#93 Matt Holland: Zero Day
The Knowledge Project with Shane Parrish, 29 Sep 2020
The Founder and CEO of Field Effect Security, Matthew Holland, is one of the world's leading authorities in cybersecurity. He explains exploits, hacking and defending, while providing insight on the mind of the attacker, Huawei, Snowden and what you should be asking your cybersecurity vendor. GO PREMIUM: Support the podcast, get ad-free episodes, transcripts, and so much more: https://fs.blog/knowledge-project-premium/
It's that going-to-the-doctor scenario: when you have a pain, you don't necessarily want to find out what it is, because people are naturally averse to bad news.
You can't be like that with cybersecurity. If you don't have a cybersecurity vendor, if you don't have a company helping you out with that problem, get on it. Everybody is a target at this point.
Your company is not small enough to be off an attacker's radar. I have seen five-person companies, actually, I've seen two-person companies attacked and hit. So my advice is, don't be afraid to ask for help.
Hello and welcome. I'm Shane Parrish, and you're listening to The Knowledge Project. This podcast and our website, fs.blog, help you sharpen your mind by mastering the best of what other people have already figured out. If you enjoy this podcast, we've created a premium version that brings you even more. You'll get ad-free versions of the show (you won't hear this), early access to episodes, transcripts and so much more. If you want to learn more now, head on over to fs.blog/podcast or check out the show notes for a link.
This week, I'm talking with Matthew Holland, the founder and CEO of Field Effect Security.
For the past decade, he's been the guy that every three-letter agency in the Western world has called when they have a problem they can't solve. Before Matt started Field Effect, he enabled allied governments to pursue their lawful mandate. This episode is all about cybersecurity exploits, hacking and defending. And while this is a world we all hear a lot about, rarely are the people talking as knowledgeable and informed as Matt. In fact, I'd say he's one of the top three in the world at what he does.
Let's dive into the mind of an attacker, what's possible, and what questions you should ask your cybersecurity vendor along the way. We'll talk about Snowden, what it's like to work at an intelligence agency, and, of course, Huawei and national security. It's time to listen and learn.
The Knowledge Project is sponsored by MetaLab. For a decade, MetaLab has helped some of the world's top companies and entrepreneurs build products that millions of people use every day. You probably didn't realize it at the time, but odds are you've used an app that they've helped design or build, apps like Slack, Coinbase, Facebook Messenger, Oculus, Lonely Planet and many more.
MetaLab wants to bring their unique design philosophy to your project. Let them take your brainstorm and turn it into the next billion-dollar app, from an idea sketched on the back of a napkin to a final shipped product. Check them out at metalab.co. That's metalab.co. And when you get in touch, tell them Shane sent you.
Rabbit Air produces award-winning air purifiers, some of the best in the industry. Every day we breathe in nearly two thousand gallons of air, and research shows that poor air quality impairs cognitive performance. To keep your air clean, Rabbit Air offers high-end air purifiers with customized filtration, smart sensing technology and advanced HEPA filters that can trap particles 0.3 microns in size at 99.97 percent efficiency. Visit rabbitair.com.
That's rabbitair.com, or call them 24/7 to speak to a consultant.
This episode is also brought to you by 8020. 8020 is a new agency focused on helping great companies move faster without code. The team at 8020 can build your next app or website in a matter of days, not months. Better yet, they can do it at a fraction of the cost. You walk away with a well-designed, custom-tailored solution that you can tweak and maintain all by yourself, without the need to hire expensive developers.
So if you've got an app or website idea, or you're just ready for a change of pace from your current agency, let the team at 8020 show you how no code can accelerate your business. Check them out at 8020.inc. That's eight zero two zero dot I N C.
So I've known you since 1999. We met in 2000. That's crazy. Yeah. We used to work together at the intelligence agency. Yeah. And that was the most insane period of time ever.
Right. We're in this small team. September 11th happens. The world forever changes. Our team works nonstop for effectively seven years. Like, I don't remember any of us having a vacation from 2001 to 2008, other than a random Monday or something. Yeah.
I mean, firstly, I think vacations are probably largely overrated, just because I'm a workaholic. But yeah, no, it was a really neat way to start. I mean, our careers are just a year or two apart, but it was definitely a very interesting experience being thrust into an environment where everything you do contributes much more than you would ever think coming out of university. You know, you want to get a job with a good salary.
All of a sudden, in our case, we're doing things that actually matter to the country, that have a very significant outcome. And it's like going from zero to mature very, very quickly, overnight. Yeah, yeah. I remember one of the first meetings I had with you. We were trying to figure out how something worked. And I stood up, you know, in my university sort of bravado, and I was like, oh, I'll tell you how this works.
And then I spent like 30 seconds explaining this thing. And then you looked at me and just deadpanned, like, you're absolutely wrong. Here's how it works. You stood up for forty-five minutes. You worked through, like, every instruction that happened in the operating system. And I was just blown away by your level of knowledge.
I mean, that's kind of you to say. There's probably a factor of being blown away at how much of a jerk I was in the process of that, which I'd like to say has changed, but probably not so much.
But yeah, it was really cool. I think the environment that we got to work in was about learning from people. For me, that time in my life really defined what a good team was. You know, when you learn something, you share it with other people in the office. I remember there were five or six of us in particular at one point, where it was a very large research-focused group.
And any time you learned something, or I learned something, or one of our colleagues learned something, it was a really neat discovery, but we took the time to educate each other. Yeah. And I think what that fostered was a level of trust that I had never experienced in my life. I remember entering that team, being massively humbled. And once the ego got dealt with and you could really jump into that environment, it just catapults one's growth.
And I still look back to those times and consider myself extremely lucky. And I guess I always acknowledge that that time in my life largely defined who I am today. I want to come back to that in a second. It is weird to hear you say you were humbled. You were literally the best in the world at what you do. And we're going to come back to that through this interview. Is it drinking whiskey?
You're pretty good at that.
I remember you used to drive me all the time in your Mazda. What was that? That was my 6, buddy. That smelled like toffee nightlight. Yeah. No, that was the dream cyber mobile. We spent a lot of time together. What made you leave?
So I've reflected on that quite a bit, just because I get that question often, and I don't think I've ever really had a good answer that wasn't necessarily immature. The ultimate reason I left was because I saw a limit to what I could grow into and what the vision of the group I was in could achieve. Like, there was a ceiling arbitrarily put on top of that. And I'm the type of person that doesn't work well when somebody says this is as far as you can go, or this is what we're going to do, regardless of what the evidence or ideas are, good ideas, bad ideas, whatever.
And it was not an environment where I could say, I can grow here anymore. One of the big indicators of that, which you'll probably laugh at, is there was a management competition. I screwed up the entire interview, but it was the same problem, where the interviewer would ask me a question and rather than give the answer of, you know, I would build a team to do this, I would request funding to do this,
I would reach out to universities to bring them into the fold, you know, the answers they wanted to hear, what I gave them were the technical responses to the questions they were asking. So, how would you solve this problem? My answer was, well, I would do X, Y, Z, and then I would do this. You didn't play the game? No, I just answered the question, and I think that was the first time it really dawned on me that I probably don't fit into the mold they were looking for.
So I think that's when the ball started rolling on my departure.
I remember it changed probably about eight months before you left. It started to get more, I don't even know how to word this. Like, when we started, it was very fast-moving.
We had a lot of authority, a lot of control, a lot of decision-making power. And then slowly, as we became more successful, the irony is that sort of became less and less over time. Yeah, I remember having a conversation with one of our mutual colleagues at the time, and I remember being very irritated about the arbitrary handcuffs that were being put on our ability to innovate and research. I remember a contentious time when you and I actually stood up at a town hall and got into a giant argument with a director.
Stu, if you're listening, we're sorry.
And it was very frustrating. And I remember that colleague saying, this is just part of business, man. Like, once you're part of a group that does something really good and people take notice, they want to turn that into a larger part of the organization. And with that comes what you're seeing now: it's formalized, you can't work more than this, you have different reporting responsibilities. And at that time, I just wanted to innovate.
I just wanted to come up with new solutions to the problems that operations were running into. Not being able to do that in its raw form was extremely frustrating.
And so you left, and we can't talk about what we did there, but we can talk about what you did right after you left. So you started Linchpin, and you had an unconventional way of starting that company, which was releasing a privilege elevation to get some attention from Microsoft. You want to talk about that?
Yeah. So that was a funny period. At the time, my business partner and I thought, how can we make a splash? Because when we left, our intention was to augment the world that we left with, I guess, a privatized twist on things. So we thought about, OK, how can we really stir things up a bit?
And at the time, Microsoft was releasing mandatory driver signing as part of Windows Vista, which is showing our age right there. And there was so much hype around it, and the way it was being advertised, it was going to be the silver bullet to stop all malware, to stop anything bad that could be happening. And anybody who has spent any time on the offensive side of the house was looking at that and saying, no, bullshit.
Yeah, it'll make things better. But it's not going to be the silver bullet that everybody thinks. So we said, all right, well, why don't we just do something kind of funny and show them? So what we did was we wrote a tool called Atsiv, which is Vista in reverse, got a signing certificate under this fake company, legitimately registered, fake in reality, and released a tool that was a signed component that would load an unsigned driver.
And it was not to do anything other than show how easy it is, with the simplest, goofiest approach, to get around this. And at the time, I was in Australia with my business partner starting things up. We were working out of a closet, really kind of a ragtag setup to start. And at the time, there were people being arrested for violations of the DMCA, the Digital Millennium Copyright Act, which back at that time was a really contentious thing, because it was changing what people could or could not do with computers.
And it was a really big deal. So when we released that, some people were like, oh, that's kind of neat, and other people, one person in particular, was like, this is a violation of the DMCA, you should be arrested, it's not really that cool. I'm going to go and release a tool that actually exploits ATI drivers and NVIDIA drivers and basically does the same thing, but I've done it a lot cooler.
So take that, Linchpin, haha. And in reality that was, I remember that guy. Yeah.
That was so much worse, because, and I don't know if it actually resulted in the revoking of ATI's and NVIDIA's signing certificates, but to us it was stupid to say that we were violating the DMCA, and the response was just so much unbelievably worse. And it was a very weird first few months of the company. Do you ever miss working at the intelligence agency?
I miss people. I miss a lot of really good people. They're amazing people. It's very underrated. People think that all government employees are lumped in the same group. They're not, as we can both attest to. Yeah. So I miss the people. I miss having first-hand exposure to the mission. I think back to some of the things I got to see and be a part of that no one will ever know about.
And that is really cool. It was really neat being a part of that. It creates memories that, I'm pretty sure, if I were to run into somebody 30 years from now on the other side of the world in a bar, immediately there's that connection of, hey, we did that. That was really cool.
So, yeah, I miss aspects, but I don't miss the handcuffs that were ultimately a part of my departure from there. And then when you left, did you ever feel like they didn't want you to succeed because they wanted you to come back? Was there part of you that felt like they didn't want to give you the contracts? I don't know if there was any interest in me coming back. I think there was definitely skepticism as to whether I could succeed, which I'm fine with.
I mean, clearly at the time, my business partner and I were the first ones to make that jump and do that together. And there was a lot of skepticism as to whether we should be allowed to do that, whether we were able to do that. I remember having a departure interview with a manager who sat me down and said, you're going to go sell to China, you're going to enable China. And I looked him in the eye and I said, what on earth would make you think I would ever do that?
That is the most ridiculous thing ever. So I think there was a bit of fear that we would enable adversaries of allied countries, which, yeah, in retrospect, I can understand. I just think at the time it was an immature view. I remember going to a meeting a couple of weeks after you left and they were like, oh, we're not going to buy anything from him.
And I was like, we're going to end up giving this guy like 50 million bucks a year. I want to say I was closer to reality than they were.
But the idea of going private was taking the handcuffs off and creating an environment where we put really, really smart people together. Part of our recruiting strategy was immediately going after the best people in the community, taking all barriers out of their way and letting them do amazing things. I want to dive into that a little more, because you were able to replicate an entire wing of an agency, if you want to say that, with one-twentieth the number of people and have higher, how were you able to do that?
The same people. You just took them out of the environment. And what enabled that?
Largely removing barriers. I think that was a big component of it, giving them an environment they could excel in, which breaks down into: what tools do you need? Do you need to put in a purchase requisition to get what you need, or can I just get that for you? That was one of the comments from one person I remember early on when they joined. They're like, OK, these are the things I'm going to need to do my job.
And I'm like, OK, I'll be back in thirty minutes. And, here's your stuff.
And the reaction was really like, we can just do this? It's like, yeah, go be a genius, go produce amazing things. So I think that was a big component. I think making it clear that everything we were doing was as a team. And as an aside, this is one thing I think people who are entrepreneurs sometimes get caught up in: that it's about them, it's about their journey. The way I approach it is, we're all in this together.
I'm really lucky to have you in the company, and creating that environment where they knew that they were lucky, that I appreciated them and that whatever we do, we're doing together. I think it's an empowering message to build a team around.
I remember one of the things I took away, that I've learned from you, is when you started doing that with people, you were like, what equipment do you need to do your job? And you'd just go out and get it for them. And they were astonished by how simple that was.
And that's something we do with everybody here, too. We just sort of ask, what is it you need to do your job to the best of your ability? There's a downside to that, too, which is really interesting, because then you lose the excuse of the equipment being a problem.
If only I had the right tools, I could deliver. Right. So there's this subtle sort of undercurrent to it, which is: I expect you to be amazing at what you do and keep getting better.
Yeah. And I think for some people, sometimes just that belief helps them get there. And so you did Linchpin from, what, 2007 to 2018? What are some of the lessons you learned about growing that? When you ended, how many people were there?
So, globally, I'm going to lump in the partner company that we were sold with, but I think at the time close to 90 to 100. We sold in 2018, but I didn't leave until December of 2019. I want to come back to that. But what are some of the lessons you learned from growing, scaling, running that company, recruiting?
I think one of the biggest things was starting a company from scratch. At that time I had a computer science background. I clearly had a lot of experience in cybersecurity. I took some accounting courses and marketing courses in university. So I think there was a bit of a foundation. I remember doing a business plan, because that was one thing you did: you made a business plan.
But one thing through the Linchpin experience that I got to have is I got to do every job. So I got to literally be the janitor. I got to be the marketing person. I got to be the primary salesperson. I remember doing really challenging sales pitches in front of audiences that didn't even want me in the room, because I was stamping on their creative territory. I got to write code. I got to manage projects.
I got to be the evangelist in the company. And going from there to Field Effect with that base, I think, allows me to make decisions that are more informed. It allows me to understand and appreciate all the different parts of Field Effect, which is a much more, we're going to come to Field Effect in a second. So I think there was that. I think the ability to make decisions and be confident in those decisions, not get caught in paralysis of decision-making.
That is something that I think at first I struggled with. But over time, the ability to filter out the noise and focus on the things that actually truly matter has really helped. Why did you leave? I mean, right before you left, you're the guy every three-letter agency in basically the allied world would call when they had a problem they couldn't solve, and you would solve it.
Why leave? I was going to make a joke about that: they ran out of problems. But they didn't run out of problems. Our problems are actually the same reason, I think, and this is actually where I realized the root factor of why I left CSE. It was a similar scenario, where guys got bored.
Yeah. Yeah.
But it was a change in what I could do. I started to see a ceiling on what I could achieve. And it became clear to me that I was the square peg trying to fit into the round hole, because of ambitions and more creative things that I thought we could do. And that was actually a pretty interesting experience, coming to terms with the fact that I was the square peg in the round hole, because it definitely took time. You know, the goal is not going to change.
Yeah. And you go through this evolution of, like, what's wrong with everybody? Why is nobody on board with this? And then the realization that, oh shit, it's me, I'm the problem here. And then the appreciation of, OK, understanding why that is. And I think that ultimately made the transition very easy, actually. And it's not something that I look back on at this point with any animosity or anything. It was just part of life.
You exited with more than enough to walk away for the rest of your life and just sit on a boat in Costa Rica and never have to worry again.
But the sharks, thresher sharks. But then you start Field Effect. And how many employees are you now, almost a hundred? You're almost 100. You're entirely self-funded to this point. So you basically took all this money you made and you were like, oh, I want to do this again, and I'm going to put it all on the line. What went into that thinking?
There were several factors. I think I really enjoy solving hard problems, and the current state of the cybersecurity industry, to say it's a hard problem is an understatement. It is an unethical shit show, I would say. And it really bothers me where it's at. So I think there's a large part of me that wants to fix that. There's also the aspect that I'm ultimately a serial entrepreneur. And I remember chatting with my wife when that transition was happening.
She asked me, like, why are you doing this? And what else am I going to do? I'm just going to start something else. And it's either a cybersecurity company that I'm once again running, that I believe can change the world and fix a lot of problems, or I can open a coffee shop. It's probably going to take the same amount of time. So how about the cybersecurity firm? And how important has she been through this?
She's amazing. I don't think I could ever thank her enough. In the formula for my success, she is a huge part of that. She is a workaholic. Yes. If you could sample what makes her run, who she is, and somehow create like a vaccine, inoculate the world, you would have world peace, hands down. And that obviously is a strong statement. But she is a phenomenon.
Anybody who knows her would definitely agree with that. I would agree. She's amazing. She is pretty cool. You mentioned the state of the cybersecurity industry. Talk to me a little bit about that. Where are we? What's it look like?
I mean, there's nobody in the world, from my point of view, that would have a better aperture into not only how things are and how they're sold, but also the attacker's mindset, in terms of what you're buying versus what you're consuming and how it's impacting your business.
This is the part in the discussion where I get angry. That's OK. We've got a lot of scotch.
So I think to answer that question, the first thing we need to do is look at what the cybersecurity industry actually is, because I think it gets muddled. The way the public looks at it, the way it's reported on, it's just everything. It's like a grab bag. Yeah.
So I think there are three groups or pillars of cybersecurity. There's the offensive side, which we've talked about: the ransomware, the intelligence agencies. I say offensive, but it's that traditional hacking, which has largely been glorified thanks to Hollywood. Mr. Robot gets it right, though. I don't know. I remember in Swordfish, he says, and like 40 seconds later, everything, you know, it's largely horseshit. It's not hackers with VR goggles.
Yeah, but if you've ever seen Mr. Robot, that is actually an accurate representation, if you're ever curious. But it is this glamorized thing that is entirely misrepresented. But it is an economy in itself. There's an economy behind ransomware; they get paid for it, they are successful. There's an economy behind intelligence agencies. That is ultimately what drives dollars and cents on the defensive side, the second bit. And by the way, the first bit only exists because humans are generally horrible at writing software.
So that wouldn't exist if people were actually good at security models and implementing software. The second bit only exists because the first bit exists. So that's the defensive side. I guess the best way to describe it is, as a consumer, it is probably the worst experience you could go through. So if you're going to go buy some cybersecurity, are you buying an antivirus? Exactly. What do I want, or do I want to buy... Yeah.
Buy some cyber, because that's largely, because it's a joke. Yeah, it's a black-box industry. Right. A lot of businesses, a lot of people don't know what they're actually buying, and that has been exploited by the industry. And this is the part where I get angry, because none of the solutions out there, well, there are a few that are decent, but look at what your options are. Do I buy an antivirus?
Do I buy anti-spyware? Do I buy a firewall? Maybe an IDS, intrusion detection system. Maybe endpoint detection and response. Maybe user behaviour analytics. Maybe a network monitor. And the way that vendors will try to push it forward is they say you actually need all of that, which is total crap. You do not need all of those things. They do not work well together. So that whole thing angers me to no end.
The third bit is a category that isn't actually cybersecurity. I read an interesting article recently and it kind of clued me in. I was like, actually, yeah, this third thing or pillar exists, and it's entirely wrong. And it's that bit that happens on the Internet, social media, that type of thing, that isn't actually security-related, but people like to put a box around it. So an example would be election interference.
So what are the organized influence campaigns on social media to get people to vote in particular directions? I do not think that's cybersecurity. But that also gets lumped in. So that is the third bit, which is kind of like faux cybersecurity. It's a little bit confusing, because then you lose track of what's actually happening. But I mean, intelligence agencies have been spying on other countries forever. One of the things that has changed now is not only the amount of consumer data and the value of that data, but also that people are spying on companies now as a means to fast-track their R&D.
Yeah, why invest hundreds of millions of dollars when you can just hack into somebody else's computer and download all their work and then claim it as your own? You know, it highlights why companies need to take this problem seriously, and I don't think it necessarily extends just to large companies at this point. Legal firms, accountants: huge targets. Huge targets. I mean, you think about what they're dealing with in regards to confidential agreements, financials of individuals and companies.
And that's one thing I think we've seen over the last couple of years, the attention that state-sponsored groups are paying. It's no longer the Sonys of the world; it's now your law firms, because there's a lot of intelligence value there, patent firms, there's a lot of intelligence value there. So how seriously smaller companies need to take this threat, I think, is really gonna fund it.
Super interesting. I mean, I was talking to KPMG just last week and they're like, oh, send me this. And I was like, how do I send it to you? And they're like, just put it in email. I'm like, what? What are you talking about? Like, I'm not putting that in email. Yeah.
I mean, I sort of compromised: I used quickforget.com and uploaded something. And it's like, this is good for six hours, so you'd better download it. But it's amazing to me the lack of thought that goes into the information you share and how that manifests itself, or what's exposed. Right. Because if somebody breaks into that computer, that whole email chain, the files, they're all there now. But a lot of the email is stored in the cloud, and it's a lot easier to access than people realize.
What makes you want to tackle this problem? This is like the greatest intractable problem ever, with tons of competition. You have the government doing host-based, you have the private sector doing all of these things, cobbling together solutions. What makes you think that you can have a better outcome for customers? Not arrogance, I joke.
But I mean, nobody knows the industry better than you do. But, seriously, there's billions of dollars going on here. Yeah.
So if we looked 20 years ago, it's the same problem. One of the things I tell people when they join, when I hire from intelligence agencies, is to be prepared to be disappointed, because the problems that you are going to see will shock you, that they're still out there. So the techniques that are 10 years old, the problems that should be 10 years old, are still happening today.
And I think that's a large referendum on how not good the cybersecurity industry is at actually trying to solve the problem. And if I look at the vendors out there, I'm not going to name any specific competition, but what I see is a sales strategy that is like a warped used-car-salesman strategy. And that's probably an insult to used car salesmen out there, because it's much worse. It's all about the transaction.
It's all about getting that done, taking the customer's money and saying good luck. And then they're not responsible for anything. Yeah. And that's not making anything better. How should that work?
Like how do people buy cyber isn't the I wasn't on sort of like the acquisition of cyber side but like this Gartner Quadrant. Is that sound familiar. Yeah. Yeah. So that is I guess a measuring system, a measuring stick to help the vendors or customers or prospective customers. Companies I guess is a better term to guide them in buying what they they may or may not need. There are a few problems with that. The Gartner Quadrant system is often outdated.
We were, for example, Field Effect was marketing a managed detection and response service well before it was defined in Gartner.
And ironically, at the time, we had a hard time, you know, gaining traction, because that's always looking at, like, existing sort of technology and threats and looking backward, saying like, oh, these people accomplish this, but not looking forward in terms of where the industry is going.
Yeah, so that is a useful classification system. It is just behind the curve continuously. The second thing is, I don't think businesses actually necessarily know what they're looking for.
Yeah, like how would you be educated if you're like a law firm, an accounting firm, you've got one hundred employees, you don't have like a cyber guy or girl, you know. Like, how do you go about doing that?
So, I mean, that's ultimately the realm that Field Effect is in, the small to medium business space, because, you know, it is infeasible for every company to have an IT team. And in our experience, I mean, an IT team is good. They have expertise, but they may not necessarily be security experts.
Is that kind of like Shopify for cybersecurity? Because Shopify is really arming... You don't have to worry about building a store. You don't have to worry about managing inventory. You don't have to worry about... They're arming the rebels, if you will, against Amazon. Like, are you giving world class technology to small and medium sized businesses as a means to, like, you don't really have to know all the ins and outs of cybersecurity? But then it becomes trust based. Like, why would I trust you over another vendor?
That's a great question. I mean, I think trust takes time. You don't just magically get trust right out of the gate. And I think that is something we put a lot of time into building. We take time to create a customer relationship, ask customers what their needs are, what are their problems, and then, you know, tell us about your network. How can we help you? And, you know, early on in that process, I think it becomes clear that we're not just out trying to sell software in a commodities way.
The first thing we do is an external view of the network and identify, OK, here's a problem right here. We want to help you fix problems. It's not just, here is a solution that you have to run with. It is all about us helping you be better, fixing problems and sustaining that moving forward. And that is largely a component that I don't think most vendors in the cybersecurity industry get. They are more interested in showing you, you've got this really cool interface, which, you know, no one in your company is probably going to know how to use.
And then if you don't see something, it's like, oh, it's not our fault. It was in the interface somewhere and you didn't... Yeah. You didn't see the logs.
So why didn't you action that? And I mean, I think the assumption that the average business is going to care about cybersecurity is a false starting point, because businesses, you know, you buy your computer hardware, you get your IT set up. If I'm a business out there, I'm not starting my day off thinking, oh, I can't wait to buy some cyber or understand, you know, cybersecurity. And that is the baseline that I think, for, you know, an effective solution.
That's what you're dealing with. You're dealing with a company or a customer that doesn't care about cybersecurity, but you need to help them. The baseline of the interface could be an office manager, not somebody who has a computer science degree or somebody who has any background or interest in cybersecurity. So having a system that, you know, is set up and built and implemented to work with people who don't necessarily care, or will care, or should even care, because that's not their job.
That's what we do. Well, that's a good point.
Like, you're not trying to make them care. You're just trying to say this isn't a worry for you anymore. Yeah. Yeah.
And when something comes up, here's a very concise way of dealing with it. Not, you know, a series of links: go Google this, learn how to implement a VPN, learn how to use a firewall or how to patch your system. It's a guided approach to, this is specifically what you need to do.
What's that around? And what people don't often see, which you can do uniquely, is sort of, what's the mind of the attacker like? If you're looking at acquiring valuable information from a company, walk me through that whole process. Like, how do you think about that? How do you go about doing that? What does that look like?
So initially an attacker is going to profile the target, and that can look like different things. So if, you know, the target has online services, they'll probe those services to see what's there. Are there any email addresses on your website that are really easy to identify? What type of social media presence is there? And that ultimately will lead into, typically, a social engineering campaign, either in the form of, you know, an email that is received that looks really normal, that you want to trust, and hopefully will get you to click on something or double click on an attachment, or it'll go to your phone and you click on that.
And then exploitation occurs. The other approach that we see quite a bit is people don't use multifactor authentication with just a basic email setup. So brute force, brute forcing passwords, works. Somebody gets in, well, they scope out your inbox and see what's there, who are your customers, what's your routine. And then they will perform perhaps a financial redirection. So in that case, they would get an idea of what your entire portfolio is and email all of your customers and say, hey, here's your new payment instructions, and they will have all the outstanding invoices already listed and ready to go.
So they can immediately say, you know, you owe us X amount. This is where I want you to send this money now. And that is remarkably and surprisingly effective and hard to track down, even though there's like a total... With bank accounts, we'll come to cryptocurrency and sort of ransomware later, but with bank accounts, it's easy to see where the money goes. It's really hard to get the money back once it's gone. Yeah. And that's conventional sort of attacks, right.
Versus sort of somebody like Boeing or General Electric or sort of Cisco, who would have a lot more valuable IP and probably worth a zero day or sort of like developing a custom exploit. Can you walk me through how that would work, hypothetically, of course? So you're interested more in the pointy end of the stick? Yeah, yeah. So, you know, the way exploitation works... Is there a specific platform you'd like to walk through?
Let's walk through Windows.
OK, so if you're going after a Windows box, it's either a server or a workstation, and typically servers, if they're Internet facing, give you the ability to hit it directly. So if you have a zero day in, you know, a web server, for example, that is something you can directly access and exploit. That is a very direct way, I guess, of attacking. The other approach is, you have a Windows client, you're sitting at your desk, you have a laptop and you're just, you know, typing away, and you get an email. That is probably the most common way.
And what that looks like is, again, back to the scenario where you're trying to convince somebody to trust an email. So they click on a link. What happens? Like, walk me through. I click on this link. Yeah. Yeah. So the first thing that happens is, you know, the browser would be exploited.
So whatever browser renders that link, a web browser exploit would basically gain code execution, and modern browsers are definitely getting better at protecting against that type of thing. So, you know, Chrome... every browser has a sandbox now. Most browser flavors are, you know, some measure of Chrome. So even Microsoft Edge is now based on Chromium, and so is Brave. And so is, like... Firefox isn't? There is no... No, Firefox is not. I think they're still rocking their own setup.
For now. They just fired their threat team. Did you see that?
So.
So, yeah, gain execution inside the browser. And then the goal is to gain privilege in the operating system. So that could constitute a sandbox escape to get out of that browser sandbox, a privilege escalation to ideally execute at a higher privilege level, to basically nullify any security on the host, and ideally get execution in the operating system's kernel. And once you're there, it's largely game over. But you get kernel on an individual... walk me through how you, like...
How does that become network access, to a Superman level or so?
So once you have that, there really are no barriers to doing anything on that host. So if you want to open up comms back to the mothership, you can do that. If you want to access a whole bunch of data, you can do that.
But how do you open up comms? Like, isn't everybody monitoring these links now, in terms of like how you exfil information? No, no. So we're kind of diving into why this is actually a really hard problem and why any specific pillar doesn't work. So if you only buy a network monitoring solution, you won't see really anything that I've described thus far. If you buy an endpoint only solution, there may be hints of things that have happened, depending on the sophistication of the endpoint solution.
But as soon as it gets particularly deep in the kernel, you're not going to see that. So it's a very challenging position. That's why having a holistic approach is so important. You need network, you need endpoint. So if something gets by either one of those things, the other will pick it up. And how does that work, like on a particular client? I can understand how those things communicate. But then how do you take an attack on one company and then translate that into a defense on another company with something you haven't seen before?
So I guess largely that depends on how well the cybersecurity solution is implemented. If it is part of a network where you can dynamically signature an attack quickly and create an artifact, we'll say, that can be applied across the network of other customers, that is a way to combat against that. I mean, the zero day problem is something that's always going to be there. I think this is something that a lot of vendors don't actually realize, that no matter how much you lock down your operating system, there's always going to be a creative group out there that does things better, that can get around it.
I mean, if you look at Apple, the Apple iPhone, for the past almost a decade, they've been adding an increasing number of security mechanisms into the operating system that largely limit an operator to only being able to do specific things. But that is largely crippling from a security standpoint, because all you need to do is get around this set of mitigations and you now can own any Apple device in the world. And a really scary thing is, recently a company called Vupen that is, you know, they buy zero day exploits. Not sure, but they go after that.
But what they do is, I can speculate, but they buy zero day exploits. And they posted something recently where they said, we're full up on iOS privilege escalations. We've got enough. Yeah, and if that isn't a wake up call to Apple, I don't really know what would be, as basically the industry is saying, yeah, your operating system is not as secure as you think it is. But it's kind of like the Great Wall theory, right?
Like you have this big wall around. But once you're on the inside of that wall, it's like there's no defenses after that. Yeah, and that perfectly describes Apple. That actually describes every mobile operating system out there.
Well, Android, talk to me about the specific challenges with Android, because they have like a host of other problems that aren't common occurrences that have to be dealt with. Like, everybody has a different version of Android that they're running. It's always out of date, that's... Yeah.
So Android is an interesting beast, because a lot of... It's the most common platform. Yeah, yeah. And it gets a lot of positive attention out there because it is an open platform. You know, you could download a nightmare. Yeah. You can download the source code and you can see what's running, and that is a component of a secure operating system, I guess, that, you know, the average person can go out and audit what's there. The average person could, if they want to, make that, download it, compile it, put it on their phone and maybe add some additional bells and whistles.
The concept is very noble. The reality of it is not so great, because what we have today is, there is the main Android branch that, you know, evolves, that Google releases. Android 11 just got recently released, and vendors will take that and they will adopt it as is, or they will customize it, or they will, you know, take particular parts of what's called a change history. It's basically the changes that have been made to the code base.
When that is taken in context with vulnerabilities, the fixes may or may not make it in. So you could have, you know, the latest Samsung phone running Android 11 that doesn't actually have all of the security fixes that the main Android branch has, because somebody is accepting or rejecting. Yeah, yeah. And I can tell you that with one hundred percent certainty. I have not looked at Android 11, but what I have experienced over the past two decades, there are problems in the Samsung version that have been missed, because humans, again, are part of the equation.
And, you know, on the list, it'll say, you know, CVEs fixed, but those fixes aren't there. Bad guys, attackers, will know that. And they will exploit that. And there is literally nothing you can do to defend against that if you are a target. And that is a pretty frightening proposition. So you would rather go up against an Android phone than an iPhone if you're an attacker?
That's an interesting question. I think the odds of getting exploited are higher on Android, although the nature of Android also creates a scenario where there's so many different flavors of Android, it makes it much more difficult to create a mass attack. Whereas in iOS, because it's the same version of the operating system across the board on every device, if you can find a problem, then you get all those devices. On Android, you get the nuances, "nuances" in quotes, of some of the decisions that individual vendors will make, that makes it very difficult to take an attack on Samsung and apply it to, I don't know, a Google phone. Or is that the iPhone?
So I would say generally the security position on Android is worse. You know, the odds of being hit in a mass attack are potentially lower. But if somebody is targeting you, I would say that the odds of them then being successful against you are higher on Android, for sure. As phones, or, you know, if you want to call them personal computers, it's like those are personal computers, right.
More so than we think, become more prevalent, they'll become the surface which gets commonly attacked. Walk me through, like, how does phone exploitation even work? Like, is it the same sort of system that you would use for Windows or Apple? Is it different? Like, how do you attack the phone? You have this thing on all the time.
It's got a mic, it's got a camera.
So the unfortunate answer is the exact same way you'd go after every other type of computer. iOS is just an operating system. Android is just an operating system. There's no special features that make it impervious to attack. There are different security mechanisms in place that an attacker needs to get around. But it's the same deal. So if I'm going after your Windows laptop, in the scenario that I described, where I send you an email, on mobiles it's the same thing.
And it's actually worse in some cases. About a year ago, a company out of Israel called NSO Group, they got busted for having a WhatsApp zero click mechanism. So some quick lingo dive here, one click versus zero click. One click is, you have to social engineer somebody to the point where they click on a link and exploit the phone. Zero click is where there's nothing you can do. You are just owned and you have no idea by whom.
You don't even see a message, like you're just... yeah, no decision on your part.
You're sleeping in the middle of the night, in this case, and NSO Group, you know, sends you a malicious bit of content via WhatsApp, assuming they've been able to figure out your WhatsApp ID, and then exploits your phone. And congratulations. That whole step of getting around sandboxes, privilege escalation, it's all the same concepts. But in this case, it is a direct way to attack a device that you own.
So previously, like tools like that were only in the hands of governments and they were generally targeting individuals or small corporations. Is that changed?
I think the accessibility is different. There's like an asymmetry to this, right? Like some person, some teenager, guy or girl sitting in their garage can literally have a massive, disproportionate impact. I'm thinking of the attack on Twitter recently and how, you know, that was social engineering.
Yeah, yeah. And, you know, in the context of going after mobiles, I mean, it all comes down to the accessibility of the attack vector and the creativity of the person running the attack vectors. So I was thinking, you know, with NSO Group, you know, there's a lot of articles on them about who they sell to and don't sell to. They have a whole internal group within the company now, that I've read, dedicated to making sure they make ethical decisions.
I don't personally trust that they're making ethical decisions.
Why do you need a group to make ethical decisions?
I mean, that's an indication that, you know, ethics weren't a component in the founding of the company. That's probably a whole other discussion. But, yeah, I think, you know, the point, the attacker and what that looks like, is, you know, it's much more plausible that it is not an intelligence agency. You know, you look at the groups that are running out of, you know, other countries. I'll pick on India a little bit, just because I've seen some, you know, some IP reports on, you know, some problems coming out of there.
But in terms of social engineering efforts, you know, it doesn't take a lot to go after Android that's two years old. And how many... I haven't looked at the statistics of, you know, what the market coverage is of Android versions. Pretty confident that if you're rocking a version of Android that's a year old, you're probably a pretty big target. And that, you know, again, I don't mean to pick on Android, but that is just a reality of how that ecosystem has evolved.
People don't really realize the scale at which this affects the economy, right? Like, you see these ransomware attacks, which I want to come to next, in terms of like twenty million dollars paid in Bitcoin. But what you don't see is the trillions of dollars of IP that have been transferred to foreign governments over the last decade.
Recently, we've seen a lot of intellectual property leaks. I kind of feel that, you know, if you were going to steal intellectual property and then create a competing product with traces, which, you know, wow, I got busted for that.
I want to come back to... our internal rage meter just went up. You know, it's a much more, you know, deniable scenario where, you know, things hit the Internet and people say, OK, it was out there now. So it's public domain knowledge. So that, you know, having separation from the attacker and the beneficiary of, you know, the results of the attack, you know, makes a lot of sense, if one's goal was to get a hold of somebody's intellectual property.
I mean, once it's out there, everybody's going to consume it. You know, you look at the leaks, the whole EternalBlue leaks. It's a series of tools from the NSA that got leaked, Windows vulnerabilities, went to WikiLeaks. NSA, or is that the CIA ones that got released? I don't know. That was NSA, CIA ones, or am I making that up? No, there was one that was rooted in... what happened was, was that group, was that leak...
I guess the one I'm referring to was from NSA, and it was a whole treasure trove of tools. And this one was particularly interesting because there are events that occur that destabilize, I guess, the defensive posture. Ransomware in general, I don't get how it even exists. It is the easiest malware to detect and stop. How there's even an industry around that blows my mind. But the attack vector that people use to wrap ransomware, the payload, weaponized...
That chain that I talked about earlier basically allowed a point and exploit capability on patched Windows machines. Walk me through ransomware. Like, what happens? Depends on the flavor. But the overall goal is to extort money out of the victim. So there's different ways to do that. If you attack an individual, you would potentially encrypt their personal photos, credit card information, maybe other personal compromising information, and then say, give me X amount of money or I'm going to expose all your photos or I'm going to delete it all.
When it comes to businesses, it's more of going after intellectual property, where if a particular workstation gets compromised, ransomware runs on that workstation, encrypts everything, potentially deletes everything, at the same time typically making a copy of it because there's value in that. And then it'll go through all the network shares and do the same thing. So there's different groups, I guess, of ransomware actors out there, some that are, you know, won't call the bluff, and others where if you say, oh, I'm not going to pay you, they will 100 percent follow through on what they're going to do.
And this weird, I guess, sub-industry has emerged from ransomware actually being a thing and being accepted, where companies will actually act as a negotiator. So if you think back to those really cool movies where, you know, there's a really cool ransom or hostage negotiator trying to talk somebody out of the scenario, that exists for ransomware, and it drives me... the bargaining, for me...
Yeah. Why is that a problem? Like, do your customers have ransomware problems, like... Oh, no, because they use... We protect against that vector. But the one thing, how do you stop that? Like, if it's that easy to stop, why doesn't everybody stop it? I wish I had an answer to that. I don't think, you know... a network monitoring solution will not stop ransomware. There's nothing you can do about that, bar none.
Yeah, you have to be on host and you have to have a measure of sophistication and tradecraft to identify and block it. We have some coexistence scenarios where, I won't identify the companies, but they are very, very large, successful cybersecurity companies, and the ransomware gets by them. But we stop it. And it blows my mind that, you know, based on the news, that it's... easy. Like, that's something that you're worried about.
It is a very, very basic profile to stop, to identify. I might be jaded because I've been doing this for twenty years, and in the grand scheme of things that I've been a part of, ransomware is definitely low on the sophistication. Ah, do you think it would exist without cryptocurrency and anonymous payment forms? Because it always seems to be, at least in the news, it's always like, you need to pay in Bitcoin so I can run away with this money.
And I would say it'd be harder, because that is definitely a very convenient payment structure, to pay with Bitcoin. I'm just thinking in the cases where we've seen financial redirections, and those are anonymous accounts that are used and then torn down.
So there's definitely... How hard is that to track? Like, if you're sort of like the FBI or another three letter agency, like, to follow that path? I don't know about that. It's not my background. But I would say the challenge would not necessarily be the difficulty. It would be the average person or business getting any agency to care to track it down, because intel agencies, law enforcement agencies aren't sitting around waiting for things to do.
There's really big problems they're going after and trying to fix and solve. And, you know, a small company, you know, a law firm getting ransomware is just low on their list.
It's not even a matter of payment for them. In some cases, it's life or death for the business because you can effectively turn the business off overnight and just eliminate it, especially if you're small and you don't have these sort of like big bank accounts to pay.
Yeah, yeah. I'm aware of, you know, businesses that have been shut down because of ransomware. The payment is just too high and it's much easier just to say, well, throw in the towel, we're going to fold up shop and maybe start again.
And this is ultimately why I don't like... I get very frustrated that companies will pay ransom or not take the time to hire a company ahead of time.
Like, it's much, much easier and cheaper to be preventative and to harden your system and be ready for attacks. I mean, that is the reality of today. And anybody who thinks otherwise, you know, they've got their head in the sand. You're going to get ransomware and bad things will happen. And hopefully it doesn't kill your company or compromise customer data. That's a whole other aspect of this equation that I don't think people take into consideration, their legal obligations to report compromises and customer data.
Now, there are fines. I remember before covid-19 dropped, there were discussions about, you know, six figure fines going to Canadian companies if they get ransomware and customer data gets compromised, and it is shown that they weren't taking the problem seriously ahead of time, so they didn't have the adequate security protections in place.
What's adequate? Like, that sounds so subjective. Yeah, yeah. I mean, is that back to that Gartner? I checked the box. You can't sort of, like, fire me.
So if I was a, you know, virtual CISO, I would probably, you know, reference the Gartner Quadrant to make sure that, you know, the executive board is covered in regards to liability.
There's almost like two layers to this, right?
There's the apparent layer, which is like I want to solve cybersecurity, but the real layers, like I want to keep my job. And easiest way to do that is not take any risks and go with the industry standard.
And ultimately, when it comes down to accountability, that is a safe way to go. It is, unfortunately, even if you're owned.
Yeah, yeah. It's the safe way to go. But it is not the best thing for the company. It is not forward facing. I think it's being naive in regards to the type of attacks that are coming. So if you're a customer and you don't know a lot about this, what are the questions you should ask to sort of reveal the type of solution you're getting for real, instead of sort of like checking the box?
You know, right off the bat, I would say, how are you protecting my company? Tell me how you're protecting my company like full stop, what happens when something goes wrong and you'll probably get a whole bunch of, you know, sales jargon? What's the difference between a good answer and a bad answer to that question?
If somebody uses the words next generation, seamless, will stop everything... Yeah. Or, we've got machine learning. Any of that, if any of that comes up, big red flags.
So if somebody can give you a good answer to what happens when your system fails...
That gives you comfort. I think that is a good position to move beyond. When I said earlier that, you know, the cybersecurity industry is like a bunch of unethical used car salesmen, it's because there's so much jargon and salesmanship that goes into this. For example, the process of buying a car. What do you expect when you go to a dealership to buy a car? What do you want to walk away with? Assuming you really like a car or a brand, what do you expect to walk away with after a transaction occurs?
The car? Yeah, unfortunately, with the current cybersecurity industry, there are salespersons all over the place that will say, you know, what you need is, you need some wheels.
And then another salesperson will say, I can sell you the engine, and another salesperson will say, I'll sell you the steering wheel. You probably only need the steering wheel, but I can say you're going to get some rims over here, too. And it is up to you as a company to put those things together and make use of that. So you're cobbling together the solution yourself, and each vendor... No vendor's responsible.
Then it's like, oh, this person... there's a lot of finger pointing. Yeah.
And ultimately, the only working cyber solution, and I don't care what the sales point is, the only true working cybersecurity solution is one that looks at it from: where is your data? How are you going to be attacked? Across the board. So it needs to include an endpoint component, a network monitoring component, a cloud component, potentially an IoT component, and X, Y, Z for things that we don't even know exist yet.
This is where this whole concept of next generation drives me nuts because people say we have this next generation thing. And what I'm seeing right now is the exact same thing I've been seeing 20 years ago, regardless of whether it has a machine learning component or not.
Like what does that mean? Next generation? Like if you knew the next generation of exploits, you'd be well.
Well, ultimately, it doesn't mean anything. A good solution should be iterative. A good solution should be engineered to handle the future without needing to put a sales tag around a you know, this is what we have now. We call it the next generation thing that the world has never seen. It's got machine learning, A.I., blah, blah, blah, blah, blah, which ultimately doesn't mean anything if you are a buyer. All it does is confuse you, drives me nuts.
So much jargon in this industry in particular. Right. And a lot of it is salesy, like it's created by the... Yeah. Sales teams, the sales force. Yeah.
The number of times I have had to worry about, you know, these features that are sold to businesses around the world, being on the other side of the coin just years ago: never. I've never had to worry about machine learning. By the way, the existing machine learning implementations in a lot of solutions out there are the exact same thing that I've seen in anti viruses back in 2005. They just didn't call it machine learning. It was just training analytics to look for anomalies.
And so when you're an attacker, what did you worry about? Oh, that's an intimate question.
Getting caught. I mean, ultimately, yeah.
I mean, so as an attacker, it is a continuous balance between risk and losing the capability. And what does that mean? And I'm speaking from, you know, back when I was at CSE, it means that, you know, when I said earlier that on that first pillar of cybersecurity, if you want to call it a pillar, there's an economy behind it. So there's a cost to building capabilities to go after a particular target.
If you lose that capability, that immediately is an expectation of, OK, find a new one. And it's difficult. There's cost to that. There's labor.
And that is a very big component that goes into, I guess, the risk equation as to how you're going to approach an operation, how aggressive you're going to be, and different agencies around the world will do different things.
I mean, you look at China and Russia, they're remarkably aggressive with a lot of, I won't say disregard for their own intellectual property and what they're using, but they're certainly not quiet about what they're doing. It's like spray and pray, right? Yeah, I find it really intriguing. It makes me wonder a little bit, like, do they have an army of thousands of people in warehouses cranking the stuff out, which they probably do, which is really scary.
Yeah. One of the things that I always found really fascinating about intelligence problems was there's always a country with more people who are just as smart, if not smarter than you and just as good, if not better technology than you. And yet you're tasked with sort of defending or in some cases acquiring information against these people and the hubris that sort of goes into we know best.
And yeah, that was always an intriguing calculation back at CSE. It's a good debate to have. I guess if you've got something that took a lot of time to build, do you throw it down a hill and hope for the best, or do you protect it? You put shoulder pads and knee pads on it and try to make it last as long as possible. And so talk me through that.
Like, how do you see that? Because allied governments, friendly governments, whatever you want to call them, have exploits that are zero days that they don't release, that have huge national security implications. Like we've seen some of those become public and have massive implications, with the NHS hack in Great Britain being the result of a stolen zero day from an allied government.
That one's tough. Why should they disclose? And what's your like? How do you think about that?
So, full disclosure, I don't have as much exposure to what the internal debate is on that. I'm aware that it happens. I think a lot of it comes down to what the perceived value is gained versus lost. If you don't disclose something and you use it operationally, is there more good for the mission, the country, its people by not disclosing it versus disclosing it and losing a capability? Yeah, it's a tough one because, you know, the adversaries of allied governments aren't going to disclose.
They're not going to care. If they have something they can weaponize, they will use it. And I think, unfortunately, that is probably the tone that is set globally that underpins a lot of this decision making. Like if you're being attacked constantly and having your nation's intellectual property stolen, I mean, you could disclose all the vulnerabilities you have and know about as a nation. It's not going to stop them. It's just not going to. They're there.
You know, going back to the open example of there are more out. There was a backlog, apparently. Yeah, yeah.
Speaking going to probably push some of your buttons here. You might want to take a drink. Talk to me a little bit about.
Huawei. And I'm just going to leave it there. Expand on Huawei. So we've had many conversations about Huawei.
That situation is, so, we always had a bit of an interesting, less than smooth ride, I would say. They came out of nowhere with all this tech.
Yeah. Which miraculously happened right after a Cisco leak, a giant Cisco source code leak.
It's a coincidence. Yeah. So, you know, there's documented ties to the Chinese federal government with that company existing. There is, I don't know if they were ever convicted, it was back in 2003, 2004, but there was a very clear cut case that Huawei was using conveniently leaked intellectual property. This is back to, you know, if I was going to steal your intellectual property, it is much more deniable if I leak it onto the Internet and then use it and come out six months later and say, oh, look, I just found this out there and I used it.
Really convenient coincidence. Yeah. And you know where we are today. Huawei basically, you know, price undercuts other vendors. And, you know, I ask how do they get to that point? That sounds like they have a lower R&D budget. And how do you have a lower R&D budget? You get intellectual property via creative means, you know. Today, with them being banned from the US, I don't disagree with that. I have different thoughts about the whole TikTok situation, but we'll dive into Huawei.
I think. Why don't you just agree with that? Why don't I disagree with them being banned? Yeah. I mean, I agree with them being banned. Yeah. So I mean, I don't think there is a framework to build trust. I don't think they have earned that trust. And, you know, if a nation is going to re-kit their entire country with a new type of wireless gear, especially with the complexities of 5G, you need to trust that vendor.
You need to be sure that the interests of that vendor are, at the very least, not opposed to the interests of the country that you're in. And I don't know how anybody could possibly say that about.
Well, I remember when the Brits did this whole thing, like we're going to set up this accredited lab. We're going to test it. So we're going to allow British Telecom to use it, but we'll test everything that's deployed. I remember just like that would fall apart in a second because the minute there's a zero day, you're going to deploy it right away, especially if it's leaked on the Internet. And then you've deployed code that you have in code review and then the whole thing just falls apart.
I'm like, OK, well, it doesn't scale to the realistic pace of software development. So let's imagine that a government does have a program in place where every iteration of source code, and these aren't small systems, we're talking billions of lines of source. Billions.
Let's assume you have a crack team of amazing source reviewers that can say with confidence, yep, this looks great. Or better yet, they have a set of automated tools to be able to derive that answer, which is challenging, probably possible, extremely challenging. The realistic outcome is the time for, say, Huawei releases a new iteration, the time from that release, because if they are a vendor that actually believes in securing their product and that new release of the firmware has, you know, fixes, time matters. You're against the clock before, you know, vulnerabilities could be discovered and put out, because all it takes is for them to release that firmware once, have somebody rip that firmware apart and identify differences between the old and new.
So you're immediately up against the clock. And if this ideal analysis process is being slowed down in any way, you're immediately compromising the vendor and giving them the argument that this system doesn't work. Because what they, and I don't necessarily disagree with that. If I was the vendor and my releases were being slowed down by a month, I would get pretty cheesed because something I fall. Yeah, you're slowing down fixes and. Oh, I'm sorry, your routers just got hacked.
That's on you. That's not on the vendor at that point. So I don't think that concept is one that actually works. And the way to avoid that is sort of like just not allow that in your critical infrastructure, or do you think it should be not allowed in any infrastructure? Your personal take?
My personal take, I again, I'm completely fine with the ban.
I mean, they're still allowed to sell into Canada. I'm not aware of what the I think it's not allowed in that the I mean, my knowledge is that a day will have to, like, factor this. But I think it's not allowed in the critical components of Canadian telcos, but it's allowed on the periphery. But I mean, that's like silly when you think about it, right?
Because you don't want to ever be held hostage to somebody who can turn that off and somebody who's more patient than you. Right. Because you could just go twenty-five years with no incident. And then all of a sudden there's an incident.
But you've built up twenty-five years of trust and credibility, and the story you tell yourself is we haven't had an incident. It's cheaper because it's likely subsidized, and not only R&D, but subsidized by the government. Yeah.
So I mean, ultimately this is, I don't have any problem with Huawei being banned in the US. I would not argue about that. By the way, the name of the vendors, Rhodium Buben started sorry and started 002, OK. And they're the ones that buy the easier it is. Yeah. I always lump them together, just you know. Well, same parent company I would imagine. Yeah. Yeah. What do you think of Snowden?
Yeah, I feel like you're asking questions that is slowly taking years off my life. So I've been doing that since I met.
You know, you're great, but I do not agree with what Snowden did in any way.
And that is putting it very, very kindly, regardless of, you know, at this point, there's been things that he brought to light that have been declared illegal. The unfortunate assumption is that agencies, security agencies, intel agencies are, you know, these devious groups that are like, let's do whatever we can, and I don't think the average person actually realizes how difficult that job is, how normal the people are who do that job.
They have families, they come in. They want to, you know, solve a mission or solve a problem, make things better. And the way he went out with this giant trove of information, which I'm going to come back to, completely ignores the way that technical implementations get approved. It's not like developers are sitting at their desk and say, I have this great idea, let's go do it. And all of a sudden it's running in operations without any, you know, accountability or review.
There is a team of lawyers, depending on the size of the country, that will look at that and say, this is OK, this is bad. I remember being at CSE and arguing for something for I don't know how many years, but there was a problem legally and it didn't get through. And that vetting process, people take extremely seriously. And if something goes through that process, there is a measure of legality to it.
There are a group of lawyers who honestly like to say no to ideas that have said, yeah, this is OK. So the idea that anything that has been deemed illegal, you know, I'm not in a position to say that's right or wrong. But what I can say is the process that those things would have gone through. People underestimate the sheer size of the bureaucracy to get anything really crazy.
So that whole side of things I find unfortunate, because the byproduct of that is distrust for agencies that are working extremely hard to keep the country safe. And it is extremely disheartening for those people to, you know, get dragged through the mud publicly when the public doesn't actually have an awareness as to how much they sacrifice on a day to day basis. Like I couldn't count the number of long nights that I've seen people work. You know, it can break families, it can break relationships.
And it has. Yeah, definitely.
So the other side of it is, you know, trusting his intentions. So he had gripes about, you know, those types of illegal, you know, mass monitoring or mass surveillance programs in the U.S. Why did he go public with such a large archive that had nothing to do with that?
Why did he expose completely legitimate legal intelligence gathering programs that have a ton of people's names associated with that? Why did he go out the door with that? And that, I think, is what I have a much larger problem with and that, you know, there was no thought process. You know, it sounded to me it seemed like more he was just giving the intelligence community the middle finger. Yeah.
I mean, I sort of took away the same thing from that whole thing, which was even if he felt just in what he was doing, it would have had a different sort of feel to it when it came out.
And you don't need to reveal the techniques. You can just reveal the details of the programs. But the actual techniques that he revealed, the software techniques, the exploitation techniques, I mean, that definitely cost people lives, that had a huge impact on people working there.
Yeah. And how far back did he set programs? How much did, you know, entire agencies need to go into damage control because some yahoo decided that this thing over here was illegal? And then, oh, here's a whole bunch of other interesting stuff, unredacted, being released. Yeah. I think people think, oh, there's no names associated with it. But like on the original documents, there's definitely names. And I think we both assume that every intelligence agency worth their salt in the world has unredacted copies of all of those documents.
Yeah, yeah. To the best of my knowledge, WikiLeaks doesn't receive redacted versions of things. I mean, that's largely my opinion on him. So you don't think he should be pardoned? A little part of me will die if he's pardoned. And why do you think he's in Russia?
Is there is there something to that story?
I mean, the where's a safe place to go when you've burned, you know, a particular group like right into the pretty back end of your safe place is Russia? Yeah.
I mean, yeah, I'd be really curious to actually know what his living conditions are like right now. And, you know, hopefully they're not comfortable. But I mean, he brought it upon himself there. There's other ways he could have done that and come forward. How could he have done that differently? What do you think? Well, I think internally there's lots of outlets for that stuff.
He said he followed that. There was no documentation released that I can remember that he did follow those. Yeah. I mean, you look at the whistleblower protection that's in place now. Was that post him, or. Yeah. You know, I was just thinking that I don't know whether it was post Snowden. I mean, maybe his decision to do that would have actually improved the protections for whistleblowers and, you know, that's probably important to acknowledge. But I thought he was the best thing to happen to Linchpin, though. I remember, like, and I don't mean that in a negative way.
I just remember, like, what happened in the immediate aftermath of that was they locked down the process by which people get hired. So, like, I don't think you or I would make it through today from start to finish because of our backgrounds and sort of different quirks of our personality. And so what happens is, like, post Snowden, you end up hiring, I call it the storm trooper problem, which is like you end up basically hiring the same type of person right there.
They're sort of like never had a problem in their life. They get straight A's. They do all the right things. They tie their shoelaces the right way and they come into the organization and they get promoted.
And the process for promotion now is sort of like, here are the ten things you need to do to get promoted, because it's so sort of like laid out and so bureaucratic that you end up year 30 and all of a sudden you're you're in charge of solving a problem that nobody's ever solved before.
But you're in a group of people who all see the problem the exact same way as you, all share the same blind spot. So I remember when that started happening, it was like, oh, man, this is like great news for Matt because you're hiring, in a way, the misfits of the industry. Right.
The people who don't want to go to meetings, the people who don't want to fill out the forms to go travel, the people who just want to be able to do their job.
Yeah, I'm trying to think back of what was there. Was there an effect? I don't actually know if I could speak to that without violating an NDA, honestly, but we don't want to get you in trouble.
Yeah. This year. Yeah.
I think how you characterize the mindset of these organizations is pretty accurate. I mean, the way we both sat in meetings where they're like, oh, we can't hire this person because there's like a flaw in their background, and there's some legitimacy to that, too, right. Like, you're trying to manage top secret information. You're trying to manage risk and manage an organization. But the flip side of that is like you're hiring effectively the same person.
Yeah. You're not wrong. I definitely don't disagree. I think one benefit, the linchpin from that was definitely it pushed people out the door. Yeah, absolutely. I think that's a trend that continues to this day. I mean, I'm still, you know, full disclosure, actively recruiting from intelligence agencies, the people that are excited to leave and do something more. And, you know, for lack of better terms, be unleashed to solve technical problems.
Like there's that hunger there. And I love that perspective of unleashing people that have sort of like had handcuffs before.
And it's like now your ceiling is not bureaucracy. Your ceiling is your own ability.
Yeah, I've been doing this for fifteen years, almost, as an entrepreneur and, you know, two companies. And I've gotten to witness people go through that unleashing process. And it is really cool to see how, you know, one month after, they're just blown away with what they are now afforded to do. And what, you know, I'm not saying don't do this. It is just here's the goal. Here's the problem. Solve it.
Let me know what you need. We'll catch up every once in a while. In Canada, people typically join the company with a one year leave of absence or a five year sabbatical component. And I always laugh about that because. Yeah, I mean, nobody's ever gone back. Well, yeah. So yeah.
So from a risk standpoint, that makes sense. So I never argue with that. But from a practical standpoint, nobody's ever gone back, and it's become something that I've seen weaponized against the employee, you know, oh, you're going to this company, we're not going to give you your one year leave of absence. And it's like, OK, that is an extremely bad decision. And you're showing some really unfortunate true colors. You know, does that ever make somebody stay or does it, like, push them out the door faster? Pushes them and motivates them.
Yeah. Chips on shoulders, man. There's something to the motivation that comes from that that just drives people.
I mean, Google's Project Zero is largely built from people who have exited the intelligence industry with a chip on their shoulder. I don't know if that's worked out so well, but I want to just sort of like end on some of the lessons that you've learned, growing Field Effect now to a hundred people. That's the critical phase for a lot of companies. Like a lot of companies break in this sort of like forty to one hundred people range because you start reaching the ceiling of the processes that you put in place, but also the ceiling of the people who've got you here.
How do you think about that? How do you scale and how do you go beyond that and crack through that sort of ceiling?
I think the first component is making sure that everybody is going in the same direction. You have to be very straightforward, frank, honest, when, you know, looking internally, but also what the company goals are. And everybody needs to know what the company goals are. I don't think that, you know, execution is necessarily something that comes naturally to a lot of people. And for me right now, I want to say one of my biggest concerns as we approach one hundred, as we go through COVID-19.
I mean, when this COVID-19 started, there was, you know, a decision to be made to go aggressive or cower, I guess, from the scenario. And, you know, in my opinion, it was very clear we go aggressive because, you know, our competitors are probably going to be Category B and damage control. So. Yeah. So you can get ahead. Yeah. So execution is a big part of that. And it takes a bit of time to understand what execution looks like in each particular problem or a given company.
So that discovery of, you know, how do we execute as a group has been something that I think is extremely important. And largely the company is absolutely doing amazing at it. And that, I think, is one thing that, you know, always resonates in my head, that, you know, everybody has great ideas. But how you push through is execution. You need to materialize those great ideas into things that are reality.
Is there anything else you want to say about the state of cyber before we wrap this up? Have I am I swear jar.
I don't know, say whatever you want. Yes, I think we're already explicit at this point.
So, so, so.
So I would say, you know, if you are a company looking for help, it can be a challenging thing. I think it's that going to the doctor scenario, when you have a pain, you don't want to necessarily find out what it is because, you know, people are naturally averse to bad news.
You can't be like that with cybersecurity. If you don't have a cybersecurity vendor, if you don't have a company helping you out with that problem, get on it. Everybody is a target at this point.
Your company is not small enough to be off an attacker's radar. I have seen five person companies, actually, I've seen two person companies attacked and hit. So my advice is don't be afraid to ask for help. Hello at Field Effect dot com. Yeah. The second thing I would say is anybody out there looking for, you know, a really cool opportunity for a really cool company. You know, the experts of the world, regardless of what company you're working for right now, we're always looking for our people.
That's amazing. Like my kids call you Uncle Matt, but they also whenever Elon Musk comes in, they say, we know somebody is going to do more than Elon and sort of like and they're pointing to you. So we're looking forward to seeing how this progresses over the next couple of years. I don't know how to respond to that, but that's very, very kind of them. Thanks for chatting. Yeah, thanks for having me. It's good to.
Hey, one more thing before we say goodbye. The Knowledge Project is produced by the team at Farnam Street.
I want to make this the best podcast you listen to, and I'd love to get your feedback.
If you have comments, ideas for future shows or topics, or just feedback in general, you can email me at shane@fs.blog or follow me on Twitter at Shane Parrish. You can learn more about the show and find past episodes at fs.blog/podcast. If you want a transcript of this episode, go to fs.blog/tribe and join our learning community.
If you found this episode valuable, share it online with the hashtag The Knowledge Project, or leave a review. Until the next episode.