Small Breach to Big Screen: Security and the Movies
Amanda Fennell: Welcome to Security Sandbox. I'm Amanda Fennell, chief security officer at Relativity, where we help the legal and compliance world solve complex data problems securely—and that takes a lot of creativity! One of the best things about a sandbox is that you can try anything. This season, let's explore how curiosity and personal passions inspire stronger security. Grab your shovel, and let's dig in!
In today's episode, our sandbox tries its hand in show business. Joining me to pull back the green screen is Atem Kuol, visual effects coordinator at Lucasfilm and founder of Humble Beginnings Films. Atem's also about to launch a cyber-psychological thriller film of his own, so I'm really excited to have him in the director's seat for this discussion. Also with us is CJ Wiemer, Relativity's manager of vulnerability management, and as we lovingly like to call him, our resident hacker—but way cooler than the ones you see in the movies. So grab your popcorn, and take a seat.
Alright, Atem, we're going to start with you. You answer this all the time—how you got into the industry—but also, I'm going to add on for a little flavor. What makes you stay?
Atem Kuol: I actually started my whole career journey in electrical engineering, which is pretty crazy. I was en route to becoming an engineer, and then I went to uni, did the first year of my television and video technology degree. It was a bit boring because it was very much the science side of things, and it was a BSC. I expected to actually pick up a camera, which I didn't even touch a camera my first year. I discovered something called MAMA Youth Project, which is this great organization which helps ethnic minorities get into the industry.
AF: Quick question with MAMA Youth: Are they still active, and where are they located out of?
AK: MAMA Youth are still active right now, yes, and they've got a base in Sky Studios, which is a big sports studio here in London. So, yeah, they're still running, and they're still very much active. I still get messages from them every now and then. They're just a great organization. So, I did university, I got experience working in live TV, which is great. I was working for Revolution TV. After I graduated, I did the Olympics, which was also very amazing—the 2012 Olympics. After that I went on to work in Spain for the same TV channel. After about two years, I sort of had this yearning to join the film industry. The film industry is like this secret club if you don't know anyone, so for me, the film industry was this illusion. Then I ended up, after two years, quitting my job, came back to the UK, lived with my mum, and sort of hit the reset button.
Then I got an email from MAMA Youth Project saying that there's a Hollywood feature film going on. There is a job as a production assistant. They didn't tell me what it was for because a lot of these Hollywood films, they don't really tell you what it is. They just tell you that this big studio has got a film coming on—are you interested? I went in, I figured out that it was Justice League, and then I ended up not getting the job because I wasn't experienced enough for the job that I went for. The visual effects producer ended up keeping my details on file, and when the Justice League did the reshoots, about a year and a half later, I ended up working on the Justice League reshoots, which was pretty sweet for my first job in the film industry.
AF: Yeah, I mean, from us geeky crowd, that keeps us in awe obviously. Justice League is a hot topic lately because of the Zack Snyder cut. I'm going to have to ask you ... You've seen it. You like the four-hour cut? How do you feel about it?
AK: I love it. I want to watch it again. When I watch films, it's sort of a long gap from when you finish filming it to when you actually get to watch it, which is great because you get to forget about the process of you making it. I try my best to watch as a fan and to not necessarily criticize every little thing that we shot and that could have been in the film. So I was very pleased with it.
AF: Your path, you went one direction, you went to—and I'm going to hold on to this, by the way, the term "uni," which is not how we refer to it—but I'm grabbing it. That's my new term from you! So you went to uni, and then you stumbled into the career, and what makes you stay? You mentioned a few times there's like a high to it. There's a moment of you feeling like you brought something together. What is so great about it?
AK: It's like this weird obsession. There's just this buzz that you can't really compare to. I've got friends who work in office jobs, and people kind of fall into the same routine. The thing that I love about the film industry is that every film is different. Yes, you might've done things in a similar way, you might work with similar people, but you never work with the exact same team. There's just this weird dynamic that you have to rediscover in every film, and it really keeps it fresh.
AF: When I was, at the time, looking for the right content to really discuss, which is a passion for some of the people on our team in security, it's films, it's production, it's visual effects. At the time I stumbled upon you when I was looking into Lucasfilm, as you were working with them. I think you're ongoing right now and still working. But it was more so when I read up on you and kind of started going into it. I love Humble Beginnings. I came across specifically Uncovered, and it was this merger of the cyber and the psychological, and I was like, "Oh, that's the perfect blending of cyber because we do a lot of that!" So I paired you today with somebody who I thought would be a great help to you in your journey, which is CJ. So, CJ, can you tell us what got you into this industry and what makes you stay?
CJ Wiemer: Yes, hello! I went to undergrad to study, originally, computer science. After a year of that, I realized I wanted nothing to do with programming. It took me a year to realize that, but I'm glad I did. Graduated with a Bachelor's in a super long title of a degree—Information Systems: Information Security and Assurance—which then landed me a job at Relativity, where I was in customer support, but you got to wear many hats. You were basically part database administrator, part network administrator, part application troubleshooting. Learned a lot there, then went off to be a consultant where I got paid to hack into companies. Learned a ton there and came back to Relativity to work in the IT department before moving over to security. What keeps me here is that no two days are ever the same, especially in the cybersecurity world. You basically wake up every day having to worry about a new thing.
AF: Did you also have the same thing where your university didn't really prepare you for the field, like Atem?
CW: Yeah, pretty much. I think it's because it comes down to nothing is going to replace hands-on experience, right? You can study for an exam all you want, you can read textbooks all you want, but until you're put in front of the keyboard, and somebody says, "Alright, go do the thing," you can't really train for that that well.
AF: The very first day that you started as a pen tester, you went in. Can you explain what it was like that first day? What did you do? Did you have to get past security? Sit down, pop a rubber ducky in, like I know you like to do?
CW: I was hit with a big old case of imposter syndrome, like I think so many of us are. Very much a try to "fake it 'til you make" it kind of thing. It was nerve-racking. I remember getting my first shell, which is a term for basically being able to run commands on a computer that isn't normally under your control. I remember more or less shaking with excitement and nervousness that I finally had gotten it. I was able to take control of a different machine
AF: Every hacker movie, by the way, has this moment embodied in it, where they're always like, "I'm in!" There's always that moment—that was in War Games, it's in Swordfish. It's like every movie that does hacking. They always like to have that moment of like, "I got it!" It's not normally that fast, though, right? Takes time.
CW: Yes, definitely takes time. Sorry, this was not on my first day. This was after I had been at it for a bit. We were left to our own devices and could spin up purposely vulnerable machines to practice on. I think that's what the majority of my first day was: trying to pop a shell on a purposely vulnerable machine that we controlled.
AF: Atem, was your first day in the industry the same thing? You're trying to pop a shell on something?
AK: Yeah, pop a shell, pop a cap, pop something. [Laughing] I mean, I just tried to kind of do anything possible. It was, again, trial by fire, and I love it for that because my TV experience was exactly the same thing. But film was very much impostor syndrome, just like you said. You step onto this film set—very intimidating, massive sets, you know, huge studios—and you just walk in there and have to pretend that you know what you're doing. When they're rolling, I am hidden in a corner somewhere trying to not look at the actors and put them off, or in other situations where it's a bit more awkward.
AF: That's so awkward! So you're like, "I'm not looking at you! But I'm kind of looking at you..."
AK: Yeah, it's weird. It's taken me years to realize what to do, and I still don't know what to do. I mean, you obviously gain confidence throughout different jobs, and I'm sure, CJ, you can relate. Every job you do, you gain confidence, you gain experience, you meet people. The visual effects on set is still a bit new, so sometimes you get a lot of these weird standoff looks. I always say "hi" to people. It's just it's what I do.
AF: Oh, that is the opposite of CJ.
CW: Yeah, no ... you avoid eye contact. You have to pretend like you've been there before because that's usually all it takes.
AF: That's the confidence, though, is pretending you're supposed to be there, right?
CW: For sure. You cannot make eye contact. Just head forward, keep walking past the door that you're not supposed to be going through.
AK: This is weird on a film set because everyone stares at people. I used to think it was what you do here—stare—but a lot all the time, it's pretty much "I haven't seen you around here" type of stare. Then I say "hi," and I realized this is the first one. I saw Will Smith, and I was like, "Ohh, what do we do?" I was like, "Hey," and they said, "Hi." And then it was like, "How are you doing?" Because that's usually what comes after "hi." And then it's like, "Yeah, I'm fine. How are you?" "Yeah, I'm fine." And then I was like, what do I do? This is a guy that I've grown up watching on Fresh Prince of Bel Air, and I don't idolize people.
AF: Did you watch The Fresh Prince of Bel Air? This is in the UK?
AK: Oh, yeah. Massive. Yeah. I mean, big part of our lives.
AF: I have to ask: Do you know the song? Are you going to pretend you don't know the song?
AK: I don't know the song for the sake of this podcast. For the sake of the decibels.
AF: In West Philadelphia ... Okay, that's fine.
AK: Were you born and raised? [Laughing]
AF: So you go on stage, you go on set nowadays, and everything seems normal, and you're a little more confident in it. Now the first day you both had the same imposter syndrome of, "Holy crap! I hope nobody realizes I'm not supposed to be here." Right? You get through this. How long does it take for you to feel a little bit of confidence? I think there's a lot of people who would ask and that when they're listening, they're probably wondering, when will I feel more confident?
CW: That's a hard question, too. I think it took probably a good year, if not longer. I don't know that I was ever super comfortable. I think it kind of stays with you, and hopefully it's at least a healthy amount. It's not you having tons of anxiety about it all the time. I think it comes with practice. It comes with achieving those goals, getting that first shell, realizing, "Oh, wow, I actually did it. I am capable of this."
AK: For me personally, I've never had that blissful point of, "I have arrived. This is great." It's just everything's different. Take on the first couple of weeks, and you get to meet people, and then it becomes beautiful. Then you become more confident, but then you're still kind of on the edge. That's what I love about it. That's what keeps me on my toes.
AF: There's an interesting thing about what you choose to work on. In my research of you, I love that a lot of times for Humble Beginnings, whenever you have to do a subset of a discussion about what you do or what you provide as services, you often have the same thing that says, "Instead of boring you with what year we were founded or what services we provide, I'm going to talk to you about what we make." And you say we specialize in films that inspire. Our key focus is to tug on the heartstrings of the audience by making films that connect and stand out. How do you decide what to work on? What does inspiring look like? How do you even think about this?
AK: I'm sort of constantly at that place where I'm trying to be inspired. I love music, and I need certain songs at different points of the day to stay inspired. I need to be at this place of inspiration because it's just when you're struggling, for me, it's the inspiration that keeps you going. When it comes to projects, it can sometimes happen very organically. There are ideas that I write down over the course of the years, and then when it comes down to it, it's "Okay, great, let's look in this stock of ideas and see what I want to do." Things that come up in the news. It's just all great.
AF: It's interesting you both use the news so much, by the way, both as a hacker and in film, in terms of focusing on what's going on. But you've opened a door, Atem. You mentioned music. Alright, CJ, I'm going to start with you so Atem gets just 30 seconds to think about this. I need you to pop a shell—this is very Swordfish. You get 60 seconds to do something right, and I need you to do this quickly. You got to hack it. It's never going to happen in 60 seconds, by the way, but let's just say I ask you to do this. You get one song to listen to. What song will inspire you to get it done?
CW: Oh, one song ... My gut says I'm going with some sort of punk rock, high energy, maybe lots of yelling upbeats?
AF: That's your Rage Against the Machine.
CW: Yeah, something like that. Maybe some Dead to Me, some Dear Landlord, stuff like that.
AF: That is definitely not at all what I was going to expect, by the way. Having known you, I wouldn't have thought that. So, Atem, you're walking on set. What is the song you choose?
AK: Michael Bolton.
AK: Get ready for it: “Go the Distance” from Hercules.
AF: Nooo ... Are you serious?
AK: I'm dead serious. I told you inspiration. You know, I got to get there. I'm getting ready in the morning or I'm going to set ... Yeah, that's it.
AF: That is awesome. I feel like my kids sing that song to me often. Alright, Hercules. I'm going to bring this back to our cyber-psychological thriller because I know this is something you've been working on. Can you tell me a little bit about Uncovered so we can really get the word out? I think this is such a cool idea that you've started to put together. From what I've been able to gather, the structure of this is very amazing.
AK: Amazing. Uncovered. I'm currently writing the feature film of a short film that I created, and it's an action thriller. It follows Natasha, who's a recent Cambridge University graduate in computer science, as she tries to infiltrate a cybercriminal organization in order to recover her grandparent's stolen life savings.
AF: Very ransomware-ish. That's something we do a lot of specialization in on our team. CJ, you did hacking, you did pen testing. We lured you onto the team, and we kind of did a bait and switch. We brought you on, and we're like, "Yeah, yeah, yeah. Hacking. Red Team, you're going to be great. By the way, I need you to do vulnerability management, and I also need you to lead a team." So we kind of nudged you into management as well. Can you tell us a little bit about what you do here?
CW: I manage the vulnerability management team. We're in charge of the entire vulnerability lifecycle, which is prepare, identify and analyze, communicate, and treat. We basically focus on trying to make the company and our product more secure by resolving vulnerabilities.
AF: Can you explain a vulnerability to Atem? Because I would suspect he's probably wondering, what would that matter about hacking?
CW: Yes, so big difference between vulnerability and exploit as well. Vulnerability is focused; that's the actual weakness, whether that's a bug in some code, in software, or more commonly just missing the most up-to-date patch for the program. Versus an exploit is actually taking advantage of that vulnerability. That's how you're able to pop shells, as we say, and things like that, as you're exploiting the vulnerability.
AF: So there's got to be something there for you to hit.
CW: Exactly. First you're trying to find a vulnerability to exploit. We obviously are in the business of trying to find vulnerabilities so that they cannot be exploited, and ensuring we have all the proper mitigating controls in place to help lower the overall risk.
AF: When you're looking for these vulnerability sectors, do you have a list or was it from experience of the weak points?
CW: It's a little of both. We have a bunch of different tools we use, which do the heavy lifting, so just vulnerability scanners. But then the art to it comes with trying to properly rate those vulnerabilities. Each vulnerability is not going to be the same. They're on different devices which are in different parts of the network, which have different levels of access. That's the skill of past experience with what you know about the environment and how available the exploit is or how easy it is to exploit it. And then the severity level is how you drive priority. We're going to take care of the high severity ones, the bad vulnerabilities, before we take care of the lower ones.
AF: I've never heard you say that was an art, by the way. That's funny.
AK: Do you apply the same method if you were trying to exploit or find the vulnerabilities of a company versus, say, a person?
CW: Oh! Yes, I think you're talking about social engineering where you're trying to exploit a human. I will say, the most common and easiest way to get into a company or to exploit anybody is social engineering. It is taking advantage of that human. I think my job was decently easy being in the Midwest where people are super friendly and want to hold the door open for you. I had it easier there. Don't ask for ID. They will just hold the door, and you're welcome to walk right through. But yeah, I would say a majority of the ways people are getting in these days are through phishing emails or some sort of social engineering.
AK: That's fascinating.
AF: Are you saying that it's the politeness that's the weakness of humanity?
CW: Yeah, one could say that. Absolutely. It made my job easier, that's for sure.
AF: Well, it's true. It's helpful for a lot of social engineering. I have a whole speech about how I think that human beings are our last biggest strength, actually, because I feel like it's become really common to say human beings are our biggest weakness. I think that there's something to be said that a human being, while we've done a lot with AI and machine learning, I don't think we've gotten to the point that we can replicate intuition. I think that if humans would just spend a little time on intuition and actually trust their gut, they probably would stop holding that door open whenever somebody is suspicious as CJ comes through.
AK: [Laughs] With his punk music.
AF: Yeah, with his Rage Against the Machine blasting.
AK: This is more so to do with humans and a social engineering side of things. Have you ever gotten to the point where you're shocked at what you've seen, or has anything ever dampened your day, or you've discovered something so dark or sickening that is kind of just like, what am I doing?
AF: Are you looking for material for the terrorist cell activity on your film? [Laughs] Yeah, we've got bad guys. Go ahead.
CW: There were definitely days where, toward the end, I felt like I wanted to take a shower to wash off the bad energy I had been using all day. You know, part of the job is tricking people into doing things they're not supposed to be doing, but they're only doing them because they trust you, a stranger. And so that felt, you know ... Trying to balance that thought of, "Okay, this is a job. The company has hired me to do this to their employees. I shouldn't feel that bad about it." But the ethical side of it, that part of it feels weird at the end of the day.
AF: There's stuff we find on devices that's concerning or has to be turned over to the legal authorities ... Yeah, that happens. And commonly you'd be surprised how many people use their work computers for these things! What are you doing, right? And these are illegal activities. The most concerning that I think I came across with social engineering is the simplicity of it. It's so simple. We used to go on sites for pen testing and working as a black bag ops. No one was supposed to know we were there. We were hidden in a server room to do pools on the data. And the problem is, we didn't have enough badges. There were three of us. There were two guys and myself. Diversity, right? #diversity. And so we went out to get lunch, and I went somewhere else to get Starbucks, of course, like coffee. And they were like, "Oh, well, you don't have a badge. I'll give you the badge." And I was like, "It's okay, I'll get in." And the reason I knew I was going to get in is because in midday, everyone goes for smoke break, and a guy will let me in. There is no question. There is something innate and the masculine energy will always hold the door open for a lady. There's just a thing about that. I never once in three months ever didn't get in from lunch. The simplicity of the fact that humans always do what you think they're going to do when it comes down to it, when it comes to social engineering. So there's deep, dark things that happen. There are things that we wish we didn't have to see. There is secondary trauma that we have to mitigate against as people who are visiting. We have to be careful about it and step away from it and go take that shower, tuck in your kids, walk away from it. But then there's just the simplicity of humans. They always do what you think they're going to do when it comes to social engineering.
AK: Well, amazing. And yeah, must be intriguing. Every day is not the same, which is great. I think that's a beautiful inspiration to keep doing what you're doing and to always be excited.
AF: There is. I took some notes actually about the three things I feel are the common themes from you two working together. One of them is: Everything is different, and that's the challenge worth holding onto. Atem, you really mentioned that that was the thing that really made you stay. It's because everything is different; it's a challenge all the time. You don't know what was coming up, and I think that's true for both of you.
The second one is the "fake it 'til you make it." I couldn't walk away from this episode without mentioning that because you both clearly elucidated there is a trial by fire. You will have imposter syndrome, but you will gain confidence over time, and I think that's the gem for people. Don't worry, you're going to gain confidence over time.
And this last piece is just that. Atem, you mentioned there's a sweet spot of growth. There's an area of comfortability where comfortable can be complacent, but there's an area of comfortability that's actually where you grow that growth mindset. I think that's true for both of these industries, for what you're doing every day and also for CJ and handling vulnerability management. There's an area of growth that needs to be continued.
I do always like to end on a quote, so I can't help it because there's like such an overlap of somebody who's, you know, he's a British American film director, producer, screenwriter, et cetera. Maybe he's filmed a lot of my favorite movies ... Christopher Nolan. He has a quote, and it reminds me of this conversation, but it's a lengthy one. It says, "I always find myself gravitating to the analogy of a maze. I think of film noir, and if you picture the story, it's a maze. You don't want to be hanging around above watching the characters make these wrong choices, because that's frustrating. You want to be in the maze with them making the turns, at their side, and that keeps it more exciting." I feel like this conversation is very much the maze—that this inception that we found ourselves in today, where we merged this idea of film and vulnerability management and cyber. So I appreciate both of you being inside the maze with me today. Thank you for joining me.
CW: Thank you so much. This is a lot of fun.
AK: That was extremely inspirational. I think you've been listening to my playlist. I mean, Amanda, you smashed that one. I don't know what else to say.
AF: Thanks for digging into these topics with us today. We hope you got some valuable insights from the episode. Please share your comments, give us a rating—we'd love to hear from you!