ORLANDO, Fla. — The first day of ThreatLocker's Zero Trust World 2025 conference kicked off with a brief welcome address from ThreatLocker CEO and co-founder Danny Jenkins, plus an interview with former LulzSec hacktivist Hector "Sabu" Monsegur and an FBI agent who busted him, Chris Tarbell.
"My goal for this conference is that everyone goes away smarter," Jenkins told the audience, stating that ThreatLocker was founded to help change the cybersecurity paradigm from "default allow" to "default deny."
No longer just for the lulz
The first session certainly brought useful information as master of ceremonies Adam Reid interviewed Monsegur and Tarbell, who now work as cybersecurity researchers and host a podcast together.
Monsegur said he got into hacking at age 12, when he browsed warez rooms using his AOL account and discovered Loyd Blankenship's 1986 "The Conscience of a Hacker," aka "The Hacker Manifesto."
He found inspiration in the line: "Yes, I am a criminal. My crime is that of curiosity."
From there, Monsegur migrated to IRC and taught himself Perl, but his lack of formal credentials meant that "I could not get a job in cybersecurity whatsoever."
Eventually, he joined Anonymous and helped pro-democracy activists evade surveillance during the 2011 Arab Spring uprisings. Then Monsegur and half a dozen other Anonymous hackers formed LulzSec, the prankster group that broke into government and corporate servers for a few months in the spring of 2011. They even set up a phone line, like a radio station, to take requests for targets.
"What allowed me to be successful as an adversary was that I had a structure in place," Monsegur said.
That didn't stop other hackers from identifying him. One low-level hacker told the FBI that "Sabu" was based in New York City, so Tarbell combed through logs of the servers that Sabu had attacked, looking for New York IP addresses. The FBI was soon at his Manhattan apartment door.
"Getting arrested was the best thing that happened to me," Monsegur told Reid. "I needed a reality check."
For his part, Tarbell said interrogating Monsegur "humanized cybercrime for me." He added that he also helped bust Ross Ulbricht and hopes that the newly pardoned Silk Road operator "does something good with his freedom."
Lessons from a former hacktivist
Asked by Reid what might be the most common mistakes even seasoned cybersecurity professionals make, Tarbell replied, "Complacency."
Cybersecurity pros often think that strong credentials are enough to protect accounts, Tarbell explained. But that's not enough when smart hackers can get six-figure signing bonuses in the professionalized cybercrime industry and "ransomware groups are becoming as clever as nation-state actors."
Monsegur cited frustration among cybersecurity defenders as an urgent issue.
"If a CISO can't get the budget they need, then they often just give up until they move on or they're replaced," he said.
Other organizations may have the resources, yet don't configure security tools properly, Monsegur added. Or if a company doesn't have the budget or the resources, it can't remediate anything but the most critical vulnerabilities.
"The good part," he said, "is that there's a lot of great resources out there that are free."
Talented staffers can work wonders with free tools, Monsegur said. Organizations with small SOC teams can work with their vendors. But, he warned, if you have no resilience and no backups, you can't recover from a cyberattack.
"We can do something. We can work together," he said, addressing the Zero Trust World audience. "Look at this room and all the talent in here. Even if you guys are working for competitors, if an adversary targets one of your companies, he's probably going to target the other one too. Have a beer together and start talking."
Making email zero-trust
"Email is broken and we all know it," declared Mailprotector founder and CEO David Setzer during an afternoon talk. "It's hundreds of messages every day from people we don't know and don't want to hear from."
Among those hundreds of mostly useless messages are a couple of "time bombs" that could compromise your organization and even destroy your career.
The Simple Mail Transfer Protocol (SMTP) was never designed to be secure, Setzer explained, because the Arpanet academic-defense network it was built for was very restricted.
"You had to be verified to be on the network," he said. "Because the network was closed, the SMTP protocol was open."
Forty-five years later, we're still using SMTP even as the internet is wide open.
"Yet we're still living with the assumption that everything is good," critiqued Setzer.
Warning email recipients that a message originated outside the organization or not to click on any links is useless, he argued.
"We're cybersecurity professionals, and we're asking the end users to do our jobs," Setzer said. "It's pure security theater."
The solution, he said, is to make email zero-trust, to assume every email message is malicious until proven otherwise.
"You have to flip the script," Setzer said, "to turn the assumption of the protocol from everything is good, let's figure out what is bad, to everything is bad, let's figure out what is good."
Naturally, he pitched his own solution, Mailprotector, as the best way to do that. But his observations about email security weren't wrong.
"We'd like to help you use email the way it was intended to be," Setzer concluded.
Cybersecurity as a shared delusion
The most controversial remarks of the day came from Dr. Chase Cunningham, a former Navy and NSA cryptologist, current vice president of security market research at G2 and host of the Dr. Zero Trust podcast.
His talk (and a companion blog post) was entitled "The Grand Delusion: Why Cybersecurity Keeps Failing and What Works." He did not mince words.
"How many ways do we need to solve basic problems?" Cunningham wondered. "We've invested more money in cybersecurity research than we have on cancer research. Cancer will kill you. Cyber may kill you, but it probably won't."
The fundamental issue, he said, is that the cybersecurity industry is built on hype, and market-research firms periodically generate new terms and acronyms to keep the spending going. Yet few of the newfangled technologies make any difference.
"SASE is the dumbest [stuff] I've ever heard," Cunningham said. "SASE is the Honey Boo Boo of cybersecurity strategy."
No matter how much money organizations spend on cybersecurity solutions, the same simple flaws continue to bedevil them.
"People will always use [lousy] passwords and will always click phishing links," Cunningham said.
What the cybersecurity industry needs to do instead, he said, is make it so that it doesn't matter if people do use lousy passwords and click phishing links. And that kind of innovation will come from the "small" half of the cybersecurity market, the one that's not dominated by a dozen giant firms.
Right now, Cunningham said, enterprises are addicted to new, expensive, flashy software solutions that promise a lot but deliver little. Meanwhile, the things that do work are in-house procedures and policies: least-privilege access, organizational cyber resilience, zero-trust authentication, allowlisting, browser isolation and network micro-segmentation.
We'd better get cybersecurity right soon, Cunningham warned. With the proliferation of ransomware as a service, leaked NSA penetration tools and AI-assisted malware coding and phishing campaigns, "everybody, everywhere is a potential cyberwarfare actor."
"We are not in a good space unless we change the way we do this," Cunningham said.