Feb. 4, 2026

Dr. Eric Cole - Former McAfee CTO | No One Is Safe Anymore

Success Story with Scott Clary


Dr. Eric Cole is a cybersecurity expert, entrepreneur, and bestselling author with over three decades of experience in the industry. His career has advanced from starting as a professional hacker for the CIA to becoming a commissioner on cybersecurity for the Obama administration. He has served as chief technology officer at McAfee and chief scientist at Lockheed Martin Corporation, and his accomplishments have earned him an induction into the Information Security Hall of Fame. Cole is the founder and CEO of Secure Anchor Consulting and has authored multiple books on cybersecurity, with his latest work, Cyber Crisis, debuting as a bestseller. He holds a doctorate in information technology from Pace University and multiple degrees in computer science from New York Institute of Technology, and he is a sought-after keynote speaker who advises Fortune 500 companies and world leaders on cybersecurity strategy.

➡️ Show Links

https://www.instagram.com/drericcole/

https://x.com/drericcole/

https://www.youtube.com/c/DrEricCole/


➡️ Talking Points

00:00 – Intro

01:24 – The End of Passwords

09:58 – Can Humans Be Trained Out of Being Hacked

14:12 – How Phishing Really Works

21:07 – How Vulnerable Is the Average Person

26:09 – Why Convenience Always Beats Security

29:34 – Simple Cybersecurity Rules Everyone Should Follow

34:17 – Why the World Needs Global Cyber Laws

47:13 – Sponsor Break

49:44 – Hacking a Nuclear Reactor in 37 Seconds

57:41 – Why Deepfakes Are a Real Threat

1:07:40 – What a Real Cyber War Could Look Like

1:15:39 – How We Can Defend Against Cyber Threats

1:23:38 – Lessons from Working with the Gates Foundation

1:28:16 – Sponsor Break

1:30:10 – Can the US Win the Cyber War

1:33:39 – Why AI Without Safeguards Is Dangerous

1:45:52 – The One Lesson Eric Would Teach His Kids

1:48:51 – Lessons Learned from Powerful People

1:53:18 – Eric’s Mission Today

Transcript

The number one thing that probably gets me the most frustrated and most upset is people are still using passwords. If you're using a password today, your system is already compromised 95%. Because most people don't realize this. What if the biggest threats to our world weren't missiles or armies, but invisible lines of code? Today's guest has spent decades operating in the shadows of cyberspace, protecting governments, corporations, and critical infrastructure from attacks most of us will never see. Most people think cyber attacks are going after government and big companies. That was true five years ago. The current attack vector we saw over the last 18 months is, that's too hard. Trying to break into the government is difficult. Breaking into individuals, simple and easy. If companies actually fire employees and replace them with AI, we're on a path where 30, 40 years, humans could be obsolete. He's advised intelligence agencies, exposed the psychology of hackers, and revealed how fragile our digital systems really are. If I go in and create a deepfake against the president, it's currently on our laws. It's not illegal. How can we live in a country where somebody can create fake media and there's no penalty? The more decisions you make, the bad decisions almost become irrelevant. If you're afraid of making decisions and you're slow, you're going to lose out to the competition every day. So Eric, you are one of the most dangerous people in America. You can hack a nuclear reactor in 37 minutes. You've advised presidents and billionaires. You've built a company, two billions. You've had multiple exits in the high seven figures. But your personal biggest fear isn't foreign adversaries. It's not cyber criminals. It's people like me and a lot of my listeners who are walking around completely defenseless in this digital war zone that they don't even know exists. And you've said before that we're all targets, but most of us are easier to hack than a 1990s Windows computer.
So when you look at one thing that people do every single day that frustrates you that really just makes you want to scream, what is that thing that people are doing? The number one thing that probably gets me the most frustrated, most upset is people are still using passwords. I mean, passwords, I say are so outdated. If you're using passwords, you might as well go back to the 80s, put on bell-bottom pants and listen to the Bee Gees. I mean, nothing against the Bee Gees, I love my music, but it is so archaic and so easy to crack. If you're using a password today, the probability that your system is already compromised is close to 95%. Because most people don't realize today's attacks are stealthy. They want to get into your account, monitor it, and most people think, oh, they want to wipe out my entire bank account. No, what they want to do is steal eight to $10 a month from you and do that for years upon years and just think about it. If you went to a restaurant and you bought a meal and you put the tip on there, if somebody added five additional dollars to that, you probably wouldn't notice. Most people don't check the exact amounts at the end of the day. If there was an additional $7 charge on your credit card, most people don't notice that because today, with all of our online apps, we're always doing small purchases, and that's what the attacker is doing. They're compromising your password, and it's so easy. You have to go to MFA, multi-factor, or what we call two-factor authentication. And yes, what I always get back is, but Eric, that's annoying, right? Every time I go to log in, I got to go to my phone and type in the code, and it's so annoying. My response back is, you know what's annoying? Having your entire bank account slowly drained over the last next 10 years, having your identity stolen, having your child targeted or bullied or not accepted to college, because somebody posts fake videos under their account. That's really annoying. That's very annoying.
I always say, pick your annoyance. You either have a small annoyance or a big annoyance, but as you said, most people think cyber attacks are going after government and big companies. That was true five years ago. The current attack vector we saw over the last 18 months is, that's too hard. Trying to break into the government is difficult. Trying to break into commercial is difficult. Breaking into individuals, simple and easy. I know that you are the author of the Wall Street Journal number one bestseller, Cyber Crisis. Now, this book speaks about protecting businesses for sure, but one of the main cyber crisis that you see is the average person just getting slowly drained over the next 10 years, 15 years. And this is sort of like the current model for cyber crime. And this is how it, this is how it becomes profitable. I'm assuming this turns into a whole criminal enterprise, because if I'm just doing the math very quickly, if there's how many people in the US, whatever, what is it, 330, 340 million, something like that. And I can only imagine what percentage of those people do not have 2FA. I mean, I don't think that 2FA is across the board, common. I mean, I have 2FA on everything. Awesome. Everything. You may be so happy about it. You may be so happy. I'm so enraught. And I don't even like 2FA on my cell phone, because I'm so stressed about somebody doing like a SIM swap or stealing mine. So I have 2FA on an authenticator on my actual device. There's maybe even better ways we can talk about how to protect yourself. But I come from tech. I'm neurotic about my security. And I don't want any of my stuff hacked. I don't want any because I, especially when you put yourself out there, at least in my head, I feel like I'm a target, because I feel like people are always trying to get into my social accounts and trying to get into my email. Yeah, you're even a bigger target because of your audience here. Bigger target. Exactly.
Because of what you're doing. Listen, I'm not as incredibly rich, but I see some of these crypto guys, because I've had some of them on my show. And I've had the CEO of Ledger, the wallet. I've had him on my show. I've had one of the co-founders of Ethereum. I know there's like nine of them, but I had one of them on. But they all tell me these horror stories of like, multi-multimillion dollar hacks and whatnot. And I think that that stressed me out so much, that that's what made me want to do 2FA on everything. Because I don't want my identity stolen. I don't want my money stolen. But I don't think the average person is that stressed about it. I don't think, especially if they're taking 10 bucks from my mom or my grandma, like they're not going to notice it, but then do the math, right? So 10 bucks a month times 10 million, 20 million, 30 million, 50 million people. I don't know what the numbers are, but that adds up to like a lot of money over a period of time. So this is the cyber crisis that we're all dealing with right now. Exactly. And just to give you some perspective, last year in 2024, the amount of damage cybercrime caused to Americans was 20 billion. Now to show you how bad it is, we're only halfway through 2025. And the numbers are already estimated to be 31 billion. And here's the scary part about those numbers. That's what's reported. So imagine how much is not reported on there that could cause damage. And you're right. Cyber Crisis was written for businesses, but the important thing is for listeners is three years earlier, I wrote a book, Online Danger, which was really meant for audiences. We talk about not clicking on links, multi-factor, all those things. And what I found is businesses are coming to me going, Eric. It's great that you wrote a book for individuals, but we need something that's more executive focused because executives typically are not going to read those self-help books.
So that's, Cyber Crisis was sort of a revamp of Online Danger for businesses and executives to sort of wake them up and realize they're targets. Just look at how many ransomware attacks are against businesses. And the average businesses typically have to pay anywhere between 500 to 5 million in a ransom payment. And I go back to the company going, if you would have spent 200K, you could have avoided that $5 million payment. And the other mystery that people are realizing is insurance companies are waking up and going bankrupt because they're paying these ridiculous ransoms and they can't afford it. So two or three years ago, companies like, I have insurance. If I get hacked, I pay the ransom. The insurance company covers it. We're good. In the last two years, insurance companies like, wait a second. We can't afford to be paying out $80, $90 million a year because 10 or 12 of our clients have ransomed. So now they're getting so much more particular. And we're seeing a lot of ransom payments where the insurance company is coming in going, nope, you failed to meet the policy. And therefore because your systems weren't up to date, we're not paying. It's the example I give with life insurance. Most people go in on their life insurance policy and they check the box, I don't smoke. Yeah. Well, you realize if God forbid something happens and you pass away and they go in and subpoena your credit cards and see that you go to a cigar bar even four times a year, they're going to go in and say you smoke when they're getting the policy. And we're seeing that same thing with corporate policies where they're going in and saying every system must be patched. Every system must be up to date. And then the insurance company goes in after a major breach and says, well, you have three servers that were unpatched. Now, they have nothing to do with the breach. They were on an isolated network. But because you failed to adhere to the contract, they're not paying.
And now the company has to eat that $5 million. Listen, I have an issue with security with insurance companies. Yes, I know. That's how we hold it. We could obviously spend the whole show on that. But if an insurance company is that particular about enforcing a policy, which I know they are, I feel like it's very easy for an insurance company to screw a business over. Because, and the insurance company, they'll never call it screwing a business over. But for the average small business owner, say, sub 10 million, OK, maybe they have somebody who is responsible for IT, maybe not. Maybe they have, maybe they have, it's outsourced. It's very hard to keep track of absolutely every single thing that is required in an insurance policy. So, I mean, I don't know what the solution for that is outside of just being very diligent. But I guess the real solution is business cybersecurity is really just educating humans on best practices. Because, you know, an executive that gets compromised or responds to a phishing email or clicks a link in a text for whatever reason, even though they shouldn't be clicking it, or they do something that, you know, it doesn't, they should pay a little bit more attention, but it's not, it doesn't seem like it's a big deal when they get that email. It doesn't seem like it's a big problem when they ask for this person's phone number or this person's contact information. It does, it kind of seems normal, and then they're not trained, and they just do it, and then that leads to the breach, and then you have to deal with insurance. So it's much easier, I think, to educate your team and your staff on best practices, and really that all cybersecurity issues are really just human issues. Bingo, at the end of the day. 
They're hacking individuals, not really the servers, and my general advice, once again, this is what I do, and I'm not actually giving advice when I would come after me, but I don't actually have cyber insurance, even though I'm a cybersecurity company, but I have an E&O, an errors and omissions umbrella policy, which if something really bad happens, because I don't want to lose the business. If something really bad happens, it's covered. If I make an error or mistake, but I don't have anything specific because for me, an E&O policy is about 5,000 a year, that's for a $10 million cover, which is good. But if I tried getting cyber insurance very particular, it would be about 45,000. So to me, you get the general coverage to protect losing the entire business, but you focus in on then implementing, and like I said, the other biggest thing, and I know it's foreign to a lot of folks, but passwords are the one problem. The next one is embedded links. So at our company, any email that comes in, all the embedded links are turned off. We do straight text messages because the number one vector of attack, as you said, is you get social engineered, right? You get the message, you, the Florida one. There's a toll that you need to pay, right? And the idea is that the toll is, oh, it's $9.75. So people are like, oh, not a big deal, but they want to get your credit card and personal data so they can do more damage. What if you turn those links off? What if now when you get an email from Amazon or your bank, the link cannot be clicked? So now what you have to do is say, okay, Amazon's sending me a message, I need to go into the app. Apps are really secure, links are not. So I go into my app and I check and see, oh, is there a problem with my order? Well, if I get a message from the bank, then a link can't be clicked. It's turned off. You can automatically do this in your email client. Super simple, a Gmail or anything like that. Gmail or anything else.
You just turn off embedded links for everybody and then you go in and say, okay, let me open up the app for my bank and check it. You go in and do that, when you turn off embedded links across your company. Once again, huge vector of compromise completely removed and taken away. So this is, I'm assuming what most people fall victim to. And when they click that, when they get a text saying that they owe a $9 toll or they get an email from what looks like to be a very, it looks like Amazon or it looks like Google. And they click that link. Are they already compromised? What happens next? So it's what I sort of call the double whammy. So the first thing they do is as soon as you click on that link, it does what we call a drive-by download. It's dropping malware on your device. Then, so even if you then go in and you get to the login screen where like ask you to enter in your name and a credit card and all that, even if you say, oh no, no, this is bad, you're already compromised. Then what they try to do is get you to enter in credit card, bank info or other data. So then they can steal your credit card and then do charges. So it's sort of a double when they want to monitor your device and also do that. And a perfect example of this, and it's a shame it got buried, but a few weeks ago, on a Friday evening, we had the largest password breach in the history of the internet. It was close to 40 billion passwords. But here's the thing that makes it so interesting. Every other password breach prior to that was a company getting breached. If you remember the Marriott breach, that's where they went in and took all the passwords from Marriott. But in this case, they didn't compromise Microsoft or Amazon or Facebook. What they did is they compromised over 30 million devices with exactly what you're talking about. And they stole the passwords from individual devices.
So this is sort of the first breach that says what I was saying is true where they're compromising individual devices. Now, I mean, if 30 million devices all had their passwords stolen, that means most devices are already compromised and already have malware on it. And unfortunately, the story got buried because what happened within 24 hours was the attack on Iran. And of course, for some reason, that gets more news coverage. Now let's just be honest, attacking another country with bombs and all that stuff doesn't impact you and me on a regular basis. But having our devices compromised with passwords does, yet the media just is more focused on the global than on the individual. So two things you need to do there is, one, and I know a little bit of an inconvenience, but once a year, I actually re-image my smartphone because this way, if there's malware on it, it's not gonna be there. Most phones are compromised for years. And people have no clue. So if you just do a re-imaging, that's gonna help and that's super simple. And then the second thing is, delete apps you haven't used in 30 days. I don't know if you're like you, but most of my friends, you look at their phone and it's like, boom, of course. It's like hundreds and I ask them, I'm like, when was the last time you used this app? I have no idea. Well, here's the thing, if an app's on your phone, even if you're not using it, it can still have malware, it can still infect your system. The app can be compromised. The app can be compromised, but here's the good news. If the app is compromised and not the device, if you delete the app, the malware goes away. It's tied to the app, not the phone. So one of the things that I always do is any apps you haven't used in 30 days, delete, and I'll give you a challenge. It sounds crazy, but I'm doing it. Run your life on less than 10 apps. On my phone, I only have 10 apps. I love it.
And now the probability, because I check my phone and I run advanced malware and stuff on the malware analysis tools, and it's not compromised, because here's the reality. Your mainstream apps, like your Uber, your Amazon and all those, I mean, they are so tight, they have so much security, they're so locked down, those are not going to have malware in them. But it's all those free apps that you get from who knows where, and a great example is one of the number one downloaded apps over the last 10 years is this flashlight app, where you can actually go in and make it like a flashlight or a strobe light or neon lights, which people really love for concerts and parties and stuff, it's super cool. If you actually go in and look at it, it's actually made in China. And we've shown that there is some backdoor monitoring in that, but people download apps, they don't look at where it's from, they don't look at any of those features, and here's the reality. You could live your life without that. You don't really need a strobe flashlight app. We're talking about an iPhone, which is pretty secure in terms of like, it's pretty safe in terms of cybersecurity, compared to like a lot of like Windows devices and whatnot. Like iPhone is pretty secure and say, like on my Mac, I'm sure I have Chrome extensions right now that have malware built into them. And on top of that, all of my credit cards and all of my information is like saved in my browser as well. So I mean, you're just, yeah, I'm saying it, and I'm like, shit, like I think that I'm pretty smart about technology and I'm still doing dumb stuff. So I can only imagine what the average person who didn't spend their life in tech downloads, uses, doesn't pay attention to. Now, and you nailed it. When you get a brand new iPhone, and I take it out of the box and I turn it on, I'm careful with saying this, but it's very close to unhackable. I mean, it is really, I mean, Apple does an amazing job. 
I mean, they really lock it down, but I compare it to buying one of the safest vehicles, which is Volvo. I think Volvo was still considered one of the safest vehicles. When you get that brand new Volvo, it is a safe car. It is very, very safe and secure. But if I go in and do something stupid, where I go in and have substances I shouldn't have and I drive it 100 miles an hour and I run a red light, you can still get injured. You can still get damaged. It's the driver that makes the vehicle unsafe, not the vehicle. And the same thing with an iPhone is, if you just take that iPhone and you install five or six apps from trusted sources, you're doing great. But it's when you start putting all the free, free, free, and you've probably heard this, free is not free, you're the product. So when you go in and say, I'm doing free, it's tracking and here's a fun thing. Go into your iPhone, go under settings, go under location tracking and look at all the apps on your phone that are currently tracking your location. I will guarantee that you're probably going to start saying four-letter words like, what? Because most people have no clue. I do this at events and I'll just randomly grab somebody's iPhone and I'll look at their location and there's 30 apps and they're sitting going, I had no clue this and this. But we are being spied on and tracked because of all these free apps. So is the worst possible outcome with all this malware, the drive-by malware, the accidentally putting your credit card number in or using an app that's free or downloading a Chrome extension or all these sort of like bad practices that people do? Is the worst outcome somebody taking 10, 20 bucks out of your bank account every month or is there real threats about, for example, someone going through your emails and publishing your life online, going into your, I don't even know, your bank account and draining your 10, 20, 50,000 dollars, like how real are those significant threats versus?
And I'm not saying that 20 bucks a month is good, but I think that when people think about cyber security, they're always stressed about, okay, what happens if somebody takes 100 grand out of my bank account? Or somebody posts all these naked photos of me online and then my life's over. What is real, what's a real threat and what's not? So they're all real, what it comes down to, what I call sort of the funnel. So if you started, or maybe a pyramid's better, so you start at the bottom and the number of people that have five or 10 dollars being stolen, tracking location, doing basic things like that is very high, very high percent. But what happens is over time, if they're stealing 10 dollars from you and you don't know it's for a year or two, at some point it will escalate. And now that becomes a smaller number, but it can still happen where you can have your bank account wiped out. We see corporate espionage all the time where they'll break into the email of a COO or CEO and they use that to do competitive analysis, to steal trade secrets. I think I told you I do expert witness work. It used to be one case every few years. This year I actually have four cases in which that happened where a competitor broke into the email and stole trade secrets. And then when they went in and investigated, because the good news is if you're looking, they can't cover up their tracks very well so you can tell it happened, but they find out after the fact. In one case I'm working, this company has been noticing that every time they go to release a new product and they have pricing and they have this campaign, one of their competitors releases almost the similar campaign, I mean, similar advertising, similar messages a month before them and captures the market share before them and then they lose significant money.
And after four or five times they said, it's not a coincidence and they brought us in and we went through the logs and the intrusion detection, everything and we're like, yep, sure enough, they've been breaking in and monitoring that and they just had no clue that could happen. The other thing that is less likely but it's still happening and to me it's probably the most horrific thing is your children being abducted and targeted and it's terrifying. Do you know the United States? I mean, we're one of the biggest countries superpowers. We have the highest rate of child targeting and being abducted than any other country in the world because we're so reliant on tech and the way they do this is and this is why, as a parent, I'll go on my soapbox for a second. As a parent, you need to watch your kids' devices, lock them down, follow them on social media because what these attackers do is they go in and they'll find pictures or now with AI, they'll do deepfake, they'll generate an 18 year old that doesn't exist and they'll start targeting your child following them on Snapchat or TikTok or others. A fake person and they build a relationship with them, oh, hey, how you doing, and they do this for a year or two and then they go, hey, my parents and I are coming to Virginia on a trip, we've been following each other for two years, we're really good friends. I feel like I know you, hey, do you wanna meet up for coffee or do you wanna meet up and just say hi and meet each other in person and not all but a high probability of kids like, sure, it's trustworthy.
If they drive, they don't always tell their parents and then they go and get targeted and get abducted and then the unfortunate part is once it happens because they're so good, it's very hard to get the child back afterwards but if you can prevent it and monitor and tell your kids, hey, don't ever meet up with somebody, track carefully who you're monitoring and parents get more involved, we can actually stop that from happening. Now yes, it's not everyone but it's a big enough percent that we're not at the top of the pyramid that this is happening all the time and it's about monthly where I'll actually get a call from a parent where that type of activity happened and they're like, what can we do? And I'm like, unfortunately it's an area where prevention is ideal but once it happens it's very hard after the fact. So you were talking from $10 to some very serious things for you and your family. So we were first and I've listened to a couple of your interviews and you started in the CIA in 1990. Yes, yes, okay, so when you started in the CIA there was no internet, there was no worldwide web the way that we understand it today. Google was what, 96, 97? Google was 97, Amazon was 98. Smartphones, Apple, the smartphone didn't come out until 2007. So yeah, you're really, like I was there before. You were there before all of it. So you saw the internet sort of come into fruition. You saw smartphones, you saw this technology being built and we were leading the way and we're creating, you know, this incredible infrastructure before the rest of the world. But then you're saying that we got lazy and that we didn't do a good job of understanding what we were really creating and sort of giving to our population and we're not giving them a rule book on how to use it. 
And this is what the, and I'm surprised that, I mean, I'm surprised that the people that led the way, I don't know, I'll say it in terms of technology and innovation, why don't we lead the way with security and protection and not just building first but building best? It's one of those, it's the unfortunate reality. Functionality always leads and security follows. Great example is if you look at automobiles. Automobiles came out in the 50s and 60s. Seat belts weren't actually a thing until the 70s. And I remember growing up, I don't know if you follow Ralph Nader, but he was sort of Unsafe at Any Speed. He was the one that really pushed that and it's crazy because I was born 1970 and I remember when I was six and seven years old that people were so infuriated against seat belts. People were cutting seat belts out of their car. I mean, people were not wearing seat belts because they were like, this is crazy, but they didn't realize it saves lives. Now today seat belts are normal, airbags are normal, but it wasn't when they first came out and unfortunately, that's how a lot of people think functionality leads. And I remember in 92, when the web came out, I was one of the biggest critics of it and I got a lot of negative criticism. I mean, I got death threats and stuff because I was like, listen, we can't release this without the security embedded. Now, eventually down the line, your SSL, secure socket layer, transport layer security, all those came out, but I'm like, we should delay releasing the web until those features are there because most of the early websites were trivial. Like before 2000, I mean, you could deface or break, I mean, it was like the example I give is, it was like people where they have their doors unlocked and their windows open and you know they go to work from nine to five in the office. So I mean, it would be trivial if you wanted to walk around the neighborhood. Nobody had alarms, nobody had that. I mean, that's to do whatever you want.
That's how it was with the web and unfortunately, because we got so much money and so much value and benefit. Today, there's still a lot of people that essentially have their doors unlocked and their windows open on the internet because they just don't realize how bad it is. So you've given some really good tips. The average person's listening to this is now stressed out and they're wondering how to go through life now with all these people trying to abduct their kids, God forbid, steal their money, all these other horrific things. What are some other things that they can do? Like how do you navigate life without being paranoid all the time? So I always joke, not to my level, but a little dose of paranoia. It's not a bad thing, right? It's good to have that and remember, in the real world, we tell our kids, don't take candy from strangers, don't go in car with strangers, look both ways. I mean, there's a little paranoia. And my favorite example, nothing against these companies because I use them. But when I was growing up, my parents would always say, and they teach you in school, don't get in a car with a stranger. Don't get in a car with a stranger. Don't talk with a stranger. Today, we not only get in a car with a stranger, but we pay them. Coming over to your interview, I got in a car with a stranger. I have no idea who this person was. They could have been targeting me or abducting me. We have no idea, but our standard has gotten crazy where we went from not getting a car with strangers to now putting 10-year-olds in cars with convenience. As a convenience. And we're so obsessed with convenience in real life with Uber or Lyft or whatever, or in cyber life with the latest app that lets us strobe our philosophy. We're so obsessed with convenience that we forget about safety and security. Because we're like, oh, that can't happen to you. That happens to other people. That's not gonna happen to me. Right? 
There's stories about people that have gotten into Ubers and are abducted and killed. But millions of people get into Ubers every single day. Now, here's where I'm sort of a practical security guy. Is, I'm not gonna sit there and say, don't use Uber. I use Uber, but here's two things you can do. You can go into Uber and you can check the settings to only get Ubers that have five star ratings and have been on Uber for two years. Because here's the reality. The ones that are getting abducted are ones that are brand new. It sees Uber drivers that do it a month, they're targeting somebody, they're trying to hijack or take over. So you just go in, it takes 10 seconds to go into Uber and just up the settings. And then the other thing that very few people do that's so important, check the license plate. Like, I watch an airport and I see so many, I'm an observer and awareness. I see so many people, the car pulls up and they're like, oh, it's supposed to be a great Tesla. And they just get in and they never check with me. I always walk around to the back and check the license plate. And then I check the picture of the driver. You always do some verification. So it's one of those where it's not avoiding it. It's just adding in a little healthiness. The other thing, and I don't promote it, I probably should get stock in the company. But one of the things is I basically live my life on an iPad. Now here's the reason. An iPad is a simpler operating system. Most of the malware that you see that does the drive-by downloads are impacting Windows or MacBooks because those are much more complex operating systems and it's much easier to exploit. Very few of those exploits will actually run on an iPad. So now, even if I've slapped you for some reason, and I go in and click on it like I'm not supposed to, the malware will drop, but it won't run because an iPad is simpler. So it's a little bit of an inconvenience because it doesn't have the full functionality.
But for the last year, I don't use Windows anymore or MacBooks because I even make mistakes. I'm tired and I would get infected. Like the one that I would always get hit on is mistyping. So an example of it is about a year and a half ago, it was like 10 o'clock at night, I'm a morning person. So I'm usually in bed by nine, but I'm working with the client and they're like, Eric, we need to have a meeting the next morning. So I go in to my home computer because I didn't have all the apps and I go to type in GoToMeeting. But I go in and I mistype and I would go T meeting. I left out an O because I'm tired and typing a little quick. Attackers register all the similar domain names. So that went to a malicious site, infected my computer and then I had to spend the next 24 hours. Don't do this. But if you go to goo, like GOO, GLE, it's malware. If you go into sort of GOO, GLE, it's malware. They register all these similar domains. How can a domain registrar not just do a scan of all the domains and then start like sending a list to the FBI just to like shut them down themselves? Is it a money thing? So here's the problem. We know who they are. Yeah, it sounds like we know who they are. Here's the problem. They're in Russia. They're in Iran. They're in North Korea and they're in China. Now, there's something interesting about those four countries. One, it's not illegal to hack outside the country. So if you're in Russia and you're hacking outside the country, not illegal. Second, they don't have extradition treaties with the US. So we know who they are. We can go in and here's the crazy thing. We go in and block them. So we find out and we block them. But then what do they do? They pop up again. So they'll go in and they'll do Google with three O's. We block them. They'll do great outside the US. And they just keep doing it. This is why we were talking before the show. You asked what I'm working on. What are my big projects? And this is probably a 10 year plan.
I believe in having 10 and 15 year targets is to have global laws on cybersecurity. Because we have to remember in the real world there's physical boundaries. When I go to Russia or Canada, I have to go through customs control. I have to go through passport. They check and verify and then I have to follow those rules. If I'm in Russia and I break the law, I go to jail. But the reality is if I'm in the US and I go to Russia over the internet where there's no boundaries, there's no jail, there's no law, there's nothing there. So we have to recognize we live most of our lives in cyberspace and there's no countries, we're one world. And then when you're surfing the web, do you realize you could be going to data centers in the Philippines and you have no clue? So to me, unless we have global laws on cyber where countries cooperate, participate and there's arrests and extradition, this problem's not going away any time soon. Having global laws on cyber would be great. But that's assuming that Russia and China are going to adopt those laws. I think you could get like NATO to adopt global laws on cyber. I don't think that would be a stretch. But Russia and China, that's going to be a stretch. North Korea, they're just never going to do it ever. I mean, unless I'll tell you right now, if we went in and I'm trying to push this with the White House, but cyber secondary, no guarantees. But I'm pretty sure if we went to Russia right now, sorry, if we went to China right now and said, listen, we'll zero out your tariffs if you agree to a global law on cyber, I'm pretty sure that's a good negotiating stick. So if we just went to them with no monetary value or benefits of the country, but these tariffs that we're talking about now, I mean, huge impact to China. And if we negotiated lower tariffs for signing a cyber internet, I'm pretty sure they would listen. It's interesting, because I've had a few people on here that also, one of the co-founders of CrowdStrike, Dimitri.
Oh yeah, I'm good friends with George and Dimitri. They're my buddy, you're so good guys. And he writes a lot about China and he speaks about China. Oh yeah, he's really big at China. Very big on China. And basically his thesis is anything that isolates China is actually not good, because the best way to sort of quote unquote deal with China is to work with them more and get them more ingrained into the US, basically, as opposed to isolate. That was his thesis, at least. I don't know if I'm not a geopolitical expert by any means, but it's sort of dovetailing off your point where you're saying if we can negotiate tariffs and sort of like come to some sort of agreement, then we can get them to play ball with cyber security, which could be an interesting point. And it's really just finding ways to get a little bit closer to them so that we can get them to do what we want them to do as opposed to saying these are tariffs, which really isolate them to a degree, which in his argument is not a smart way to deal with China because then they're kind of like removed from the US or left to their own devices. They find ways to do business and to exist without us, even more so than they already do. And that could be more dangerous than keep your enemies closer. I don't know, that's the right thing, but that's the way that that's an interesting perspective. But I don't think it's the worst perspective because if they have no cyber laws, I'm sure that you have some sort of idea of, okay, tariffs are good for maybe some sort of financial benefit to the US, but what does it cost us if we don't figure out the cyber problem with China and Russia and all these other countries? Do you have an idea of what the actual monetary impact of Chinese hackers, Russian hackers? Because you can make the argument that if a Chinese hacker and a Russian hacker, and I didn't realize this, it's not illegal for a Chinese or a Russian hacker to hack the US so they're not breaking laws. 
They're not breaking laws. What is the dollar value associated with that activity compared to what the tariffs are, quote unquote, gaining us, right? I mean, it would probably be pretty close. The problem is we don't track it that closely, but we still know, I mean, we're talking hundreds of millions of damage from China on corporate, I mean, there, you don't remember the country is sort of have basis. So China is known that they don't really do direct monetary, they do intellectual property theft, that they want to steal our tech so they can produce it quicker and better. Russia is all about monetary driven. So they're all the monetary driven ones, and then your Iran and North Korea are more disruptive. They're the one sort of denial of service and those types of things, but now I, I'm very aligned with sort of Dimitri and we've had this conversation, and I was one of the ones that was sort of in the minority of banning TikTok. Like I, I thought this whole thing of banning TikTok, not allowing people to do TikTok, is about one of the stupidest things on the planet because you know how many Americans make their livelihood and living and run businesses on TikTok. So you are impacting Americans so bad by doing that. I mean, it was estimated that just that 24 hours, if you remember, where it was down, that that cost people at least $10 million because they couldn't run their businesses, or couldn't do anything. My whole thing was don't isolate China and say you're evil, and we're gonna ban you because it hurts America. What I said was negotiate, go with China, listen. If you wanna keep running TikTok, okay, but you have to adhere to these privacy laws. You have to go in and start putting your servers in the US, not in China, and they would have been open to all that, but instead we take this harsh, you know, I mean, enemy thing where we wanna fight with everybody and just ban them, I'm like, that's the silliest thing.
Let TikTok operate, but make them adhere to our rules and privacy so it can actually be a net positive, not a net negative. There was the argument around TikTok saying that it's trying to influence like a younger generation with suggesting certain content. I understand why that's concerning. So is Mark Zuckerberg? I mean, Mark Zuckerberg. I mean, Mark's a brilliant guy, but do we trust Mark? Well, do we trust China? I mean, no, Instagram is very toxic for like, you know, the young person's mental health is not great at all, but I was gonna make the argument that, listen, if China, you know, I was stressed out about having TikTok and it's a Chinese app, and from what you're talking about, if it's not illegal to, as a Chinese national to hack the US, they don't need TikTok. They're not, they're not using TikTok. It's gonna hurt us more than it hurt staff everyday. Get rid of TikTok tomorrow, and just as many people's phones are gonna be compromised with malware. Bingo, you, can you run for political office? Cause we, we need people like you with, in Congress and stuff, cause, cause this comments say, nothing against them, but a lot of the folks in Congress and others are in their 60s. It's alarmists. They, they're very stupid. They just don't understand the tech, and it's like, guys, we gotta wake up and one other, just alarming statistic that people don't realize is we are the only country that doesn't have unified federal laws on data privacy and cybersecurity. Most of our laws right now are California is the most aggressive with New York secondary, and because most companies have, have people or customers from California, they have to follow the California laws. This is CCPA, right? Exactly, but California is really driving it. The federal government doesn't have it. I mean, Europe, GDPR. GDPR, yeah, I mean, you're educated. You know this stuff. We don't, why don't we adapt GDPR? Why don't we have federal laws? 
We don't have federal laws to protect our citizens, which is insane. Canada, we have Kanspan. Exactly. Every other country has federal laws on data privacy. I don't know why that, you know, it's so funny because coming from like an entrepreneur, business, background, it was always frustrating these laws because it meant that I couldn't solicit people. I couldn't send them cold emails, right? So I'm like, oh, I can't send a cold email to somebody in Canada unless you have a previous business relationship because, you know, then it could be marked as spam, and there's like significant fines. Same with Europe, same with California, but it was so wild to me as a Canadian, I could send spam emails to almost anybody in the US, nonstop, and as long as I give them the option to unsubscribe, and as long as I'm not lying to them, it's all good. And that was like, that was wild to me. That was so wild. And I think that, you know, it's gotten so bad that, and it's not just spam emails. Like when I'm trying to, you know, sell a product, okay, maybe being a little bit selfish, I'd like to send a cold email to somebody, but on the receiving end of it, like I can't use my phone anymore. It's just on do not disturb nonstop because my number has been farmed out so many times. I can't use it. I can't use my phone to receive an incoming call. I have to, like I have to leave it on do not disturb. At the end of the day, I'll look through all my voice mails and my calls, maybe two voice mails, and people that I actually care about, maybe 40 calls from spam and this and spam that. And I know there's apps that kind of fix it, but it's not perfect. And even my email, I probably get 100 spam emails a day now. And it's almost to the point where I'm like, should I just start a new email and then give that email at the people going forward? Like it's ridiculous how much spam. And now text has started too. I get spam texts all the time as well. So I mean, yes, some regulation would be good. 
And I'm talking from like a business perspective, I think some regulation would be good. Forget the personal privacy, data security perspective, which is a whole other level of why regulation should be good. I didn't realize that we didn't have anything at all. I was aware that it's easy to reach out to somebody without having a prior business connection. I didn't realize that there's no safeguards for data and privacy. Because I guess they all kind of fall under the same thing. Exactly. Yeah. And to me, I mean, there's a balance. Yes. Like one of the, I mean, I constantly am sending emails to Congress and they probably think I'm spam. So they might delete it. I write laws for them. And here's one of the simple laws is if you're sending a message, text or email that is soliciting information with links like credit card or false information or false data, that's illegal. But if I'm going in and informing you about a product or solution that might be of interest to you, I think that should be OK. But there has to be a limit too. Yeah, there has to be a limit of how many you do. But I think there could be a balance where you don't have to say because to me, there's a difference between a cold email and spam. I agree with that completely. And unfortunately, we're trying to bundle them together, which I think would hurt businesses, because I don't know about you, not all of them. But there's times where I receive a cold email. And I'm like, cool. I didn't know that existed. And you do it. So I think there has to be this balance here where we're trying to do these extremes of all or nothing. But I think middle of the, I mean, balance is one of my favorite words. Middle of the road is where we need to get to with security.
Talk to me about your time in the CIA. I think that's so fascinating. Obviously, a lot has changed since then. But I think that the CIA is just this ominous. Nobody really understands what you can do, what you can't do. I know that you have interesting stories about like, you are an incredible hacker. So I mentioned something at the beginning about hacking a nuclear reactor. Why is somebody in the CIA hacking a nuclear reactor? And what was it, 37 seconds? So when I always joke, it's because I believe, you know, people need a little bit of humbleness. I go in and I say, I am not an extraordinary hacker. It's just most people have extraordinary bad security. So it's like one of those back to my example. If everyone's leaving their doors open and their windows unlocked, I'm not a great criminal. It's just easy to exploit and break into. But to answer your question, I'm always glad you go there. Because when I go in and say, I'm a professional hacker or I was a professional hacker for the CIA, it wasn't for malicious.
It was to protect and secure our infrastructure. So a lot of people don't realize the 90s were in the midst of a cold war. And we're concerned about nuclear attack from Russia and other countries. Well, most people don't realize a nuclear reactor can be turned into a nuclear bomb. You've gone in and we've seen some meltdowns like Chernobyl, I mean, that was as devastating as if a bomb went off. I mean, in terms of the wipeout and stuff, so we were really concerned and I could talk about it now. I couldn't talk about it back then. In the 90s of somebody hacking into our reactors and basically detonating it and causing, and here's the problem. None of our satellites, none of our Air Force or anything would have caught that. So my specialty is nuclear reactors. I worked with the NRC, the Nuclear Regulatory Commission. Most people don't even know they exist, but they regulate non-weapon nuclear reactors in the United States. And I helped to write the security policy to help protect and secure them. So my whole goal at the CIA was, hey, one of our big, we call them soft targets because they're typically focused on functionality. Nuclear reactors are all about uptime availability. So believe it or not in the 90s, they were running on old systems that weren't patched, that were connected to the internet for monitoring and tracking. And we didn't realize how just easy and simple it would be for somebody to break in. So I went in and figured out how to break in, find vulnerabilities, and then wrote regulation that said, this is what you need to do to protect and secure those reactors. So it was all done from an offense guiding defense. The only way to be good at defense is to think and know how the offense works. Because most people don't realize there's no way to prove a system is secure. I can't go in and run an algorithm that says, okay, this is secure. The only way you can do it is by getting smart people trying to break in and find vulnerabilities and weaknesses.
So it was sort of that whole philosophy is, like you said, the CIA's so misunderstood. Our job at the CIA is, first of all, we can't do any operations on US soil. And two, our job is not sort of breaking and causing harm. It's gathering, supporting to secure America. So we sort of have, I mean, Tom Clancy, I love him, but yeah, I mean, he sort of gives us this bad picture. It's really a very good solid organization. It's just misunderstood. So you, my job there was it, well, because it's very secretive. Exactly. It wasn't there to go in and attack nuclear reactors in other countries. It was really to understand weaknesses in our system so we could better protect and secure them. I kind of had a slightly like a first row seat to a similar style organization because my dad worked for CSIS. Okay, yeah. And I mean, yes, some parts of his job were exciting, but the majority of it was actually very, very boring. Yeah, it was very, very boring, but it was a lot of, it was a lot of threat detection. It was a lot of figuring out like, what are the attack vectors enemies could use and then stress testing those attack vectors, you people, systems, infrastructure and otherwise. With fast forward to today, 2025, are these types of attacks, are these still concerns? Like, is there ever a chance that, because obviously that's never happened where an enemy has hacked into a nuclear power facility, but these kinds of sort of strange attack vectors are these still a focus or are there other types of attack vectors that people like the, you know, the North Koreas of the world who go after. So it's one of those where we forget the past and we get sloppy. So the way you protect nuclear reactors, critical infrastructure is what we call air gaps. Where basically the critical systems that are running the nuclear reactor are not connected to the internet. So if you break in the servers on the internet, there's no way that you can go in and be able to get in.
But then what happened over the last five years is for functionality. Oh, we want to be able to monitor and build everything else. They started going in and connecting to the internet and great example of that is the Colonial Pipeline. If you remember two years ago, now what's interesting is it only impacted the East Coast. So like, I talked to people in Texas in California and they're like, what was that? That like it didn't really impact them. I will tell you, in Virginia, we had four days where every gas station was closed. We actually ran out of gas because of the Colonial Pipeline hack. And I mean, it was there. We're like, no kidding. We're going and buying bicycles, like we were getting concerned of how long and when it first happened that Monday, we went and gassed up all our cars, 15 minute wait at the gas station. Like there were lines like back in the 80s and then we were really cautious with driving. But by Thursday, we're like, this could get really ugly, really quick. And that whole attack was caused because they used to have an air gap and they connected those systems to the internet for monitoring. And then they went in and eventually broke into it. And then the other interesting thing is, which is the unfortunate reality, is it's cheaper, quicker and faster when these companies do get breached to pay the ransom than it is to try to fix it. So with Colonial Pipeline, if they didn't pay the ransom, it would have taken about three weeks and they would have lost about $90 million in revenue. But if they paid the ransom five mill, they were up and running in a week. So it's the unfortunate one where it's cheaper and better and I got a lot of press on that because the attack occurred on Saturday. And Sunday, they're coming out Colonial and everyone's like, we're not paying the ransom, we're not negotiating, we shouldn't negotiate. I went on every news station and said, they'll pay the ransom because they have to.
There's no way they can incur the devastating impact of not paying it. So I got a lot of criticism, it's funny. Then Monday, Tuesday was sort of blackballed from the media because I was like, oh, you're raising, you know, blah, blah, blah. And then you're fearmongering. And then Thursday, when they paid the ransom, every news station wanted to interview me because I predicted it correctly. And that's the unfortunate reality is, our security is so behind that it's actually better to reward the attacker than it is the self of the curators. It encourages it. It encourages it because now they're going to keep doing it. Where else are you concerned about cyber attacks from not financially motivated? Because financially motivated, sure, somebody wants to make five million bucks, they can go after any business in the world that they just have to do a cost-benefit analysis. Is it going to cost the business more than $5 million to be out of business for a week? And if they go after that, business will pay up, easy calculation for the hacker. But in terms of like national security, so shutting down the power grid, I don't know what other national security, potential attack vectors, there are, I'm sure there's a lot. But what are some of the things that you're most concerned about? What are some of the things that, I don't know, China, Russia, Iran, North Korea, other bad actors around the world actually want to hit us with that you've seen at least? So one of the big ones is deep fakes with AI. Yeah, that's sort of new, but that's going to be huge. I mean, I don't watch a ton of movies, but I like watching ones that are cyber-related is I just saw it on the airplane G20. And essentially, I mean, it's an interesting movie, but the whole thing is they basically got the 20 world leaders, including the US president, kidnapped them, and they had them read 30 words, and then they started creating deep fakes of these presidents out there.
And it was like crashing world markets, it was crashing impact, because imagine if a video came out from FBI director to a senator, to even the president of the United States, that basically said, yes, we have this major thing, and it's a total deep fake, but people don't realize it, and they would respond and react to it. So this whole disinformation, where you can basically create almost identical videos and voice of key individuals, I mean, that terrifies me, because people trust a video on the internet. People trust false information. So yeah, those deep fakes are really, really terrifying to me of the economic impact that could have. How do you protect against that, though? That's not even a hacking thing. That's not a cyber security thing. That's not putting an air gap so that key infrastructure isn't connected to the internet. That is finding a way to educate the world that what you see online is not true. I don't know how to protect against something like that. That's incredibly horrifying. So the way you protect against it is once again, a federal law. You can, there's algorithms that you can run pretty quickly to see something's a deep fake. What if there was a law that said every social media platform had to go in and run the deep fake algorithm against any video that's being posted? That wouldn't be hard. I mean, you're talking the computing power is not that intense, but you need to go in and start putting out there. Here's the other crazy thing. I mean, this boggles my mind. If I go in and create a deep fake against the president and put it out there, it's currently under our laws. It's not illegal. What law are you breaking? There's no law that says you can't go in and create, now I'm not claiming. Now, if I went in and said, you know what I mean, this is the president, but if I went and said, here's an interesting video. Why can't I create an interesting video that simulates, I mean, look at all the memes out there.
I mean, memes are basically a funny deep fake, but they're not illegal. So I mean, it's crazy. How can we live in a country where somebody can create fake media against key individuals and there's no penalty that anyone could do? Why isn't there a law on that? How long do you think it's going to take for a law to be passed on that? Because I mean, you mentioned before the people that make these laws, I've watched like the Senate hearings. There's people that are just so, so, so ancient. People that are just old. That's a good word I love. I was thinking of a nice word because old is absolutely correct. So ancient is better. Listen, they've been on this earth for a long time and they're trying to make decisions and pass laws about things that they do not 100% understand. Like I've seen it with all the social media hearings, the data privacy hearings, crypto hearings, like all it's, and they're just asking the dumbest questions because they don't understand what's going on and you're just thinking, oh my god, like these are the people that are going to be creating the laws and they still haven't created proper laws. Unless there's some huge, you know, Cambridge Analytica level media pressure requirement for somebody to change, nobody does anything. Like I think that, listen, there's still ambiguity about crypto and how long has, how long has that been going on? Like there's still ambiguity about, and I mean, like yeah, it's gotten a little bit better and like this administration is trying to be a little bit more proactive with setting up rules and regulations about crypto and what, you know, what you're allowed to do and what you're not allowed to do and what if it's considered a security or not or whatever. And then there's like the whole like XRP case that was like ongoing for forever and that was supposed to be like, you know, defining the whole category. That's slowly winding down and that's, but how long, what, five, six, seven years?
I don't even know how long has been going on for forever. So the point is the new tech and laws that affect new tech don't, the laws don't happen quickly. I mean, it's probably, I mean, the deepfake and AI stuff. I know that's what's going to be at least five years now. Now imagine what's going to be like in five years. Now the irony is, it should be done this year. Like you go in and definitely good is you probably saw, I think it was like 45, 50 days the new administration came in, Melania Trump had the law about, you know, I mean, if you put false images or false information about younger people that that has to sort of be illegal and stuff, which I think was great, but why so narrow? Well, why is it more expansive? I mean, what we need to do is get key people. Like if we can get Melania and she's awesome and really big on cyber and some of these to spearhead it, we could probably get them through a lot quicker, but unfortunately what it comes down to, it's up to you, me and every listener to just sort of be local enforcers where we just tell people, listen, you can't trust these videos. We don't trust these videos and just spread the message because if we can go in and spread the message of, listen, deepfake is on the rise. Most videos you see out there are total BS and just don't trust videos without verification and validation. We can start to tackle it, but it's almost like we as citizens have to lead the way because Congress is way too behind. Yeah, I agree. You think that's what a cyber war looks like? You think that it's somebody in North Korea getting really good at creating deepfakes? Absolutely. And I think it's one of those where you're talking asymmetric warfare. You go in and what if you start going in doing deepfakes? You then start targeting and compromising devices which were already there and you start withdrawing money from those accounts. You start going in and attacking cryptocurrency and you could crash. 
I mean, you do those three things strategically. You could crash US markets. I mean, it would not be hard to imagine if we start doing deepfakes against stock and certain stocks where we have the CEO of a large company. I don't want to pick on anyone because they do have good security, but deepfakes you can't protect. Let's say CEO of Cisco or Microsoft or Amazon or even some of the new AI companies, right? NVIDIA and they go in, what if the CEO of NVIDIA you know, you did a deepfake and I mean, you got to hand it to the CEO. I mean, the black leather jacket, I mean, he is looking good. I mean, I love his look and stuff. I mean, he's definitely got to get, but what if you did a deepfake video going, hey, because of all the new tariffs and because of everything, NVIDIA productivity is going to be down 70% for the next six months. I mean, that would crash the stock. And by the way, today I can do a video as a consumer, I can't do a video deepfake of somebody that looks exactly like them, it's not perfect, but I can emulate their voice immediately. Today I can emulate anybody's voice and it sounds with the inflection, the tonality, with about 10 seconds of audio from them speaking, I can just copy their voice. And deepfakes, listen, I think that they're, I think that I mean, I'm sure that if there's somebody who had really good tech, they could make a pretty good deepfake already, but I don't think that the average consumer can just do it yet. But it's still like maybe six months away. It's six months away and here's the trick is to get a deepfake believable. You want to have as far out as zoom out as possible. So if like, for example, you tried to go in and do a deepfake of me in this frame, it would be a little choppy and like, you could tell it's a little robotic, but you go in and zoom out and put me on a stage where it's a smaller Eric and it's not as clear. And the voice is perfect and the voice is perfect. 
And the video might be a little blurry, but you mean, that's okay because you're on the stage. I mean, that's, that I think is three to four months away. I think so too. And then the close up, I think it's gonna be about a year, but we're, I mean, we're on the page. It's not like this is impossible, like landing on Mars, we're talking very soon and it just, I mean, it gets scary and that's what most people think, like cyber war is, I mean, breaking into the government or breaking into huge companies, it's not, it's disinformation targeted and like you go in and crash a few stocks with a few bag things. I mean, it's just targeted attacks that could just cause devastating impact. What is the, I mean, if we look at sort of the Iran, Russia, China, North Korea, I guess these would be considered like cyber enemies or like, I don't know how to describe them because they're not all classified in the same bucket. Obviously, I wouldn't put Russia and China in the same bucket as like North Korea, for example, but if you look at sort of the capabilities of our cyber enemies or people that we're not exactly aligned with, what are some of the scarier things that you've seen outside of potential deepfakes? Like, what else can they do? Cause I, and also I'm curious, you probably had front row seats to see how they protect and how they prepare. And I know that you've spoken about a few different things that even Russia does where they disconnect from the internet. I'm very curious about why they would do that. Cause we definitely don't disconnect from the internet. Well, we don't even know how we can, we are the internet. Yeah, so that's the craziest part. I've been asking for 15 years government officials and asking myself, do we have a list of all the connectivity points to the internet? Do we know how we're connected to the internet? And the answer is no because if we didn't disconnect it from the internet, the internet goes down. So how do you protect yourself? 
If you can't filter the borders, imagine running our country, where anybody can go in and out without border. Like, if we didn't have border patrol and we didn't have all those control gates, I mean, this country would be overrun so quickly. So we have physical border control. We're controlling who can come in and out of our borders. But on the internet, we have no border control. We're one of the few countries. Russia, as you said, has border control. The reason why they go in and disconnect from the internet once a year for 24 hours is to basically show that if a cyber war broke out, they could actually be out of it and still run their country. They could run their country without internet connectivity because they have an internal internet to do that. US can't do that, which means if we're under attack, we can't stop it. Most people don't realize when the conflict broke out between Israel and Iran a few weeks ago. And this is very, very telling of what Iran is thinking. Iran disconnected from the internet. Iran is currently not connected to the internet, which means we can't launch a cyber attack against Iran, which why do you do that? That's the precursor for war. If I'm consulting for a country and we wanna launch a cyber war, the first thing I'm gonna say is lock down the hatches, disconnect from the internet. And now when I say disconnect, it's one way. Packets can't come in, but they can still fire out. So now, from a warfare standpoint, if Iran starts launching a cyber war against the US, we can't do anything because we can't attack them back and we can't do that, right? We can't do that because the way the internet was designed, we never did. So to me, one of my big things is, okay, and I'm not criticizing administrations because both of them did it, but the last president, the current president, they've spent trillions of dollars rebuilding our roads. They're spending trillions of dollars rebuilding businesses. 
Why aren't we spending a trillion dollars on building a separate internet, at least for the government or commercial, so we can control their ingress egress points. We should not be the backbone of the internet and the US should be separate. It shouldn't be the same, but why aren't we spending money on doing that? That would be the best, if you're looking at our future, that would be the best investment is building that out because here's the reality. We're so focused on physical warfare. If you go in and build out a list of the top five nuclear powers, US, Russia, I will tell you, Iran and North Korea, which are probably two of the biggest threats to the United States are not on that list. We don't allow them to have nuclear weapons and that was part of the attack. But you go in and you look at cyber capabilities and cyber nuclear weapons, China, North Korea, Iran, Russia, and then United States. So they're all up there. They're all up there because they realized like North Korea realized they're not going to have a nuclear weapon. Now they would shoot some of the rockets as a diversion tactic, but they were spending the last five years on building out cyber hacking and cyber warfare capability. A lot of people don't realize more than half of the economy of North Korea is run because of cyber attacks against the US. That's how they're making a majority of their money. And Iran, once again, has major cyber capabilities. And once again, we gave them the weapon. What I mean by that is, do you remember Stuxnet? No, what's that? Stuxnet was an attack eight years ago as a joint effort with the US and some other countries. We actually broke in to a nuclear reactor in Iran and melted it down. We basically did an attack against their nuclear reactor, melted, well, here's the issue. When you put malicious code on a server and you break in, they have that malicious code. 
So now they have the code for breaking into nuclear reactor and the PLCs, the programmable logic controllers that run the nuclear reactors in Iran, same brand and model that we run in the United States. So we basically have given them a cyber weapon that they now can perfect enhance and now they could potentially use it against them. Why haven't they yet? Because I believe two things, one, I believe they have, they just haven't activated it. The way a cyber attack is going to work is, it's not like a traditional bomb you launch it it explodes. The way you do a cyber attack is you break in and you put the code and then you wait for a certain time and you activate it. So I believe they have access to our critical infrastructure, critical service and devices. They just haven't activated it yet because they know the retaliation factor. So they're just waiting for the right moment because when they do that, I mean, you're talking devastated. I mean, you're talking World War Three. I mean, if they did that. So I think they're carefully planning it and exploiting it, but they're waiting to do that. Another great example is most of our financial data, government information and others is encrypted and it's encrypted with RSA and AES which today is considered unbreakable. But what we're seeing is they're breaking in and doing what we call harvesting. We're seeing them steal encrypted data from banks and encrypted data from businesses. But here's the crazy part. Our disclosure laws say unless they can actually read the information, we don't have to disclose it. So if somebody steals encrypted data and they don't have the keys, they don't have to tell anybody. Wow. And now what they're doing is they're harvesting all these encrypted databases because it's estimated if you look at quantum computing that at least in 10 years, some people say five, some say seven, I'm always sort of conservative. 
So at least 10 years, quantum computing will be so advanced that it will actually be able to break RSA and AES in minutes. So now what they're doing is they know they're building up quantum capabilities in these countries. They're stealing all our encrypted data. So then in five, seven or 10 years, they can decrypt it and use it against us. Imagine if in five, seven years, all of our financial data, all of our passwords, all of our information are now public for those countries. I mean, to talk about cyber warfare at a whole new level. So what do we do to protect against this? Like this is so I asked you like, what were the scariest capabilities of these countries? I mean, these are some of them for sure. So the next 10 years is going to be a rough 10 years. But I guess the question is, you mentioned like Iran's not activating because it would mean World War III. This is more of a geopolitical, I guess, talking point and question. But do you, I mean, from your time in the CIA, do you believe that China, Russia, Iran are actively trying to like really end the US or is it just like a safety precaution on the off chance that there is a conflict? Like do you think that, and I know that there's three very separate countries. I think North Korea, I think we can argue are not fans of the US. But do you believe that like Iran wants to see like true death to America? Like do they want to see, you know, like the West just collapse? I don't know if I believe that China really wants to see that. I don't think so. I don't think Russia really wants to see that either. Yeah, no, you nailed it. It is safety measures. Safety and it's, it's all monetarily driven because here's the reality. If the US went under, if our economy completely collapsed, the world would China relies on us. Iran, Russia, they're making so much money on either business or cyber attacks from us. They don't want us to. So to me, it's, you said, why haven't they done it yet? 
It's more precautionary, but it's also monetarily driven because now if I go in, let's say in five or 10 years and I have all the banking information from major banks, what I'm going to do is I'm going to go back to that bank and say, okay, you're going to pay us a million dollars a month or a year as safety protection. Go back to the mafia in New York City. And that's what we're getting to is like the mafia didn't want the stores to go under. They don't want because then they would lose money. They just wanted to scare them enough so they would give them whatever it was. $100 and pay money and they would do this for years. They actually wanted the businesses, like they would promote them. They wanted the business to be successful because the more successful the business, the more money they made. And that's where I think we're really heading is this extortion ransomware is unfortunately going to be a business model in market where I think most Fortune 500 companies in five to 10 years are going to have line items for ransom payments. So when you go in and you do your profit and loss statements, you have your revenue, you have your expenses, right? Your building expense, your insurance expenditure, this, you're going to just have a ransomware expense where maybe one or two percent of revenue you're just going to have to pay for ransoms because we're behind the curve and we're not staying up to base. Now you sort of said the next 10 years could are going to be bad. I would sort of just change the word could be if the point is if we act now, like if Congress started passing laws and we started locking down our systems and doing 2FA and rebuilding and putting more security. It's your point. They have this information, that's my point. Say, okay, yes, I'll let you think in a second, let's put those out. No, jump figure. They have, they have the information that they've stolen from financial institutions already. They can unlock that with quantum. 
You're saying that just going forward, we have to be a little bit more strict so that they don't keep getting more information so that at some point that information holds no value and they can't use it to exploit companies and individuals. So for example, it's not the easiest, but it's not impossible. What if the banks had a three year plan to change everyone's account? I understand. So now by the time they decrypt it, the accounts are all no longer valid. Yeah, and they have no leverage. And they have no leverage. Or what I do and citizens can do this is every three years, I actually do go into my bank and I go listen, I work in cybersecurity, I'm a little concerned and can I change all my bank accounts? And now I don't have that many, but I go in and I change all my bank accounts periodically. Just change the account number? Just change the account number. Yeah. What you do is there's typically, you do a 45 day so any checks from the old account will still allow and then after that, they won't allow and they won't allow any EFTs from the old account number. And yet it takes a few hours, but it's much better than somebody breaking in and wiping out my entire account. So there's things individuals can do where we just like re-image our systems or change our accounts every, and just do things to reduce the exposure factor. And to me, that's where individuals have to take action because the big companies in government are too slow. You gotta listen, you gotta protect yourself at the end of the day. I mean, something as simple as it's not to the extent of changing your account numbers, but I love using virtual cards. Like I'll spin up a virtual card for a payment and when I'm done with it, I just cancel it. It's so simple and it's like I have a dashboard and get rid of the card, okay, two things happen. First of all, if the card's compromised and no one else can ever use it, but also sometimes I forget what I'm paying for. 
So then if I have like a subscription that I don't wanna pay for anymore and then I cancel the card, then I don't have to pay for the subscription. So I love the virtual card, but this is like on a much easier simple, just like you can do this with any bank, I think now you can spin up virtual cards, use it, cancel it and whatever. And then take that to the next level. So not only do I do virtual cards, but I also have a burn phone, do you? So I have a burn phone that basically has a number and whenever I go to websites or cause you know, some of these to get stuff like, because there's a lot of free content, you have to put in your phone number. So I put in the phone number that burn phone and then when it gets too much, typically nine or 12 months, now it's gotten so crazy. It's about every six months. I go in and the few legitimate, like there's maybe one or two legitimate people that have that number. I just text them and say, hey, I'm changing my cell phone number. Here's the new one and then I give them the trusted one that I've had for 15 years. And then I just go and here's the cool thing. You just go in and call up the provider and you just say you want a new number. They do it over the phone, it takes, but you don't even have to get a new phone. So the idea of like a burn, because on my iPhone, I have two numbers on it. Or do that, yeah. I have two numbers on it. So I have a second one that I pay like 15 bucks a month for that I, a burn number, a burn number. And it's like not like, you don't even have to use an app for it because most phones can support two SIMs now. And you can do virtual SIMs. So it's very simple to do. Yeah, so you don't even need a second phone. Yeah, I'd even think about putting a second number on your iPhone, that's a great idea. And you can actually choose when you're texting somebody to want to choose from primary number or secondary number and you can just have two numbers. 
And I think it's meant, actually, for like when you're traveling abroad, but it works for whatever you want it to do. So yeah, very, very smart, very, very smart. And I actually should do that more often because I've just been using that number to sign up for things, especially when I don't want people to, like, know your real number, I mean, numbers. I guess I'm kind of using it the same way. You are, you already got it, yeah. But it's just like little things like that. And then I also, I also have like a burner email address that I use when I sign up for stuff, but it like links back to my main email address. So I get like all my 2FA codes on it if I want to use it. So anyway, but it's just about, listen, it's just about being smart, protecting yourself, 2FA, not doing dumb stuff. The last thing that I think is interesting, we sort of spoke about your work with the CIA. Obviously your work with like past administrations also was focused on, I'm assuming, just protecting from foreign actors and whatnot. But you also worked with the Gates Foundation. And I'm curious what billionaires do differently than the average person. And I'm also more curious, is a billionaire's cyber security infrastructure more robust than the government's? Or is the government's more robust than a billionaire's? So I'm sorry, I would definitely say a billionaire's infrastructure is more secure than the government. And for a couple reasons, there's less individuals. And just to be clear, I did a little with the foundation, but it was mainly with the personal. Oh, with Bill Gates. So when he basically split away from Microsoft, all of his security and IT was done by Microsoft staff, and he wanted that to be separate and isolated. So I was one of the folks that originally helped set that up. And a lot of it was just the things that we talk about is, so one of the simple ones, and like I said, I can talk about it now, because it's there for it, is for G1, we gave him nickname. 
And so that was for G1, was G2, Melinda? Potentially. Oh, I always wanted to be careful, right? Hypothetically, it could be okay, fine. But like one of the simple things we did for him is, he had three computers. He had one computer. He used for internal communication with his staff and financial. He had a second computer, he used for web surfing and public. And he had a third computer that he used for dealing with Microsoft. Just simple isolation, right? Simple devices and accounts. And once again, I mean, we have so many devices. What if, and I actually do this, I have multiple iPads. Like I, the super thin, you carry, I mean, it doesn't take much to carry them to like three pounds. And I have one that I only deal with my finances and others, one for my high-end business clients, and then one for public surfing. So, and once again, iPads are like 700. So that's what's 21, 2,100. Most people will spend $3,000 on a high-end laptop. So it's like, so just simple things like just having isolation of those services that are there. They had two factor out of the gate. So, so just two factor. And then once again, just heavy filtering of even back then, we didn't allow attachments. We didn't allow embedded links. We really limited and restricted the functionality. And once again, that's about it. I mean, it wasn't like we had super high-end lasers. I mean, it was zap, or anything. It was pretty basic, fundamental components and security places. And then the other big one that we did early on, and now we recommend for all folks is on any device that's connected to public Wi-Fi. So if you're connected to Wi-Fi, hotels, airports, you have to run a VPN. Always. Always. It's super simple. It doesn't take up a lot of resources and encrypts everything. And once again, just goes a long way of locking it down. And then the last thing is endpoint security in every device. Most people think of it used to be called antivirus. Now it's called EDR, endpoint detection and response. 
People who would only run it on their laptops. I run it on iPad, phone, everything. Once again, not a guarantee, but you encrypt all your traffic with a VPN, and you run EDR with a high setting that if in doubt, it'll block or allow it. So you miss a little bit of legitimate, but you don't get any malicious. And I mean, those basic foundational things, and you're going to be in really good shape. Are there any particular VPNs that you would stay away from or that you recommend? I mean, I usually recommend the ones in the US, like OpenVPN or OpenSSL. I like the ones that are based on standards that are public, because when you have a lot of smart people looking at it, you're going to find it and make it a lot more secure. So I'm very big into open source for VPNs, because it gets a lot more visibility than a small, nothing against small private companies, but a small private company releasing a VPN is not going to have the same code scrutiny as an open source. I really, for those, prefer open source. 
Do you believe that you work with past administrations, billionaires, CIA? Do you believe that the US is going to win the war on cyber the way we are right now or does there have to be some radical change? Not just on an administrative level, but with private companies. Like what else has to happen so that we can guarantee that we can win this war going into the future? Yeah, so the path we're on right now is not a good one, right? We're behind because as we said, we are too focused on functionality. 
So to me, one of the simplest rules is when I come into businesses or I consult with these high end individuals, their perception of cyber is you're the negative guy. You're the guy that's going to say no, you're the guy that's going to say don't use it. I love tech, I use tech, but essentially what we have to start doing is when we're evaluating any new business decision, any new technology, we have to step back and instead of one question which is asked today, what is the value and benefit? So like you look at AI, what is the value and benefit? We can create content, we can get more visibility, we can do all this stuff, but what companies and organizations need to do is ask a second question, what is the risk and exposure? And then ask yourself is the value worth the risk? Because to me right now today, the way we're using AI, if you look at the risk of data leakage, information leakage and targeting, it ain't worth the risk. Like to me, I use AI very limited, I do have a digital twin, I joke, I love it there. Every morning at 4:30, I basically argue and debate with myself with the digital twin and one time was funny, I get so heated that I'm at a hotel and there's a knock on the door and it's security because I guess the neighbor was complaining because that was too loud. And they're like, are you having a party? I'm like, no, I'm just fighting with myself. I'm just debating, sorry. I think there's limited use, but I don't actually use AI publicly where I put any of my information or business decision publicly because that's then available to anyone or anyone else. So I think we gotta look at the new tech, AI and everything else as a tool. I get so frustrated when I hear these executives go in and say, AI is gonna replace your job, you're gonna become obsolete. I'm like, yeah, if we dehumanize ourselves, right? But if we continue to be human, AI can never have emotion, it can never have feeling. 
And if we let AI take people's jobs, we're basically downgrading our intelligence to that of AI, we're turning ourselves into computers. And if we do that, if companies actually fire employees and replace them with AI, we're on a path where 30, 40 years, humans could be obsolete or extinct because we don't need humans anymore. That's the worry. But if we- Exactly, but if we go in and step back going, this is insanity at every level and AI is a tool, we should actually be telling people, AI is gonna enhance your job and make you more valuable. It's not gonna replace you. We should be training people in how to use AI as a tool to make themselves more valuable as humans and not the other way. So to me, we're sort of missing the boat, where we're only looking at functionality and not security risk. And we just need to change how we look at things that all functionality needs security. And whenever you're releasing new functionality, security should be embedded and new tech, like AI is a tool, it's not a replacement. Couple of thoughts on that. So first of all, fully agree. I don't think that a lot of companies are looking at AI, like that they're looking at AI in terms of how do we just get rid of as many salaries as possible so we can use AI? I do believe that people should be using AI to sort of 10X their output or to upskill themselves, for sure, that's important. And it's a mixture of both. Like, yes, AI can speed things up, automate processes, it can help somebody do 10X the work they were before, but the person also has to be willing to learn how to use it properly. But they can't be overly dependent on it because there was just a new study that showed the people that are using AI for all of their tasks, for their thinking, their searching, their writing, it's showing a decline in their cognitive abilities. 
So you still have to be as an individual, somebody uses AI, but somebody who still doesn't use it for everything, and you still have to learn and improve yourself, you still have to read, you still have to write, you have to do yourself to do all the things that help you perform at the best level. So you can't just outsource 100% of your thinking to AI, but you can use it as a tool. And there's some, again, the happy medium as to how you use it, they're overusing it without ignoring it completely. I also think that I don't think that too many people love Sam Altman. I don't think that too many people look at him and are like, he's acting in the best interest of humanity. I feel like there's a significant amount of negative sentiment as to how he's built. But how he's built OpenAI, even like from switching it to a nonprofit, to a for-profit, I think a lot of mixed emotions about that and what incentives are actually driving the company forward. Is it actually AGI? Is it actually betterment of humanity? Is it just making more money? And I think that people have different perspectives on that. But I do believe that more companies, and I don't know how this is going to manifest because this is not how companies operate, but more companies that are responsible for bringing AI into the world do have to understand the power that it's going to have and build it responsibly and not just give sort of lip service to the ethics around AI. And I think I personally feel there's a lot of lip service and people saying we care about AI ethics and we care about AI security and we care about, we care about how it's going to impact jobs and humanity, but I don't believe if I look at the actions, the actions aren't aligned with what people are sort of preaching about AI security. Even if we look at, listen, I don't have an issue with Elon, but Grok just went off the rails and started becoming super anti-Semitic in the past 48 hours. 
So if you really cared about security, that would have never happened because there would have been some sort of safeguard in place, it doesn't turn the AI that you've built into this thing that starts calling itself Hitler, which is in the past, it was calling itself mecha Hitler in like the past week, right? I don't know if you saw this in the news, but it was absolutely crazy. So all these founders and CEOs can say that they care about security and safety, but it doesn't seem like they actually care about it with the actions that they're taking because they're moving so damn fast. The reason why they're moving fast is because when they move fast, they can make more money and they can stay ahead of everyone else. So I think it has to be more of, I don't know if it's government regulation, I don't know, I don't think it's gonna come from a business perspective or private business perspective because I think that private business founders, entrepreneurs, CEOs, they are motivated by profit and creating shareholder value and safety and security and slowing things down that runs counter to creating massive shareholder value. I don't know what the answer is. I think it's a hybrid, but to me, one of the new areas is AI hacking, where you actually go in and hacking groups hack the AI model. I mean, that's what happened with Grok is you had a group of people that basically wanted to either target Elon or target Grok and they fed a ton of new information and Grok learned. That's how it works. So it wasn't that Elon or anybody running Grok did that. It was any AI tool works on the data set and with a public AI tool, you can influence the data set. So if I go in to any AI, whether it's ChatGPT or Grok and I have a bunch of computers and I feed it a ton of information aggressively, I can retrain and turn it into anything I want. So that was actually a hack against Grok. It wasn't anything Elon or the Grok folks did.
No, and I didn't think it was Elon and the Grok and the whatever, the Grok team or the X team or whatever. I was just saying that they launched it and there was not enough safeguards in place. There was no protection against it. You need, I mean, and some of these have it, but it's AI ethics built in where it won't allow large amounts of messages or won't allow other things. Now I actually think the Grok could be a good lesson learned because it probably is going to get either lose a lot of market share or something like this. I mean, it could potentially go on. I mean, it's something devastating enough. I know a lot of my friends are like, I'm just going to switch to ChatGPT. So I mean, this could sort of be a good wake-up call for it. But the other thing too is like, look at what we did with cloud. When cloud came out, one of the ways we secured it is you had public cloud and private cloud. So I could run my own service in the cloud but nobody had access to first public. And I think what companies need to do and it's what I do is if you're going to use AI, you need to have a private AI internally that never goes out to the internet and then public. And I think if we as individuals and companies started setting up private and not using the public, that's one way we can quickly secure and still get the value without having the leakage. But you're right, unless vendors get enough reputational hit which is the Grok one and there's regulation and there's consumer pushback, it's sort of all those things have to happen. But my question is by the time it happens, will it be so bad that we can't basically put the genie back in the bottle? I actually, you know, as you're saying this, I actually now believe that maybe Grok was actually a blessing in disguise because it was almost like a canary in the coal mine situation where it showed the potential implications of having AI without the safeguards in place. And it was bad, but it wasn't like really bad.
But enough to wake people up and say, oh shit, this isn't great. We shouldn't do this, we shouldn't do this. So it's better that it happens with some stupid, probably just some hackers trying to be assholes versus somebody who's impacting AI to actually have a significant impact on a country or whatnot. So yes, it wasn't good, but yeah, maybe you're right. Maybe it was, you know, it's this nice little wake-up call that we understand the power of AI and that the average, because it's all, listen, I love what you said, it's not just the vendor or the private company because we can't trust the private company to always make the best decision for the rest of the world, obviously, it's just the fact incentives are different for a private company. The government moves slow. So what moves the government quicker and what makes the private company act in the best interest of people outside of the shareholders? It's public sentiment. So when something really bad happens or even moderately bad, the public will make both of those groups move quicker. We have a lot more power as together than we do separate, yep. Very much so. And maybe this is the wake-up call that people needed so that the public will say, hey, listen, Elon, Grok, Claude, Anthropic, OpenAI, like all these companies, okay, we love what you're building. But like, let's slow down a little bit or at least just focus on safeguards that this can't be manipulated. Because on the other end of the spectrum, if you're talking about slowing things down in terms of AI development, the concern is, well, all these other sort of nation states that are not the US are not slowing down. So China and Russia and North Korea are building AI as quick as possible. And we don't want to let them outpace our own AI development. So there is, this is balance, right? You wanna have, you wanna be able to increase your AI capabilities as quick as all these other countries so that you can defend against them.
But also you don't want to build something that's, it's a scary spot to be in. You don't want something to go crazy and go off the rails either. But it's one of those where we gotta go back to older software models. We can build without releasing. Correct. I mean, if you look at Microsoft, Microsoft used to take two to three years to build an operating system before they released it. Now what we're doing with all these AI, we're building and releasing it immediately. There's no internal beta testing, basically the community and the world is beta testing. So I think what we need to do is, I mean, these AI companies should still aggressively be building, but what if we just did a slower rollout? What if we actually did alpha and beta testing, and we didn't release it for a year or two? Now we're not behind, but we're just not putting the consumers at risk. Yeah, exactly. And the only reason why we release as quick as we do is because of money. Yeah, exactly. That's really it. Where can people connect with you? I want you to tell them what you're working on now, what to look forward to in the future, also like where to connect with you on social. I mean, your book is Cyber Crisis: Protecting Your Business from Real Threats in the Virtual World. I know you have other books. You can probably get this book on Amazon, or wherever you go. Exactly. Amazon, book stores. Yeah, so what are you excited about in the future? And then also where can people connect with you online? So the big things I'm really excited about for the future is one, and I'll be a little careful. But one is I'm actually looking at exiting one of my companies. Gradually. So I think you mentioned we didn't get into a lot of it, but I'm a big fan of building companies over three to five years, getting them to about eight to 10 mil, and then doing a valuation of five to six, so then selling them for 30 to 40.
I find doing that as opposed to trying to build a $100 million company over 20 years is a much better model. So I'm in that cycle, and then I start up a new one behind it. I'm also working on a new book. So look for that at the end of the year. What are you going to, what is the premise of the book? Basically, what we just talked about. So I mean, all those, so about sort of AI and security, and basically the fact that we're at war and what can individuals do to protect and secure. So definitely look for that. Also trying to get a federal law passed on cyber security. And then the longer term plan is that migrates into a global law on cyber. So those are sort of my big projects. Then I go in and you can find me, Dr. Eric Cole, D-R, E-R-I-C, C-O-L-E, I love giving away information. I love giving away data, so I do a lot of posts. It's all cyber security. And then I have two podcasts that are cyber focused on sort of bullet proof of how to implement security into your life to be better protected. And then for techy people, I have Life of a CISO, chief information security officer. So really giving back, I also do my blogging, Dr., D-R, E-R-I-C, C-O-L-E dot org. So DrEricCole.org, and then also my company site, if I can help you in any way, is secure-anchor.com. Perfect. Amazing. You've given a lot, I guess the last question that I'd like to ask, because again, you've had a very interesting life. But if you could summarize sort of all the wisdom and all the experience, and it could be just business, life, cyber, doesn't matter how you want to sort of take the angle on this, and you could just pass on one really great lesson to your kids. One of the things that's been the most important to you, what would that lesson be and why? So there are two principles that guide everything that I do. And I believe they're critical to success and interacting with other humans. The first one is, smart people know the right answer. Brilliant people ask the right question.
I think in so much communication, if you look over my life, most of my problems, most of my arguments, most of my issues and relationships in business was because I thought I was the smartest person and I tried to give answers and I didn't listen. So I think if you listen more, and one of the things I always remind myself and remind my kids of, is we have two ears and one mouth. Maybe the universe was trying to tell us we should listen more than we hear. So my rule is when I'm in communication with anyone or I brief to a board, I always ask three questions before I give an answer. I always want clarifying information. Don't assume we know everything, ask more questions and listen as opposed to giving answers. And then the second big one that's probably the most key to my success in business is let data drive decisions, not emotions. To me, I used to make so many decisions on emotions and make a lot of really bad decisions. Then I got paranoid because I was making so many bad decisions on emotions. I would then delay on the decisions I made, which would then lose out on opportunities. Now what I do is when I have to make a decision, I ask myself, do I have enough data to make a good, not a perfect decision, but a good decision? If the answer is yes, I make a decision, I don't wait. Then if the answer is no, I say, what do I need to do to get enough data so I can be confident in that decision and then I make it as quick as possible? So now if you look at my life on a weekly basis, I'm probably making 100 decisions. Now people go, but Eric, aren't you gonna make a couple of bad ones? Yeah, but here's the trick. If I only make, because I'm afraid, if I only make three decisions a week and one is bad, that's one third, that's a pretty big impact. But if I'm making 100 decisions a week and one is bad, that's one percent. Who cares?
So I've actually learned that if you do the data driven and you're trying to make decisions as quick as possible on having enough data and if not getting the data, the more decisions you make, the bad decisions almost become irrelevant. And that's how you change the world and grow a big business because if you're afraid of making decisions and you're slow, you're gonna lose out to the competition every day. It's also, I mean, this is not just how you build a good business. It's how you build a good life. A good life, exactly, yep. You've worked with some very interesting people. You've worked with McAfee. You've worked with, which administration, it was the Obama administration, right? You've worked with Gates. I think it would be fun if you could pick one lesson from each one of those people. What was that one lesson? And you could pick one from the Obama administration, one from McAfee, one from Gates. And what were those lessons and how did they impact your life? So Obama, sort of biggest lesson I learned from him was you get up three hours before your first meeting and you spend that on yourself. You spend that on sort of self-evaluation, meditation, journaling, and then planning out your day and saying, what are the big things that I need to accomplish today? That was one of the things that, once again, politics aside, he was a super smart president. I mean, and he accomplished a lot. You know what I mean, in there, and that was his rule, he goes, Eric, if I had an eight o'clock meeting, I got up at five. If I had a seven o'clock call with somebody overseas, I would get up at four, he goes, but what I found is, if you get up and you rush right to meetings, you're never grounded for the day and you end up rushing making bad decisions and your mind is racing.
But if you get up three hours and you basically look at your agenda, you get very clear, you get grounded, you solve any internal problems and you get very clear on what you want to accomplish in each of your meetings, your productivity goes through the roof. So that was sort of the big one with him. With Bill, it's, know your strengths and weaknesses and most people go, oh, play to your weakness. What Bill always said is, hire people that play to your weakness and you focus on what you're really good at. Most people don't realize this. Bill was never CEO of Microsoft. He knew that's not a strength. He knew that his strength is on problem solving innovations. So he would spend his time chief research officer on always looking at evaluating, questioning what was doing and always optimizing and improving. He played to his strength. The stuff he wasn't good at, he hired other people to do. He knew he wasn't good as a CEO, so he hired Steve Ballmer, one of the best in the business. So always play to your strength and not your weaknesses. And then John McAfee, I saved him for last, because he's my favorite, is crazy is good. That they always say there's a fine line between brilliance and insanity or they're next door neighbors and his whole philosophy that he taught me is you should have both houses built. You should have a brilliance house and right next door you should have a crazy house and you should spend 50% time in each house because that's how you truly innovate and the one thing with John that a lot of people don't realize, he bought and sold McAfee four times. He basically sold McAfee for a lot of money. Then the company that bought it basically took what they wanted and McAfee sort of became this little thing.
He bought it back for pennies on the dollar, rebuilt it again, sold it for top dollar, let them drain it, get it small, buy it back for pennies on the, I mean that was his cycle for repeating and sort of my favorite John story really quick is when I would go down to Belize to meet with him because you know he got it, he couldn't get back to the US and stuff and we would always go to dinner and he'd be like, Eric, you pick where you want to go to dinner. I would always pick sushi and after about four or five times he's like, Eric, do you eat anything other than sushi? And at this point I had a really good relationship with him. So I'm like, John, could I be honest with you? And he said yeah, I'm like, the reason why I pick sushi is I know you're brilliant but you're also crazy and I know if I say the wrong thing at dinner you might get very aggressive and if we're at a steak house and you have a knife, that might not end well for me but you can't do a lot of damage with the chopstick. And then it was funny, after I said that there's this awkward pause and I'm like, okay, so he's gonna stand with a chopstick and he goes, you're very smart. He goes, he goes, you're right because I might do that. He goes, so you're a really smart man. I'm like, so that's sort of my John story as we wrap up. You've sort of said, for the entire interview, cybersecurity is really everyone's responsibility. If you look at your life now, what would be your responsibility? What is sort of your mission on this earth and what do you think your purpose will be going forward? So my mission now is all about contribution. It's all about giving back. It's one of those where I'm sort of at a point in my life. I don't need to work, right? I could be fine for the rest of my life. I don't believe in retirement. I believe if I retired, I would hurt myself or hurt others because I would just be bored out of my mind. So I'm never gonna retire.
So now I'm at the point now where it's not about, you know what I mean, the making the money anymore or the legacy, it's about contribution and giving back. So that's why I give so much free, I write books, I give away. With Online Danger, I actually bought 3,000 copies. So it cost me about 40,000 and I gave them to schools and teachers and churches and stuff. You know, people that normally couldn't afford that, to give back. So I'm all about contribution, giving back. I go to a lot of seminars like motivational, which people like, what is a cyber guy? And it's really like you did to help educate and give back. So yeah, I appreciate you let me be on the podcast with sharing my message with the world. And then here's the craziest thing. Craziest thing is for the last five years, I focused 100% on contribution. Like I'm like, okay, this is a terrible business idea. Right, it could lose money, but it's gonna help people be safer and help protect them and I do it. And the more I focus on contribution, the more money I make. It's the craziest thing to be here. People say that, but it's so true. When you focus on money, it ends up being a struggle. When you focus on your purpose, your mission and contributing back, you end up not only being happier and having more fun, but you have to make it more money too.