Security pioneer HD Moore joins ITSPmagazine at SecTor 2025 to break down which cybersecurity “rules” still matter—and which are dangerously outdated. From password policies to AI vulnerabilities and the hidden risks in our own firewalls, this keynote conversation challenges us to rethink what we take for granted.
During his keynote at SecTor 2025, HD Moore, founder and CEO of runZero and widely recognized for creating Metasploit, invites the cybersecurity community to rethink the foundational “rules” we continue to follow—often without question. In conversation with Sean Martin and Marco Ciappelli for ITSPmagazine’s on-location event coverage, Moore breaks down where our security doctrines came from, why some became obsolete, and which ones still hold water.
One standout example? The rule to “change your passwords every 30 days.” Moore explains how this outdated guidance—rooted in assumptions from the early 2000s when password sharing was rampant—led to predictable patterns and frustrated users. Today, the advice has flipped: focus on strong, unique passwords per service, stored securely via password managers.
But this keynote isn’t just about passwords. Moore uses this lens to explore how many security “truths” were formed in response to technical limitations or outdated behaviors—things like shared network trust, brittle segmentation, and fragile authentication models. As technology matures, so too should the rules. Enter passkeys, hardware tokens, and enclave-based authentication. These aren’t just new tools—they’re a fundamental shift in where and how we anchor trust.
Moore also calls out an uncomfortable truth: the very products we rely on to protect our systems—firewalls, endpoint managers, and security appliances—are now among the top vectors for breach, per Mandiant’s latest report. That revelation struck a chord with conference attendees, who appreciated Moore’s willingness to speak plainly about systemic security debt.
He also discusses the inescapable vulnerabilities in AI agent flows, likening prompt injection attacks to the early days of cross-site scripting. The tech itself invites risk, he warns, and we’ll need new frameworks—not just tweaks to old ones—to manage what comes next.
This conversation is a must-listen for anyone questioning whether our security playbooks are still fit for purpose—or simply carried forward by habit.
___________
GUEST:
HD Moore, Founder and CEO of RunZero | On LinkedIn: https://www.linkedin.com/in/hdmoore/
HOSTS:
Sean Martin, Co-Founder, ITSPmagazine and Studio C60 | Website: https://www.seanmartin.com
Marco Ciappelli, Co-Founder, ITSPmagazine and Studio C60 | Website: https://www.marcociappelli.com
RESOURCES:
Keynote: The Once and Future Rules of Cybersecurity: https://www.blackhat.com/sector/2025/briefings/schedule/#keynote-the-once-and-future-rules-of-cybersecurity-49596
Learn more and catch more stories from our SecTor 2025 coverage: https://www.itspmagazine.com/cybersecurity-technology-society-events/sector-cybersecurity-conference-toronto-2025
Mandiant M-Trends Breach Report: https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2025/
OPM Data Breach Summary: https://oversight.house.gov/report/opm-data-breach-government-jeopardized-national-security-generation/
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
Want to share an Event Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf
Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us
___________
KEYWORDS:
hd moore, sean martin, marco ciappelli, metasploit, runzero, sector, password, breach, ai, passkeys, event coverage, on location, conference
[00:00:00] Sean Martin: Marco,
[00:00:02] Marco Ciappelli: Sean,
[00:00:03] Sean Martin: you, you know where I wasn't.
[00:00:05] Marco Ciappelli: I know where you were. Yeah, you were not. You were not where HD was, which is SecTor in Canada. But you were there last year, so I don't feel too bad. I wasn't there either last year, so
[00:00:17] Sean Martin: I know you, you missed it last year. I got to go. I'm really sad I missed it. It is really, uh, phenomenal community up there and, uh, obviously SecTor, uh. Ca it's Security Education, uh, conference in Canada, Toronto, Canada specifically. It's a SecTor, uh, name now, uh, a Black Hat slash Informa event.
[00:00:40] Sean Martin: And, uh, of course we, we love our friends at, uh, at Black Hat and the community up in Toronto. It's phenomenal when, when you say HD
[00:00:48] HD Moore: Yeah, it was my first time going back and since 2008, and it was kinda cool to see the same folks there. Um, Brian and Bruce still introduced everybody and you know, it was great to see.
[00:00:57] Sean Martin: Yeah. Two, two good guys. And, uh, [00:01:00] a lot of good sessions and, uh, they, they were smart to have you, uh, keynote this year. HD. Congratulations on that.
[00:01:07] HD Moore: It was surprising. So they actually had accepted a talk that was completely different though. It was a very nerdy session note at SNP and then last minute like, Hey, do you mind doing a keynote instead? And then I lost the next two weeks of my life to figuring out a keynote. So, but it came out okay.
[00:01:20] Marco Ciappelli: Well, I think, I think with your experience in the, in the community and the industry, and, uh, I'm sure it takes time to prepare it, but, uh, you're not certainly short of topics that you can talk
[00:01:32] Sean Martin: you've, you've seen some things. You've seen
[00:01:34] Marco Ciappelli: You've
[00:01:35] HD Moore: that. If you've been in security more than five years, you definitely have all the war stories.
[00:01:39] Sean Martin: Exactly, exactly. Well, for, um, for the folks wondering what, what it is we're doing here. So this is part of our, uh, event coverage for SecTor 2025. And, uh, we've done a couple episodes, uh, with some folks and we're thrilled to have HD on one of the keynote speakers. At the event, and we're gonna hear all about what he [00:02:00] spoke about at the event and what some of the feedback was from the community based on his talk, which is all about rules.
[00:02:05] Sean Martin: I'm not gonna say any more than that. Um, but before we get into the, uh, the, the nitty gritty that are rules, HD, maybe a few words about what you're up to at runZero and, uh, and anything else you wanna share before we get in?
[00:02:20] HD Moore: Um, you know, still trying to build the, the best widget for exposure management. So both direct vulnerability detection, finding vulnerabilities that don't have CVEs, finding misconfigurations, and then doing, you know, very broad, top to bottom, inside out discovery and putting it all together. So that's kinda what I do all day, is how do you take like all the different clues about what devices are and what part of your environment, and use that to figure out where you're most at risk and then fix it.
[00:02:44] Marco Ciappelli: Easy peasy, right?
[00:02:46] Sean Martin: Sorry, just the, the easy button for, uh. For detection of all the, all the stuff that we don't know about yet. Um, we had a great chat at Black Hat and I would encourage everybody to listen to that. Um, 'cause we, we talk [00:03:00] a bit about what you just described. Um, that's not what this is about. This is about rules and in, in your abstract, um, you know, one rule, and we'll get into, uh, what this is all about, but change your passwords every month.
[00:03:16] Sean Martin: Right? And I presume. You, you have some thoughts on if that's a good idea or a bad idea? What, how does that really relate to what we're trying to accomplish in the grand scheme of things? Um, so the, the, the title of your session, uh, was the Once and Future Rules of Cybersecurity. So you said you got, you got the keynote invite and you put this together in a few weeks.
[00:03:41] Sean Martin: What, what was the catalyst for this topic? Why, why did it come to, to the forefront?
[00:03:46] HD Moore: Um, generally keynotes, you hear a lot of like, kind of grand ideas or how the world's changing or, um, you know, or. These days you just hear people talk about AI and I figured it'd be better to kind of go back a little bit and say, here's kind of how we got into security. Here's what we thought [00:04:00] we were trying to do, here's what actually happened, here's what we're doing now.
[00:04:03] HD Moore: And just kind of contrast like what we previously took as givens in security versus where we are today in the world. And passwords are a good example of that, right? In the early two thousands, um, during my first pen test, we would tell customers, you need to rotate your password every 30 days. And it has to be long.
[00:04:17] HD Moore: It has to be complicated. And if you write it down while smacking out the roller, and we'll look under your keyboard at night to see whether you've written it down on a post-it note, all that stuff. And you know what happened is that, you know, people just picked really bad passwords. Then they would do Summer 2025 and Autumn 2025 and Summer 2025 1 and Summer 2025 2.
[00:04:33] HD Moore: And like basically, you can't expect people to be good random number generators all the time. And. Now if you look at what the recommended, um, mechanism are for password management, typically we're asking people, these password managers, what's more important as opposed rotating your password quickly. Just having a unique password per site and having a, you know, secure way to literally write it down.
[00:04:52] HD Moore: So we went from telling people that they had to change it all the time, never to write it down to saying you must now write it down all the time. And then having unique password per site that you never.[00:05:00]
[00:05:00] Marco Ciappelli: I, I have a question. I mean, and it is related to password. 'cause I, sometimes I tell the story on, we used to have password back in, in the day just to enter in the, you know, in the castle, like, you know, the door is closed or the, the town walls are closed and what's the password that we. Kind of like still, already just to start a very old way to manage things.
[00:05:20] Marco Ciappelli: But my question for you is for these kind of rules and not specifically the password. One is, is it because they were kind of wrong to start with even in 2000, looking back in retrospective? Or is it because the technology, um, and, and, and the way we interact with the internet and the computer nowadays has changed.
[00:05:39] Marco Ciappelli: So was it like bad by default or they become bad rules?
[00:05:45] HD Moore: I think a little bit of both where that rule came from about changing it all the time really had to do with expectations that people would share their passwords. Like kind of your password example, right? Everybody's the same password. You go to the castle, you say, here's the current password of the week of the day.
[00:05:57] HD Moore: But everyone knows the same password. And when you ask [00:06:00] your coworkers to go log into a web portal, you say, what's the current password today to log into the portal? And the idea was that everybody was sharing passwords back in the nineties and early two thousands. And the way to get around the, the issue of people sharing password was to force 'em to change it all the time, as opposed to guarantee every user had their own password.
[00:06:14] HD Moore: So once we changed the expectation that everybody had to have a unique password per human being, then the needing to change it all the time stopped becoming a requirement.
[00:06:24] Sean Martin: Now when you, when you define rules, um. The specific one around passwords is a rule, was a guideline. I think it was a recommendation that then later over time was retracted. Um, to me that's a policy that then turns into a control. Right. Some technical control. Um, how do you define rules in that regard?
[00:06:49] Sean Martin: And, and what are, I don't know, how did you present that, uh, concept to folks,
[00:06:54] HD Moore: Sure. I mean, we certainly have. Tons of policy, like you can have a password policy, but the context of rules here is [00:07:00] just what are the things that we all take for granted that we assume are the right way to do it. So if you walk into a building during your security training, what do they tell you to do on day one?
[00:07:06] HD Moore: Like, is that still true? How has it changed over time? So less so like the details of the policy and more of just kind of like the common sense or quote unquote common sense, um, mechanisms that we use to manage security in our daily lives and work.
[00:07:20] Marco Ciappelli: And do you have some examples in the presentation about the good rules? The one that we can still consider pillars of the way we, we do cybersecurity.
[00:07:30] HD Moore: Oh, for sure. I mean, what's, you know the interesting thing about passwords is the good part about passwords. We, we said you have to have a unique one per website. That's still a good rule. We found out repeatedly as every website got compromised and you'd end up in these giant, you know, password leak databases, people then do password stuffing attacks, then try your same password from site number one against site number two.
[00:07:49] HD Moore: Like, that's actually been a really good rule. Having a unique password per portal you log into is still a great thing. Um, other rules we looked into where, um. [00:08:00] Uh, let's see. Trying to think of a good example of that. Um, when you come up with a recovery mechanism, you, your recovery mechanism still has to be just as secure as your initial authentication.
[00:08:08] HD Moore: So if you have, you know, 2FA, for example, but your 2FA goes to an SMS line to a cell phone someplace, well that's probably not good. It's probably less secure than your initial password was. So one of the early rules was what if your recovery mechanism should be, should also be just as strong as your initial authentication.
[00:08:22] HD Moore: Otherwise, attackers wouldn't go through the front door. They would just do a recovery process instead.
[00:08:28] Sean Martin: Were there any, any stories, uh, that you shared? I mean, we were joking earlier. You've seen some things, um, when you, when you were, when you were doing your keynote, uh, did you share any stories with folks that, uh, their interest, raise their hair on the back of their necks or anything like that?
[00:08:45] HD Moore: Sure. One funny one was around the passwords, right? I was doing a pen test for a credit union back in 2002, and the guy we're working with, his name was Dave, fantastic. He was IT manager. He'd been there for 12 years. He'd worked his way up from the mail room. Kind of been the lowest person on the rung all the way to the head of IT.
[00:08:59] HD Moore: [00:09:00] And he was really excited to get the pen test. It was their first real security assessment. He just rolled out this policy that set people to change passwords and was very excited to see like what would happen. So us being like cocky pen test people, we'd show up and we dumped the same database and crack all the passwords.
[00:09:13] HD Moore: And the very first thing we noticed is like hundreds of employees, all the same password of F Dave. Like, it wasn't just that people had the idea, it's like no, they got together and intentionally decided they were gonna have a password of F Dave because they were so mad about this policy. And Dave took it very personally, like he was so mad about it.
[00:09:29] HD Moore: He was like literally in tears on day two and he actually quit his job after the assessment was done. Because of that, it just pulled the rug line, his entire worldview and how he worked with his coworkers and the only, um. Uh, silver lining. That story is we ended up hiring at my job, so we ended up hiring Dave to come and join our company as customer success because he was such a great people person.
[00:09:50] Sean Martin: That's
[00:09:50] Marco Ciappelli: I, I, I love it. And, and this goes a, a long way to go that during, you know, October is cybersecurity awareness month. It's not cybersecurity. [00:10:00] Very popular topic. Right. You, you bring it to the company here that the department of no, or department or it's gonna take me forever to do these things. I don't wanna do it.
[00:10:09] Marco Ciappelli: And that's definitely. You know, that kind of culture that, I don't know, do, do you feel it's, it is changing nowadays? Is technology helping to make it a little bit easier than what it used to be? Or, or people understand that cybersecurity is part of being in an office,
[00:10:25] HD Moore: I think folks understand it, but until it's really their problem, they don't care. And we still have the same challenge of like, every CISO job is a little bit like playing duck, duck, goose. Like you don't want, or, you know, musical chairs. You don't wanna be the last person sitting there when the breach comes in.
[00:10:39] HD Moore: And there's only so much you can influence as a CISO to prevent that from happening. Like, so your job is to accept the risk and then possibly the scapegoat and hope it doesn't happen on your watch. And it just, it is what it is. I mean, obviously there's, uh, companies out there that, uh, really bring, you know, security as a core value and is driven top down.
[00:10:55] HD Moore: Those are fantastic. Then you have other companies that are constantly being pulled in front of the Senate for, to talk about their [00:11:00] latest giant data breach and. There's nothing that we're gonna do differently that's going to prevent that from happening next year. I mean, that's just the way it is, right?
[00:11:07] HD Moore: It's never gonna be worth the, it's never gonna be worth the cost to really secure things to prevent that from happening. So instead, what we have now is every one of us has 15 different, you know, credit monitorings in the background. Like we've overlapping credit monitoring programs across all of us.
[00:11:19] HD Moore: Now we've just kinda given up, right? The, I would say the OPM breach for folks who aren't familiar is probably the worst one in the history of the US. That's every single person who ever applied for a position of public trust or a clearance. Their entire life history was leaked in that breach. And you don't really need anything else at that point.
[00:11:36] HD Moore: Like if you have the OPM data leak, you have the detailed history of everybody's person. You've ever worked anywhere, in a sense, position in the US all at once. And after that kind of every other breach kind of pales the comparison in terms of the impact to, you know, security services, defense, et cetera.
[00:11:52] Marco Ciappelli: Do you, do you think there's bad publicity for. Cybersecurity because we always talk about the [00:12:00] negative things when bad things happen, but people don't understand that there is for breaches that happen. There is so many breaches that do not happen. So are we di are we having an a healthy dialogue with with the communities?
[00:12:16] HD Moore: That's a good point. You only hear about security when something wrong happens, right? You don't hear about all the things that didn't explode or that didn't happen in between. But we also take it for granted. But I mean, that's also kinda the point, right? If you're gonna be able to do business on the internet, you're required to take security seriously.
[00:12:30] HD Moore: You're required to do all these programs, and of course, you would only hear about it when it fails because that's you screwing up like what the. You know, we assume that security will be a top line priority for every company we do business with. And we only really get upset when we find out that isn't true and it becomes something that affects us personally or otherwise impacts, you know, we care about.
[00:12:50] HD Moore: Um, but it doesn't make it any better. And so, you know, you talk about security being the Department of Nos and a lot of, you know, CISOs would like to say that, oh, we're security enablers. That's true. Like [00:13:00] if it wasn't for security, you couldn't do anything at all at your job. You could not do online insurance.
[00:13:03] HD Moore: You couldn't do online e-commerce. At the end of the day, you're still gonna be a department of. Slow down of know of, you know, check the boxes of follower policy, of, you know, accept the risk, et cetera. Like there's no way around that, right? You need somebody to be the person who's gonna raise their hand and say, hang on a second here, let's, let's make sure we're doing correctly.
[00:13:21] Sean Martin: I am wondering, I, because I had a conversation the other day about, uh. Uh, we, we overcomplicate things to some degree and, and some rules sound good and may reduce the risk a lot, and therefore it's a good idea to, to implement a rule, to, to help, yeah. Protect the business. Um, but then there, it's just not feasible.
[00:13:45] Sean Martin: And I'm going, I'm looking at back to kind of this access, maybe not necessarily passwords, but access control and PKI, um, great idea. Hard to implement, expensive to maintain, has its own flaws if you start storing your keys in [00:14:00] public public domain. So are there rules like that where we just haven't seen adoption?
[00:14:07] Sean Martin: So there are good ideas, but not really feasible in terms of adoption that still exists? Or maybe we should look at it a little more closely and learn from.
[00:14:18] HD Moore: The example where we're finally starting to cross that, uh, line from something that would, you know, what we want it to work, how we want it to work versus how it actually works is around passkeys and hardware tokens. We've gotten the point now that like, instead of having to remember your password manager, you literally just opened up your phone, do a biometric thing, and then it unlocks the website.
[00:14:33] HD Moore: And you know how the, the authentication sequence you're doing with unlocking your phone may not be the most secure thing in the world, but the device, you know, the authentication material, the key material lives inside of a hardware enclave in your phone. And that actually is protected. And depending on your enclave, it could be, you know, secure, like in the case of an iPhone or terrible, like in the case of BitLocker, as we saw with computer attacks against BitLocker.
[00:14:51] HD Moore: Like you don't have a PIN on your BitLocker, it's bad news. You still have to call it data loss if you, you lose your laptop 'cause of the weaknesses there. So we're getting there. I feel like [00:15:00] passkeys are a good example of, you know, where we're able to actually. Simplify authentication and get to the point where users have strong authentication everywhere.
[00:15:06] HD Moore: Uh, and then that's. Only as secure as the enclave or the OS protection, of course for the passkey. But we're getting there. Um, where I think there's other cases where we're just not gonna get to. Like if you want to, let's say store your information online in a way that no one else can access, good luck.
[00:15:21] HD Moore: Like no cloud provider's actually gonna encrypt your data at a per row level. They're not gonna be able to do half the work they wanna do. We talk about things like homomorphic encryption where your cloud provider can't see what you're doing with your data, and yet it's not really worth the cost to do that yet.
[00:15:34] HD Moore: So we're. We're a long way from being able to, you know, do real private computing. Um, as much as we talk about things like SGX and, uh, trusted execution and things like that, like the whole Apple private computing cloud, all that really depends on the hardware being secure. And there are some really neat attacks that came out in the last week or so of doing direct, uh, uh, attacks on the RAM sticks themselves, basically creating like an interposer of their memory stick and using that to basically leak crypto keys and decrypt and so on.
[00:15:59] HD Moore: So [00:16:00] the, the, you know, short version of that is like we spent all this effort trying to create these like private. Compute clouds and trusted computing only for somebody with a $50 bit of kit to be able to break into your server and steal the password anyways, so what does it actually matter?
[00:16:13] Marco Ciappelli: Hmm.
[00:16:14] Sean Martin: Interesting. And what, what were some of the, uh, I know. Somebody like you must have a lot of people come up to the stage and wanna talk to you, and obviously you had a booth at Sector as well. So I presume a number of folks came by and talked to you at the booth. What was some of the feedback or, or follow up questions that people had after, after you shared some of these things?
[00:16:36] HD Moore: Uh, one of the examples I've provided is that we talk about the, um, network perimeter being this kinda like hard crunchy outside and the soft chewy inside. That's what the old security model was and supposedly we've made it better. We've now made it so you've got BeyondCorp and you know, Zero Trust and all this kind of fun stuff.
[00:16:50] HD Moore: But we really haven't solved the problem. We still have networks full of IoT devices. We still have. Uh, firewalls that have gone from being the thing that we depend on to protect our networks to now being the number one way [00:17:00] into the network. So I think a really funny stat there is Mandiant has this breach report that they put out once a year, and the top four initial access vectors for 2024 were all security products.
[00:17:09] HD Moore: There are people getting compromised through their Palo Alto firewall, through their Ivanti Endpoint Manager and then through their Fortinet appliances. So we went from these products being what people bought to secure the networks, to these products. Now being how they get compromised and calling that out I think was something that a lot of folks are not really willing to say publicly, and I think it makes a lot of sense to say no, like these products actually are.
[00:17:30] HD Moore: The worst thing going on for security right now is your firewall. Like you're paying money to a quote security company to then get breached by vulnerabilities that shouldn't be present in those products. That should have been. Know, fixed decades ago based on the type of flaws we're seeing. So a lot of folks, you know, reached out saying, wow, I'm glad you called out these vendors for doing all these shady things and causing more problems than they solve.
[00:17:49] HD Moore: Um, and also thank you for not talking about AI. Those are the, the two big things that stood out.
[00:17:54] Marco Ciappelli: you don't want to talk about AI? That's, that's what, that's what
[00:17:57] HD Moore: You can, but I, there's enough people talking about AI. I don't think we
[00:17:59] Marco Ciappelli: I [00:18:00] know, I know, I know. I was just making a joke. But I, I do wanna talk about, uh, as we, as we wrap this, about the future a little bit. So we, we talked about maybe the, the rules that are worth to keep, the rules that are, need to be trust and not, don't even, even look back.
[00:18:16] Marco Ciappelli: You think there with the change again, of technology and, sorry, I'm gonna have to say AI and, and all of that. Do, do you think, what, what kind of rule do you think we, we will have in the future that. That will be necessary to, to add to the arsenal.
[00:18:32] HD Moore: I mean, the one that, um, the one that's still true so far is like segmentation is still a thing that we aren't doing very well. Like whenever you have devices that have shared trust and you have to put 'em all in one spot, like you have to put all your IoT or OT equipment in the factory on the same network.
[00:18:45] HD Moore: 'cause it has to work together. Like you have to put that off in its own segment. You need to isolate it, you need to monitor it. You have the same problem now happening with AI and with data. Like you see the, the various prompt injection attacks are kind of endemic. Like there's no real way to fix them.
[00:18:58] HD Moore: That's just how this technology [00:19:00] works. It's like trying to prevent cross-site scripting inside of JavaScript in your browser. It's like, no, that is. That's literally how the technology works. There's no such thing as an injection. It's all injection, right? So if you talk about doing agentic AI flows and how you're pulling data to different sources and pulling those into your queries and whatnot, by definition it's vulnerable to attack. It's def, it's gonna be vulnerable to somebody manipulating a response and then causing it to then redirect your.
[00:19:21] HD Moore: Instructions to something else. So kind of as a technology, AI and flows are fundamentally broken. At this point. There's no way to separate your data layer from your control layer until we fix that. We're just gonna go repeat all the same problems we had with cross-site scripting and injection all over again.
[00:19:36] Sean Martin: At, at scale. 'cause we put, put it in the hands of everybody. Um, I'm gonna ask this future question. Um, and do we need to rethink the way we think of rules? Um, 'cause the examples we've given are a. We have technology, we use passwords to grant access, and then we write a rule around that. So what's the rule?
[00:19:59] Sean Martin: We change your [00:20:00] password every 30 days or use a password manager or, and I'm wondering, are we missing the point of the rule by asking it from a technical perspective or does a future hold, uh, a rethink of how we ask that question and answer that question for rules.
[00:20:18] HD Moore: That's a good point. Um, a lot of what we do around like network segmentation is because we have to, because the network side is just really fragile and there's no authentication. And if we didn't have that problem to start with, we wouldn't have to worry about doing the segmentation in the first place.
[00:20:30] HD Moore: So could we redesign our network stacks or administration protocols or something else to get there? Um, it's one of the things I'm excited about with like passkeys is that we're finally moving from like a, a secret that you have to keep in your brain to a secret that's actually stored in the hardware that you're kind of unlocking on the fly.
[00:20:45] HD Moore: And so you can have, um. Uh, some of the HSMs are out there, the hardware storage modules for series crypto keys. They only have a four digit password, and that's okay. Like it's amazing that you can actually have a really, you know, important secret protected only by a four digit code. And that being a [00:21:00] totally reasonable way to defend something as long as your hardware is secure enough to prevent brute force attacks.
[00:21:04] HD Moore: You guess more than three PINs in a row. Like it wipes the machine. Right? That's, that's our way of solving this problem. So we're starting to finally change the rules a little bit by kind of moving the attack vectors by having stronger kind of built in security. And it took us a long time for the technology to catch up.
[00:21:18] HD Moore: Before that was actually a thing, you know, for the last 20 years, whenever somebody said, oh, my hard drive will auto unlock. It's like, great, well gimme 20 minutes and a debugger and a JTAG cable and now it's unlocked anyways, right? So it took a while for us to kind of like, um. Deliver the security. We've been promising in a bunch of areas to be able to change those base levels of technology.
[00:21:35] HD Moore: But I think you're right. Like things like passwords, maybe we should just shouldn't have them anymore. Maybe there should be something else like identity keys, authenticated, like crypto toss for everything. Um, same thing with like network access. Maybe we just don't have web-based management anymore for network devices.
[00:21:48] HD Moore: Maybe we can put a different way to do it.
[00:21:50] Sean Martin: Yeah, and you mentioned Zero Trust earlier, maybe. Maybe we have to accept that. OPM is reality, right? Everything, everything is exposed and [00:22:00] assume, assumed, assume, uh, breached or assume accessed and, and active coordinator, I'm, I'm just thinking of recovery, right? Um, you talk about three password attempts and you wipe the machine.
[00:22:13] Sean Martin: Well, that's only good if you, if you have a way to recover if
[00:22:16] HD Moore: Yeah, and somebody else can't trigger those three attempts.
[00:22:18] Sean Martin: exactly. Exactly. Uh, well.
[00:22:21] Marco Ciappelli: the only thing I can think about, it's, you know, the first rule of cybersecurity is that you don't talk about cybersecurity. That's,
[00:22:29] HD Moore: And
[00:22:29] Marco Ciappelli: oh no, that, that was the fight club, right? That was a fight club. I'm sorry. Uh, it was fun. Um,
[00:22:36] Sean Martin: it's always fascinating chatting with you, HD. Um.
[00:22:39] HD Moore: the Sean.
[00:22:40] Sean Martin: Yep. Good, good stuff. And, uh, yeah, glad you had a chance to, uh, connect with the, with the folks in Toronto at SecTor. Um, I presume folks who registered and, and attended have have a way to connect, uh, to your presentation at some point. Uh, and, uh, [00:23:00] hopefully do that.
[00:23:00] Sean Martin: And if, if you make that public, let us know and we'll, uh, we'll share that with folks as well. Until then. Everybody should just connect with you and, uh, ask their questions directly. And, uh, HD, thanks. Thanks for sharing, uh, your story with us about, uh, your keynote at SecTor. Hope to see you in another event soon, or, uh, tell another runZero story as well.
[00:23:23] Sean Martin: And thanks everybody for listening, watching to this conversation, uh, with Sean and Marco as we continue to cover events all around the world.
[00:23:32] Marco Ciappelli: Thank you.