Marcus J. Carey and Jeff Man, both former NSA cryptologists, share their fascinating journeys in the realm of cybersecurity. They discuss how personal experiences shaped their identities and careers in tech. Hear about their transformative paths from the Navy to cryptology and the impactful role of the NSA's red teams in understanding vulnerabilities. They delve into the intricate world of cryptography, including its influence on cryptocurrencies like Bitcoin. Their stories highlight the blend of national security with cutting-edge technology.
Jeff Man's journey to the NSA highlights the importance of persistence and continuous learning in pursuing a career in cybersecurity.
Cryptographic vulnerabilities, such as the reuse of one-time pads, can pose significant risks to secure communication systems.
The formation of The Pit and the success of Operation Eligible Receiver underscore the value of proactive red team assessments in identifying and mitigating network vulnerabilities.
Deep dives
Jeff Man's Journey to the NSA
Jeff Man's journey to the NSA began when he applied for a job after being recommended by a family friend. He had to pass a rigorous background check and undergo several aptitude and skills qualification tests. Eventually, he was offered a position within the Inpose division of the NSA, where he was tasked with conducting cryptographic reviews. Despite not having prior knowledge in cryptography, he went back to school and learned about classic manual crypto systems. As part of his work, he also developed software for electronic encryption and decryption, making it easier to process messages. This marked the initial foray into software-based cryptography at the NSA.
Securing Communication Systems
In his role as a cryptographer, Jeff was concerned with securing communication systems. He worked on analyzing manual paper crypto systems and ensuring that they followed best practices to prevent exploitation. One key area of focus was the proper usage of one-time pads, where he discovered that some users would reuse one-time pads, which weakened the security. Jeff's work involved identifying vulnerabilities in cryptographic systems and providing recommendations for stronger security measures.
Cracking Encryption and Security Assessments
After transitioning to the Operations side of the NSA, Jeff worked on cracking encryption and conducting security assessments. His team would identify and exploit vulnerabilities in systems that were not following best practices or secure protocols. By examining encryption methods and identifying shortcuts taken by adversaries, they sought to improve the overall security practices of the NSA and ensure that their own cryptographic systems were not susceptible to exploitation.
Jeff Man's Contributions and Impact
Jeff Man made significant contributions during his time at the NSA, pioneering the use of software-based cryptography and ensuring the security of communication systems. His work involved enhancing encryption methodologies and assessing vulnerabilities in cryptographic systems. By focusing on securing both internal and external communication networks, Jeff played a vital role in safeguarding sensitive information and improving cybersecurity measures within the NSA.
The Creation of The Pit and Its Role in Hacking
In 1993, after the creation of the first web browser, a small group at the NSA decided to explore hacking and internet security. They formed a team known as The Pit, where they focused on breaking into networks and computers to test their security. The team engaged in activities like password guessing, exploiting idle accounts, and using password cracking programs. They were allowed to continue their work even after a reorganization within the NSA, and they gained recognition within the organization for their expertise in hacking.
Operation Eligible Receiver and Lessons Learned
In 1997, the NSA launched Operation Eligible Receiver, a training attack on the US government and military. The Pit, being experienced in hacking, was not directly involved but had unknowingly inspired the exercise. The operation used a less sophisticated team with off-the-shelf tools to simulate attacks on government networks. The exercise revealed vulnerabilities in the secure networks and showcased the importance of conducting red team assessments to identify and fix potential weak points. This highlights the significance of ethical hacking and emphasizes the need for organizations to protect their networks and assets against cyber attacks.
In this episode we interview two NSA Cryptologists, Marcus J. Carey and Jeff Man. We hear their story of how they got into the NSA and what they did while there.
To hear more stories from Jeff tune into Paul’s Security Weekly where Jeff is a regular co-host and shares a lot of stories and insights.
