October 23, 2024
EP 64 – Identity Reinvention: Insights From the World’s First Augmented Ethical Hacker
In this episode of the Trust Issues Podcast, host David Puner sits down with CyberArk’s resident technical evangelist, white hat hacker and transhuman, Len Noe. They dive into Len’s singular journey from a black hat hacker to an ethical hacker, exploring his identity reinvention and the fascinating world of subdermal microchip implants and offensive security. Len shares insights from his new book, "Human Hacked: My Life and Lessons as the World’s First Augmented Ethical Hacker," which releases on October 29. They also discuss the relevance of Len’s transhuman identity to his work in identity security.
What if you could step out into the outside world without bringing anything with you? No wallet, no car keys, no phone. It’s not a far-flung or far-off scenario. Some people are now getting chips and devices implanted into their bodies for functionality. Others are doing it with nefarious intent. And we’re just in the infancy stage of all of this.
While these kinds of implantations are now limited for the most part to a subculture, after you hear today’s interview with one of its members, CyberArk’s resident technical evangelist, white hat hacker, and transhuman Len Noe, you’ll recognize that it’s likely only a matter of time before there’s more widespread adoption for the sake of convenience and access.
And on the flip side of the coin, new attack methods. Start your car or tap to pay with an NFC implant in your hand. Trigger an NFC attack with an augmented pinky. It’s all happening now. On the occasion of the publication of his first book, Human Hacked: My Life and Lessons as the World’s First Augmented Ethical Hacker, which releases on October 29th, Len’s back on the podcast to talk about all sorts of things related to his identity as a transhuman, which means he has both biological and technological components, including various implants.
We discuss how his transhuman identity ties to his offensive security work, experiences, and transformation from a black hat to an ethical hacker. Quick note, at a couple of points in the interview, you may hear what sounds like a rooster crowing. It is not a sound effect. As it turns out, Len was beaming in from his farm in Texas, where he has 40 chickens, 9 peacocks, and a flock of guinea hens. Here’s my conversation with the always surprising Len Noe.
David Puner [00:02:00]: Len Noe, technical evangelist, white hat hacker, and transhuman. Welcome back to the podcast, Len. Really great to have you here.
Len Noe [00:02:10]: Great to be here, man. Thanks for having me back.
David Puner [00:02:13]: You got it. There’s a lot going on in your world. And when you were first on the podcast back in Episode 2 in May of 2022, we focused on the fact that you’re transhuman, which essentially means that you are comprised of both biological and technological components, which means that you have a bunch of implants.
All in the name of research and cybersecurity advancement. And we covered a lot of transhuman ground in that episode. But here we are, almost two and a half years later, and you’re just about to add another title to your already very full belt of titles there. And that is Author. Your first book.
David Puner [00:03:00]: Human Hacked, My Life and Lessons as the World’s First Augmented Ethical Hacker, releases on October 29th, just after this episode releases. I read the manuscript. It’s really gripping. It’s really great. It’s an account of your experience or odyssey, really, as the world’s first augmented ethical hacker.
So I guess to start things off, what inspired you to write the book? And have we tapped into something entirely new? Are you going to keep on writing books from here on out?
Len Noe [00:03:35]: Well, uh, that’s two questions. So what inspired me to write the book was honestly, it was a fluke. I’d been talking about the idea of potentially writing a book around this, but what I pitched to Wiley originally is not what came out.
David Puner [00:03:50]: Okay.
Len Noe [00:03:51]: It really wasn’t. And, uh, the answer to the second question is, yeah, I think we have. I didn’t realize that I could enjoy this kind of work. I mean, I failed literature and comp in high school. You know, I’m taking some college classes now to learn how to be an author. Now that I am one, I figure I might want to learn how to do it the right way. I felt so bad for my editors. Oh my gosh.
David Puner [00:04:15]: And in the book, to get down to details of it, of course, you talk about your transition, or transformation really, from black hat hacker to an ethical or white hat hacker today. What was the most challenging part of this transformation and how did it shape your current perspective on cybersecurity and identity security?
Len Noe [00:04:36]: I find it really interesting the way that you phrased that question, because the hardest part was my identity. People don’t seem to realize when you’re involved in something like a motorcycle club, or anything that’s going to take up that much of your life, it becomes a part of your identity and how you see the world and how you react to the world.
David Puner [00:04:57]: Right.
Len Noe [00:04:58]: One of the funny things that people might get out of this is, you know, I’ve been married for going on 15 years, and my in-laws still don’t call me by my actual name of Len. They still call me "hacker." It wasn’t just a name. It was a lifestyle. It was an identity, and the hardest part was stopping myself from taking those opportunities as I started to see them, because it’s like, I’m not gonna do that anymore.
David Puner [00:05:26]: Right.
Len Noe [00:05:27]: One of the things, and I know you’ve probably said it a million times on this podcast, Dave, is we have to think like the bad guys. We have to think like the attackers.
David Puner [00:05:36]: Right.
Len Noe [00:05:37]: I just have to think. You know, I just walk into the room and it’s like, okay, where are the security cameras? You know, where’s the exit? Can somebody get behind me? I’d never sit with my back to a door. I just naturally think that way.
David Puner [00:05:49]: Right. In your book, I wrote down a few of the quotes that struck me the most, and one of them was, "I naturally think like a criminal. If I know how they think and attack, I know what and how to prevent it." Which is really kind of, speaks to what you just said right there. So, how long ago did this transformation start?
Len Noe [00:06:09]: It started just over, I would say, 11 years ago.
David Puner [00:06:13]: Okay.
Len Noe [00:06:14]: I mean, not much before I started coming to work for CyberArk. I was still active in the motorcycle clubs at my last employer, which, you know, was for a large human resource and payroll company, which we’re not going to name. But, you know, if you’ve ever seen Sons of Anarchy, somebody walking in wearing, you know, the leather vest with the patches on it and parking their Harley in the parking lot. That’s what I was doing. I was hanging my club colors in cube land.
David Puner [00:06:42]: Uh huh. Okay. So when did you realize that you needed to separate the two, or did you really actually have to separate the two? How did that all come about?
Len Noe [00:06:52]: It wasn’t like a separation of the two. It was more like a complete identity reinvention. One of the most catastrophic incidents in my entire life was when they handed me my granddaughter. And as bad as this is going to make me sound, I don’t try and hide from the bad person I used to be, because if I ever forget what I did, I might go back there.
But I didn’t seem to have a problem with acting reckless and showing my own children, you know, bad behaviors and bad examples. But there was something about carrying that on into my grandchildren that, when I looked down into my granddaughter’s face for the first time, when they handed her to me, something inside of me broke. I mean, literally it just broke.
David Puner [00:07:33]: Wow.
Len Noe [00:07:34]: You know, I’m not the person that coined this phrase, but I’m just going to use it because it’s still true: The only things that I had to look forward to were either going to be jail, an institution, or death. And I didn’t want my grandchildren to be afraid of me the way that my children were. And I just decided, I need to make a change. It wasn’t just getting out of the motorcycle clubs. It was a change in attitude. I mean, I didn’t even own any clothing that either wasn’t club-related or didn’t have a Harley Davidson logo on it.
David Puner [00:08:00]: Mm hmm.
Len Noe [00:08:01]: I had to cut off my beard. I decided I wanted to be like every other IT guy out there because that was all I was really good at. People who know me now, I’m kind of one of the recognizable faces for CyberArk, but people may find it hilarious to know that when I joined this organization, I was clean-shaven.
David Puner [00:08:18]: Right.
Len Noe [00:08:19]: And it was almost six months before anybody but my hiring manager and a few select individuals even knew I had a single tattoo because I was wearing long sleeve shirts everywhere I went.
David Puner [00:08:29]: And it’s interesting that you mention the tattoos because you’ve obviously, you’ve got many of them, and you write about this in the book. No, just one.
Len Noe [00:08:37]: Oh, well, one. Just one.
David Puner [00:08:39]: Right. They all turned into one.
Len Noe [00:08:41]: No, I just start—I have one tattoo that starts at the neck and goes all the way to the top of my feet.
David Puner [00:08:46]: Right. Okay. So I mention that, and you mention that, and I picked up on it because we’re just discussing now how you kind of made the transition from being on the wrong side of the law to being an offensive security researcher. It surprised me in the book to learn that your first implant, your first chip, didn’t go in until 2020.
So, how many do you have now? What inspired you to get that first implant? And did you think of it as something that you were doing for your job? Or did you think of it as something that you were just doing in life?
Len Noe [00:09:14]: It was an evolution. I would bet any amount of money you want, David, that you are not going to wake up tomorrow and go, today is the day I am going to just start putting a bunch of electronic microchips in my body.
David Puner [00:09:26]: I think that’s probably right.
Len Noe [00:09:28]: This is an evolution. We’ve mentioned the tattoos. I’m also into body piercings, and I actually do flesh hook suspensions as a side hobby, so I’m one of those guys that likes to have the big sturgeon hooks put in my back and hung from the ceiling and just hang around for a while.
David Puner [00:09:42]: Yep, and you detail all that in the book as well. That is pretty eye-opening stuff if you don’t know about the flesh hooks, which I certainly did not.
Len Noe [00:09:50]: Yeah, I’m not your normal average IT guy. And one more point to the last statement is, you know, I didn’t want to be an offensive security researcher when I started here. To me, at that point in my life, that was me going back down the bad road. That’s like the alcoholic deciding, you know, he can drink near-beer. It was too much of a temptation. I just wanted to be a regular old solutions engineer. And when I first hired here, that’s all I was. I was the first corporate solutions engineer for CyberArk.
So my job was to actually just take care of the demo environment that we use to, you know, show off the product, keep it updated, add new use cases. And that was all I wanted. I wanted to be Joe Average. The fact that I’m back into offensive security happened completely by accident.
David Puner [00:10:35]: You were doing offensive security though in 2020 when you got the first implant.
Len Noe [00:10:39]: Oh yeah, I was.
David Puner [00:10:40]: Okay.
Len Noe [00:10:41]: But it wasn’t for CyberArk at that point per se. It was, you know, I still did a lot of CTFs, I was still in that space because that’s where my interests were, but it was more along the lines of, uh, I was doing it for me.
Honestly, we were at Black Hat for CyberArk, you know, I believe it was in 2018, and Mike Marino, you know, my boss, the director for North America here, he actually gave me the opportunity because it was in Las Vegas. And I’m like, dude, it is 140 degrees outside. It’s Vegas. I am not wearing long sleeves while I’m working at Black Hat. And nobody wanted to talk to, you know, the guys that you could pick out of any other booth. Everybody in there, for the most part, looked the same.
And this was before, you know, we’ve seen a lot of it in recent years, but back in 2018, it wasn’t as common to see a lot of tatted-up people. Most of the people wanted to talk to me, and it was from there that things just kind of rolled, and I was able to find a way to take all of my previous experiences—the skill set that I came into the company with, not really even talking about—and actually find a way that I could still do what I loved but actually have it come out with some kind of a positive result instead of just hacking things.
Now, I could actually still do that. The same types of things in terms of attacking the puzzle, going after the authentication, whatever it was, but I could do it in a way that people could actually gain knowledge from, and it actually was a positive thing for everyone that was involved. And it was great. I didn’t have to worry about being arrested. It was like all of the fun parts with none of the risk.
David Puner [00:12:00]: So now here we are about four or so years after you got that first implant. You detail all of them in the book, so we don’t need to go into like very broad detail about what they are or anything like that. But how many do you have now?
Len Noe [00:12:13]: Currently, I have 10. I have everything from RFID, NFC, I had a credit card, magnets. I even have a chip that enhances my security online. That’s a cryptobionic identity chip that is FIPS compliant, can do SHA-256. It’s my crypto wallet key. It’s a ton of things. So, I mean, it’s not just offensive anymore. Now it’s been actually integrated into my everyday life for even things like OTPs.
David Puner [00:12:39]: Right. And so, one of the things you mentioned in the book was that back in 2017, there was something that hit the news, and I think it was, what, the cover of Time magazine or something like that that said, "Yes, you will all one day be chipped" or something like that?
Len Noe [00:12:54]: You will all one day be chipped. There was a company, and I believe it was in Wisconsin, that basically gave it up as an offer to become microchipped for the purposes of time and attendance, and everybody lost their mind. Right? And instantaneously, it was "This is going to become mandatory." And the thing that I find hilarious is just the lack of physics involved in this.
David Puner [00:13:19]: How do you mean?
Len Noe [00:13:21]: The things that would have to move in order to make things like this happen are just beyond belief in terms of a mandatory "everyone getting microchipped." I mean, the closest thing I’ve ever heard that could be even conceivable was, you know, all the rumors when we had to go through that thing, you know, a couple of years ago, that thing called COVID.
David Puner [00:13:42]: Oh, right. Yes.
Len Noe [00:13:43]: The amount of rumors and conspiracy theories about people being microchipped during the vaccination process. And as somebody that’s actually seen the size of the needles that you would need in order to actually put a microchip that’s worth anything into a human, I guarantee you if somebody walked into a room with a syringe the size of an ink pen, there would have been a lot fewer people getting COVID vaccinations.
David Puner [00:14:06]: And that’s another thing that you detail in the book is actually how all of these various implants were, in fact, implanted. And some, it was as simple, I can easily say here, having not done it myself, as an injection with a needle, and others a lot more involved, involving surgery and stuff like that.
Len Noe [00:14:24]: Forewarning to anyone in the book, if you’re squeamish, I hope that Wiley puts the warning in there at the beginning of Chapter Seven. That’s all I’m going to say.
David Puner [00:14:35]: And again, medical doctors are not the folks performing these procedures either.
Len Noe [00:14:39]: No. If you think about it, it’s like, "Hello, Dr. So-and-So, I’d like to set up an appointment. I bought these things off the internet that I’d like you to put inside my arm." No, I don’t need to be transferred to psych. How do you even do that? So, no, everything has actually been done through body modifications or parlors or what we call body mechanics.
David Puner [00:15:00]: Mm hmm.
Len Noe [00:15:01]: And these are the same people that you would go to to split your tongue or gauge your ears or even do dermal implants like people that have what look like horns and things under the skin of their foreheads.
David Puner [00:15:12]: Right. Fascinating. And there’s a lot of this going on now. While you were the first to do this as an actual ethical hacker, there are people who have done these kinds of implantations prior to that.
Len Noe [00:15:23]: Oh, absolutely. There was a group called Grindhouse Wetware that actually released implants back around 2014, 2012. And they were actually the first consumer-grade implantable technology company out there. But nothing that they had ever produced really was something that I could kind of get with. There was no input-output on it. There was nothing that I could really use it to do anything with. And at that time, I was still more of an active black hat. Greyhat probably would be a better term at that point. But at that point, it’s like I want to be hidden. I don’t need something that’s gonna glow up and make people stare at me.
David Puner [00:16:00]: Mm hmm.
Len Noe [00:16:01]: So they kind of went against my end goals. But these guys were pioneers in terms of how many people are using it for what I’m doing. Most people before me were using it for legitimate use case scenarios. They would put the key to their office on it. They could put the key to their Tesla on it. They could, you know, use it to get into a gym. I’m the first one that came out publicly and said, "These things can be repurposed for an offensive technological advantage." Since I did it, I know of about four different pentesters that work for large red teams around the United States and over in Europe that have used these in actual engagements.
There was an individual that I met through the speaking circuit, and she actually got an RFID implant right in the middle of one of the BSides conferences in Newcastle. So once I opened the door, a lot of people followed me through it. I don’t really think they’re going to follow me down the road that I’m going because I’m leaving the realms of what you can purchase off the shelf, and I’m going into uncharted waters because my use cases and what my wants are in terms of the technology are now requiring what is consumerly available.
David Puner [00:17:04]: Before you got your first implant, you experimented with wearables. And the first proof of concept in a restaurant attack—what was that? And what were the security implications? And then ultimately, why did you decide that, okay, wearables weren’t enough, and you had to take that next step into implants?
Len Noe [00:17:22]: Honestly, I wasn’t sold on the idea yet. And I was actually kind of kicking around the idea of attacking contactless technologies prior to getting my first implant. So originally, the idea was to use the wearables as the attack. I was at one of the conferences, and I watched a couple of people beam their contacts between each other utilizing NFC. And it just hit me like a thunderbolt that all of these devices have this technology. I wonder if there’s anybody that’s really tried to leverage it from an attack perspective.
And I wound up going down this mad rabbit hole on the protocol, and it was just, "Wow, this is insane. Nobody is able to look and see that this is right in everybody’s face." NFC tags and things you can do with this. So I eventually found a ring that had a little bit of black enamel on the top that had an NFC chip built into it. So I decided, "Let’s give this a try."
So I tested it on my own internal hardware, and then came one night where me, my wife, and a group of friends of ours were all going out to dinner. And I was like, "I know that this place uses a tablet for their guest services. I’m like, I wonder if I can actually pull this off?" You’ve got to think of the mechanics of this. If you’ve ever played with NFC on your phone, you have to hold it—the receiver’s in a specific spot. And at the time, I didn’t really realize it until I started doing the experimenting, but you know, with these small wearables, the receiver and the chip need to be even set up in the correct orientation. So if it’s vertical and your chip’s horizontal, it doesn’t work.
So it was, "Let’s just try this." We got to the restaurant, and in the book, I call this dinner and a show. And I essentially was trying to see, can I social engineer a mobile device or a device with this type of technology out of somebody’s hands? So, I walked up to the maître d’ and basically social engineered myself right into getting my hands on this guy’s tablet. And, you know, it was one of those, "Hey, is that one of the new Samsung tablets? You know, I’ve been thinking about buying one of those. Can I see it for a second?"
David Puner [00:19:09]: Right.
Len Noe [00:19:10]: And he’s standing right in front of me, and it just goes to show. I’m not going to give away the entire story, but I will say that I had to turn the volume off. I had to enable NFC, and I did it all right in front of this guy, and he had no idea.
David Puner [00:19:25]: Right.
Len Noe [00:19:26]: We talked about what was the hardest thing, changing sides. That was one of the hardest moments of my life.
David Puner [00:19:31]: How so?
Len Noe [00:19:32]: You know, because I had basically—without giving away the book—I had triggered an NFC attack that if I would have completed it, I would have had a reverse connection into the tablet, which is connected to their point of sale system. You know, and when I saw that thing pop up on the tablet going, "Are you—would you like to download this file?" it was like, "Oh no, I really don’t. I don’t want to do that." I did want to do that. But I didn’t.
David Puner [00:19:58]: We should again point out the purpose of that exercise was again for offensive research.
Len Noe [00:20:04]: Yeah. That was one of those moments where it was like, "Yep, you’re a good guy now, Len." You know, the attack was done. So in my mind, it actually worked. The only thing I didn’t do was see the actual connection on my listener back at home.
David Puner [00:20:18]: This is kind of a breakthrough of some sort with the wearable, but then at what point do you determine, okay, the wearables aren’t enough to do these kinds of sophisticated mock attacks essentially? When do you shift to the implants, and how does that click?
Len Noe [00:20:32]: Well, it clicks on two different aspects. So, like I said, I had started with the wearables prior to actually getting to the idea of the implants. I was actually sitting on one of the bridges on one of the canals in Amsterdam. Thank you, CyberArk. You know, they had given me the opportunity to go over there to speak, and I was actually running over to a tattoo parlor to try and grab a sticker. Some people collect shot glasses and spoons, I collect stickers.
And at one of the tattoo parlors, they were discussing a different shop, the next town down the railway in Utrecht, where they were now able to grab off the shelf and implant subdermal microchips that were RFID and NFC. And it was like, what? It came to me almost as a surprise. I was, at that time, pretty content with just using the wearables. But when I found out that there was the opportunity to do the same thing with a subdermal implant, that opened up something completely new.
Because one of the things—most bikers, especially if you start getting into some of the more illicit types—we could almost be paralegals. We know where the lines of the law are, and know how to skate right up to them and stop. And one of the things that I had learned just living in that kind of environment for most of my life is, I’m really bad with my Latin, David. So, if I mispronounce this, you know, work with me, but I want to say it’s pronounced mens rea?
David Puner [00:21:57]: Okay.
Len Noe [00:21:58]: Which is essentially Latin for "malicious intent." So you can actually commit a crime and not be a criminal if you happen to just do something that is against a law, but it wasn’t your intention to break the law. That’s where, they say, police and the authorities have a lot of discretion to interpret what actually happened.
So, for example, if I’m in a location on-prem somewhere that I shouldn’t be—if you don’t have a sign there or somebody opened the door and I just walked through with them—does that make me necessarily a criminal? Not necessarily. Was I intending to go in there and try and do harm, or was I just going, "Oh, these look really cool. I’ve never seen these racks full of servers before"?
And if you are caught with any type of duplication device—so in the past, if we wanted to compromise physical locations, we’d need a copy of a cloned card. We’d need something like a Proxmark. We would need a Flipper Zero or some type of thing that could replay the signal of a stolen card. And that, in and of itself, proves malicious intent. You were trying to bypass it.
One of the things that I discovered is the fact that these particular implants are inside my body. They’re actually covered by the HIPAA laws here in the United States, as well as the GDPR restrictions in Europe. So, at this point, no one can even ask me about these. And it opens up a completely new attack vector that basically provides the burden to prove I was doing something wrong on my victim, as opposed to me automatically being assumed guilty from the start.
David Puner [00:23:34]: It seems clear that having these things hidden enhances your ability to research and create social engineering attacks to get in front of them. But how does it help in the long run to ultimately defend against them?
Len Noe [00:23:48]: Just like we have malicious applications and we have software to counteract those types of code, we also have the opportunity that we have implants that can be used for offensive purposes. And I actually have additional implants that I use to enhance my security.
And one of the questions that I would ask, Dave, is: What is unique about you that I can’t duplicate, counterfeit, or spoof or bypass? And if that’s the case, especially with deepfake AI and all the other types of technologies we have going on right now—the fact that we can actually 3D print fingerprints with gelatin to bypass fingerprint authentication—there’s nothing left unique about us.
Is something like a microchip going to become the next source of truth for us as human beings as we move into a more technologically compromising future? Right now, we’re sitting here on Riverside having a podcast, but you don’t know that you’re actually talking to the real Len. And I have no way of knowing that I’m talking to the real David Puner. We don’t have an SSL lock down in the corner, and we’re living in a world where we can no longer believe what we see and what we hear.
So, is the idea of something like a microchip in my arm that I have to scan prior to logging into Riverside to validate my identity—is that the future? Maybe. Maybe we’re going to have an entirely new market come out: identity validation as a service. Maybe we’re going to give our identities to someone else as a validator for all of our legal business or important transactions, but we need something.
David Puner [00:25:25]: Really interesting. In the foreword of the book, the gentleman who wrote the foreword says that you’re a man who sees the future. Do you agree with that assessment?
Len Noe [00:25:36]: I do. I think that I’m one of the people leading the charge to try and change our perceptions.
David Puner [00:25:42]: Okay.
Len Noe [00:25:43]: This is one of the things that I love to ask people. And when you really think about it, and if the listeners actually hear the words that I’m saying, you’ll know I’m right. Hey Dave, the next time we get together, what would you do if I walked up to you and said, "Hey David, can I look inside your wallet?" Would you just hand me your wallet and let me look through it?
David Puner [00:26:05]: Probably not.
Len Noe [00:26:07]: Nope. But if I—you didn’t know that I had these implants in me—and I said, "Hey Dave, you know, let me see your phone for a second. I’ve got this video I want to show you." There’s a 50/50 chance that you’re going to hand it over.
David Puner [00:26:20]: Yeah. I mean, I was actually thinking about that when I saw these examples that you give in the book about you would think no, you wouldn’t just give that to a stranger. But if given the right set of circumstances or the scenario that the person paints or whatever it may be, you might be so flustered or you might feel compelled to help that you probably would. And I think one of the takeaways, it seems like, from a practicality purpose, is if somebody is coming at you hot, wanting to call somebody on your phone or whatever it may be, even if it seems like it’s a dire situation, you should think probably twice and maybe three times before actually doing it.
Len Noe [00:26:55]: I can give you a real-world example. I was just coming back from my last trip for CyberArk, and I was waiting at the airport for my wife to pick me up. And you know, I was sitting right up there at the curb. And this woman drove up in a car and was like, "Excuse me, sir…" First and foremost, gotta love Texas. I don’t know where else you could look like me and have somebody think that I’m friendly enough to just walk up and start talking to them. But this woman drives up, and she’s like, "Excuse me, sir, can I use your phone? I’m trying to find my…" Whoever I’m picking up, I don’t remember if it was a daughter’s cousin or whatever.
And I was like, "I’m sorry ma’am, I can’t do that. But if you’d like, I’d be happy to dial the phone and put it on speaker for you. But I will not hand you my phone." You know, so you can still help people out and be secure.
Back to my original question though, in terms of your wallet. We look at the old ways and we look at things through old eyes. We think that what we have in our purse or what we may have in our wallet contains a lot of important information. I can guarantee you we’re not keeping our medical history in our wallets, right? You may have a couple of credit cards, but you don’t have access into your bank account directly. And if you’ve got a family and you’ve got those family locators, you’re not keeping the ability to track the rest of your family in your wallet.
David Puner [00:28:09]: Right.
Len Noe [00:28:10]: The problem, in my opinion, especially around mobile devices, is we’ve started looking at these things like they’re little toys. And the old days of getting a separate device from your employer, it has shifted to BYOD, and the same devices that we’re using to do corporate functions on are the same devices that we’re watching YouTube and doing Instagram or Facebook on.
David Puner [00:28:33]: Oh.
Len Noe [00:28:34]: So, you want the security for me and my people. I love it. Well, for starters, I can tell you from my own personal experience, I have taken the steps required to make sure that me and the implant—my implanted technology—is safe. Okay. Essentially, you know, we’re going to go in the Wayback Machine for a minute here. Do you remember the good old days of rewritable CD-ROMs?
David Puner [00:28:57]: Yes, I sure do.
Len Noe [00:28:58]: Yes. For all of the young listeners, we didn’t always have things like USB and portable drives. You know, we actually had CDs, and we had to carry them around like frisbees. But just like those old rewritable CD-ROMs, that’s basically the same premise of how most of my chips work. I can write them, I can rewrite them, but you can also eventually close them, which will be that last write, and you’re going to say, "I want it to be like this forever."
And the thing that people don’t realize is when you start integrating technology—and this isn’t even just for me as a grinder—I’m even including people who are getting any type of technology from a medical perspective. Once you start integrating your body with that technology, you then inherit whatever security and technical vulnerabilities that that technology has.
So, to finish, in terms of me, most of my implants are between my elbows and my fingertips. So I actually went out and bought—I’ve got gauntlet-style leather gloves that go all the way up to my elbows. And I took them to a seamstress, and I actually had them lined with Faraday fabric. So if I don’t want anybody getting to my chips, when I go to places like DEFCON or other large conferences where I’m one of the few that is known to have these types of implants, I’ve documented where on my body they are. I’m a walking target. And as I’ve said many times, my security is nobody else’s responsibility, so I had to make sure.
In terms of how do we address this from a medical perspective, one of the most shocking discoveries I made during the research for my book was the fact that, you know, we expect the Food and Drug Administration to take care of all of the safety concerns around implantable tech, right? There is not a single red teamer or anything of that sort that is employed by the FDA. Most of the security, red teaming, pen testing, validation of medical devices are done by the companies that are actually producing them. And in my opinion, that’s one of the biggest conflicts of interest I could ever imagine. So I think we need to start, as a nation, demanding more transparency in the testing of medical devices.
But I would also say, depending on what you’re dealing with, see if there’s an open-source option so you can get away from that. There’s actually an organization called the Open Pancreas Foundation. And these are for people with type 2 diabetes and insulin pumps, where you can actually get an insulin pump that doesn’t use the software coming from specific manufacturers that are known to have vulnerabilities. And it’s open source.
David Puner [00:31:49]: Wow. There are so many nuances to all of this, and this is just—it seems like—the beginning. So it’s going to be really interesting to see how it evolves. We talk a lot about identity on this podcast for obvious reasons, considering we live and breathe identity security here at CyberArk. So, that said, what is your identity? I know we kind of touched upon this a little bit at the beginning of the interview, but if you were to—someone was to ask you, who is Len Noe, and how do your implants figure into it?
Len Noe [00:32:19]: I’m just another human being, just like everybody else. I just think that I may have taken a step off this beaten path and onto an alternate projection of the future of humanity. See, that’s a very difficult question to ask because I’m not like everybody else. I can do some pretty cool stuff. I think maybe if I get to the point where I have the next implant, where I actually have compute abilities, and I’m not just a passive responder to other technologies, I might feel differently. But due to the fact that right now, I need something else for all of my chips in order to even do anything, right?
So when I can get the single board computer that I can actually set it up to do something, and it’s going to do something while I’m doing something else, then I might feel like it will move beyond me being just a regular everyday human. Right now, I feel like I’m just another, just like you, just with some really cool tricks.
David Puner [00:33:11]: So as a transhuman then, what sort of challenges do you face just living your day-to-day life as a result of being a transhuman? I mean, we know you can’t get an MRI. What else?
Len Noe [00:33:23]: Oh, magnets are not my friend. Magnets are not my friend. To the point of what David’s talking about, I have a magnet in the tip of my pinky, and it’s a biosensing magnet, so therefore it gives me an additional sense. I can feel electromagnetic fields and currents, and just like if you walk outside on a really clear bright sunny day and decide to stare directly at the sun, it’s going to hurt your eyes.
David Puner [00:33:50]: Yeah.
Len Noe [00:33:51]: If I get anywhere near large, powerful electromagnetic fields, it can get very, very uncomfortable. And when you have really—you know, we’ll just say, oh, how do I want to describe my friends? We’ll say rambunctious, okay? You know, when you have rambunctious friends who like to run at you with earth magnets, it can be a little daunting from time to time.
David Puner [00:34:13]: Uh-huh.
Len Noe [00:34:14]: I have a friend who’s like, « One of these days I’m just going to get some steel, you know, metal shavings, and I’m going to just put them in your pocket so then you’ll—how do you get them off? »
David Puner [00:34:23]: This is a friend, huh?
Len Noe [00:34:25]: Yeah, I might want to work on some new friends, but yeah, that’s my friend.
David Puner [00:34:30]: What advancements in identity security do you think are necessary to keep pace with the rapid development of these transhuman technologies?
Len Noe [00:34:39]: I think we need to start looking at the way that they can be actually integrated for enhancement of security. I’ve done a really good job of showing how we can use it for offensive purposes, but the truth is, I shouldn’t be able to do this at all. NFC is a non-secure protocol by design. Once again, just like with QR codes back during COVID, when it comes to NFC, we’ve decided to build the tap-to-pay functionality on top of an insecure protocol.
So I have a real big issue with the fact that we, as a society, are pushing for this tap-to-pay, and we’re telling everybody it’s safe, but the protocol that’s running it does more than allow for tap-to-pay. There are so many different actions. I mean, in my opinion, one of the nastiest new ones is the ability for the phishing and the spear-phishing that I described in the book. I found a way to actually remove that fake first connection and send a phish from an official source. So, I mean, that to me, it shouldn’t be allowed. And if we look at the negative repercussions of what NFC is capable of, I don’t know why it’s not disabled through pretty much every MDM protocol, especially in a BYOD scenario.
David Puner [00:35:59]: Then, I guess, talking about some recommendations—or we’ll get to recommendations you may have in a moment for both organizations and individuals, of course, who are working in these organizations—but we’ve been talking in and out of the future and the future of transhuman technology throughout this conversation.
When we were first talking about this with you a couple of years ago, obviously it was prior to the big generative AI wave, and you mentioned AI earlier in the conversation as well. How has that changed how you’re looking at all of this and what you’re doing with it, and how does AI and things like deepfake technology figure into that equation?
Len Noe [00:36:33]: AI and LLMs are actually the reason I think people are finally listening to what I’m saying. To your point, we had this first conversation years ago, and nobody outside of the people that listened to it really kind of took it for anything more than, "Oh, this is just some kind of a weird freaky guy who probably, you know, he’s not really a threat. One guy does not a threat make."
But I think now that we’ve seen such a push with generative AI, things like Neuralink, the integration of technology and human beings has moved off of the comic book page, and it’s made it to the front page. And once people like Elon Musk and Jeff Bezos and Bill Gates started getting involved, it went from being fringe to now we need to start taking this stuff seriously.
And how does this, the transhuman, fit into this? I don’t know if it’s going to be something like a self-sovereign identity. I don’t know if it’s going to be transhumanism. I don’t know, in terms of the future, what is going to take. But when it comes to identity, we are moving into a future where our identities are going to become the most important things in the world because, between data models, data profiles from our shopping, our social media, our spending patterns, browsing patterns, us as individuals are what is going to become the ultimate for-sale object.
And like we said earlier, there’s no way to know right now that we’re talking to each other, aside from the conversation we’re having and previous ones, right? So we are definitely in a position where transhumanism has been on the block for quite a while in terms of a potential solution to become a source of truth for an individual.
And whether it’s that or something else, we need some type of validator to prove who we are. And the one thing in the future that I see about identity—and this has been something I’ve been screaming from the mountaintops for over a year and a half now—when we talk about the future of identity security, it is not just our digital accounts. It’s our digital integrated with our physical.
And the one way I like to explain this is if I go into CyberArk and I steal all of your cryptocurrency, I’ve affected your financials in the real world. If I can get to your crypto wallet in the real world, I can affect you in the cyber world.
David Puner [00:38:46]: Right.
Len Noe [00:38:47]: Our identities are not our consumer identities or our business identities. Our identities are us. It’s everything that makes up us. It’s our spending habits. It’s our browsing patterns. It’s our nuances. It’s our common mistakes we make when we type. And these are the types of things that are being tracked to try and create digital models of us to be able to sell to.
David Puner [00:39:12]: Well, it’s endlessly fascinating and certainly super eye-opening. Are there lessons that our listeners can take, whether they’re—our listeners are organizations or individuals within those organizations? What lessons have you learned in your research in offensive security that they can take back to their organizations to help bolster their security?
Len Noe [00:39:32]: Okay. We’re going to break this down into a couple of different ways. So we’re going to start from a business or governmental or enterprise perspective, and then we’ll work our way into the end user or consumer.
David Puner [00:39:42]: Okay.
Len Noe [00:39:43]: So when we start off, let’s look at physical security from a business perspective. The idea of multi-factor authentication in front of every type of privileged data is so common at this point that if you’re not doing this, I don’t know why you’re even listening to this. You need to go back to the basics.
So, for starters, multi-factor authentication—your physical access to mission-critical locations.
David Puner [00:40:05]: Adaptive MFA, right?
Len Noe [00:40:07]: At this point, I wouldn’t even say it—I would always prefer adaptive—but when it comes to physical security, that’s a little more complicated. But from a minimum, as far as physical security, don’t just have something you scan, you hear the click, and the door opens. Make sure it’s a data center. Scan, PIN, scan, biometric—two-factor minimum. We do this in the digital world, but yet we fail almost every time when it comes to the physical access.
And the one thing any offensive security person will tell you is if you can put me physically in front of the system, I can do so much more than I could ever do over a wire. So if we do it in the digital world, we need to give our physical security at least the same scrutiny as digital.
From a business perspective, mobile device management, wherever possible, all of the standard stuff that we already know about: don’t allow pages to remain open. Once you close the web browser, shut down all pages. That’ll just sever any type of Java connection for any type of Java-based BeEF-style attack.
Additionally, MDM policy to shut off NFC. If you can do that, if you can’t, don’t allow it to remain on for long periods of time. And this is on your phone. This would be on the mobile devices in a BYOD scenario.
David Puner [00:41:24]: Yep.
Len Noe [00:41:25]: If you want to use NFC, allow it. That way they can still do their tap-to-pay, but don’t let it just—once you turn it on, it stays on. Shut it off after two minutes. Again, lock that stuff down.
When it comes to individual security, for starters, make sure you’re up to date on all of your patch management for your apps on your mobile devices and your OS.
Number two, we deal in step-up authentication in a business sense all the time. If you’re not familiar with what I’m talking about, I can work along, and if I want to do something with a really sensitive piece of data, it’s going to be like, "We want you to authenticate one more time, just to make sure that you are who you are."
Do that when it comes to your pay, tap-to-pay. Realize that there is more to that functionality than just a transaction. I can connect you to a Wi-Fi network. I can send emails. I can download files. I can redirect your browsers to malware-infected sites. These are some of the same types of triggers that can be done on the same protocol that that tap-to-pay is.
So, if you’re not using it, turn it off. And unfortunately, the biggest thing is taking some accountability for our own individual security. Just like I said when it comes to my tech hardware, I have to make sure that I’m protected. Don’t let your mobile devices out of your hands. Stop looking at them as game systems and realize that there are probably thousands more bits of personally identifiable information on that mobile device than you will have anywhere else.
David Puner [00:42:58]: Pretty simple advice, but obviously really impactful and meaningful advice. And, you know, a lot of people, it may be super obvious, but it may not just really register just yet.
So, Len, it’s always great catching up with you. There’s so much to catch up at this point with the book out there and everything like that. And I really encourage folks to check it out. It’s called Human Hacked: My Life and Lessons as the World’s First Augmented Ethical Hacker. It releases on October 29th. If you’re listening to this prior to October 29th, you can pre-order it.
And what else are you doing? You’re doing some work with us on the CyberArk blog. You’re running a monthly column now. That’s great stuff. Enjoying that a lot. And what else? Is there anything else? You’ve still got the podcast going on with Hutch?
Len Noe [00:43:44]: Oh, yeah, absolutely. CyberCognition on the ITSP network. You know, we’ve got a heck of a good back catalog. If you haven’t checked us out, please do. You’ve got basically a transhumanist and an AI guru looking at what life might be like in the future. Additionally, keep an eye on my social media. We’re going to be posting the time and the date and the link for the upcoming book release party coming up here at the end of October. Hope to see everybody there. Thank you very much.
David Puner [00:44:11]: Len, I have a feeling the next time we book you on this podcast, I’m going to have to go through many layers of publicist to get you on. But, really excited for you with the book and everything else going on. Thanks so much for coming on. Really enjoyed having you on the podcast. Look forward to catching up with you again real soon—and the roosters.
Len Noe [00:44:30]: Oh yeah, me and the roosters will be here. Thank you very much, David. It’s always a pleasure.
David Puner [00:44:34]: Thanks for listening to Trust Issues. If you liked this episode, please check out our back catalog for more conversations with cyber defenders and protectors. And don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. And, let’s see—oh, oh yeah, drop us a line if you feel so inclined. Questions, comments, suggestions, which come to think of it are kind of like comments. Our email address is trustissues, all one word, @cyberark.com. See you next time.