This is the blog, but if you want to know more about me and my projects, check out the Projects and About pages.

The Infosec Cold Call

Devil Cold Caller

I get asked occasionally about ways to improve corporate information security or what kinds of things get easily missed, and while I’m no expert, and there are an endless number of little things you can miss these days, there’s one way I rarely hear mentioned and I like to remind technical leadership about:

Don’t talk to security sales cold calls!

Studio71, where I’m the CTO, isn’t some huge enterprise company or constantly in the news garnering press and attention, and yet I still get at least a couple of these kinds of calls every week.


Me: “This is Mike Flynn”

Them: “Hi, this is __ from WhateverSec. I just have a few questions for you.”

Me: “Ok, but I really need to go.” (No I don’t.)

Them: “Sure, I’d just like to tell you about our new AI-powered blah blah crypto currency security solution. Let me ask you, what are you doing now for your corporate security?”

Me: “Ah, we’re happy with our current solution.”

Them: “What is your current solution? What kind of firewall are you currently running in your office? Are you using any monitoring devices on the network?”

Me: “I’m not going to detail our security infrastructure over the phone to someone I don’t know.”

Them: …

Them: “Ok, right. That makes sense.”

Me: “Thanks for calling, but I have to go.” (No I don’t.)


How many people do you think happily gave up the brand of firewall…maybe the software version…maybe the network appliances they have at their office? A lot, I bet…but please don’t. Was this person trying to research a hack? Honestly, probably not, but it only takes one, and even if they are legit they don’t need to know anything anyway. Oh, did they say they were from Rapid7 or another established company? No, they weren’t, because those companies usually don’t ask those kinds of questions, but even if they did, it doesn’t matter.

Feel free to buy whatever it is they have to sell, but whatever it is they don’t need to know your security infrastructure to sell it!

The Sandwich List

Little Lucca Sign

I’m a sandwich guy. Ok, that’s an understatement. I’m really into sandwiches. I love the variety, the simplicity (or occasionally the complexity), the different textures, the bread, the meat (yes, meat), and usually, the cheese! I’ve spent my nearly 40 years in existence looking for the best sandwiches and then going to great lengths to eat them again and again. For example, I once flew into San Francisco for business in the afternoon and realized I had just enough time to grab a particular favorite sandwich. I raced out of SFO and after three different and hurried Uber rides I managed to get settled into my hotel with that beautiful white paper tube of sandwich sitting on one of the two queen beds in my room.

Yes, I rank the sandwiches because of course I do! I’ve told people “Oh you’re going to Portland?! One of my top five favorite sandwiches is from there!” but I’ve never actually written the list out in a place where I can refer back to it. It’s only fair that I do that now, as I always feel like there’s an element of cheating when people say something is “one of my favorites.” Out of how many, and how often does this list change?! Today’s the day I write that list down, throw it onto the internet, and make my favorites as official as some middle schooler’s current Facebook relationship status!

…but first a few ground rules. Well, one really. When I say sandwich I don’t mean hamburgers, burritos, gyros or any other “sorta sandwiches”. Yes, in a technical sense they are all sandwiches, but also they aren’t, because you have to draw the line somewhere and I love all of those things too much to get a “Top Five” out of them that didn’t engulf me in angst. For this list, a sandwich is defined as various non-patty ingredients stacked between two pieces of bread.

5. Sugarfire’s Grilled Cheese (St. Louis, MO)

Sugarfire Smokehouse is a BBQ chain in St. Louis, MO. I love Sugarfire, and I always hit it up when I’m back in St. Louis, because they are great BBQ but also really inventive and downright weird with their specials. So many places have great BBQ, but Sugarfire does some weird stuff and it’s brilliant. I was there in June and saw “grilled cheese” as a special and thought to myself “Who the hell would come to a BBQ joint and get a grilled cheese?!” …and then right before I ordered I heard the three guys in front of me all order the same thing: Grilled Cheese. Then I looked at the ingredients and it…well…it’s not…I mean, there are multiple cheeses and it is grilled, but there’s also a ton of meat and a jalapeno popper on top…that was stuffed with smoked pork.

It was messy and it was top five good.

4. Dan’s Super Subs’ Hotel California (Los Angeles, CA)

Comes With: Canadian Ham, Turkey Breast, Swiss, Cheddar, Our Avocado Spread, Crispy Bacon, Deli Mustard, Mayo, Lettuce, Tomato, Onions, Our 1000 Sauce, and Diced Pickles.

It’s just a great sandwich, and one time I was there I saw Mark Summers eating at the counter. What else do you need to know? The bread is great, the avocado spread and 1000 sauce are in the perfect amounts, and it seems like a small thing but damn I love that chunky diced tomato and pickle “relish” on top.

3. Joan’s on Third’s Fried Chicken Sandwich (Los Angeles, CA)

With jalapeño cole slaw, garlic aioli and butter lettuce on rustic roll

Another LA institution, but this one is tucked in the middle of Beverly Hills off of…wait for it…Third Street. As you might guess, this sandwich isn’t cheap, but good god it is amazing. For one, fried chicken is one of the world’s most perfect foods, and then you put it on a lovely roll with aioli and a little heat from the slaw?! It’s a beautiful thing. The key is to get your order and get the hell out of there before the paparazzi show up chasing Justin Bieber while he’s grabbing a coffee.

2. Lardo’s Porchetta Sandwich (Portland, OR)

It’s a delightfully simple sandwich: porchetta, piquant gremolata, and caper aioli on a crunchy roll, and it tastes extra awesome on a rainy day in downtown Portland. I love Portland, and there are so many good places to eat that have great sandwiches (hell, Lardo has several others that are amazing), but nothing is as beautiful, simple, and delicious as the Porchetta at Lardo.

1. Little Lucca’s Ultimate Club (San Francisco, CA)

Turkey, Ham, Bacon, Cheese

Look at that description. It’s a bit of a lie. There’s more to it than that, but also not really. It is truly turkey, ham, bacon, and cheese (I go with Swiss), but it also includes the Little Lucca garlic and pepper spreads and your choice of huge fresh roll (I go with the soft sweet roll). I’ll also add jalapeno bacon because that’s how I roll, but it’s not needed. This sandwich is just unquestionably awesome. It’s huge, it’s relatively simple, every ingredient is fantastic, and eating it makes me happy and then very full and then happy and then sad that it’s gone. When I describe this sandwich to people they never sound impressed, but if I bring them along they take a few bites and look up from across the picnic tables we’re sitting at behind the South San Francisco location, which was clearly someone’s little house at some point, and say “You were right. This is amazing.”

Paywalls are OK, but Dumb Paywalls Aren't

I have hacked the paywall of my hometown newspaper’s website two or three times now. The first time came with more fanfare than I expected and the subsequent times have been quieter, but each time I get some version of this pushback:

Twitter Convo

Look, I understand this point of view. You can, and many have, debated the business merits of paywalls for media companies such as the St. Louis Post Dispatch (yes, they over-thought the hell out of their domain name). I think paywalls can and do work well, but they’re only viable for the big national sources and don’t make business sense for regional news sources, though I understand why their employees might disagree.

What I can’t understand, and it’s the same reason why I keep testing their paywall every time they roll out a new version, is why they keep implementing their supposedly critical business solution in such a crappy way at a technical level.

To review, every single version of the paywall has been implemented entirely on the client side. The first version was based on a meta tag, and the most recent version was done primarily in CSS. Is it even a paywall at that point? You request the article with your browser and they give the whole thing to you, but then they hide some of it…but you still have all of it sitting on your computer! This is akin to them giving out free newspapers with the last few sections stapled together unless you pay for it. All I did was leave a staple remover on the table. If your media business is struggling to survive, you should come up with something stronger than a staple to keep your business together.
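What the staple-remover analogy means in code, as an added example that is not from the post or the newspaper’s site: the weak pattern the post describes (the full article is sent and the locked part is merely hidden with CSS) next to a server-side gate, plus a check a site owner can run on their own rendered responses. The article text, the class names, and the function names are constructed for the demo.

```javascript
// Added example (not from the blog): why a client-side paywall is not access control.
// Constructed sample article; `body` is the part the paywall is supposed to protect.
const article = {
  title: "City council approves new budget",
  teaser: "The council voted 5-2 on Tuesday to approve the budget.",
  body: "The full breakdown of the spending plan is as follows: parks 12%, roads 31%, ...",
};

// Minimal HTML escaping so the sample stays well-formed markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// WEAK pattern, modelled on what the post describes: the server ships the whole
// article and only hides the locked part with a CSS class. The hidden text is
// still in the response, so nothing has actually been withheld.
function renderClientSidePaywall(article, isSubscriber) {
  const lockAttr = isSubscriber ? "" : ' class="paywall-hidden"';
  return (
    `<h1>${escapeHtml(article.title)}</h1>` +
    `<p>${escapeHtml(article.teaser)}</p>` +
    `<div${lockAttr}>${escapeHtml(article.body)}</div>` +
    `<style>.paywall-hidden{display:none}</style>`
  );
}

// HARDENED pattern: the gate is on the server. The subscription decision is made
// before the response is built, so a non-subscriber never receives the locked text.
function renderServerSidePaywall(article, isSubscriber) {
  let html = `<h1>${escapeHtml(article.title)}</h1><p>${escapeHtml(article.teaser)}</p>`;
  if (isSubscriber) {
    html += `<div>${escapeHtml(article.body)}</div>`;
  } else {
    html += `<p class="paywall-notice">Subscribe to read the rest of this article.</p>`;
  }
  return html;
}

// Check to run against your own site: render the page as an anonymous visitor and
// search the raw response for the text that was supposed to be withheld.
function leaksLockedContent(renderer, article) {
  const anonymousResponse = renderer(article, false);
  return anonymousResponse.includes(escapeHtml(article.body));
}

console.log("client-side paywall leaks:", leaksLockedContent(renderClientSidePaywall, article)); // true
console.log("server-side paywall leaks:", leaksLockedContent(renderServerSidePaywall, article)); // false
```

The check is the part worth keeping: whether the hiding is done with a meta tag, CSS, or JavaScript, if the locked text is present in the anonymous response, the paywall is a staple. The only version that holds is the one where the server decides what to send before it sends it.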


The Top Five Highlights of Defcon 27

Voting Village at Defcon 27

I love Defcon. For years, since I was a young script kiddie in high school, I had attending Defcon, the crazy huge hacker convention held every year in Las Vegas, on my bucket list. Now, Defcon 27 was my third Defcon and I seem to enjoy the conference more every year.

I could, and have, talked about Defcon and my love for the Defcon community at length…but I won’t here. What I do want to share is a short list of some of the best things I saw, learned, and experienced this year at Defcon.

5. Social Media Manipulation

One of the first main conference talks I attended this year (meaning it will be posted online at some point) was about social media manipulation. The primary point of the talk was discussing a particular botnet worm that a group is using to generate fake clicks, comments, and other engagement, but the talk was an interesting tour of the dark side of social media all together.

When I attend Defcon I do it as myself and work hard to keep my “day job” at arm’s length so that I can enjoy the conference and not feel like I have to tie it back to my professional work in any way, but obviously in my role as CTO of Studio71 this topic is of particular interest, and I think there’s more the Studio71 team can do to research this topic in the future.

4. Everything Your Dev Team Does is OSINT Fodder

I’ll be very short here as this talk was off the record, but it’s amazing to think about how much information you and your teams leak by using standard development tools, such as Jira. Click a link from a ticket and your referrer information tells that site little bits of info. Is all of it bad? No, but added up and it could be. Something to think about.
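The referrer leak described above, worked through as an added example that is not from the talk or the post: what a Referer header from a Jira-style ticket URL gives away to the site that was linked, and what a browser would send instead under each Referrer-Policy value. The tracker host, project key and ticket number are made up, and the `/browse/<PROJECT>-<n>` URL shape is assumed for the demo.

```javascript
// Added example (not from the talk or the blog). Constructed URLs: the tracker
// host, project key "PAY" and ticket 1337 are invented for the demo.
const ticketPage = "https://tracker.example.internal/browse/PAY-1337?focusedCommentId=4521";
const externalLink = "https://vendor.example.com/docs";

// What the linked site can read out of a full Referer header from an issue
// tracker. The /browse/<PROJECT>-<n> path shape is an assumption for the demo.
function whatReferrerReveals(referrer) {
  if (!referrer) return { host: null, project: null, ticket: null, query: [] };
  const u = new URL(referrer);
  const m = u.pathname.match(/^\/browse\/([A-Z][A-Z0-9]+)-(\d+)/);
  return {
    host: u.hostname,                       // names the internal tool
    project: m ? m[1] : null,               // project key
    ticket: m ? `${m[1]}-${m[2]}` : null,   // exact ticket
    query: [...u.searchParams.keys()],      // extra parameters, e.g. comment ids
  };
}

// Referer value a browser sends when navigating from `from` to `to` under the
// given Referrer-Policy. Fragments and credentials are never sent; "downgrade"
// means an https page linking to plain http.
function referrerFor(from, to, policy) {
  const f = new URL(from);
  const t = new URL(to);
  const full = `${f.origin}${f.pathname}${f.search}`;
  const originOnly = `${f.origin}/`;
  const sameOrigin = f.origin === t.origin;
  const downgrade = f.protocol === "https:" && t.protocol === "http:";
  switch (policy) {
    case "no-referrer":                return "";
    case "unsafe-url":                 return full;
    case "origin":                     return originOnly;
    case "same-origin":                return sameOrigin ? full : "";
    case "strict-origin":              return downgrade ? "" : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? "" : full;
    case "origin-when-cross-origin":   return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin": // the default in current browsers
    default:
      if (downgrade) return "";
      return sameOrigin ? full : originOnly;
  }
}

// Compare policies: which ones let the vendor see the ticket id?
function leaksTicketUnderPolicy(policy) {
  return whatReferrerReveals(referrerFor(ticketPage, externalLink, policy)).ticket !== null;
}

for (const p of ["unsafe-url", "no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"]) {
  console.log(p.padEnd(34), JSON.stringify(referrerFor(ticketPage, externalLink, p)));
}
```

The fix lives on the sending side: a `Referrer-Policy` response header or `<meta name="referrer">` on the tracker, or `rel="noreferrer"` on outbound links, so the linked site sees at most the origin. Current browsers default to `strict-origin-when-cross-origin`, which already trims cross-origin navigations to the origin, but the older `no-referrer-when-downgrade` default and an explicit `unsafe-url` policy send the full path, comment id and all.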

3. Biohacking Disclosure Issues

Some people go to Defcon and hyperfocus on one or two topics they are particularly interested in, such as hanging out the whole time at the lock picking village. I love to talk to those people, but I’m more of a Defcon omnivore, roaming around the conference popping into lots and lots of different things that sound interesting even if I have no plans to follow up with that topic later.

For example, on a whim, I walked into a talk on biohacking, and it was a panel discussion on the issues involved in biohacking (ex: finding security flaws in medical equipment such as a pacemaker). It’s not entirely shocking, but the medical industry has a long way to go in regards to responsible disclosure of exploits and ensuring all devices are as secure as possible. Really interesting stuff, and the key takeaway for me is: if I ever have to use a device like a pacemaker, dialysis machine, etc., ask a lot of questions and search the internet for the device maker before moving forward. The last thing you need is a pacemaker with exploitable software lodged in your chest for years.

2. The Fake TSA

There was a long line (not uncommon) to get into the Defcon Arcade party on Saturday night. Just as the doors opened and the line started moving, a group of guys wearing blue polo shirts ran up next to the line, set up a table, put bins on the table and started asking people to present their bags, take off their shoes, and walk through a metal detector. This was a joke. It was very much a joke…and yet…that wasn’t clear, or that bit of monkey brain we all have that was programmed by almost two decades of travel didn’t want to question it, for a lot of people. People started to grumble while taking off their shoes, and as I walked around the TSA stunt I heard one of the “agents” telling someone: “Dude, calm down. It’s a joke!”

Don’t let security theater seep into your monkey brain.

1. Hack the Vote

The Voting Village is always equal parts awesome, enlightening and depressing…ok, maybe it’s 60% depressing, 20% awesome and 20% enlightening. This year, I took part in a group discussion, again off the record, with various election officials on what they can do to improve their security. I really feel for the gentlemen we worked with. I really believe they are doing everything they can to protect the vote in their counties (in a midwest state), but they are handcuffed on two key elements: the antiquated, potentially unpatched, voter registration system managed by the state, and the lack of decision-making power to force a move to paper ballots.

I’d love to find ways to help on this, but the red tape and infighting make that so difficult, and even if I could step in and officially help these two midwest counties, what could I do that they haven’t? Maybe tighten a few things like forcing longer passwords, but if the State is unwilling or unable to upgrade their system and confirm that basic system maintenance is taking place, what can anyone do about it? The Federal government is the only entity that can, and we all know that one party is…disinterested…in making these critical changes.

See you next year, Defcon.

(And see you in October, ShellCon!)

My First Mention in Variety

I’m late on this on the blog, but after a few years of working in entertainment and two years of living in Los Angeles, I got my first name drop in Variety.

A few weeks ago, we were talking internally about the entanglement of buyers and sellers and products and platforms, when someone wondered aloud about how many different ways there are to sell branded content in the market. Our CTO, Mike Flynn, was in the office at the time and took that question as a math challenge. He immediately set about doodling an equation to explain the cacophony.

Big picture? It’s nice and doesn’t matter much, but it is cool. I’ve also had posts on the front page of Hacker News a few times and that’s certainly led to more emails, but it’s still cool to get a mention in the Hollywood press.

via Variety
