What Is An Ethical Hacker? | Thomas Johnson | Modern Wisdom Podcast 105

Modern Wisdom | Sep 23, 2019 | 1h 4m

Thomas (Tom) Johnson (guest), Chris Williamson (host)

Definition and practice of ethical hacking and social engineering

Thomas Johnson’s personal journey from young hacker to white-hat professional

Real-world physical and psychological intrusion techniques in corporate environments

Hacking tools and hardware: USB implants, SDRs, covert cameras, Raspberry Pis

Password security, data breaches, and common user vulnerabilities

Nation-state cyberwarfare, critical infrastructure attacks, and Stuxnet

Career paths, skills demand, and training resources in cybersecurity

Ethical Hacker Exposes Human Weakness As Cybersecurity’s Greatest Vulnerability

Ethical hacker and social engineer Thomas Johnson explains how modern hacking targets people more than machines, because human behavior often bypasses even the best technical defenses.

He shares his journey from teenage hacker to Home Office–recognized security professional, detailing real-world engagements where he gained deep physical and digital access to organizations through persuasion, disguise, and inexpensive hardware.

The conversation explores offensive tools (USB implants, software-defined radios, covert cameras), password cracking, and data breaches, alongside nation-state cyberwarfare, critical infrastructure attacks, and the value of data as a strategic resource.

Johnson stresses education, better personal security habits, and the urgent need for more ethical hackers, highlighting both the career opportunities and the existential risks of an increasingly connected world.

Key Takeaways

Humans are both the weakest and strongest link in cybersecurity.

Most sophisticated defenses can be bypassed if an attacker manipulates a person to reveal passwords, plug in devices, or grant access; cultivating skepticism and trusting your “gut feeling” is a powerful defense against social engineering.

Social engineering uses psychology to bypass technical security.

Johnson gains access by blending in, borrowing authority (e. ...

Short, reused passwords are effectively broken security.

Eight-character passwords—even with mixed symbols—can be brute-forced in hours, and reused credentials across sites make it trivial to pivot from one breach to multiple accounts; longer (12+), unique, non-dictionary passwords or mnemonic phrases are essential.

Cheap, accessible hardware can be weaponized for serious intrusions.

Off-the-shelf tools like USB Rubber Ducky, Bash Bunny, Raspberry Pis, software-defined radios, covert cameras, and radio bugs can clone access cards, inject payloads, intercept signals, and exfiltrate audio/video with minimal visibility or cost.

Nation-state cyber operations can cause real-world physical damage.

Cases like Stuxnet, which sabotaged Iranian nuclear centrifuges via malware on air-gapped systems, demonstrate that cyberweapons can quietly infiltrate and then damage critical infrastructure, making information warfare a central front in modern conflict.

Everyday consumer tech can be turned against its users.

Keyless car entry can be defeated with relay attacks, cheap IoT cameras are often misconfigured and searchable via Google, and apps like selfie filters may be harvesting training data—highlighting the need to choose reputable devices and manage exposure.

There is a massive talent gap and strong earning potential in ethical hacking.

Qualified penetration testers can earn £65k–£120k per year, with an anticipated 1. ...

Notable Quotes

If you can talk someone into giving you the passwords or plugging a USB stick into the computer, then all of this very expensive cybersecurity mitigation is useless.

Thomas Johnson

For the price of one fighter plane, you can hire 200 hackers. Information warfare is going to be the future of war.

Thomas Johnson

The hackers are the good guys. The cyber criminals are the bad guys. The knife is hacking; Gordon Ramsay is the hacker, Jeffrey Dahmer is the cyber criminal.

Thomas Johnson

The entire character set of eight characters, including uppercase, lowercase, numbers, and special characters, in its entirety, can be cracked in two hours now.

Thomas Johnson

As things are progressing we're gonna be faced with lots of new challenges, and if we don't adapt as a race, we're gonna end up destroying ourselves.

Thomas Johnson

Questions Answered in This Episode

How can organizations systematically train staff to recognize and resist sophisticated social engineering attacks beyond basic phishing simulations?

Given that many powerful hacking tools are inexpensive and legal to buy, where should regulators draw the line between legitimate research equipment and dangerous dual-use technology?

What practical steps can critical infrastructure operators take to protect air‑gapped or legacy systems that were never designed with modern cyber threats in mind?

How should individuals balance convenience and privacy when using IoT devices, cloud services, and popular apps that may be quietly harvesting data?

With such a large skills gap in cybersecurity, what education or policy changes would most effectively create more ethical hackers instead of future cyber criminals?

Transcript Preview

Thomas (Tom) Johnson

To me, you've got to understand that data now is worth more than oil. Um, so they're going to put a lot of money into securing that, and they're gonna put a lot of money into defending that. Now, I'm genuinely proud of, of living in England and in Britain, because we have some of the best security professionals in the world. But you have a lot of threat actors as well. So you've got China, you've got Russia, you've got North Korea. You've got all the states that wouldn't necessarily get on with us politically. And you have to understand that for the price of one fighter plane, you can hire 200 hackers. So information warfare is going to be the future of war.

Chris Williamson

I am joined by Tom Johnson, ethical hacker and social engineer extraordinaire. Welcome to the show, Tom. It's great to have you on.

Thomas (Tom) Johnson

Hello. Thank you very much for inviting me.

Chris Williamson

Uh, it's gonna be an exciting one today. This world of ethical hacking and social engineering is something that I've seen a little bit about online, but I don't really know all that much. But I guess we're gonna, we're gonna delve into it today, right?

Thomas (Tom) Johnson

Absolutely, yeah. I mean, would you like to start off at the beginning, how I got involved in it?

Chris Williamson

Yeah, absolutely.

Thomas (Tom) Johnson

Or would you like me to tell you what it is, first of all? (laughs)

Chris Williamson

(laughs) No. So yeah-

Thomas (Tom) Johnson

(laughs)

Chris Williamson

Let's, let's, let's find out. How do you define ethical hacking and, and social engineering and what you do? And then, and then let's find about, out about the, uh, the genesis story.

Thomas (Tom) Johnson

Absolutely. Okay, so social engineering, according to a guy called Christopher Hadnagy in America, is the art of using human psychology or misusing human psychology to get a target to do something or say something they shouldn't do or say, and that is grassroots. So if you can talk someone into giving you the passwords or plugging a USB stick into the computer, then all of this very expensive sort of cybersecurity mitigation is useless, because they are literally giving you the keys to the kingdom. So that, in a nutshell, is what it is.

Chris Williamson

I understand. Yeah. I suppose as these, uh, technological firewalls, uh, and safety measures become more sophisticated, the, uh, ways around it that don't require you to just brute force try and break through something that's heavily encrypted, I guess this sort of falls to the, the one remaining weak link in the chain, which is always going to be the, the several-million-year-old brain that sits inside of the person controlling the system, right?

Thomas (Tom) Johnson

(laughs) Well, uh, in my opinion, humans can be the weakest link, but they can also be the strongest link as well, because they think in a different way to how computers process information. So have you ever had a gut feeling before, Chris?
