[00:00] Welcome, Jacob Anderson

Rachael Lyon:
Hello, everyone. Welcome to this week's episode of To the Point Podcast. I'm Rachael Lyon here with my co-host, Jon Knepher. Jon, hello.

Jonathan Knepher:
Hello, Rachael.

Rachael Lyon:
So have you been following this Moltbook news with the AI social media platform only for AI agents and they're plotting humans' demise? Do we feel like this is real or not?

Jonathan Knepher:
Well, I think they think that they can do that.

Rachael Lyon:
Oh, that was crazy. There was a wonderful Wired article if folks want to go look that up. I just thought that was quite entertaining. So, really excited for today's guest. Joining us is Jacob Anderson. He is the founder of Beyond Ordinary Software Solutions, where he leads a team that builds custom platforms for the DoD, federal agencies, and insurance companies, projects where security, scalability, and reliability are critical. With over 30 years in software development, he's worked across finance, defense, and entertainment, and has founded several SaaS and gaming ventures. We love, we love serial entrepreneurs on our podcast, Jacob.

Rachael Lyon:
Welcome, welcome.

Jacob Anderson:
Thank you. Thanks for having me.

[01:32] Steganography and Covert Channels in 2026

Jonathan Knepher:
Excellent. Well, welcome, Jacob. Uh, I was thinking of, uh, kicking it off here with, uh, talking about COVID channels and data hiding. And what does, uh, what does steganography and covert channels look like in 2026, right?

Jacob Anderson:
Espionage stuff, right? Yeah. So, uh, you know, it's fun that you started off with AI because, uh, Before AI, people, they would romanticize about cryptography because most people didn't understand how to do it, um, and they certainly didn't do steganography, right? You would talk about that, they would always think, oh, it's a picture and you put data in a picture. Yeah, sure, okay, think that way, we love that. But the truth reality now is AI has come along and you have access, you know, the average Joe, to a very sophisticated tool that can tell you how to do extremely sophisticated steganography techniques, right? It's not just putting data in a picture, right? It's the picture has the data in it, or you could embed data in all kinds of things— Word documents, audio channels. There's all kinds of things, you know. And, you know, pretty much steganography is really about trying to put useful information in a covert channel that is obvious and hidden in plain sight. Because if it's hidden in plain sight, it's almost invisible, and that's kind of the power of steganography.

Rachael Lyon:
Yeah. So I'm kind of curious. I love steganography, that idea, because I think it was some engineer at GE that had done that. Like, it was like a vacation photo and had somehow embedded, you know, I guess designs for an airplane or, or some kind of engine of some sort in there. It just looked like a picture from Hawaii. But are you seeing, I guess now that we have more advanced tools, are you seeing some kind of trends emerging of people finding kind of new vectors with which to exploit that are quite unexpected? Or are you seeing kind of, it's kind of holding steady, a lot of the same, but maybe just more of it?

Jacob Anderson:
Yeah, you know, right now it's still a lot of the same 'cause, The actors haven't really figured out that these tools can really do that. Some of them have, you know, the more sophisticated actors have realized that these tools can help them to be even more sophisticated and do even better techniques of data hiding. But, you know, as the data hiding channel gets more complex, it becomes a lot lower bitrate. And so, there, you know, there's like a trade-off between how useful it is versus how covert it is. You know, so.

Jonathan Knepher:
Are there particular ones that folks should be looking out for? Like what's— what might be in use today? What might folks be underestimating the dangers of?

Jacob Anderson:
Yeah, I don't know. I would say anything that's streaming now, like a lot of this, like the deepfake streaming and whatnot. So those are perfect for this, right? Because I can create this deepfake audio and deepfake video, and inside of there I can encode all kinds all kinds of crazy stuff. But you know what? It's okay because I'm creating this whole like animated, you know, pretend fantasy video that people are going to consume thinking like, oh yeah, it's entertainment, la la la. But really it's actually a side channel for all this espionage, right? Very easy to do now, right? We got tools that'll do all that stuff almost real time. And it's very scary if I were in the State Department, but I'm not, so.

Rachael Lyon:
It is scary, isn't it? I think, you know, even just lower-level stuff like, you know, text messages. I don't know who's reaching out to me a lot of times. It's like, "Hi, are you coming tonight?" I'm like, "I don't know you." And, you know, even if I do, I'm not sure I know you, you know. And it's crazy times that we live in. It's trying to navigate what's real, what's not, and then how to avoid stepping in it just inadvertently because you're like, I want to be entertained for a second.

Jacob Anderson:
Yeah, right. You want to be entertained, but you also want to have friends and you want to be able to meet new people who could be your friend. And you never know, that one random text might be that one person you met the other day at this mixer for work and you forgot their phone number or, you know, all these things. So you never know, right? And so maybe Maybe an AI assistant can help you with that, right? Maybe they can be your gatekeeper, so to speak, right? Your little nanny, you know, and they keep track of everything, you know, and you just like follow along and live your life, you know, and they manage all the rest of it. Now, that is a possibility, you know. There was somebody who created an AI for doing that, right, you know, and, um, unfortunately, you know, the internet got a hold of that, you know, and other people tried to set it up too, and you know, it became very permissive about things and it would send other people, you know, your email, your inbox, your this, your that, because, you know, once you realize that you're talking to an AI, you're like, hmm, what can I do, right? You know, I was on a phone call the other day talking to an AI, first time. I'm like, you know, I know it's an AI because of how it kind of circles back on topics, you know? But I'm like, hmm, what can I do? Should I play with it? Should I push it? You know, like, what's going on here, right? Yeah, it's funny times.

Rachael Lyon:
Yeah, it's crazy to hand over your life too to kind of this, you know, this amorphous thing, whatever that might be, you know. And you just don't know where the information is going to go, how it'll be used. And I love to talk about this article I read about in Wired where this fellow stood up a company, software company of just him plus a bunch of AI agents, uh, and his AI agent was lying to him, you know, said it had done all of these things and, you know, done this code, did this campaign. And the guy's like, wait, no, no, you didn't. And, and the AI agent was like, oh yeah, you're right, I didn't.

Jacob Anderson:
Right?

Rachael Lyon:
That's, that, that, that makes me nervous, Jacob.

Jacob Anderson:
Yeah, you know, and I have only seen that with one AI, one particular AI. You know, we won't talk about which one it is. We don't want to make any enemies, right? But there is one AI that has a tendency to claim that it does stuff, right? Like, oh, I did this, I did that. I'm going to make this and that. Like, hmm, I like the enthusiasm. But, and I ask you like, where is this stuff at? Oh, it's over here. Well, that doesn't even exist. You know, like, hmm, interesting.

Jacob Anderson:
Yeah. But I also use that AI because it's like that, right? It's very grounded, right? And it's very honest with me. It never tries to be my friend. It tries to be very honest with me. So I like that, you know, but I also know that, you know, it can be a little daydreamy and flighty.

Rachael Lyon:
As long as you know that going in, right?

Jacob Anderson:
Yeah, yeah, exactly. Right, exactly. Yeah. You know, what's really— I was just thinking as our conversation was evolving is that, you know, one of the other side channels that's going to evolve is these interactive bots. All right. So it's not just like I can generate a deepfake video and, you know, output streaming data and stuff. Now I can have a bot that does it, right? So in the audio side of this bot that's like talking, I can embed all kinds of data. It could be just streaming, you know, military plans, but you won't even know it.

Jacob Anderson:
Hey, you mean you do it in real time? So it's, uh, yeah, exactly. Wow, it's pretty amazing what you can do right now and all the ways that you can, you know, exfiltrate data without ever being detected. You know, so it's not— I mean, you can, you can actually detect when it's happening. Okay, so, you know, that's my little specialty, so to speak, you know, when I was doing all this back at Los Alamos, is finding ways— like, how do you know when someone's embedding stuff in an image? How do you know they're embedding stuff in your audio channel? How do you know when someone's trying to use a side channel? You know, things like that, right? And it turns out that there's— there are ways of doing that, right? There's there are telltale ways of knowing that, hmm, that's supposed to be noise and it's no longer following that noise, you know, Gaussian profile. Like, that's obviously someone's putting something in there, right? And then it's like, was it a bug? Could be a bug. I don't know. And is it periodic? And that's like we're trying to find, you know, ET. You know, they're doing the same thing, right? All these signals out there that are noise, like, which one is the civilization? Well, like, We got the same thing, like which one of these is the civilization, you know, coming across as a side channel.

Jacob Anderson:
But it's fun. It's really fun to try to dig into that, you know, and using all these tools to try to figure out like, is that really noise or is that signal? At what level? And then you hand it off to somebody else who's a lot smarter to figure out like what that is, right? I can say that it is something interesting and then they'll pick it apart and say, this is what it is. You know, and sometimes that somebody smarter is AI. So I did that, you know, I get emails from random people, right? You guys know, you get spam and stuff, right? And so one day I was like, hmm, I'm gonna track this guy down. So I went into the headers, got all the gobbledygook in there, ran it through ChatGPT, and it decoded everything. There was like an address to his house and all these things. I was like, 'Wow, how about that?' And it was like instant bang, you know, I figured it out. Like, okay, that's very normalizing.

Jacob Anderson:
Wow. Yep.

Jonathan Knepher:
What, what's the, what's the prevalence that you've seen, um, for this type of activity, um, especially to like not just in the government space but in the, in the civilian space too? Is, is this something that something that like normal people need to be concerned with? Or is, or is this really only, only your top-level spies are worrying about exfiltrating data this way?

Jacob Anderson:
Yeah, right. No one's doing it yet. Right. Thank God no one's doing it yet. So most people are just using like chatbots and stuff for their own personal interactions. Yeah. But it's starting for sure. You know, we're starting to see people using AI is to first off find bugs, right? I just saw, you know, I was looking at one of the bug tracks recently of some open-source software, and there's like one company that's got like 50 bugs that it fixed.

Jacob Anderson:
I'm like, well, that's obviously an AI. It's like, and they're all solid, they're real bona fide stuff, it's not noise. So if that's happening now, it's going to be across the board, right?

Rachael Lyon:
Right.

[12:24] AI Weaponization and Just-In-Time Espionage

Jacob Anderson:
Now that's the first step of them, like, well, now I can fix a bug, I can find the bug, I can find the bug, then I can then weaponize that bug, I can do stuff with it, right? That's a little more scary and that's starting to happen. And yeah, but the whole like side channel crypto steganography stuff, they haven't really pushed that envelope yet, you know, because most people when they, you know, the average Joe anyway, when they want to actually exfiltrate data, they do tend to think in terms of simple ways of moving data. Like, I want to— how do I hide this in my email? How do I hide this on my, my USB stick and sneaker net it somewhere, you know? Things like that. So, and you know, it's going to get a little more sophisticated later on when people start to realize that these AI bots can do a lot more for them and on the fly, right? So it's like JIT espionage, right? Just-in-time espionage, right? Because, you know, hey chatbot, make this code that does this for me that encodes my thing in this so it doesn't, you know, so someone can't see what it is. And so I can exfiltrate it to this. "Here's your Python script, go." Just like that.

Jonathan Knepher:
Yeah, I think it's interesting too, like, you brought up the open-source supply chain issues, right? I think that's been something that's been very concerning, you know, with the Notepad++ thing that just came out the last couple of days. Like, how do we find the right balance, right? Because other open-source projects are are just flat out getting fed up with AI-driven false bug reports, right, coming in and, and trying to sift through what's real and what's not. How do we reconcile that kind of as an industry?

Jacob Anderson:
I don't know, John. So when I worked on MonoGame and Cocos2D back like 13 years ago, you know, I had— I, I'm kind of grumpy about this kind of stuff, so I told them, you know, like, you got— you know, these are games, right, on your phone. That's everyone's phone. And, you know, model game is everywhere. If you've got a game on your phone right now, it's model game, more than likely. It's on everyone's phone. So, you guys, you got to be super careful about this. You got to lock this down because you are— you have access to everyone worldwide because they're on consoles too and all this stuff, you know.

Jacob Anderson:
And so a lot of times the fever and the excitement of doing something is overwhelming and you forget that there is a consequence to being popular and being a celebrity sort of. Open source tool is that you're in everyone's world, you know. And so long as you slow down and remember that, then yeah, you know, you can probably be reliable, maybe. But, uh, it's the ones that are just kind of like reckless, like the guy that made the little chatbot, you know, that controlled his whole life and he gave it out to the world. You're like, timeout, bro, you know, you got to think about the consequences here. I mean, it's not your responsibility You're not responsible for anybody, but you've got to be responsible to them. Let them know that there are consequences for putting this thing on your phone and letting it control your life. Yeah.

Rachael Lyon:
It's almost like you have to think.

Jacob Anderson:
About.

Rachael Lyon:
You know, like the internet, right? It all started seemingly innocent enough. We just want to share information, right? We all have the good intentions. And like this fellow, he had good intentions. I want to help. I want to be efficient. You almost have to think 20 steps ahead. Okay, and before I share this with anybody, what are all the ways that it could run amok and ruin somebody's life? And that, you know, does that then become an AI question to solve the AI problem? Or, you know, what is that path forward? It's— there's another article I read recently, and it was Sam Altman. He was talking about he'd been coding an app or something like that, and he had asked the AI for some ideas.

Rachael Lyon:
And he was really struck because some of the ideas were actually better than his own. And he was really bummed, right? Because it's, you know, getting smarter, getting more intuitive or whatever the case may be. And he's, you know, he's like, wow, I'm gonna have to like up my game. And so if the AI is getting smarter and smarter, 20 steps ahead, then how do we— do you know what I mean? It's off to the races. And how do you get a handle on it?

Jacob Anderson:
Yeah, and that's an existential question for humans right now, right? Because, you know, we used to rely on experts, right? And now you don't need that. You've got a pocket expert, right? But do you really have a pocket expert? Because the thing about the expert, right, is that there's a level of trust, right? Because I can filter stuff out, and, you know, even though I'm not an expert in quantum cryptography, I can filter some things out when I talk to someone who is an expert, right? I want to talk to an AI, it's a little bit different. You know, I'm like, well, my, my, my, my, I want to say, natural prejudice is that the computer is going to be right. But that's me because I've been doing this for a long time, right? So computers have never let me down, so to speak. But other people, they don't trust computers at all, right? And so those people are, you know, are smart enough to say like, well, that's a bunch of, you know, hooey, and we're not going to follow that. Right. And so on the Sam Altman side, you know, you look at that, you're like, well, are you sure that's right? I mean, it seems right, Sam, right? I mean, I've been in this case too where I've been looking at something, chat tells me this, I'm like, it seems like a pretty good idea. And then I go dig into a little bit like, well, it's not quite, you know, it kind of misses the edge just a little bit, but it's a good idea.

Jacob Anderson:
And it was a good start for a better idea. And that's what I really like about where we're going. And that's for everybody, you know, every single human out there, like they have a great start for something better now. Yes. Right. And so they have enabled themselves to do all kinds of wonderful things. Right. You can, you know, I just saw an article.

Jacob Anderson:
There's some media gal on Twitter or X, sorry, who said that she woke up one day and decided that she wanted to make an app and the app was going to be Monday. I love that. I'm like, yes, yes, please do that. And she's like, I don't think it's going to work. Right. But sure enough, she did it. Bang, zoom. And she got Monday, her own version of Monday, just like that.

Jacob Anderson:
It probably took her like 10 minutes to get it, right? And, uh, but think, think about this, guys. Think about this. So that— so you have Monday, it's this big, you know, consolidator of all this multi-user data, right? But now let's throw all that away because now I can make Monday for me and me alone. Cyber is just me. It always knows it's me because I program it for me, but I got everything from that but for me. And like, cyber's done. Like, yeah, I love that because now I have control of all that. I mean, that's like my perfect dream as a cyber guy.

Jacob Anderson:
I'm like, yeah, I want everything to be siloed for the individual and nothing else. I don't have to worry about, you know, leakage of data or anything like that for anybody else. No one's going to come after me because It's siloed for just me. So, if Microsoft, if you're listening, that's your business plan. Stop doing AI. You guys aren't good at it. Just do that. Enable that, right? Because that's just-in-time me kind of stuff.

Jacob Anderson:
Like, that's the future. That's happening, and that's beautiful. Yeah. Yeah.

[19:45] Cryptanalysis: Offense and Defense

Jonathan Knepher:
So, I have some questions here too.

Jacob Anderson:
About.

Jonathan Knepher:
You know, some of this stuff you've been doing around cryptanalysis and breaking crypto and, and so on. I was wondering if you could talk us through kind of what does that look like as, as you go about trying to analyze things and breaking things without the keys and so on. Yeah.

Jacob Anderson:
Yeah. Now, cryptanalysis is fun, right? That's the part that the government, you know, our government anyway, especially is very sensitive about. And so if you try to do cryptanalysis, for instance, like in France or China, you get put in jail.. But in the US, you know, you can do it. You just, you know, just think, yeah, no, you just got to be careful. Right. But the thing is, crypto analysis is a lot easier now because you've got these tools that will help you with it. Right.

Jacob Anderson:
So AI tools can help you understand what to do. You know, first step, of course, trying to find patterns, patterns in the data that always repeats. And once you get that pattern repeating, then you know that you can probably get some plaintext and that repeated pattern and you can decipher some of the key bits. And then from there you can decide if that— if the cipher is, you know, poorly made or not, if it's actually weak. And if it is weak, you can probably— you can probably get a key out of it. But, you know, unfortunately, in order to do that, you can't go to ChatGPT and say, hey, you know, extract the key from this. It'll laugh at you and say, no, you can't really do that. You're going to need this and this and this, right? And then if you try to get an algorithm for it, you know, you've got to be a pretty good whiz-bang math guy or gal, right? Because it requires a level of sophistication that's currently beyond 99% of the humans that are on the planet.

Jacob Anderson:
Yeah, I've known some really, really good cryptanalysis people, you know, and they're, they're very esoteric, super smart, brainy math people, you know, and that's all they do. And they see patterns in like everything, you know, and Yeah, that's not me. But, you know, if anyone's out there defending, you know, cryptanalysis is important, right? It's important because you got to understand, like, key exchange protocols. And how do I know that the key is going to be exchanged in a secure way? Are you using, like, a cheapo cipher that's, you know, easily exploited so someone else can intercept to get the key, right? And then, ah, and then you got data, right? And you got your text data. Are you, you know, are you encoding it properly so that, you know, someone can't just derive the key from it? Is it a naive cipher, like an XOR cipher back in old days, you just do XOR with your key, you know, you're like, woohoo, nope, I can't crack that all day long, right? So can chat.

Jonathan Knepher:
And it works great if you do it twice in a row, right?

Jacob Anderson:
Twice, that's right. And 3 times, man, 3 times the crypto. Oh yeah.

Rachael Lyon:
So is when you talk about the cryptanalysis, is this, um, kind of like a defensive versus offensive type strategy? I mean, if you want to kind of think about these things in the context of, you know, cyber defense and, you know, kind of attackers, uh, you know, how should people be looking at this?

Jacob Anderson:
Definitely a defense, right? You're looking at how do you protect your data and how do I know. So this is a, this is a measure of reliability, right? What's the assurance that I'm sending data out that, you know, Joe, Joe Blow is not going to just get it and intercept it and decrypt it and then get my keys and then get everything? I wanna make sure that I can send stuff securely to Susie every time. So, it's a defensive mechanism.

Rachael Lyon:
Could we make it offensive? I love a good offensive cybersecurity discussion. I'm a big fan of poking the bear, but I would love your perspective there.

Jacob Anderson:
Right on. Let's go down that hole. So, if I wanna make cryptanalysis an offensive measure, that means I'm trying to get data from people, Right. So the first step, of course, is, you know, standing in between the gatekeeper of a key and the actual user of the key. Right. That's my first step. If I can do that, then I can get the key all day long. Right.

Jacob Anderson:
So I can't get the key. All right. Well, the next step in is I got to get a known document. So I'm going to try to bait them somehow. Right. Cryptanalysis is like, I'm going to give you a document that I know. Right. What's the content? And so you're going to give me back the cipher.

Jacob Anderson:
Right, the encrypted data. And I'm going to look for patterns. I'm going to keep doing that. I'm going to give you another document, another document, and feed you, right? You know, you're going to think you're talking to, I don't know, someone like a bank or something, right? You know, and eventually I might be able to figure out the key that you're using because the cipher you're using isn't that good, right? And so it's got all these repeated, you know, stuff in there, ciphertext in there. And so like you can then predict what the key is, right? So that's You know, that's the naive way of using cryptanalysis in an offensive way, right? And then there's the whole, well, I'm just gonna get your data and, you know, do the math on it because I know what the algorithm is, right? Let's say you just use, you know, naive DES, plain old block cipher DES with nothing special. Well, we can crack that all day long now. So, you know, you pull it out, you look at it, you know, like, I know the S-boxes, I can undo the S-boxes, you know, and I can get your key. You know, all I need is like one or two pieces of plaintext, you know, and from there I can probably derive a key, you know.

Jacob Anderson:
And then the best part of using that is now I can fool you into thinking that you're, you know, encrypting your data securely because you think it's DES, man, it's Data Encryption Standard, it's got to be trustworthy. So I'm like, yeah, but I got your key. So, and you're not going to cycle your key because with private key stuff, right, people don't cycle the keys very often. And so there you go, you just like Hoorah, you know, I weaponized my ability to exploit a very weak cipher. I mean, you can't do that with an AES, right? That's a lot harder, right?

[25:33] Legacy Systems and Encryption Risks

Jonathan Knepher:
Yeah. Okay, so you've kind of opened the door to the older things, right? Yes. Like, are you, are you still seeing like legacy encryption, but also like whole legacy systems out there? And are those still relevant and, and targets that, that you're seeing kind of actively pursued?

Jacob Anderson:
Yeah, people still do use the DES. The DES is very easy to use, very easy to implement, and there's hardware for it. And that's the key part, right? There's— you can buy hardware that implements the DES, so it makes your crypto super fast. Um, and so people still use it. Uh, but then as far as like legacy systems and the older big iron systems, you know, people always use those because they've been around for decades and they're very solid, right? You just put them in a box and let them run and they never break down. And you can, you can do things to them, you can take them apart while they're running. I, I love my IBMs, man, because dang, you can— that thing's running all the time, 24/7. I can pull cards out, put new cards in, change memory, I can put new CPUs and stuff and it's still going.

Jacob Anderson:
It's never down, never. Love it. But the security on it, I don't know, because you never really update it, right? Because it's so hard to update. It requires so much time. The thing's got to go down for like 6 hours, you know, and you're just like, uh, so what do you—.

Jonathan Knepher:
It'S bulletproof to everything but an upgrade.

Jacob Anderson:
It is exactly right, right? Yeah, that's exactly right. But then you gotta just put a big old perimeter around it, you know, like make sure that that thing is just on its own, and there's gates up everywhere, there's alarms, because, you know, like, there's only a certain number of functions, certain kinds of functions that are going to go on that thing. And there's anything outside of that, you know it's someone doing something wrong. And so just every tripwire you can think of so that the minute it happens, you just get on it.

Rachael Lyon:
Yeah. Are there particular industries that you're seeing, um, that are kind of more facing this kind of, you know, significant legacy infrastructure trying to connect to modern infrastructure? You know, are there any kind of industries struggling? And I do a sidebar. I think of that outage, remember, and it was Southwest Airlines was the only company that was not impacted by that particular outage because they were on such old legacy software. You know, maybe your Commodore 64 that you learned to code on, But it actually insulated them. But I'm just kind of curious, are there, are there some kind of trending industries that are struggling with this a little bit more than others?

Jacob Anderson:
Well, the insurance industry has always been that way. They've always been, you know, like back in the old, like IBM days kind of stuff. And they really love their IBMs. This is because it's, you know, for them, they have to be up all the time, right? If there's a claim that's going to come in, they have to be able to process that claim. That's the law. They have to do that. And so if there's a hurricane, the IBM is going to be up. That's kind of the only machine that you can buy that's going to be, you know, good likelihood in a hurricane still running.

Jacob Anderson:
Everybody else is going to be down. Um, yeah, so, and I think the airline industry is also that way. You know, they've got some pretty old systems. They tend to reuse their systems quite a bit. You know, they buy it from some struggling old airline, they bring it in, adopt it, and do whatever to it, you know, like they tend to do that. Um, yeah, I don't know, banking used to be that way, but they've definitely modernized. Um, yeah, so they've come a long way, but the really, really big enterprises out there like the Coca-Colas, the Pepsis, you know, the giant guys, they still use big giant IBM mainframes, you know, gotta love them for that. But they also have, you know, intense fences around these things, right? So, like the NSA and.

[29:31] Full Circle: Securing Environments against AI and Legacy Threats

Jonathan Knepher:
Coca-Cola. So, let's bring this kind of full circle for our folks who are listening. Like, what are the actions that they need to be thinking about to securing their environments, whether it be these legacy cores or against these newer AI threats we've talked about? And how do they do that without, without breaking the things that are important?

Jacob Anderson:
Right, right. You know, you got to make sure that the plane doesn't have to land every time you make a change, right? So yeah, it's putting in the parameters, right? Put in the firewalls, you know, it's using the software available today for monitoring stuff. There's a lot of it out there now. But, you know, it doesn't— so the older systems don't have the ability to be monitored like the newer systems do. And that's why you got to put, you know, perimeter systems out there, which are proxies for that, right? So if they had these events, you know, you know, the same events would happen on the inside system, the legacy system. So you got to put those proxy systems in place, you know. And then, um, you got to have staff, staff that understand what's going on, right? You know, they have to understand how to use all the tools, the SIEM tools and the SOAR tools and whatnot, you know, they could be certified, but certifications are very good in terms of like being able to filter out people who can do something, can't do something. But, you know, that's not the endgame, right? I mean, these— you just have to have people that understand how to use these tools and have experience with them.

Jacob Anderson:
So get your staff, you know, trained up and expose them to these tools, you know, so they use them regularly. And then you got to use AI constantly. All the time, use it to do the nefarious things, right? You know, doing an AI, like tabletop, for instance, right? You can tabletop your security with your AI, you know, talk to it and see what happens. That's a good way to just get an introduction to tabletop exercises, right? And then go from there and hire somebody to help you with the tabletop.

[31:31] Jacob Anderson's Path to Cyber

Rachael Lyon:
Yeah, that's important. Um, so I, I like to kind of bring this full circle, and, and, uh, I always fascinated how people found their way to the cybersecurity world. And I read this article, was it Information Week, I think? But it was talking a little bit how you as a tween or 11-year-old kind of found your way to a Commodore 64 and then it just kind of took off from there. But I'd love for you to share with our audience kind of your path to cyber.

Jacob Anderson:
My path to cyber. So when I was a teenager with my Commodore 64, I used to crack software. 'Cause I grew up poor, so I couldn't buy anything, so I used to just crack stuff, take off the copy protection stuff, you know. Amazing. Well, it was fun, you know. It was interesting learning how all that worked, you know. They did some pretty interesting things back then on those floppy disks. And then I went to Los Alamos out of college, and there I got on a team that was doing cyber.

Jacob Anderson:
My specialty was the data hiding part of it, you know, being able to detect when people do data hiding and whatnot, you know. A little bit about platform exploitation, and understanding like what the vectors are for exploitation. Like, how do you know? Like, what things can you, uh, what things can you take advantage of? And then I went to BBN for a year, worked on GCCS, which is the Global Command and Control System. And there I didn't really do any cyber, I was just doing mostly software, but monitoring how the government, the, uh, we'll say DARPA, does cyber, right? Back then, not as, not as much, Um, and so that's back then was, uh, this is around like 1996, right? And that's when we first heard of, um, someone using like USB stick to, uh, infiltrate a network, right? Because that was kind of like a hot thing, you know, back then, the whole like removable media and being able to inject code, right? And then I went to work at a little like startup company, you know, to do some online entertainment kind of stuff, you know, Fox NFL Game Tracker. And that was really fun because, you know, you go from small little company to giganto, you know, Fox Sports, and those guys are serious, right? I mean, they were just on top of everything, you know, stressed almost to death. But man, they knew everything that was going on all the time. Super serious. And they did not have a sense of humor about security.

Jacob Anderson:
Yeah, right.

Rachael Lyon:
I imagine not.

Jacob Anderson:
Right. It was a fight every day for them. You know, it was great. Learned a lot there really fast, right? Really fast. And then went on my own, went into the insurance industry where there was no cyber at all. Nobody did anything there. People laughed at me when I told them that they should, you know, have passwords. Like, what do we need a password? This is just, you know, policy information.

Jacob Anderson:
No, you know, no one was encrypting anything. You know, they had no idea how to do any of that stuff, you know. And so I was just trying to get them to start to do that kind of stuff, push towards that. You know, more and more, you know. Yeah, that was really hard, but it's paid off, you know, and you see that everywhere now. Like in the insurance industry today, everyone does it now. Nobody doesn't do it, right? It's a de facto thing. So, yeah, and I just, you know, I took a break for a while and then, yeah, I did some— I tried to do games.

Jacob Anderson:
I said, you know, when I was a kid, I used to write games all the time, so I went back around to try to do games. It was interesting. People in the game industry have a very unique personality.

Rachael Lyon:
So yes, yes they do.

Jacob Anderson:
Not quite compatible with my personality. I went back to cyber and software with the insurance industry. It's focused on that, you know, built that back up. So, and that's where I am today.

Rachael Lyon:
That's wonderful. It's always kind of seeing that need, right, and, uh, solving that problem. So what does the path ahead look like? I mean, do you see yourself standing up another company? Are we not allowed to talk about that while you're still at Beyond Ordinary? But, you know, what are you thinking about the future?

Jacob Anderson:
So right now we're focusing on doing DOD work with the Navy, trying to get on with some Air Force stuff and some DTRA stuff, defense. Threat Reduction Agency, DTRA. No one— people don't really know that much about them. So we're trying to get on with them, doing that kind of stuff. So, uh, you know, just trying some options. I'm going to stick with the government, I think. I would prefer that, you know, moving away from the commercial industry. You know, I'm not going to say no.

Jacob Anderson:
We are trying to help some people out with their CMMC. We are certified, so, you know, we can help people out with that, you know, get them up and running really, really fast. Well, for the most part, you know, we're moving slowly away from commercial software, but then, you know, the industry is moving that way anyway, right? I don't know that anybody really needs a commercial software developer anymore. We got AI.

Rachael Lyon:
Well, there's a lot of interesting government work. I used to work with iRobot, you know, and they had their, their kind of PackBot, the military robot division, and it was always so fascinating DARPA grants and all of that to develop technology. But there's a lot of interesting things happening in government, and I can imagine you guys get some really interesting projects.

Jacob Anderson:
I hope so.

Rachael Lyon:
To work on. Wonderful. Well, Jacob, thank you so much. I really appreciate your time and all this interesting perspective, particularly on AI. I mean, there's so much to talk about. I mean, we could go on for days., I think, on that topic.

Jacob Anderson:
Anytime. Yeah, we do it here every single day, doing stuff with it every day. So, but thank you for having me. It's been a pleasure. Wonderful.

Rachael Lyon:
Thank you to all of our listeners. Yes. And to all of our listeners, Jacob, I don't know if you want to contribute to the, to our, our drum roll, please. But to all of our listeners out there, John, we like to do a little drum roll.

Jonathan Knepher:
Smash that.

Rachael Lyon:
Subscribe button. And you get a fresh episode every single Tuesday. So until next time, everyone, stay secure. 

About Our Guest

Jacob designs and delivers secure, high-performance software systems for government and commercial clients, tackling complex technical challenges.

As founder of Beyond Ordinary Software Solutions, he leads a team that builds custom platforms for the Department of Defense, federal agencies, and insurance companies—projects where security, scalability, and reliability are critical.

They focus on:

• Secure enterprise software for DoD and federal use

• Insurance automation and business rules systems

• Intelligent data delivery and decision support platforms