People I
was playing CTF against or with, at the time, we're working for
other defense contractors, and we're doing the same kind of work. Right? Like,
there were there were folks involved. And, so even some of the
CTF challenges came from, like, ideas or problems they had or stuff, which is really
fun to kinda, like, you know, find out about that. But the thing that
SI did really differently was and by the 3rd by my 3rd
year, of of winning, the 3rd one I had was with
basically a bunch of SI players. So I I switched kind of
from, the original team I was playing with, and and was playing with them.
And, SI had, like, this focus on tool development, like,
not just find the bugs or, you know, do whatever, but,
like, invested a lot of time into both, like, the analysis harnesses and the
fuzzing tool sets and, like, the fuzzing corpus and fuzzing harp like, was doing
more, like, infrastructure around it, which was really fun. So we actually had a pretty
good sized staff of, like, just raw developers. There's people building
tooling, and then we had it was kind of this internal split, which I think
now there was some some issues with that in terms of, like, the, you know,
the vulnerability research or hacker cool kids were kind of annoying and the developers were
like the adults in the room, like, y'all grow up. And now I'm the developer
going, oh, I'm so embarrassed about the way some of some of us behaved.
But, like, it was but it was great because we did have that that balance,
which I think a lot of a lot of companies didn't. And so that was
and yeah. So they hired me because I was doing tech writing for for magazines.
Yeah. So going to that, I I Yeah. I was reading that and then I
think, there's a talk that you gave recently in Germany at one of the institutions.
I Yeah. That video and I was like, how did you go from,
like, technical writing and say like, oh, I I wanna actually do this. And do
you just run to the manager? I'm like, okay. I'm your guy now. No. The
the funny thing is I didn't even know that was the plan. Like, literally
so what happened was I was, you know, I was playing CTF. I was getting
a security. And at the time, like, SI was like, how do we hire people
who can get clearances and write exploits? Right? Like, that's a pretty rare
it was people that you could write exploits, but maybe they weren't clearable or, you
know, vice versa. Exactly. And that's where our company, Top3d Recruiting,
comes in. Finding the right cybersecurity talent with the necessary clearances
can be a major hurdle. Did you know that it could take 8 to 15
months on average to hire somebody with a TS/SCI plus full-scope
poly? At top creative recruiting, we have a network of 1,300,000
cleared professionals ranging from CNO developers, reverse engineers,
and data scientists. Whether you're working on offensive operations or
data analysis, we connect you with the elite talent you need
fast. Visit topcoincruiting.com, and let us help
you to find the perfect candidate already cleared and ready to
go.
This was in 2005 maybe or what what time frame is
this? Yeah. So this would have been, I think, 2007.
Right. Because it was my daughter was yeah. My daughter was 1. So that was
how I that's how I remember it. As I started, it was it was 2007.
I met a couple people. I can met somebody at at RSA. So I was
I at the university, I it was a there's a guy in town,
who was a writer for a bunch of different magazines, and he would kinda partner
with the university because we had lots of data, lots of networks, you know, stuff
to test things on. And so he had a long standing partnership for just, like,
network gear to come in and test and work with them. And he started to
when when I was in security stuff, he said, oh, do you wanna write for
some of these magazines? I'm like, yeah. That sounds super fun. So, anyways, it turned
into, like, a sort of side side career of writing for, like,
InfoWorld and Information Week and a bunch of, like, computer
network computing magazine. Bunch of these are all, like, you know, out of print now.
Were these big ones at the time? At the time, they were they were they
were very well known. And they were, like, CMP was the parent company for a
bunch of them. They owned Black Hat at one point. I don't know if that
was still the case, but they were literally, like, bought. Black Hat, the conference was
owned by CMP Media. Yeah. Like, this big media publishing house. I don't I have
no idea if that's still the case, but I I know that, yeah, at one
point that was, they actually bought officially bought it out
from from Jeff. And so, yeah. So, I mean, it was, like
so I I went to, like, Defcon or Black Hat on, like, a press pass
for several years, because I was a I was a reporter. I went to RSA
on on a press pass, because I was it was actually, you know, writing for
magazines. And, in fact, I won, like, there was actually an
early prototype for, like, live CTF, like, a head to head competition
that the the precursor to SI govs was called SI, and
they actually split to do commercial stuff and SI govs went to the government stuff.
And so SI, Security Innovation, ran a,
like a thing at RSA where it's like a web hacking challenge where, like, you
were on screen and your screen's above your head, and you're competing with somebody else
and somebody's, like, with a mic, like, you know, heckling you and talking about what
you're doing and you're racing. I'm like, it's always very similar. It's really what inspired
a lot of the a lot of CTF stuff I've done since. And so I
won that and, like, the headline was, like, literally on Slashdot. That was, like, you
know, network computing reporter when Yeah. With your press
badge, you're like, yeah. Blah blah blah blah. Who is this? Yeah. People were most
of all, like, Jeremiah Grossman at the time was I I became good friends with
him as a result of, like, like, he was he was, like, wait. Yeah. I
interviewed him for the magazine. He's, like, didn't you just, like, do that competition? I
was, like, well, I, like, I do real work too.
Like, but, you know, so I was doing writing. And so the yeah. SI gov
is basically I went down I wasn't even, like, in a formal interview. Like, I
just went to visit. Like, I had talked to them, or at least I didn't
know it was an interview. And, at the time they were maybe 30
people. They looked at my
resume and were like, Oh, he knows security stuff. He's writing for magazines. He'd make
a great tech writer. Taking our reports on vulnerabilities or things we're
doing for government report writing. He could do a really he'd be a really, really
good tech writer. But, like, nobody told me this, and I was like, yeah. I
wanna I wanna write exploits. This sounds great. So as soon as I started, like,
I was in the engineering group. I just they just assigned me to start doing
reverse engineering, start writing exploits, and I wrote my first, like, QuickTime exploit in the
1st, like, week. Because QuickTime, you could just sneeze at it and it would fall over
back in the day. Started straight into it. Did you still have to write the
technical part where they wanted you to do? You're just like, oh, I'll do that
too, but then you're also No. Like, literally, the person who thought that never
talked to the engineering lead that I ended up with. I was just a straight
up, like, engineer. I mean, I did I did do some role that they were
looking for originally there. They hired somebody else. We don't really do. They did hire
somebody else. Yeah. No. It was literally, like, a while later that they admitted to
me. They're like, you know, we didn't originally hire you. I was like, what? Like,
I had no idea that that was the intention, but, like, the. Yeah. They,
so, I mean, I I did do some, you know, I did proposal writing and
some other kind of writing, but I was not like, there were other dedicated, tech
writers that were hired afterwards. That's crazy. I I'm trying to figure out if there's
any, like, lesson that, like, if any listeners, like, how do I, you know, get
my first really technical job? Yeah. Yeah. Yeah. Seriously, like, is there any lesson
you can come from that other than just, like, apply this a technical position
a technical writing position? I don't know. Yeah. But you ship you over? Type
confusion attack and you just get them to, you know, you just start doing the,
the other stuff. Like, I I will say, like, you know, a lot of a
lot of positions become what you make of it. Right? Like, no matter what your
role is, if you demonstrate the skill in something, I feel like you can you
can shove stuff around. I've seen I've seen that happen, you know, more often than
not, where somebody if you're if you're good at it, if you can do it,
just just do it. And the the company will will value it. So Let's let's
dive into that. I feel like some people might actually have questions. Maybe for a
beta, of course, getting the first role, but let's assume, like, they're in a company
and then they're like, okay, now I wanna go over to this this department. What
Yeah. Did you have you seen some people that have shifted over and like how
have they done it? Yeah. Yeah. I've seen I've seen it work, both ways too.
I've also seen people who are technical who get burnt out and go to non
technical roles too. Right? Like, and I think both are are healthy. Right? I've seen
people who are like, you know what? And and, like, for
example, like, QA, for example, can be, like, looked down upon, but really
good QA is super valuable. And so some people, like, find their fit
not doing your the development they were hired for, but in in QA or in
in tech writing or in these other stuff. And then other times, you know, you
see somebody who starts as a as a tech writer and then,
like, very quickly is just writing, you know, hand coding assembly, for
exploits. I yeah. I I don't know if there's,
like, a a manual or a map for it. For for me, I was just
I just did the things that I found fun. Like, if I liked it and
enjoyed it, I just did it when I was doing it. You know? So I
was at home. Yeah. Playing capture the flag and doing things. And when you're,
yeah, doing it, when you have the cape capability,
if you communicate with your with your your management, you're like, no. Like, this is
what I wanna do. I think I think a good manager too, you know,
like, right now, we have we have one on ones occasionally with with employees and,
like, we've sort of 2 different ones. We have, like, status of, like, what's your
on this project, and then we have a separate one that said let let's frequent
interval. It's just more just like, hey. What are you doing? Are you happy overall,
like, with what you're doing? But I think a good a good boss is, like,
your job is to, like, find out does this person wanna take on a leadership
role? Do they wanna take on more technical, less technical? Do they wanna like, they're
not happy with this part of the product they're working on? They wanna do less
of the Python API. They wanna see people else. Yeah. Whatever whatever it is.
But but I think it goes both ways. I think you as an engineer should
be communicating, what you wanna do. Now it's not always
gonna work out. Right? Sometimes you gotta every I've absolutely had to slog through things
I didn't wanna do because it just need to be done. Right? Like, that totally
happens. But, like, over a long enough time frame, don't, like, do
something you don't enjoy. Like, I've I've left my jobs when
they became not enjoyable or when something else presented itself. It's it was
it was, like, 7 to 8 years at the university. 7 to 8 years at
Raytheon. That's a long time. Yeah. In general, now in this world,
like, 2 And now year and a half, 2 years people are out. Yeah. And
now it's been 10 years for me at the current one, and I I don't
I this the role has changed. The company is growing. Things are, like, I'm still
so excited about Binary Ninja, what we're doing. We're starting this conference. Like, so,
like, I have no desire to go anywhere else. It's because I just yeah. You
know, it's it's a cliche, but, like, love what you do and you'll never work
it in your life. Like, it's Yeah. Very true. I I'm just very, very
lucky that I've just always loved what I did and that could, you
know it paid the bills. Like, we're you know, pretty much makes sense. Let's let's
get in more into that. So you so the I wanna hear about the origin
of Vector 35 and, like, what was the deciding factor? It's
like, let's let's get into this. Let's start building this out and
grow. Mhmm. So so for us,
you know, I could we talked earlier, like, Binary Ninja was like the CTF tool.
Like, we were playing capture the flag a bunch inside the company, and that was
great because, you know, I just love playing capture the flag. It was both my
hobby, but then the skills directly translated when I was doing for work. We used
it for recruiting. Like, we would somebody interviewed me. Like, well, we can't really tell
you, like, exact technical examples of what we're doing. Like, we had multiple Pwnie
Award winners that weren't, like, the public version of the Pwnies. Like, they were,
like, we either beat a Pwnie Award winner to the research and just it was
never public or so, like, you can't, like, you know, show people what you're
doing or you're working for a government contractor, unfortunately. But, like, we could be, like,
yeah, but we won Defcon or we were 2nd place this year or and they
were, like, oh, like, okay. Like, you have legitimate skills. Like, that was, like, a
useful thing to indicate to people. Plus, it was just super fun. It was great
team building. It was great. Like, we tooled that. Like, we
built we built technologies for CTF that we were like,
know, actually, this would be really helpful for this, like, real world problem that we
have over here that we port or rewrite or adapt. I mean, much in the
same way. Again, Binary Ninja was a a sort of toy application
built for CTF, because I you know, it wasn't, at the time,
originally built to be a better decompiler than IDA, but it was meant
to be a faster patching tool and quicker analysis and for triage and, like,
you know, you didn't a lot of people still, back in the day, didn't trust
decompilation anyways. It was more of like a yeah. It's good when it's good, but
something's just wrong. And the, What's the premise on it now? Do people, like,
generally say, like, yeah. It's it's fine. Or they're like, I wanna write my own.
Like Yeah. I think right now, you're relatively foolish if
you never use a decompiler. Like, I mean, there's reasons where you can't because of
an architecture or whatever. But, like, yeah, people that started 20 years
ago, the decompilation quality wasn't very good. Like,
just I mean, and and that was amazing that it worked at all. But there
were all sorts of times where it would just be straight up wrong. Conditional's inverted,
code not shown, code shown, you know, like, just consistently wrong. And so like
the error rate was high enough that people would in fact, actually, I liken
a lot of like AI stuff to the same sort of thing where people are
like, yeah, AI is like wrong all the time. It's like, well, yeah, now. It's
super early. Yeah. I Right? Do the exact same thing. It's like we're we've gone
like through 1 year, and it's like we're already getting to the point of, like,
they're generating videos and images. They're already providing some value.
Yeah. Yeah. It's it's gonna be new wild west with
our guys. And so, like, you know, we're we've got Sidekick, which is our AI
based plugin for binary ninja. We've been working on actually originally, like, 4 or 5
years ago, we started it, internally as as research and finally launched it about a
year ago. So the LLM yourself, you guys just a ChatGPT wrapper? So we
started we started with all of our own models because there was no OpenAI at the
time, and we had, 6 different, like, sort of techniques or models. About, like, half
of them, we sort of threw out when when OpenAI came out because it was
just so much better. So we're, like, oh, we should not be trying to name
variables ourselves or summarize, like, decompiled code. Like, those two
things, we're gonna use the better models. But we
had thankfully, we had enough internal models that was, like, structure recovery and other things
that we were doing that were still better. And so we the
hybrid approach has worked really well for us. We have kind of kind of a
little bit of both. But, like, for people that are sort of, like, a skeptic
in reverse engineering in particular, I I liken it to the same thing as decompilers.
Like, do you use a decompiler now? And 9 times out of 10,
9.59 times out of 10, right, it's yes. Like, people use
decompilers because they're just so effective. Like, maybe you do both side by side, but
there's a reason that IDA, Binary Ninja, and Ghidra well, actually, I I might be
the only one that doesn't know. I think about this. Like, default to decompilation. Right?
But, like, to me, the default should be decompilation because it's just that
good. That should just be the default most users want. You could change it but,
like You know, this this actually this actually probably brings up a specific thing
in my learning of, like, reverse engineering because, like, I well, I started with
radare and then I went to IDA. I tried to do both. Yeah. Yeah. I
went to, r2con in, like, 2017, met pancake and
Mhmm. Had a great time. But yeah, like I I would use radare and
then I also like try to use IDA and I just never used decompilers because
I can start to defaulting by disassembly. I'm like, okay. Cool. Let me just learn
this. So Yeah. It was just straight assembly. You can you can tell when
somebody started their their career in reverse engineering based on what they default to. I really
do think it's a sort of generational thing. And then Model that people now especially
with the with the availability like Ghidra. Right? Because Ghidra has just, like, good
decompilation on the box. And and we are gotten better about the in
fact, there's even you know, Cutter's got, like, the Ghidra integration and and for decompilation,
and it's an option now. But it sort of depends on, like, where
you started as to what you prefer. I see the reason that, like, even when
I'm debugging, I have, like, a separate debugger. I don't use Binary Ninja as a
debugger even though it supports it. I know a lot of people who don't use
IDA as a debugger even though it supports it because they're just used to, like,
a debugger and the decompilers being separate tooling. And maybe you'd sync your your
location or whatever, you know, but, like, so there there definitely, I
think, are are sort of, like, generational tells. Yeah. Using VS
versus Vim? Yeah. Yeah. I I use both. I use both.
Yeah. Yeah. Yeah. You install install the Neovim layer on
VS Code. Is there is there a layer on
that? Yeah. Yeah. You could tell the use, Neovim integrated into VS Code
and get full Vim bindings. It works quite well. Okay. There's very few things that
that I miss from, from real Vim. That's great. I use I
use Spacemacs for a while. I use LunarVim on the command line. Like,
I've tried a bunch of bunch of different ones, but so yeah. So, like, the
decompiling, I think, is I I think it makes sense that people are,
going to use it. And I think AI, ultimately, people will be using it more
and more. It but I I get why people are hesitant now because, like,
yeah, it hallucinates sometimes. This is wrong. And, like, the question is
how what does the error rate have to be before it's worth your time? And
it's just a default thing. You can change it. You can override it. Right? So,
like, at what point is it is it is it where
you're gonna be like, oh, nope. I'm just gonna leave this on by default. And
if it makes a mistake, it's fine. Like, no tool is perfect. No disassembler is
perfect. No. You know, even disassembly gets wrong sometimes. So,
there is an error rate. There's an error rate. And, like, it's also,
like, outside of it being, like, error or whatever, I
think like there will be the talk about like how some of them are
political or like like how they will have some political bias in some of
the things that they say or whatever the case. Even though like there's no factual
evidence to suggest one way or the other. A decompiler? No. No. No. I'm sorry.
I'm talking about AI. Alright. I'm really confused. I was really confused. I'm like, I
don't think my decompiler's got a full of compilers. Oh, yeah. Yeah. Yeah. No. Like
AIs for sure. For sure. I'm talking about like ChatGPT. A lot of the
people on one side will say like, oh, this is specifically
providing some type of information or, like, in in skewing. I think I think it
was what was it Bing's or, there's, like,
you you type in, like, the president, like, George Washington, and he would be black.
Like, it was Yeah. Yeah. Yeah. Yeah. Yeah. Yeah. Somebody was trying a little too
hard to to to kinda skew it. Yeah. I I, as a kid, I read
a lot of books from authors who I disagree with politically. And I think it's
super important that, like, you're able to, like, consume Do you want some of those
big references? I I don't wanna no. I don't
wanna highlight my bias too much. Well, I'll give you I can give you a
mixture of some I agree with and some I didn't. It ran it ran the
gamut from very, like, libertarian stuff from,
like the the Cobra series. I like all sci fi and fantasy stuff. The Cobra
series was really good, from such as these
dead, Timothy Zahn, maybe. And then L. E. Modesitt has
very, like, kind of more left leaning,
ecological and economic books that are that are great.
Like, I I like to read things from perspectives
that I don't always agree with because I just think that that's an important
skill in in society that we've that we've lost. So I I don't mind so
much. I think it's funny and stupid and silly when when the AIs are doing
and they're skewed that badly. But at the same time, like, again, if you can't
think for yourself, like, you know, like, grow up. It's okay.
You're not gonna agree with everybody whether it's an AI or not. Like, figure it
out. And so, you know, I think you wanna use caution and good
judgment, and, not trust,
the the things. But that, you know, that applies to everything. It applies to
news. It applies to, whatever. You know? Yeah.
So I I don't mind that so much. Like, I I think it's
it's dumb. I think it's definitely it's gonna self-correct. It already has, you know,
just to some degree. I think I think it's quite that crazy anymore, but no.
I I like that I like that that people have the option to do that
now. And I think that, like, that sort of balance of, like, you know, we're
gonna get a bunch and, I I do worry that it's a little bit of
a bubble. Right? And you're gonna get this sort sort of self reinforcing. I it's
an interesting idea if you've heard of, this is a heavy self reinforcing.
Yeah. Everything you say about ChatGPT, I wanna have this idea. That's a
great idea. There's never it never tells you it's a bad idea. Right. Like,
oh, the market's fucking really heavy right now. You might need like, you know, few
investors for this. It's like, yes, that's a terrific idea. Go for it. So it's
I don't know. It's it's never that like maybe you should do some more research
on this Like Yeah. Yeah. And so it's a little bit like the the the
sort of fallacy of, like, a ruler or a CEO that only has yes men.
Right? Like, that's what you surround yourself. So I and that's where I think that
people need to be need to be critical, and you need to,
like, embrace not conflict, but differences of opinion.
Even just like so, you know, back to to my company. You know, my cofounder
Peter is much more, like, growth focused and, like, future focused. And I'm much more
here and now focused and the vibes and the ride kind of thing. And so
it's a really healthy, tension between the 2
because, like, neither one at the extreme is healthy. Both can be extremely
unhealthy when when you go too far. And so I think that that's
really, really a good thing to to to look for in in a
in a cofounder. You want somebody you really can work with and you trust and,
you know, you have ultimately the same vision for, for the problem you're trying to
solve and the difference you're trying to make. But, like, not necessarily
having the same philosophy on how to get there, I think could be could be
really useful,
respectfully disagree, and you could figure it out and make a choice and move on
together and and kinda, like, you know, decide and go. And it's like I said,
it's 10 year 10 years in, still going strong. It's awesome. Businesses
generally don't last longer than a few years and, like, gets
yeah. It's amazing. I'd love to hear, like, a little bit more about where you
guys are at right now after 10 years in your journey. Yeah. What have you
guys been doing up to recently? And then we can talk about the future.
Yeah. Absolutely. So, you know, let me start at the
beginning because the goal was like, our stated goal was,
like, I I like IDA. I like Hex-Rays. I actually get along with the the
team there fairly well. I I'm I nominated, Ilfak for his
Pwnie lifetime Pwnie award a few years ago because I just have a ton of
respect for what they do. But also, like, our our goal was to dethrone them.
Like, our goal was like, we really wanna take what we think we can we
can do this and, like, you know, I've I've I've told them this to their
face. It's not surprised they know and, you know, sort of wish I I think
the market as a whole will benefit from from healthy competition.
But, like, that was our that was our goal. We love that. Yeah. Yeah. That
was that was our goal. Right? Like, it's out of the out of the gate.
I wanted to I I thought they had not had enough competition and does
not force enough innovation out of them. They're seeing and now with Ghidra, Binary Ninja,
you're seeing them make tremendous changes to their pricing, to their product
lines, to they're really really finally reacting. It's gonna be like
$5,000 for a key for for IDA or something. Right? I mean, it's
actually it hasn't gotten cheaper unless you're a non commercial student or whatever.
Like, it actually is in fact, they're about to, I think, do their their,
subscription pricing, which they've been doing for a while too, which we'll see. I think
for some people, it'll be cheaper. For some people, it'll be more. The total cost
will probably go up. I mean, so, you know, they were acquired by PEO,
last year. Last year or years not long ago. And so, like, you know,
there's necessarily gonna be a return they're looking to get on that
investment. And so I think that's gonna make them, you know, make certain choices,
in in the market. But,
but but yeah. So that was kind of our goal. Like, we just feel like
this this market is like, we can we can disrupt it. We can really come
in, like, do something new and different, and we made some, you know, conscious design
changes and differences, in in how we built Binary Ninja, like, with the goal
of doing this. And then we had kind of along the way, like, okay. We
launched the collaboration version. We actually both IDA and Binary Ninja announced a
collaboration plugin, and then ours came out, like, a whole year in advance, basically, of
theirs. Like, we were much sooner market. Because we had built that in we
from the beginning, we started the company, like, collaboration's gonna be a killer feature. We're
gonna put that in an enterprise version of Binary Ninja, and it took us 5
years or 6 years. But, like, we knew it from the beginning.
And so For people that don't know what the collaboration part is, what is that
exactly? Yeah. So it just I mean, much like, you know, with source code, you're
still, like, Git where you can, like, you know, work with multiple people and see
differences and merge changes and deconflict if there's conflicts.
That hasn't existed in the reverse engineering space. Ghidra, actually, it
was the really the first tool to market that had there were actually plugins that
tried to do it in IDA. They were very brittle. They would we used them
back at at at right now. Like, they would corrupt your database consistently because it
was really wasn't it was, like, hacked on. It wasn't really part of the model
and didn't didn't work really well. And so Ghidra actually
had really had the first version of this, you know, the open source n s
NSA tool. And both now IDA and Binary Ninja have this where you
can, as a team, collaboratively reverse engineer, on the
same kind of kind of kind of binary remarking of different pieces of it.
And so that was, like, you know, sort of our first, like, new product beyond
just like Binary Ninja. And then we launched our Sidekick, the AI thing a year
ago, you know, and that was, like, another new product. And so we're we're at
a really good point now because it it took us 10 years. Like, it took
us 10 years to really get our decompilation quality, our features that our
architecture was kind of, like, to where it needed to be to really compete with
with with IDA originally and now and now Ghidra. And
so it feels really, like, we're the product is much is
finally at the maturity level it needs to be, where we can sort of
like, we're not like a superset. Right? Like, we have things that they don't have.
They still have, you know, some things that we don't have. We're working on them.
It's I think it's a small list now at this point. But,
but, like, now we can really start building on top of it in ways that
are more interesting and fun, and start solving new problems or problems in a different
way, and kinda push push beyond it. And so that's that's really exciting.
And like I said, I like that we've that was always the plan and we
we did that. Like we said, we did the collaboration, we did it with, you
know, with with AI integration. Our design of our ILs is this distinct
nobody has anything like that. And I think, you know, there's a lot of other
advantages like that, the API. So anyway, it feels like we're at a
point right now. We're seeing a ton of people switching. We really are
at a point now where a lot of folks are like. And and Ghidra
makes things tough just as a free price point, but I think having, better
UI, faster analysis, the real Python API, bindings for other different
languages, better better API, program analysis, the ILs in between, you know, all these other
things. People are like, okay. Yeah. This is the so, like, totally worth the the
1500. If you're a professional, $1500 for a tool that you spend, you
know, 6, 8 hours a day and it's like like, come on. Like, it's not even
that's it's underpriced. It really is. And you just have a student discount as well
for students that want Yeah. So we actually have about it. Right? A hobbyist license
for $300. So if you're, like, just somebody doing at home, it's $300 so you're
still professional but just in another field or whatever. And then we have a student
discount, and you can apply to either one those other two licenses. And that brings
it out to, like, $75 for the noncommercial student license,
and then, like, 350 or 400, I think, if you're, like, a student that wants
the there's a couple of features in in commercial
that that don't exist in in noncommercial, but, like, I think at this point,
there's only 2. We've actually that's another thing we do well. We said at the beginning.
We had a couple of features in commercial that we trickled down into noncommercial, which
I'm really, really pleased with. Like, it was like a a promise we made at
the beginning, and then we we delivered on it. We did over, like, every couple
years, we add new feature. We drop it down. In fact, for a while, they
were like, okay. We have to add a new feature in a commercial only. It's
worth, like, we run out of, like, things to, like, include.
So when we had a project support, we added that just a just a commercial.
But, yeah. And so, like, for, like, the vision,
kinda like where we're going and where we're at, I mean, the the question now
is, like, how big do we wanna be as a company? What is our you
know, 19 people, like, if we keep growing, we we need to now, like, kinda
restructure a look at that. Or do we try to keep, like, at a at
a flat size where we can, you know, stay this? Or do we try to,
like, you know, grow bigger but keep it do like a a Valve sort of
thing, right, where they notoriously have, like, a a a very flat no org chart
and yet a a bigger group. You know, what could that look like?
So that's, like, our sort of next thing is trying to figure out where do
we do, where do we go, and then we've got all these ideas for actually,
we are launching another new sort of product here pretty soon just in the I
don't we've even maybe public has said this before, but,
Oh, you're welcome to now if you want. Yeah. Yeah. Yeah. It is it is
that. It's still I mean, we're very transparent about it, but we've we've we've definitely
told told a number of folks individually. We started selling a couple
of architectures as separate architectures just in the last couple releases.
And that's different from us. So till the very beginning, we took, like, the Ghidra,
like, model of, like, every architecture. You can write your own. You can add your
own, fully extensible at one price. We didn't do the, like,
per architecture pricing that that IDA has always done for the decompilation.
And, we had a couple of people, like, reach out and be like, hey. Can
you build me an architecture for nanoMIPS? Like, I really want this.
But it, like, just wasn't popular enough that, like, it was
gonna justify itself by just a few extra $1500 purchases.
That makes sense. Right? So, like, we were like, well, like, if we do it,
we have to charge separately. This is the only way it makes sense. And so
the last two releases, and this will also be true in this release, we're
releasing one extra architecture in the in the all the products, and then one
architecture that's only a paid thing. One extra architecture, you know, makes really the same
thing. So to 2 architectures. We're basically gonna take all those paid
architectures. We were kind of charging them like a la carte, and we're instead just
gonna have, like, Binary Ninja Ultimate. We're gonna have, like, a new edition. It'll
be $3,000 instead of $1500, but it will include these more esoteric niche
embedded, TriCore, C-SKY, and nanoMIPS, and we're gonna add, some
some more as well in the future. So we are gonna have, like, that that
kinda comes soon. So that's kind of another thing that's on on the horizon. So
for the things that you're looking at in terms of, like, potential growth into the
company, are you guys looking at the number of users that are using it and
paying for on commercial side? Or are you guys also looking at government contracts
where you guys are bringing more money in through through that? Which one or both
of those avenues do you guys look at for KPIs? Yeah. That's a that's a
that's a good question. So our we don't wanna be too skewed,
basically. Right? Like, we so, yeah, to be clear too, we're we're getting we're fully
transparent about this. We've we've got some, like, research contracts essentially
that we're doing prototype development of of capabilities. So
we demoed, for example, Firmware Ninja, a few months ago on, like, one of
my live streams, which is a new plugin. It just does a bunch of firmware,
specific things, like automatically find MMIO and,
I don't even remember if I oh, it we actually one of the features that
we we built for that is now the base product, which is the automatic, base
address detection. So open up a firmware blob, and it just will try to
scan, find pointers, predict base addresses, guess them, check the the string
references and function references. Like, so it's, it will just find me the base
address. Right? This is a very useful feature. So that was actually originally
developed, for prototype on a on one of our research
contracts. So, you know, we don't do, like, vulnerability research or, like, you know,
we're not, like, using the tooling. Yeah. Exactly. It's more
like we we have done occasionally a couple of those contracts before. Actually, it tend
to be commercial as well too. Every now and then, we'll we'll pick up one
of those because it's it's nice to force yourself just to use the tool to
get things done occasionally and just and kinda keep the skills fresh. So very occasionally,
but we really don't usually we actually often turn down work work like
that. But, like, yeah, we've got a number of research contracts. We're building these prototypes.
And then if it works well, like, we still have the rights to be able
to ship the product or ship us a new plugin or a free plugin. So
several of our our architectures and plugins, you know, that we've released open source
were were, you know, basically funded on these research contracts in the past. So we
do have, you know, about half the company, doing
researchy things on that. Even though half the time there's research to think
just our features or plugins or stuff that goes you know, it's all all
binary ninja focused. So as long as we keep getting these contracts that are,
like, the government's happy to pay us to build a prototype for a thing that
we can then roll into the commercial product, we'll probably keep going. It's just funded
r and d. But we do yeah. We don't wanna exceed it too
much. If 80% of our team is just doing that kind of stuff and 20%
is doing product, that feels like an unhealthy split. So we really try to keep
it kinda kinda 50/50. That's really what difficult balancing act,
to the last 10 years of doing so. Right? It's been it's not been too
bad, because mostly, we we just say no to a lot of things. Like, people
will be like, oh, hey. There's this new contract. I want you to come help
me do this thing. We're like, well, if we don't have a good idea for
a Binja feature or analysis or plugin that we would build to solve that
problem, like, it doesn't make sense for it. Like, we just yeah. It was really
it give us a lot of clarity for the type of work that we do
and don't do. I think if you're just starting a general defense contractor, you're like,
you're like, hey. Whatever we can get, it's it's serve you know, it's just a
labor based contract, and you get your your, you know, markup on
top of that. And and yeah. Because we had this kind of very specific vision,
we just said no a fair amount, to things. Like, no. We're full or we're
good. Or even so now the work is good, and we're like, yeah. But we
don't have the people to do it, and I don't wanna, like, lower the bar,
and I just hire anybody just to get it done. Like, we're we, you know,
very beneficial about our growth. And so so some of that limits us,
that limits us as well. So it's kinda a case by case basis. It depends
on the contracts. It depends on what comes up. It depends on,
yeah. And but and then, you know, how the how the sales are going. All
I would love to be able to just just do the product. Right? And let
the contracts kinda go. Because even at their best, they're still you gotta do
monthly reports and, you know, invoicing. Like, it it's
kinda nice to just have a product where you're just sort of, like, it's separate
from, like, development and the the road map, and you can just as long as
people still kinda buy and renew, you just keep going, keep building and adding stuff.
Whereas, you don't have quite as much flexibility to contracts, but
it's worked so well and, you know, everyone's as every kind of wins, the government
gets, like, a prototype that a lot of these, like, research contracts,
it's like a one off thing that doesn't go anywhere, never transitions, nothing ever happens
to it. It's, like, mostly DARPA work too to to to be clear. Like, a
lot of these a lot of the work that we've done. And,
it's nice that we are able to, like, have it be something that will be
around for 5 or 10 years. Right? Like, they have a a sense that Right.
Anything built on Binary Ninja is gonna last. It's not gonna be like this one
off prototype, which happens unfortunately more times than than, you
know, you might like as a citizen when the government pays for some research that,
like, this contract when they built the thing and then it disappears. Nothing ever happens.
So it happens far too often. And so when they when they purchase
your guys' research and then of a prototype or something and you guys integrate into
your tool, do they then purchase your tool, afterwards?
So so when it's DARPA, not necessarily. Right? Because their whole job is to, like,
cause it to happen and then it's other people within the government that they want.
Like, their job is just to get the DOD or other people
in the the government to to be using the research that they develop. They
don't aren't direct consumers of, and they might use it like in some follow on
research contract or something. But generally, like, DARPA wins
if they get a bunch of other groups within the government using
the things they've developed. If they transition and it now is a follow on contract
in the Navy or the Air Force or whoever, whatever has, like, some other
contract that they will sign to get you to, like, continue to do that thing
or just buy if you're yeah. They're buying Binary Ninja, and then the thing that
the research contract paid for is now available as a plug in. That's even better
for them because it's cheaper than a government contract. Right? So Right. Yeah. Like, that's
what winning looks like for them to a large extent. If they're if they're really
improving this data, if they're solving problems that their community has and and getting
that stuff actively into the hands of of other government people.
Got it. So, what what's next for Vector 35? And what's
gonna be on the road map for the next how how deep do you guys
look? You got, like, 1 year, 2 years, 5 years, 10 years?
So, I mean, on the one hand, we have had, like, you know,
Sidekick has been a 5 year thing. We knew 5 years ago, we were gonna
have a some AI based thing. And what was that gonna look like, and how's
it gonna work? And let's just go plug it away. So for the 1st 3
years internally, and then finally get some customers to get prototype and, you know, iterate
on it. So sometimes we have we have stuff like that out there. We have
right now on our road map, I feel like it's a little more near term
than it's ever been just because we're kind of, like, we've been burned through a
lot of this stuff. Mhmm. And and so now it really becomes a
question of, like, we have a lot of ideas for business problems we could
solve with our technology. And do we now
pivot or do we license or do we work with other companies to, like,
build, you know, wrap binary inside of other products,
or or sell an enterprise security product that is been powered
in in some way. Do we do that? Do we partner? Do we license? Like,
what does that look like? So that's something that we're continually
kinda kinda tinkering with and talking to folks, and we've had several different kind of,
you know, experiments like and we build it from the beginning to do that. Like,
from the very beginning, Binja is just a library that you can, like, easily wrap,
and so that's that's really I like IDA has 9.0 coming with, so it's gonna
have headless mode. Like, that's been, like, 10 years ago. That was that
was a part of the core design. Right? And it's first class. It works great
like that. We have one API. We don't have, like, a public private API, and,
and so it really it it works well for for exactly situations like
that. So, yeah, we might see some some integrations of
partnerships. You know, I think there's a lot of
there's a lot more to be done in terms of integrating AI. I think we
are absolutely the most mature thing in the space. Like, most the other like, any
other AI plugins. Like, well, we decompiled it and we copied and paste the decompilation
into an LLM, then we asked the question. Like, okay. That's cute. But that's not,
like, really you know, that's just the very, very beginning.
We have a lot more deep integrations already, but I think we've we're still barely
scratching the surface. You know, how can we integrate an LLM, for
example, into changing 2 things that are equivalent
into the one that's more readable. Right? If I have an if statement or if
I have a switch statement, now I'm reordering the blocks and things like you can
do is a lot of things you can do to improve readability that
are, semantically equivalent, like, they're they're the same thing, but, like,
one of them just more intuitive or more readable. Little stuff like, you know, is
it less than or, is it greater than or equal to, to 1 or is
it greater than 0. Right? Like, which one is more understandable? Well, it depends
on the context of what the thing you're talking about is, and whether it's in
Erika, you know, there I don't know. It depends. And so that's where I feel
like that there's a lot of interesting things potentially that we can leverage, machine
learning and integrate it more deeply into the the
decompilation, like, at different stages of analysis, which is also where, like, our
exposed, ILs and, like, the
stack of them that we have make us really well suited towards that. So I
think that's that's gonna be particularly interesting, but we were really worried about export
controls on decompiler technology, and then the NSA open sourced, put on
GitHub Ghidra. We're like, okay. Oh, we should be fine. Yeah.
Clearly clearly, the the government doesn't think that this is a,
export control technology if they're open sourcing it on GitHub. So, so
that was actually that was that was kinda great. Yeah. In terms of AI, I
I don't think so. I you know, we'll we'll see what happens with it. But
Yeah. Let's let me ask you a little bit more about the the most difficult
challenges you had in Vector 35, like, as an entrepreneur
and shifting from very, very technical.
I mean, you've been a technical lead as well. So you've been able to have
different types of leadership as well. But there's there's, like, a mentality
shift of, like, okay, I'm a technical person. Now I gotta put on my business
hat and then the sales hat and then, like, how has that been in
that transition? And what are some of the challenges that you've faced as the
entrepreneur or the cofounder of your company? Yeah. I think some of the hardest
things for us were around pricing and marketing. Pricing and
marketing? What does that look like? We have zero experience
competitors out there to be like, okay, we know them and them. That's like, yeah.
Right? Yeah. Yeah. We've got Ghidra and Hex-Rays. That's that's exactly it. One's
free. And the other one's been around for 30 years. Like, okay, what does this
look like? So I, I think it's, you know, this is one where, where, you
know, we can read books, but like, I don't know how much their advice is
really all that relevant a lot of the time. And so that's been super
challenging figuring out how we do our, you know, there's definitely, there was certain bits
of advice we got like, that sounds good. Let's try that. Like, never discount. Like,
you know, there's a lot of different theories in discounting or whatever. And I think
there's sort of 2 ways either you really bake in discounting and have a, you
know, a high initial price and then you can, you know, segment your market that
way with with discounts of sales and you can get people or just never ever
discount at all because that way people know that's just the price and that's just
locked in, and we've kind of gone on that route. But I don't think it's
this inherently right or wrong. I just we're like, yeah. That sounds good, and it
also sounds easier because I don't like negotiating them too hard. Like, I'll just give
things away. So, like, just just lock it in.
So I think, like, for and yeah. Pricing in particular as we move to the
higher ends of the market, move to our enterprise tier and and some, you know,
more much more expensive versions, like, dealing with business sales practices that we're
still figuring that out and still learning. You have to negotiate
on you know, at the lower price point. I will say one of the lessons
we learned, I wish we'd learned earlier is when I'm selling a $1500
license, don't negotiate ever on anything. No. Like,
we would have companies early on, but, well, we can't agree to your standard EULA.
You need to sign our custom terms. And I would I would read them or
I would hire my, like, outside consultant contractor, my lawyer to, like, review the thing.
And it's like, no. If you don't spend so now we have a minimum and
we keep raising it. Right? It's like $15,000 now. If you're not spending $15,000,
I will not review your terms. Take it or leave it. Because 9 times out
of 10, they're gonna take it. Like, they just want Binary Ninja, and they're gonna
get them a reseller or somebody else or go down for. Right? It's it's not
even so much that they will go down. It's just that there's parts of, like,
you know, the engineer just wants it, and then there's the purchasing department that just
has all the stuff that they're required to do and required to try to to
to make people agree to. And so, yeah, they want you to agree to all
this stuff. And so we just say, like, nope. This is our policy. We will
not fill out your paperwork below a certain dollar threshold. That was liberating. That was
so huge because that freed up so much of our time that we were wasting.
Like, it is I remember in particular, there was one large financial,
a very large well known financial,
bank that's, it also was very British.
It really narrow really narrows it down. Yeah. But
they Bank. We had there was some good
engineers and some people I really respected, like, in the
engineering, but I've never worked with a more dysfunctional purchasing system. Like
in the course of them buying a product, it's like 6 to 9 months.
And it feel like it would turn out Is that normal? No,
no, no, no, no. Very, very few. Right? And and, I mean, if you're selling
a $100,000 or several $100,000, sure. 6 to 9 months.
Okay? And you got the negotiation, whatever. And they bought 2 licenses. So they paid,
like, $3,000. Right? To be clear. Maybe me at the time, maybe even have been.
Right? Alright. Like, you put your credit card and go swipe it and move on.
Like, what are you guys doing? And this is where we first were like, this
is insane. What are we doing? Because we literally have email threads of over a
100 emails of, like, this back and forth. And what happened is the person that
purchasing would quit. A new person would come. We would have to reteach them everything
we had already taught the old person because they can't read the email thread apparently.
And, like, it was the most painful they want us to agree to their
their human rights violations ethics documents. Like, you as a subcontractor. I'm like,
I'm not a subcontractor. You're just licensing my software. Please just purchase
and move on. But they literally wanted, like, hundreds of pages of, like, documentation
read and approved. And and and that was the last one where I was
like, never again. No. I'm not even go I will not even
look at your paperwork below this threshold. And even above that, I'm much more willing
to just be like, nope. Have you calculated the amount of time and hours, like,
it took for you guys to I $6,000 deal? Refused
to because it would be depressing. We learned we lost a lot of money. And
it was like, not even 6. It was less. Right? So, like, yeah, it, it,
it was, that was, that was a really important lesson to learn is it's at
the beginning, you feel like every sale super matters and you have to get everything
in that, you know, you you do. But like also and it helped for
us to be cheaper too. Right? Because we didn't come out of the gate with
a 6 figure or 5 figure product at the beginning. We were 3 or, you
know, 4 digits, initially. That helped a lot too. It's
it's the realization that, like, wait. Why would we bother to no. We're just not
gonna do that. That was that was probably the most important lesson I think that
that we learned. And I wish I wish we would have done it sooner because
it would have saved a lot of headache with that particular organization. Yeah.
A lot of people, though, looking in market share by releasing a product for
cheap or free. I think that's what PayPal did and they Absolutely. The market
went on eBay. And then by the time they integrate integrated,
like, 2%, 3% fee, then everyone have already been started using it.
They were like Yeah. So that depends exactly on your pricing strategy. Right? Like, if
you are gonna start with just enterprise deals and sales where you're you're 5 or
6 from the beginning digits, you know, sales, then you don't really have that
flexibility. Like, you're gonna have to deal with the lawyers and the purchasing department contracts.
So it's gonna take 6 to 9 months, and that's just I mean, depending on
exactly where in that, like, lower fives, maybe not, depends on,
depends on who who you're you're selling to. But that's definitely something that that
that we've we've we've we've had to learn. What have been some of your, like,
biggest contracts, that that you've gone through and worked on in
terms of, like, selling in bulk for you guys' software?
I think we have a a particular telecom company, which
kinda out of the blue reached out and got, like, 40 licenses a couple years
ago, which is a pretty large one. We have
nowadays, it's larger, not so much in total seats of licenses, but
it'll be like an enterprise customer with, like, 10 floating licenses. Right? So I don't
they could have 50 people. They could have 10 people. I don't know exactly how
big they are. But they're but they're buying the enterprise with floating
licenses and so it's a much higher price point, it's a higher support tier. Is
the majority of the the revenue on the product side
commercial versus non commercial?
So historic oh, you know, I should pull I should pull that spreadsheet
up. Let me see here. We do
have a like an active license count that shows that the
splits between commercial versus noncommercial. And this
and this is interesting too, especially when you when you look at, like,
Ghidra's impact to the market too. Right? Because, you know, our sort of, like,
part of our game plan yeah. Part of our part of our game plan initially
was, like, look, if we just get students and hobbyists and just
wait, we'll take over. That was 100% our strategy.
Right? It gets the item from the very beginning. And then that is where really
Ghidra really hurt us the most. Right? Now there are absolutely professional and corporate
environments. They're still using it and we're we're kind of competing with because again free
is hard to compete with. But, like, yeah, that was
where, like, we like, 1 year, like, CSAW as, you know, CTF for
for students. It was, like, Binja was, like, taking over, and I was so excited.
The next year, it was, like, all Ghidra. And actually, after that, ironically, it
was actually back to, like, IDA and Ghidra, because it was more it's, kinda, more
chaotic. It was sort of a mix, which is interesting, as as things change.
But, yeah. That's where, like, it can really making sure that
we're active. The student discount has helped a bunch, and so we do
we have a surprising volume of, student discounts. We've really thought about,
like, should students be free? Should we just get free student licenses? We've really wrestled
with that. Yeah. Like, incorporating it into,
like like, education systems or or institutions where the teacher
then utilizes it and teaches it with it. So that way, upon leaving,
everyone's already using it. You know? Yeah. And like I said, early on, that was
our sort of strategy, but we didn't make it totally free. We still made it
cost something cost because I I just sort of ended. I'm kind of a stickler
on, like, I wanted to have some value, in particular if you're a student. If
it's super discounted and you get a student discount, but you've paid your real money
on it, you're gonna put the time in to actually use it and evaluate it.
And if it's just, like, oh, just totally free, well, more
likely. You're you're much more likely to because that money is much that money has,
like, real value to you for the most part. Like, you I would say. That
was, like, $75 you had to pay. You know, that's that's a that's a PS
5 game. Right? So, like Yeah. You know, that like, I I at least
that's theoretically. That's my that's my logic on why we we still
charge. And and, like, so we have,
about 1.5 times
the commercial licenses and noncommercial licenses.
Okay. So you guys are heavy in noncommercial. So we have more noncommercial. But, again,
by revenue, commercial is way more. Right? Because commercial is 2 x.
Right. The or no more than that way more than that. It is like, 4
x. Like, it used to be 2 x at one point, and we just randomly
doubled the price of commercial, left noncommercial alone. And we're like, let's see what happens.
I do think there are a lot of, commercial company. We we'll see a commercial
email go bought fast on a noncommercial license occasionally, and we'll shoot them a note
and be like, just so you know, like, you're using it. Like, you it might
be fine because depending on the the terms of, like, how you're using it, you
you can use it at work. And we have, like, specific terms, like, describe, like,
okay. This is considered commercial. It's considered not commercial. We'll
just kinda kinda let people know. But, but yeah. And it
actually it looks like it looks like noncommercial continues to
actually grow at a faster rate than commercial, which is interesting. So that's been
even in the face of Ghidra kinda flat for a while, and then it's it
sort of picked up again post Ghidra. Can you see, like, the
the the point when, like, Ghidra was there and then if you guys grew was
pretty much the same or dipped? Oh, yeah. No. It totally it
was about 6 to 9 months of flat growth, like, no growth whatsoever.
Right? So yeah. Yeah. Yeah. We went for, like, 10, 20%, like, consistent growth.
Feeling and thinking at that time? Well,
that was that was the time which we took on a very small outside investment
for equity just for, like, 5% of the company in just so we
have more in the bank because we were really worried about, like, do we need,
in hindsight, we didn't need to do that. So it wasn't,
wasn't totally required, but we thought that maybe we would.
And so we we kept a little more kind of in the coffers.
Would you advise, entrepreneurs to
to do that same move or maybe adjust? Yeah. That's be
different. That's so hard to say. Right? Like, you know, our
product was technically far enough along that we looked at Ghidra and we thought, okay.
I think we can weather this. Like, if that happened a year even a year
or 2 earlier, we probably wouldn't have been able to. But we had, you
know, 6 years of of development. The product was already mature enough. We had, you
know, enough things out there. Like, okay. I think we have enough advantages over
it. But, it was, yeah, it was it was
a little it was it was very concerning for sure. We were we're definitely kinda
keeping an eye out for it. I you know, I feel like every situation is
different. Whether you should be pivoting, whether you should it depends on what, like, we're
like, Binja is our our baby. It's our passion. It's why we, like, we could
be making way more money, like, working for any of the
major tech companies. Like, everybody at my company is highly
skilled. We're very good at development, reversing their security. Like, we have skill sets
that could actively double our salary maybe
somewhere else. Like, no question. But, like, we all
really like what we're doing, and, like, who we're
doing it with, what the problems we're getting to solve. And, you know, like, as
the product is better, we get bigger bonuses. Right? So the goal of the dream
has always been, like, well, just get, like, more product sales, without growing the size
of the team, and then we can just continue to to bump everybody's salary up,
which is, you know, this year is looking is looking really good for. So it's
been nice to to, you know, see that kinda dream coming to to fruition.
So we're we're gonna keep doing it. We've talked
about the the origins. We've talked about the what's happening right now.
We've also talked about the future. What's the future for you? What what
what are you what are you gonna do in the next 5 to 10 years?
Yeah. I I really took a it surprised me last year
when it was, like, you know, eight and a half years. I was like, oh,
wait a minute. Didn't I leave my last few jobs after 7 years? And,
like, am I Was that like a wake up or, like, am I gonna do
it again kind of thing? It was just to, like yeah. Like, me, I took
stock. Right? I stepped back. I was like, okay. Is this what I wanna keep
doing? And the answer was absolutely. Like, I really I wanna keep doing this. Like,
I'm not, I don't feel like we've solved the problem. Like, IDA is still the
major dominant tool. You know, technically, there's still problems that I wanna
solve. I think we're the product itself is at a spot
where it can now, replace IDA for the vast majority of users. And
so now we just gotta go, like, show everybody. Like, convince them and, like, demonstrate
it and be like, hey. Listen. You can you get all these advantages. Let's let's
let's get everybody switched. And so that's super exciting. Like, I
feel like we we've done some of the hardest work and now we can reap
the rewards. But I also don't feel bored. Like, I feel like, you know, we're
launching a conference just next year. Tell us more about the conference. Where's
it gonna be? What's it gonna be about? Speaker, CFP So sort of thing.
Yeah. Reverse, re-verse.io,
is, is the conference name. We just yesterday put the
website live and, the the CFP is open starting
immediately. You can go submit your your talks, please. Submit talks. It's gonna be in
Orlando, Florida, March, sorry. February 28th to March
1st is the conference. In hindsight, we really hate that it splits. It's really annoying
to have to split 2 months for the the date, but it was it was
very weekend for the hotel. So, it's it's it's a little bit
like Infiltrate, really. We just took a lot of inspiration from, like, how Infiltrate was
run. How did you run? There was a an event. In fact, we
hired the event coordinator in Belinda who ran outside event.
So, yeah, we very much were like, oh, hey, Linda. You wanna you wanna go
do this? And she was excited because she loved she loved Infiltrate, the community, the
people involved. So it's gonna be, it's gonna be more reverse engineering focused. The Infiltrate
was very offensive, security focused, so exploits vulnerability research. Ours will
have some of that, but it'll have also malware analysis and hardware reverse you know,
reverse engineering will be a little bit more just reverse engineering. It's not Binjacon.
So to be clear, like, you know, several of our trainers are using Ghidra. Talks
can use either a Ghidra or a Ghidra. Like, that's totally fine. We're not,
not just trying to show show Binary Ninja here. We want literally the
best, you know, the research and presentations. But but the thing that that
Infiltrate did 2 things really well. 1,
like, the hotel, the food, everything was top notch. It was really
well done. We're going to have really good, like,
logistics and planning, and you didn't so Infiltrate was in South
Beach. You didn't leave the hotel because everybody stayed there. There was meals
there. There was, like, big gatherings out in the open lawn, which is beautiful in
Florida in February. Right? It was, like, a nice time of year to be outside.
And so, you know, it was really a good time
for, like, just connecting with other people that were at the conference. Like, it was
very, like, close knit. And that sort of vibe, I
think, is really, really important. And then the second thing that Infiltrate did super well,
which I thought was great, is not a lot of conferences forced dry
runs beforehand of the presenters. Every accepted speaker has to do a
dry run a month before the talk, the actual conference, and
then the review board or the conference organizer gets
basically a feedback. I'm like, oh, you should do this, or what about this question,
or what about this, or, you know, this slide is hard to read, or, like,
just all that stuff. And so just that little I mean, just having
me being forced to have your slides done in advance is a little bit
right. Just like you're always making changes, but if you have an internal deadline that's
earlier than the conference, because if you know, I do this all the time. If
I have a deadline, I will, right up to that deadline, be working on it.
But by forcing people to do it earlier, you just get so much higher quality
presentations. And so that's another another thing that we're we're we're
bringing back as well is I really I really there's just a ton about you.
And even as somebody who present a ton, like, I'm a very good presenter. I
can off the cuff, I can just do something quickly live. I could put together
the week before. It'll be a a good presentation. It's still important
to have had that earlier deadline to go through and try run it once. And
so, like, I'm not gonna name names. I remember somebody, like, do you knew who
I am? Like, your presentation's all the time back during the Infiltrate days, basically, was
was saying this for that process. And sorry. Like, this is
to your benefit as well as the audience's. Everybody wins when when you
have to do this. So yeah. You said that you wanna keep it
very community and tight knit. Is there, like, a certain number of tickets you're gonna
sell? We we, OffensiveCon, and there's only a certain amount of
tickets that always sold. Yeah. So OffensiveCon sells out real fast. OffensiveCon, I
think, is about 600. So they're a little bit bigger for our 1st year. We're
we're sticking it at even 400. So even a little bit smaller than that.
And so I'd rather sell out and really have it be be
tight. We might if there's a ton of interest that sells out, well, you know,
we'll see. We could go a little bit. The space we're in could actually grow
much bigger. But, like, you know, probably because it was our 1st year, probably just
because again, yeah. Like, I don't want it to be some huge Defcon like experience.
Like, Defcon is fun for other reasons, but it's not a community. Right? It's
hundreds of communities that are all kinda, like, you know, colocated. That's
probably a better way to put it. I I would say that Defcon is a
community just because of the comparison to Black Hat. Like, I don't Sure. That's
fair. Feels about community at all, but Defcon does feel. But you're a
100% right that the micro communities are not the size of what Defcon used
to be. Exactly. All the villages itself. Right? Oh, yeah. No. Every
village there is is as big or bigger than, like, that It's its own conference
at that point. So Yeah. They they have their own agendas and track and speakers
and awards, and, like, they they're a 100%. It's dozens of
separate cons kind of kind of in one. So Yes. Yeah. But this
is this is meant to be kinda small. It's meant to be, sort of more
boutique, really, really nice high end. It's also Florida in the summer, which is a
great time to visit right near Disney and Just in the summer? You said Yes.
Not in the summer. No. Sorry. Not summer. It's no. Florida in the summer is
when the worst time to visit because it's too hot. Yes. Florida in the winter
when it's a great time to get out of cold climates and come visit Florida.
So Track 1 track, 2 tracks. One track. Yeah.
One track for now. I remain really skeptical
of 2 tracks. I love again, product community, knowing everybody is there for the same
talk and the same thing. Same talk. Yeah. Maybe we could do some fireside or
some workshops, some other thing eventually. But I think for 1st year in particular, we're
gonna keep it simple. I I like One Track. And if there's a topic you're
not interested in, well, you can go outside, and that's a good time to talk
to people. And, but just knowing that everybody is is sort
of there for the the same stuff, I think is I think is is valuable.
So that's part of the part of the appeal. What you know, little other
stuff that, like, a viewing room outside, right, where you can also listen to the
talk, not in the main conference room. You wanna talk to people, but you still
wanna hear the talk that's going on or occasionally tune in. Offensive Condos, like, great.
I think that's another thing that we we love. You know, so there's a lot
of little stuff we've been thinking about. We've been talking about doing this for for
since we started the company. It's really been something we've been toying with. Yeah. Move
for you guys. It's a very exciting thing to to be doing. Feels like it's
it's time. Yeah. We're we're we're ready to do it. So, hopefully, we'll and it's
it's just there's been, you know, a lot of conferences in the US have shut
down. ShmooCon last year is is coming up. Yeah. Infiltrate. Oh, they're just
burnt out, I think. They've been running that thing for so long. Right? Yeah. Yeah.
Yeah. Yeah. Yeah. I know. I like it. And, actually, I ran the CTF for,
like, 6 years, back in the day with with Heidi and Bruce. They're fantastic to
work with, but it is just a huge investment of of
energy and, time and they're, you know, they run is like a it's a nonprofit
too. And so, it's like their their
laborer's costs are covered, but, like, every year they sort of start fresh, kind of,
with with the budget and with, you know, just yeah. It's
it's just a ton of work. They've done it. It's been a very good
benefit. So there's DistroCon too, I wanna shout out. There's another conference starting up
actually just a week before ours in DC, which they're kinda trying to, like,
inherit the ShmooCon mantle. We kinda wanna inherit the Infiltrate mantle. So that's that's
kind of the the, you know, but I think both are needed. I think there's
a lot of value in, in more cons in the US because
Hexacon, OffensiveCon, REcon, a lot of the best conferences right now are not
in the US. So I'd love to At least offensively. Kinda return that. Reverse
engineering. Yeah. Yeah. Yeah. Even even, like,
just the kind of a, you know, technical detailed depth, like, there's BSides.
And in the US, like, you just don't see as many as many conferences I
feel like. Oh, you have a massive amount of BSides. Sometimes you
get good technical talks. You do. But, like, I sometimes say, you don't have, like,
the like, I just feel like if you look at top infosec
conferences, Black Hat and Defcon are really some
of the only ones you see in the US. It's just not can you think
I yeah. What can you think of? Like, can you think of a good
really I mean, Summercon is more of a drinking con. It's fantastic and
fun, but it's not, you know, the it's explicitly not the highest
technical content, talks. It's a you know, another we're
actually talking about, like, conferences and talks and and and, other places to go
drink at, like, it's really divided between because I've I've given
talks nationally and internationally at, you
know, conferences, but then also at camps. So like Yes. And it also depends on
the the the audience that you're looking for, right? So if you're talking and I
think it's like split between like, commercial based
things, government based things, and then more grassroots,
Yeah, Yeah. Community. Exactly. Hacker. The old school. Yeah. What Defcon
was a long time ago and hasn't been for years. Like the fact that, like,
there's sponsors being tweeted out for I literally tweeted those recently. Like how weird it
is that, like, Defcon villages tweet out sponsor lists. And this is
bizarre to me when, like, you know, corporate logos were
anathema for the longest time at DEF CON. It really was, you know,
a counterculture thing. And it it clearly hasn't been for you know, it's just it's
changed so much. And again, I don't make it as as a judgment. I don't
think there's it's inherently better or it's just very different than than it
used to be. Are you guys having sponsors at your guys' conference? We we do.
In fact, we already have, 4 that like, it's crazy to me. We actually 4
signed up before we even launched the website. People who are like, yes. We're excited
for a conference. So we've got Binarly as our platinum sponsor,
Cellebrite, Ursa secure, and,
RII, Research Innovations, is the, the, the other one. So
Perfect. Yeah. Give them give them their plug now. But yeah. No.
It's it's cool that, like, people were willing to sponsor us, like,
sort of sight unseen. Right? Just trusting that we would we would do it. So
that felt that felt really good. It's building the brand. That's that's the 10 years
of building guys' brand up and and being a salesman in the industry. Yeah. I
think that's exactly right. Is there anything else that you'd like to share? The only
other hobby I do is speed cubing and I haven't been practicing as much lately.
So Speed cubing? Have you been doing competitions for speed cubing? There's not enough in
Florida, but, yeah. Like, I I go to most of the ones in Florida. But
the the last was in Tallahassee. It was just too far of a drive, so
I didn't didn't go. State champion yet? Not even no. I'm an old man. Are
you kidding me? Like, there's literally a separate league for people over 40. Like, there's
actually a separate scoreboard because I, at one point, was like 69th
in the world, over 40, but, like,
I'm 30 thousandth or something if you count everybody. Like,
I am very slow. Yeah. Like, relative to like, my fastest times
are like 12, 13 seconds usually. And, like, that's not even
enough. It's doing 6 seconds, 5, and 4? They're down in the
fours. Yeah. They're down in the fours for, like, yeah. The top the
top the the top spots, but any any regional It's just
there's no, like, algorithm, like, advantage. Everyone knows the algorithm
of the fastest way to do it. Right? Or
yeah. For the most part, yeah. What what what, there are you can
memorize more and more algorithms. And the more you memorize,
the the more options you sort of have available to you. But, also Okay. At
first, the more it takes to recognize which other game you should do. Can they
can't just lay you down? So there's that trade off. The best people know all
the algorithms and also have zero pauses and just go straight from one of the
other. There is a little bit of creativity in one of the earlier sections. It's
it's kind of fun in terms of decision making choices. Like, there's absolutely strategy. It's
not just a hard and fast. This is the optimal way always, and you know
it. There's a lot of, like, different techniques, and different people will solve
it, a little bit in the earlier in the earlier phases. Towards the end, it
tends to look very, very similar, with exceptions for, like, how
many memorized algorithms you have memorized. But common algorithms just, like, you know, sequences
and moves for particular cases, like case case case solves. But, no.
It's fine. It's it's been my and now it's happy. It's been a been a
good thing to pick up and It's been a good thing, like,
I've I've wanted to do my I remember one of my best friends in
high school, he knew it, how to do he solved it and I was like
I wanna learn, but I wanna learn on my own. I
don't wanna follow an algorithm. And then I just now I'm 30
what? 3? Whatever? 30? I don't know. And now I haven't done it and I'm
like ah, shit. I maybe I should just learn the algorithm. Shouldn't just learn it.
I can do it. Rusty, my my my third cofounder, did that
where he was, like, I wanna learn, like, intuitively. I wanna get a sense for
I just wanna play with it for a month or so. So he he did
that. Like, I was just straight up, like, I was just gonna memorize. He didn't
solve it though. That's the thing is he made it to the last layer and
it's it gets exponentially more difficult. Really? The because
because the the closer you get to being solved, the less freedom you
have to, like, make moves without disrupting what you've already solved. And so that's where
it becomes easier to, like, just memorize an algorithm or look
up the correct answer to, like, get those last those last little bits. But, like,
the first two anybody can and should just play with it for a couple
weeks, and you can learn enough to get the first two layers. Like, to get
a whole lot of face and to get like the size and the edge. Like,
you can figure out just by I got that part. Doing that. Yeah. Exactly. Then
the last layer, it's obviously, there's people who figured out their own. It's been solved
before by people at that point, but I'm not one of them and that's yeah.
So so I just memorized. A lot of good old ones.
About games. So, like, do do you
do you get any interest in playing, like, games like mafia or werewolf where you
have to, like, pretend to be someone? Yeah. My son is a huge he's literally
right now is playing that out of school. Every day at lunch break, they play
they play werewolf. Yeah. We have all of the variants at home. This new one,
by the way, if you haven't looked at the Kickstarter called, either werewolf in the
dark or mafia in the dark. I think that looks really, really fun. It's like
an in person kinda big group gameplay. Anyway, yeah. So I'm
very familiar with with with those games. Do you play these ones as well? Do
you like these ones? I I do to a certain point. I'm a pretty good
liar. Like, when I when I need to be, which is weird
because I'm not naturally a liar. Like, I'm very like, I just am super
I default to the truth just all the time, which is also part of what
I do. Because it's like long term relationship, something else. It's never worth
it. It's almost not yeah. It's like yes. Exactly. So
If somebody, like, will ask me my opinion, I'm gonna tell you my opinion. Even
if it you don't like it. Because I'd rather you know the truth now than
it, like, it just it's one of those things that we're just practically speaking. I
think it's always best to tell the truth. Always. And so I'm scrupulously
truthful and even just how we run the company, we're very transparent. We have a
GitHub database with all of our issues and our roadmap in future. Like, we don't
hide or have secret plans. Like, we just we do everything in the open as
much as we can. It's just kinda like our philosophy on doing this. I really
think that's just a better way to do things, but, Yeah. No. I
I'm usually pretty good at mafia, like, in lying, about, like,
whatever. I can I can keep a pretty good face? Yeah. I prefer I I
like it a lot too. I've noticed we've been playing I got, like, Catan right
here. We've been I taught my girl Catan. And she loves
it. She loves playing it. And I've what I've realized is if you
are like let's say let's say I go to your house and I'm playing with
you. Right? I'm more likely to screw you over because I know
you and I don't really wanna screw anybody else over because I don't know them.
Yeah. So, like Yeah. The person that you invite over always screws you over. Not
always, but most of the time will you over more so. So you already you
have this, like, disadvantage. Like, as soon as the game starts, I've noticed. I was
like it's a it's just one of these, like, quirky things about, like, how the
game dynamic's set up and, like, how human human behavior is,
regardless of the rules in the games. It's it's interesting to do with some people,
like, my mother despises mafia or werewolf or any of those
games. She just because she always gets mafia and she hates it. She just doesn't
like lying. She doesn't like being the one that's gotta hide what she is. She
just it is the most painful. And she literally just for the her mental
health. We just stopped her. Yeah. Exactly. She's just too nice. Like, it just doesn't
so she just refused to play now. So now we'll like, big family gatherings will
always play play around the mafia. And, she is
she is excited. Play. Nope. Grandma grandma doesn't play. She just and it's
everyone's just that's fine. Grandma doesn't play. But all the cousins, all my my
my siblings, and my, you know, my dad will will do it. So
yeah. We'll play games. We we always play family games as well and whether I'm
playing fam actually it's when I play games with new people. If I if it's
a game that like I almost a 100% sure very very confident that
I'll win. Sometimes I'll like decide if like I'll just purposely lose
so Yeah. That the next time in series that we play They wanna play. Yeah.
Yeah. They wanna play. Yeah. Yeah. Yeah. So, it's just another level of I
like I like co op ones. Table co op like there's a Castle Panic and
there's, you know, there's a couple of the the the tabletop games that are explicitly
like cooperative. I think that's a really fun genre. There's a there's a bunch of
those which I I really enjoy. I I am I'd like to see some of
those and learn about those. I we've never done those. By by nature, I'm too
competitive. If I so I I could that that by just not caring and not
not be competitive at all. Because, like, once I start being a little competitive, it's
bad. Like, so I've I sort of, like, have had to, like, over the years,
I've mellowed out and I just I don't try because once I, like, it's, like,
I'm either on or off and, like, I Yeah. Yeah. Just better if that happens.
After the game is done and you're like, that's you're like Some years ago this
guy No. For me, no. I'm I'm very I can disconnect, but other
people Not perfect. No. Because I I was the person that ruined it. So like
there are consequences afterwards even if they're not direct to my Oh,
right. Yeah. Right? I've had this too. I played a game or whatever and then
like I don't trust Chris because Ever again. He did something with this game. I
was like, we're playing a game. Yeah. Yeah. So that
that's the consequence. You gotta you gotta watch out for that. Yeah. You gotta look
out for that. But, alright. I don't wanna take out too
much of your time. I really enjoyed this conversation. I'm hoping, a lot of people
also gained a lot of insight from this. Well, I think what the plan is
what I'll do is, we're gonna get a few episodes, created, then we'll start
rolling them out so that way I can, like, push one out. It could be
something like that. But Yep. Schedule now. We'll keep you in the loop and Sounds
great. Everything like that. So Jordan, thank you so much for your time, man. Really
appreciate you being on here. We're excited to, you know, see what
more comes from Vector 35, yourself as well, and then your conference coming up.
So I appreciate it. Hopefully, we'll sit there. Thanks. Take care. Of course. Bye
bye. Cheers, brother.