Risky Business - Risky Business #742 -- China bans AMD and Intel, pivots to Linux on the desktop
Episode Date: March 26, 2024

On this week's show Patrick and Adam discuss the week's security news, including:
- FVEY protests China's widespread hacking of western politicians
- China bans ... western CPUs, Windows and databases
- Apple's leaky M-chip prefetcher
- Nigeria holds ex-IRS investigator hostage in Binance stoush
- Researchers bring Rowhammer to AMD Zen and DDR5
- And much, much more.

This week's show is brought to you by Thinkst Canary. Its founder Haroon Meer joins this week's show to make a passionate case that security vendors don't all have to go for explosive growth. Slow and steady with a focus on excellent and relevant products will win the race, he says.

Show notes
- Justice Department indicts 7 accused in 14-year hack campaign by Chinese gov
- Parliament network breached in China-led cyberattack, Judith Collins reveals
- China blocks use of Intel and AMD chips in government computers
- Announcement of Safety and Reliability Evaluation Results (No. 1, 2023)
- Unpatchable vulnerability in Apple chip leaks secret encryption keys | Ars Technica
- How Ukraine is using mobile phones on 6ft poles to stop drones
- Russian military intelligence may have deployed wiper against multiple Ukrainian ISPs | CyberScoop
- US penalizes Russian fintech firms that helped others evade sanctions
- UN probing 58 alleged crypto heists by North Korea worth $3 billion
- Detained execs, a bold escape, and tax evasion charges: Nigeria takes aim at Binance
- The DOJ Puts Apple's iMessage Encryption in the Antitrust Crosshairs | WIRED
- Mark Zuckerberg told Facebook execs to 'figure out' how to track encrypted usage on rival apps like Snap and YouTube, unsealed documents show
- 'Far-reaching' hack stole information from Python developers
- ZenHammer: Rowhammer Attacks on AMD Zen-based Platforms
- One Man's Army of Streaming Bots Reveals a Whole Industry's Problem
- Apex Legends hacker said he hacked tournament games 'for fun' | TechCrunch
Transcript
Hi everyone and welcome to Risky Business. My name's Patrick Gray. This week's show is brought to you by Thinkst Canary and its founder Haroon Meer will be along later on in today's show to make a passionate case that security vendors don't all have to go for explosive growth. You know, slow and steady with a focus on excellent and relevant products is a good way to do it too, he says.
That is coming up later.
But first up, of course, it's time for a check of the week's security news with Adam Boileau.
And Adam, first up, we're going to talk about the Justice Department in the United States charging a bunch of Chinese APT operators.
And, you know, I think there's some sanctions as part of this.
And big Five Eyes announcement. China's been hacking us.
What a surprise.
Yes, we've seen a coordinated set of releases
from the Five Eyes governments targeting various Chinese hacking groups.
The Americans focused on APT31,
which it said has carried out like 14 years worth of hacking
against all sorts of things in the US.
And this particular indictment has some criminal indictments.
It has some sanctions.
There's the usual kind of wanted posters
with pictures of some of the people behind it.
But it's really pointing the finger at China
and saying like, this is not acceptable.
Yeah, well, China has done, it's just so funny
because it's a playbook at this point.
China comes out and says, how dare you?
We would never, right?
And that's been the reaction.
I believe there's also been like a bunch of activity attributed
to China as part of this.
Yes, we've seen attribution to fronts for the Ministry
of State Security in
Wuhan. That's APT 31, aka Violet Typhoon, I think. And that attribution is backed by a lot
of technical details and things because we've been watching this group for quite a long time.
And I think in light of the recent i-Soon leaks, like, we have a much better understanding of, kind of, like, how that public-private partnership between the state apparatus and private companies doing the hacking plays out.
Well, I think we do. I think, you know, we do in the sort of public, unclass realm, right? I'm guessing most of the Five Eyes agencies, you know, knew how this worked, but it's great for us to understand it as well.
Yeah, yeah, it's really nice to see the inside plumbing, and to also, like, it explains a lot of the, like, when we see those groups also doing, you know, more normal crimey things or, uh, cryptocurrency thefty things on top, it makes more sense, right?
Like, yeah, it makes more sense. But what I meant by the attribution is they've actually attributed specific incidents, you know, not just attributing to organisations and contractors and whatever, but I believe, like, the hack of New Zealand's... our Parliamentary Services organisation that runs the domain
that all of our members of parliament's computers
are domain joined to, for example.
So they got hacked, I think, by APT40 in this case.
So that's the Hainan Island branch,
a front company in Hainan
for the Ministry of State Security, APT40.
I believe that's also the group that did the
Australian Parliament back in 2019. So they've got a modus operandi of fulfilling those particular
requests for the Ministry of State Security. And like here in New Zealand, where China is a massive
trading partner for us, we've been very reluctant to point the finger at them. And this is one of the first times we've seen, if not the first, where we've seen compromise of government entities attributed specifically to the Chinese Ministry of State Security.
I mean, some of the commentary around this coming from Kiwi politicians, though, I mean, this is, like, it seems like they're doing this reluctantly because, I don't know, look, within the Five Eyes alliance,
New Zealand definitely has a reputation for being somewhat soft on China, shall we say.
Yes, we are definitely the weakest of the Five Eyes. We're the one that's left out of all the
good stuff, I imagine, because we are very soft on China. Trade is super important for New Zealand
and our government has been not at all aggressive in responding to, you know, what's honestly very rude intrusion into our democratic process and things, uh, here in New Zealand.
I mean, I do find this a bit funny, though, because New Zealand is an exporter mostly of commodities, just like Australia is, and we saw what happened when China put, you know, trade bans on us, which was really not very much.
We just found different markets for commodities because that's how commodities markets work.
You know, you're just sort of shuffling the, you know, the order of countries that they
go to.
Yeah.
And I think, you know, they'll buy the stuff off the Belgians and we sell it to them or,
you know, whatever.
Yeah.
New Zealand's absolutely going to have to face reality at some point.
We have trade relations with China and we have everything-else relationships with the West, and we're going to have to, at some point, pick one and accept that reality, which so far we have been unwilling to do. But the commentary in New Zealand around this, you know, opinion pieces and stuff, have definitely been asking, you know, why is our government saying that, quote, China is our very good friend, unquote, in the same breath? Why are our politicians still licking these guys up and down
when we're dealing with this sort of stuff?
Yeah, exactly.
So, you know, it's nice to see some attribution,
but, yeah, the response could be a little bit sterner, in my opinion.
Yeah, yeah.
Anyway, we've linked through to Ars' write-up on that,
and, you know, you can click through to all sorts of indictments and stuff.
But it was one of those big, you know, big sanctions packages and whatever.
So moving on to other China news, though, and this one, this one you've actually done a fair bit of research on for us for this week, which is China is blocking the use of AMD and Intel chips in government computers.
And they're also moving like off Windows and all of that, as we know.
So what's real funny is that finally, finally, we're going to have Linux on the desktop. It is actually the year of Linux on the desktop, and it makes total sense that it's communists who do it first, but not for the reasons we thought, because it's the people's software, but because they want to be authoritarian jerks who reserve the right to invade places, so they want to use Linux.
Dear, oh dear.
Yeah, this is... it's very awkward for all the people that built Linux, you know, for free software, you know, free-as-in-speech reasons, to have it being used by an oppressive government. Anyway, uh, we've seen some reporting that, uh, one of the Chinese ministries that's responsible for such things has published a list of, like, approved CPU manufacturers. So if you're a government entity or, you know, a state-owned business or something in China, you are required to use stuff that's approved and on this list, and that has only Chinese CPU manufacturers, and also lists operating system vendors, all of which are, like, Chinese Linux variants, and also some database applications.
So the net result is basically, yeah,
you can't put new IT systems in that use Intel or AMD processors
that run Windows or use Western databases.
And that's a long process for them to kind of rip that stuff out,
but they are aiming to have that process done by 2027.
Well, they're aiming for a few things by 2027,
like, for example, being ready to invade Taiwan,
which doesn't necessarily mean they will invade Taiwan in 2027.
But, you know, I find this whole thing just so interesting
because, you know, if you take Taiwan out of the equation for a moment,
the use of Western technology is a sovereignty problem for China. Like, it's got to the point where your technology supply chain is so critical that reliance on an adversary's sort of, yeah, tech stack is just unacceptable from a sovereignty point of view. Now, I think probably one of the things driving this is because they're anticipating that they might wind up in a military conflict with the West over Taiwan.
But I still think even if that were not the case, doing something like this is probably prudent, right?
Unless you are in lockstep with the West.
I've just got so many feelings here.
But let me ask you too, what are their options?
If they're not going to use Intel and AMD, what can they actually use?
Well, obviously China has a giant technology industry.
Their ability to manufacture really high-end CPUs is still somewhat limited by access to fab tech.
We've seen American sanctions focusing on controlling access by China to the highest end, finest grade European fabrication technology.
But they do have a strong domestic tech industry.
There are a number of domestic CPUs,
most of which are based on ARM architectures,
like open architectures like ARM, like RISC-V.
We've seen some Chinese SPARC clones, like SPARC 9 era kind of CPUs.
So they're going to be running Linux on SPARC.
Well, they have a bunch of domestic SPARC. They have one x86-compatible processor on the list of approved vendors, and that's actually a subsidiary, or a company that's part-owned, a joint venture with VIA Technologies out of Taiwan, which made the, like, Centaur and Cyrix CPUs back in the days when they were a thing. So they've got downstream derivatives of old, you know, Cyrix and Centaur CPUs that are about, kind of, 2013 Intel Xeon-ish in performance.
So, I mean, that's acceptable, right, for an average office in the, you know, Ministry of Agriculture or whatever. Like, who cares?
Yeah, yeah. It's certainly not up to the modern AMD or Intel standards, but absolutely possible.
And especially if you're not running a super heavyweight operating system.
So they do have options.
The software options are less great, right?
There's a couple of Chinese Linux distributions, like a Debian-based one.
There's one maintained by some military university in China.
So Linux on the desktop
and all of the applications that have to come with that.
You know, that's a...
I mean, as someone who's run Linux on the desktop
for the better part of 25 years,
like, that's a...
It's a hard road, but you can do it.
Well, the other thing that I wonder, right, is that, like I was saying, okay, well, it's a matter of sovereignty and whatever, and dependence on a foreign tech stack controlled by major corporations in an, you know, adversary country. You know, are you really better off running Linux, though, right? Because it doesn't have the same level of, um, you know, it doesn't have the same level of QA. The supply chain for
open source software is fairly open to infiltration.
I mean, I keep thinking back to that Ben Hawkes talk a million years ago at KiwiCon, where he looked at how easy it is to introduce a memory corruption bug into an open source library in a way that someone reviewing your commit just wouldn't pick up on, right? So unless you're doing an insanely good job of monitoring everything that's going into the distro that you're using, you know, you could find yourself in a similar position to where you started.
Yeah, I mean, I think my gut feeling is that overall, if you were NSA, you know...
Yeah, would you be happy or sad about this?
You would be probably happy about this
because like, is it, you know,
certainly the equities conversations are easier.
Like if you're dealing with,
we've got a Windows zero day,
like they have to balance that equity
and decide whether or not it's worth
more defensively or offensively.
When we're talking Linux on the desktop bugs,
right, that's not,
that equities conversation
is way more straightforward.
So I would imagine if you were offensive cyber in the West,
the software side of this probably is going to make you happy.
Yeah.
If you're, you know, thinking like economically,
like this is, China is Intel's largest market.
It's 27%, I think, last year of Intel sales were into China.
So from an economic point of view, that's quite a big whack.
But I think the thing that really stood out to me about this is
China is sufficiently worried about what being,
you know, from a sovereignty point of view,
being dependent on someone else's tech stack means.
And at the same time, where does all our tech come from?
Where is it all made?
Where are all our computers actually manufactured? In China.
So why are we not as worried?
Yeah, I mean, this is a good question.
One deeply funny thing that I've just noticed is that you have, into this week's run sheet,
you've pasted a link from the China Information Technology
Security Evaluation Centre,
which is a Chinese government website
which lists a lot of what's allowed for use
and it doesn't support HTTPS.
Did you not notice that?
I actually had not noticed that, but that's...
Oh, dear, oh, dear.
I mean, some of these...
So I don't know. Maybe this really...
Like, with that in mind,
maybe this truly is a cork-popping moment
for our friends at Fort Meade.
I mean, maybe some of these CPUs
don't support crypto acceleration yet,
so you can't do HTTPS fast enough to serve it.
But yeah, I...
We had to turn off HTTPS
because it was slowing down the government.
Yes.
Dear, oh dear.
Yeah, so I don't know.
Like, this is a complicated and kind of a big issue.
Yeah.
Well, I mean, this is the cool thing is this is a big,
bold experiment from China that, you know, impacts them, not us.
I mean, it might impact Intel shareholders, but whatever, you know?
Yeah.
I mean, I feel like we probably made enough money out of that.
But, no, really, it's the, like, where does this go five years from now? Are we at the point where we have to build domestic manufacturing capability for all of our tech? Probably yes, right? Like, that's a big and very expensive pivot.
I don't know, man. I think that would be too far. I think that's perhaps being a little bit dramatic, like, if I'm going to be honest. But, you know, I think there's certainly going to be, you know, a need for more secure and assured supply chains for computers for certain uses, let's put it that way. But, um, you know, the average, like, farm machinery dealership, uh, in my part of Australia probably doesn't need a high, you know, a high-assurance supply chain for the CPU that goes into their computer.
Yeah, no, you're probably right. But, you know, it's just that kind of, like, the end of globalization, where we no longer all run the same tech stack or talk the same network or have the same operating systems. Like, that's a pretty big shift for the tech industry as a whole, I think.
True. Now, look, staying on the topic of chips, uh, we've seen a lot of headlines about some supposedly unpatchable vulnerability in, you know, Apple's M series of chips, M1, M2, M3. We've linked through to Dan Goodin's one here from Ars, his write-up on it. I really didn't
get a chance to look into this one, but, you know, what's the go here? Because I had someone ask me
about this on the weekend and I'm like, I don't know.
And I've been busy with a whole bunch of stuff.
So tell me like I'm an idiot.
Shouldn't be too hard.
So this is some research
into a micro architectural information leak,
side channel that affects cryptographic software
on Apple M processors.
The guts of it is there is a way to kind of observe
how prefetching by the CPU,
so when the CPU sees a particular pattern of activity in a program,
it might go and prefetch some contents of memory
so that it's indication fresh
when the CPU goes to actually use it.
And you can observe that kind of
cache state from another process on the same cluster of CPUs. And the academics in question have implemented the ability to steal cryptographic key material from other processes that are doing crypto operations. And this is very hard to fix because it's kind of intentional behavior, and fixing it, um, you know, you can work around it in software, but fixing it in hardware is kind of difficult. So it's a pretty impressive attack. But from a practicality point of view, you need to be running malicious code on, you know, on the CPU as a regular user, and then from there you can infer cryptographic key material. And it, you know, takes a while.
But are you getting key material
from like the TPM module
or the secure enclave
or whatever they call it?
No, this is from other processes
running on the CPU.
So yeah, because like the way you described it,
I'm like, well, this isn't allowing you
to elicit anything from the TPM.
So I mean, interaction with TPMs
are complicated. In theory, the keymat shouldn't be leaking out of the TPM when you're dealing with a TPM-backed thing, but there are other places where that's not... like, the TPM isn't necessarily involved. There's also a case where this only happens on the performance cores. So Apple M processors have performance cores and efficiency cores, and the efficiency cores don't have this cache prefetching optimization, so code running on those is not vulnerable.
So really what this gets you is, as you said, you can run this as user.
Yes. So really what this gets you is being able to do stuff as a user that normally you would only be able to do if you were, like, kernel-level access.
Yeah, if you're in kernel, then yes,
you could steal keymat from other places.
In this case, yeah, you can do it as a regular user.
And the worst case would be if you were doing it
like in a browser with JavaScript in one context
and stealing keymat for other things.
So it's an interesting attack.
It's great research in terms of practical,
like I'm not sure how much practical impact this is
other than it being a bit awks for Apple to have to think about.
And the mitigation options for this are, one, run all of your crypto code on the efficiency cores instead of the performance cores, which, given if it's only handling, you know, certain bits of important key processing, maybe that doesn't matter. Big picture, I imagine we will see Apple introduce an option where code can opt to turn this kind of prefetching off, so high security applications like OpenSSL
or whatever else could have that.
And there is a similar feature
on some Intel processors as well.
So we would, you know,
and it's not as easy to exploit as on Mac,
but, you know, turning off optimizations
during high security operations
is not a thing that's without precedent
in other environments.
Yeah.
I mean, we have seen that
with other Intel stuff before, right?
Yes.
And like putting, you know, gates around bits of code so they can't be optimized in certain
ways is not unusual.
Yeah.
Yeah.
I mean, we did see some fixes along those lines for some of these speculative execution
bombs, right?
Yeah.
Yeah.
Exactly.
Now, let's talk about Russia dropping wipers on Ukrainian telcos because it's something that they're doing a lot of at the moment.
But I want to first talk about some comments by General James Hecker,
who is the head of US Air Forces in Europe.
And he said, and I mean, you know,
I don't know if anyone else has sort of confirmed this,
but he did this talk where he's talking about how Ukrainians
have taken thousands of cellular phones,
rigged them up to microphones
and put them on poles all around the country
and is using them to detect those Iranian Shahed drones
because they sound like flying lawnmowers.
So they're using them to do like acoustic,
I think the Ukrainians actually call them mopeds, like flying mopeds, because they're just, you know, they're not, they're not subtle and they move pretty slow. So they can actually, with a network of these things, they can actually infer headings and then send mobile crews to go shoot them down with, like, smaller anti-aircraft guns, right? So that saves them a lot of Patriot missile, uh, you know, the PAC-2 interceptors or whatever. They're very expensive per unit.
So there was a sort of real cost asymmetry there.
But this is fascinating, the idea that you could just use a bunch of smartphones on sticks to have an acoustic sensor network that could, you know, really help you mitigate the risks posed by these drones. And, you know, it might explain, uh, why Russia has really stepped up its campaign to drop wipers on Ukrainian telcos.
Yeah, that's... it's a really interesting link, that one, because I hadn't really put those... like, when you told me about this mobile phone listening thing, I thought, that's cool tech, and there's some kind of precedent for doing acoustic listening. Like, before radar was developed, the British were doing this to detect German aircraft and bombers and things coming across the English Channel.
But yeah, like the link between this and mobile phone,
like mobile network wiping,
that was not one I had made until you pointed it out.
To be clear, this is purely speculative on my part.
I mean, you know, the Russians haven't shown themselves to be particularly strategic in all of this.
But, you know, I do wonder if that's why, you know,
that's a capability that you would want to shut down
because these Shahids, they're all getting shot down,
which, you know, would be frustrating, I'd imagine, for the Russians.
Yeah, I think General Hecker has said, like, in one recent attack,
84 drones came in and 80 of them were shot down
by cheap anti-aircraft
weapons, as opposed to, as you said, expensive missiles. And so, like, if Russia had made that connection, then targeting the mobile network would be super smart. As you say, that's not necessarily their MO, but either way, we have seen, you know, renewed targeting of Ukrainian mobile networks. We saw, what, four different mobile operators in Ukraine
having wipers dropped on them
and this was, I think, maybe we mentioned
it on the show a couple of weeks back or at the
very least it was in Catalin's
The updated malware, we did talk about
that. Yeah, the updated version
of the wiper that was used
in Viasat, now supporting other
architectures and being used inside
telcos in Ukraine.
So wiping the guts of a telco,
especially embedded systems in a telco,
like got to be such a pain in the ass.
Yeah, to go and like figure out
how to get the firmware images back onto those things.
Yeah, exactly.
And especially, I mean, telcos have loads of old gear
that may be out of support or, you know,
it's not always straightforward.
So like Ukraine's been very-
You're downloading some firmware
image off a torrent or some weird, sketchy Chinese site for some matter, you know, like... I know, yeah, I know.
Yeah, you're downloading it off some URL that doesn't even have a domain name. It's like an IP slash whatever.
Yeah, yeah, someone's FTP server in the middle of nowhere.
Yeah, yeah, it's not, it's not a great time, you know. Bob's, you know, Bob's hobby collection of historical firmwares.
Yes, exactly.
Hosted on FTP.
Yeah.
I mean, Ukraine's showed itself to be very resilient
at getting this kind of stuff back up and running
without too much fuss.
But man, I feel for all of the people doing that recovery work
because it's just, it's going to be a long and very tiresome,
you know, a couple of weeks at the office.
Yeah, I mean, the sense I get is that Ukraine's security
is about what you'd expect, you know, for any kind of country
with an economy developed to that extent.
You know, perhaps a little better, I'm not sure.
But yeah, again, you really do get the impression that the thing that they do well is the rebuilding stuff, which is real funny because you can imagine, like, you know,
you're tasked with causing a country grief
and you've found plenty of vulns, you've found plenty of ways in
and you keep nuking their stuff and then it just bounces back
like one of those, you know, one of those things you punch
and it just comes back on.
Exactly, yeah, exactly.
So, I mean, yeah, our hats are off to everybody in Ukraine
frantically rebuilding telcos systems all day every day
because someone's harming it.
Yeah, they're probably going to wind up with their own firmware archives
that they can stick on their own FTP server.
We can all use it one day.
Oh, dear.
And, look, staying on Russia-Ukraine stuff,
there's a new bunch of sanctions from the US Treasury Department
and, interestingly enough, I mean, this is all sanctions evasion stuff that these firms are being accused of, but there's definitely a cryptocurrency nexus with a lot of this stuff.
Yeah, uh, the US have sanctioned 13 Russian-linked fintech companies, most of which, like, fintech in this case is a euphemism for cryptocurrency, that have been involved in circumventing the various sanctions, providing Russia a way to move money in and out and around and pay for things. And it's, you know, apropos of that conversation around, you know, Chinese communists using free software to oppress people, it's kind of funny that, you know, cryptocurrency, which was also a way for libertarians to avoid paying taxes or whatever else, is also being used to now fund a dictatorship and extreme regime like in Russia.
So I guess we have to think before we build some things
out of computers, don't we?
Funnily enough, I did see something the other day,
and I'm going to have to fact-check this before the show goes out,
but SWIFT, the giant payments network globally, is actually building support for central bank, uh, cryptocurrencies, which I find very interesting. I'm guessing central bank cryptocurrencies won't be like the cryptocurrencies we've got now, where if you stole them you have them and that's it forever. I'm guessing you will be able to zero them out once they're gone. But it's, yeah, it's a real interesting thing
that finally blockchain is actually going to be used
in transactions that are legit.
And all it takes is a central bank.
Who thought that centralised financial systems
were the right way to do it?
Yeah, the Bitcoiners listening to this
are probably weeping and raging in equal measure
hearing us say that that's cool.
Yeah, they're busy crying over that
and all of their apes.
Yeah, I'm with you.
And in what I promise is our last cryptocurrency story of the week,
walk us through all of this crazy stuff that is happening in Nigeria with Binance.
So Nigeria as a country has been a place that has adopted cryptocurrencies a lot more than most.
And that's in part because there's a, you know, kind of a computer crime underground.
There's plenty of experience with computer crime and with cryptocurrency in facilitating crime.
But also because the main fiat currency in Nigeria has been really unstable.
There's been massive inflation.
There's been all sorts of problems, uh, since they unhooked, you know, let their exchange rate float relative to other currencies. And many Nigerians, ironically, saw cryptocurrency, and especially, like, the US dollar-pegged cryptocurrencies, as a safer place to put their money than the actual national currency.
I mean, if you're living in a place with a really volatile currency that's headed to the toilet, I mean, I would think Tethers is, I mean, as shonky as they are, yeah, still going to be a better place to put your cash.
I mean, it's a relative metric, and if that relative metric is good, then, yeah, go for it. So there's quite widespread use of crypto in Nigeria. The Nigerian government, you know, is in all sorts of financial troubles
overall. And they've been looking at ways to try and, you know, kind of counter the widespread use
of cryptocurrency and make themselves some money in the process. Binance is huge in Nigeria. It's
one of the main players there. And a couple of Binance employees were actually in Nigeria
to meet with the Nigerian government
and talk about some of the ways
that they could work together to, you know, blah, blah, blah.
And the Nigerian government actually arrested two Binance execs.
One of them is a guy that used to work
for the US Internal Revenue Service
as a cryptocurrency investigator.
Did a bunch of the pioneering work
on helping the IRS investigate crypto and track people down and get paid.
And so they are essentially being held hostage by the Nigerian government to try and, you know, get a whole bunch of money out of Binance.
And, you know, they were looking at the huge fines levied on Binance in the US and going, hey, we wouldn't mind some of those billions too. Um, so, like, that's already a pretty horrible situation. Then one of the Binance guys escaped Nigerian custody and fled back to Kenya, leaving the other guy, that used to be the IRS investigator, by himself as their kind of, like, sole hostage. And, like, what a wild situation, that we have a, you know, ex-American cryptocurrency investigator who now works for Binance being held hostage in Nigeria because the state is trying to shake down Binance for a few billion dollars.
I mean, that's the thing, right? Like, you know, is it a shakedown, or do they have a legitimate point that if everyone starts using Tethers instead of the domestic currency, the domestic currency will never recover? You know, I suspect you're right and that it's just a shakedown.
Yeah, I mean, it seems that way, but I mean, who can really, who can really say? Like, we're not experts in, uh, in what's going on in Nigeria, but certainly the way that it reads does not feel great. And I feel sorry for the guy's kids, who... This guy's an American citizen. And, you know, his kids are back in the US.
Oh, man, there's guaranteed a bunch of State Department meetings
happening about this and lots of lobbying and diplomacy.
And, you know, in cases like this,
you find that the most sensible thing you could do
is not talk about that publicly,
which is why every time some dual Chinese-Australian citizen
gets arrested for writing a, you know, edgy blog post in China, the government doesn't talk about it a lot.
But there's always that lobbying happening in the background.
Yeah, so I'm sure, I hope the State Department are involved, because it's pretty rude and I feel sorry for the guy's wife and kids stuck back at home.
So hopefully they can figure that out.
And that story, of course, was on The Record, and we've linked through to it in this week's show notes.
Now let's talk about the antitrust action against Apple over its, over its App Store. I think it's a, you know, it's a decent action making some good points, which is that Apple is engaging in anti-competitive behavior. I mean, the amount of money it makes out of its App Store is just mind-boggling. I think it's anywhere between sort of 70 and 90 billion dollars a year, right? That's how much they make. But, you know, Apple's always said, no, we need to charge fees so that we can ensure a secure marketplace and whatever. Do you think they're spending $90 billion a year on security? Probably not. I don't know that that's a particularly
solid argument, but there are elements of the DOJ's complaint here that feel a little nuts.
I know you've had a decent look at this, but give me your feelings on it.
So like the app store side of things,
like, yes, I think you're right.
They don't spend $90 billion a year on security.
And much as I would prefer an app store
that is a slightly more closed ecosystem
and slightly safer,
which I feel like Apple has delivered
versus the mess that's the Android app store,
you know, big picture,
does Apple do everything that it could?
Like, does it prioritize
user security and, you know, people's privacy and security over making money consistently? Probably not, right? There are areas where they think they do a good job. One of the ones that's a little bit weird in this, in this story is the case of end-to-end iMessage crypto. So the DOJ is arguing that this is anti-competitive
because Apple doesn't make iMessage available
on other platforms.
You can't run up iMessage on an Android phone
and securely message your Apple friends.
You end up falling back to SMS
and that's not very nice.
Whether or not that's...
That one feels like a stretch to me as well, right? Because that all hangs off iCloud accounts, and, you know, if you start letting third-party apps into the guts of your messaging system, I understand why Apple wouldn't want to do that, right? And you could use WhatsApp, you can use Signal, there are plenty of options for cross-platform messaging. I don't think it's right, necessarily, to force Apple to do that.
But I also think, well, if WhatsApp and Signal can do it safely,
why can't Apple?
And maybe they've got a point.
Yeah, I mean, in the end, Apple's core pitch is that
their highly integrated ecosystem is better
because it's highly integrated
and because they can make a deal with those things.
And everyone who's ever owned an Apple product knows that once you get your first Apple product, buying the second and third and fourth Apple product is really easy. And once you're in that ecosystem, getting out of it is quite difficult, because all of a sudden you have to throw away your watch and your iPad and your HomePod and your, you know... Once you're in that world, it's hard. And, you know, there is a, there is a logic to that. But on the other hand, I don't know that there are other vendors that have publicly linked privacy and security to their public image, you know, like Apple, and also to their business model pretty heavily. And that's the thing that I find... I've always rolled my eyes
when Apple's like, no, no, we can't allow other, you know,
and I don't mind that they don't allow other stores.
That's fine.
The thing that I have a problem with is that they're essentially
ripping off developers, right, by clipping the ticket
to the tune of 30% in the name of security, you know,
pulling in $90 billion a year gross revenue in
their app store. That's just, I mean, it just, it's wrong. Yeah. And if you compare to the other
platforms and we've seen it, you know, the way that Apple controls like in-app subscriptions
and purchases, that feels a bit, a bit gross. Like if I download the Amazon Kindle app to read on my,
you know, read a book on my phone, I can't use the Amazon store in-app,
right? I have to go to a separate Amazon website and do it. And that's purely because Apple wants
to clip the ticket, Amazon doesn't want to let them clip the ticket, and that's a bad user
experience. And, you know, Apple does make a lot of money and they charge a premium for their
products. And as you say, they probably don't spend all of it that they are gatekeeping there on, on security. And honestly, like, for me, the solution I would like is that they keep making 30 billion dollars, whatever it is, a year, and then they spend all of it on security. That would be nice. But I don't know that they're going to spend 90 billion dollars a year on the, on the security of the App Store. But I mean, ultimately, where we might wind up with this is the government forcing Apple to allow third-party stores, and I'm not sure that that's really the outcome that anyone wants. I mean, what I would really like is for Apple just to charge developers less. Just stop, stop ripping off developers, and then everybody's happy.
Yeah, I mean, the, the path that the EU seems to be trying to go down, or forcing them to have a separate app store, like that's, that seems to me like a terrible idea. I do think they could ease off on the, on the royalties, on, on their percentage in the app stores. But what if, what if Amazon launched an iOS app store? Would you use it?
No, I wouldn't.
Even if it was much, much cheaper? Even if things there were 20% cheaper, you wouldn't switch?
No, probably not, because I buy Apple stuff because I'm willing to spend the premium to have a more robust experience. And of course, I'm not, you know, I'm privileged in that respect, that I can afford to.
But look at Mr. High Roller over here.
Paying his extra 30% like it ain't no thing.
I mean, it's, you know, in the end,
how much I spend in the app store is a pretty small, you know,
amount of my tech spend.
I mean, I spend more on chocolate than I do on apps, right?
Yeah, exactly, right?
So, and I'm willing to, you know,
do I want the cheap chocolate that cuts corners, you know, on quality of the ingredients
or do I want the expensive, tasty, you know, finest Swiss chocolate?
It's real funny, isn't it, though?
And this has occurred to me before that you'll think nothing
of going out and buying like an $8 beer, you know, several times over.
But when someone wants to charge $4 for an app,
you're like, whoa, easy there, buddy.
You know, what do you think I am, made of money?
Yeah, exactly, right?
And craft beer, even more expensive.
So, you know.
Yeah.
Anyway, moving on, I want to talk about a story
that's getting a lot of play, which is this,
and I believe it's sort of being misinterpreted
by people who are reading about it, right?
And the story is that Facebook broke Snapchat's encryption
to understand how Snapchat users were using the app.
And you think, well, hang on, they broke the encryption?
The sort of imputation is that Facebook did some sort of hack to Snapchat and was able to monitor people.
It's not really what happened.
Like what they did is they came up with some package that people could install on their smartphones, which would do a
person in the middle and send a bunch of telemetry to Facebook. But then they recruited people and
offered them incentives to participate in this. And it was really like a market research thing.
They've been accused of like anti-competitive conduct and whatever. I got nothing to say on
that because it's about duplication of features and doing this sort of underhanded thing.
The only reason I wanted to talk about it is that I think people might be under the impression that their communications over Snap were somehow compromised, when that's really not what happened here.
No, Facebook makes, like, a VPN kind of product, which they'd acquired, called Onavo, and that particular team was tasked with implementing Snapchat interception on device. So you install the app, and then it would, you know, use SSL certificates, like install fake certificates or a fake CA or whatever in the cert store, so that they could then locally person-in-the-middle the Snapchat comms and then analyze it, send it back to Facebook for them. I mean, you know, just a bit of...
Install a few certs, do a couple of hard-coded domains?
Yeah, yeah, exactly, exactly. Snapchat, the app itself, actually has a bunch of anti-disassembly and, and things to try and prevent this sort of shenanigans. But yeah, clearly they did the work, and then they were, you know, kind of having this installed by people as sort of a research tool where they were paying you to run the Onavo app on your device.
So a bit sneaky and as market research goes, not super great.
There was actually an email in this court case from Meta's former CTO saying that if we ever found out that someone had done
this to WhatsApp, we'd be really upset. So it's a little bit hard to take your own medicine there,
Facebook, perhaps. But yeah, not broken on the internet like some of the reporting has suggested.
Yeah, I mean, the headline here, this is the Business Insider one, is Mark Zuckerberg told
Facebook execs to figure out how to track encrypted usage on rival apps like Snap and YouTube, unsealed documents show.
And it's like, yeah, that's technically true, but it might be leaving a bit of an inaccurate impression, I guess.
Yeah, yeah, exactly.
Now let's talk about what's going on in the old Python ecosystem, Adam.
Catalin Cimpanu has some reporting on this for us,
which is going out today.
But yeah, fun stuff.
Yes.
So Catalin linked me through to a report from Checkmarx
into a supply chain attack in the Python ecosystem.
And we've certainly seen supply chain attacks before.
In this case, it was like a fake,
some malicious packages in the PyPI package repository.
But what was interesting about this one is, A, that it was relatively successful, and
B, it's a very polished campaign.
So some developer accounts were compromised.
It looks like they had their cookies stolen, probably from a browser plugin or something
that was malicious.
That was used to gain access to GitHub, and then a bunch of extra dependencies were added to projects that would pull in trojan packages. And those changes were made, and the trojan packages themselves were pretty cunning. So, like, for example, using a requirements.txt file that lists dependencies and having a whole bunch of, like, horizontal white space at the end of the file to make the malicious bit kind of scrolled off the side of your browser when you're looking at it. So, like, things like that to just kind of make it a bit sneaky. And then onwards into access to... There was some guy that had a big Discord community that got his GitHub compromised, and onwards to compromise of people using that service.
It smelt North Korea. That's the thing about this, that we haven't seen any formal attribution from anyone, but it's just, like, the level of polish and the real-worldness of it just made me think this smells like DPRK, once again up in people's cryptos, stealing their stuff,
going about their business to fund their weapons programs.
Now let's talk about ZenHammer, Adam. This is, like, a Rowhammer-style attack that affects AMD Zen-based platforms.
I mean, yeah, it's kind of literal Rowhammer. It's a bunch of work from ETH Zurich looking into the applicability of Rowhammer on AMD platforms. In the past,
AMD's architecture has just been a little bit more difficult to implement Rowhammer-style
memory flipping, bit flipping and memory attacks. These researchers have sat down and done the hard
work and looking through their paper, it looks like it would have been a bunch of hard work,
a lot of maths and stats to be able to pull it together. But yeah, they've implemented Rowhammer on AMD Zen 2 and Zen 3 systems with DDR4 memory, and they've also implemented it on DDR5 memory. And I don't think that we have seen Rowhammer-style bit flipping attacks on DDR5 before. So a pretty kind of solid advancement of the, you know, of our understanding of Rowhammer-style attacks, making it kind of practical on AMD systems.
AMD got told about their research and are working on some mitigations,
but we kind of understand how to deal
with Rowhammer-style things and how effective we can be.
But yeah, they've done hard work to make it real
on a wider range of systems,
so good job to them, I guess.
Yeah.
We've got a funny story here.
I guess this is more of a reading list item
for those who want to go and check it out.
But there's a story here on Wired
about a guy in Denmark who's been sentenced
to a short stint in prison
and forced to give up a bunch of money
because he was doing like streaming fraud
where he was putting, what was it, like fake music on streaming platforms
and then forcing listens or something and wound up making like 290 grand?
Yeah, like he was uploading, like he'd take like Danish folk music
and then like alter the tempo a little bit or, you know, stretch it or whatever,
upload it and then make bots stream it.
And he was the 46th highest earning musician in Denmark
as a result of this, which is, you know,
like that's some dedication to the bit.
But maybe he flew a little too close to the sun.
I think maybe he did.
Like I guess maybe artists in Denmark don't get paid a whole bunch
because like he only made like what, 2 million Danish kroner,
which is about 300,000 US dollars.
So yeah, I guess artists in Denmark, not well paid.
But yeah, he's been snapped.
And funnily enough, he got snapped because some of the artists, the real artists whose
music he had kind of taken and then adjusted so that it didn't trigger the fingerprinting,
some of them spotted it and made a fuss.
Whereas normally this probably would have just been like,
it would have been blocked by Spotify, whoever,
and they would have forgotten about it.
So yeah, funny story.
And I'm just amazed that, yeah, he managed to pull it off.
You do wonder how much of this sort of thing happens
that goes undetected, right?
Because the late Dan Kaminsky, I mean,
his whole business was around the sort of ad fraud stuff.
And this is sort of adjacent to that.
Yeah, yeah, exactly.
Like, you've got to wonder how, quite how much of this happens,
because it's got to be a lot.
And it's not that difficult to rig up a bunch of accounts and run fake streams.
And, you know, the streaming services are not super well incentivized to go fix it.
Like, what do they really care when it's such small bickies overall,
you know, any individual fraudster. So yeah, the amount of, the amount of click fraud happening on Twitter is actually quite high these days, which is interesting. So then, when you measure the click-throughs from Twitter ads, there's been some work done on that, the proportion that are, you know, not real is quite high.
It's real funny what's happening over there. I, I actually am getting marketed to by Twitter, as in, like, be an advertiser, and now they're doing this whole thing where you can have 4,000 keywords that you can choose to block, so you don't appear adjacent to those keywords. And I don't think they really understand that the problem isn't adjacency when it comes to advertising on a platform like that. The problem is the dominant stuff that's promoted is quite awful.
So anyway, sorry, that's a complete sidetrack comment.
But it is interesting watching Twitter sort of go, oh, crap,
you know, we have to sell some ads.
Let's introduce these brand safety features that are just
completely unsatisfactory and aren't going to do anything.
But anyway.
That whole platform is basically just fraudulent now. So, yeah, it's kind of hard to... Just the amount of absolutely insane stuff that gets shoved in front of you now. I definitely spent a lot less time there.
Now, last week, just as we were starting to record the show, there was this news story that an Apex Legends gaming tournament, two participants in it, like, they were live streaming and they got hacked. Like, someone inserted, like, cheating modules into their systems while they were playing. So, you know, you're seeing these streams and all of a sudden, like, you know, a lot of cheat stuff is appearing on their display, like showing them where other players are and whatever, and information that should be hidden. And both these players, like, whoa, hey, I've been hacked, you know, there's something going on here. It really wasn't clear what had happened,
which is why we didn't talk about it last week.
But we've got a bit more detail now.
Lorenzo's written this up for TechCrunch
and it comes down to someone did it for lols.
The thing that I find interesting about it though
is the person who did it
is not telling the game maker how.
They're basically saying,
well, you figure it out,
but says that it's entirely, like, an in-game exploit, which... cool.
Yeah, I mean, we've talked a bunch of times over the years about how scenes other than computer hacking have great hacking in them, you know, whether it's mod chippers or pirates...
Yeah.
Jailbreakers, or anti-cheat.
Yeah. And so, like, yeah, seeing this happen in the gaming world is always pretty funny. This guy, Destroyer2009, was talking to TechCrunch about his hack and said, yeah, he had some kind of bug that got him, like, it sounds like code exec, and he only used it inside the context of the game process, and then used that to load cheats and, and have some fun and mess with people. And he did say, like, whilst he hadn't told Respawn, the, the developer of Apex Legends, about the specifics of the bug, that he had not gone outside the process into the people's computers and hacked them properly, like that it was contained and that he was trying to be somewhat respectful of them. And actually the two players that he picked to hack, apparently he chose because they were nice guys, good sports, and that he liked them. So yeah, it was definitely a case of...
That's odd logic, but sure, you know.
Yeah, it's a case of, like, for the lols. Actually, thinking about some of these things is perhaps above average for a, you know, for a for-the-lols hacker. The developers at Respawn are obviously scrambling
to try and figure out what's going on,
and some of them are posting some of their feelings about it.
But overall, it's just a really interesting story
and warms my heart in a way that there are still kids out there
doing it for the LOLs and not all getting rich and doing crimes.
Yeah, I mean, this guy said they know how to patch it
without anyone reporting it to them.
What I'm interested, though,
is how he managed to deploy this to the endpoints, right?
That's the bit that I am curious about,
and I'm guessing it's got to be something through the lobby or whatever.
It's got to be something cool.
Yeah, yeah.
I mean, I guess these things are...
Games are multiplayers with a network integrated.
He must have found some way to figure out
where the gamers are,
so perhaps through the lobby system where IPs are shared.
No, it's got to be an association with their username.
Yeah, so some way to be able to get through,
figure out where they are,
deliver messages to them,
whether it's in-game through a lobby,
through a chat system,
or whether it's direct over the network
or whatever it is, we don't really know.
But either way, solid work.
Yeah, definitely.
A hundred percent.
And mate, with that,
that is it for this week's news segment.
Adam Boileau, thank you so much for joining me
to have the conversation as always.
A real pleasure, my friend.
And we'll do it all again next week.
Yeah, thanks very much, Pat.
I will talk to you then.
That was Adam Boileau there with a look at the week's security news headlines.
It is time for this week's sponsor interview now
with Haroon Meer, the founder of Thinkst Canary.
Thinkst makes hardware honeypots
that you can sprinkle around in your environment.
They can pretend to be basically anything you like. And then when someone starts interacting
with them, you know you have an attacker on your network. And that was really the big innovation
here when they were new, which was the idea of putting honeypots on the inside of your
environment, not on the outside. Thinkst Canary also runs a bunch of infrastructure that lets
you easily spin up Canary tokens, and they integrate the hardware stuff
with the Canary token stuff in their console.
It's great.
Lots of people use it.
Everybody's happy.
And you can find them at canary.tools, right?
So throughout Thinkst Canary's 10-year history,
Haroon has really resisted the temptation to raise VC
and turn Thinkst into a major vendor.
And it's really a mentality and mindset thing.
And he's going to talk about that.
It's like a reflection on 10 years of Thinkst.
So I'll drop you in here where Haroon says,
some startups have a tendency to fixate on the wrong stuff.
So here he is.
I think people make a mistake
when they start over-indexing on the shininess of the new problem
instead of, well, we'll catch it when these problems,
when they start to settle and when they start. I think largely it's a question of which companies
get the headlines and which companies get the funding over a particular period. If, if we had to say, over the last 10 years, for us, catching attackers has become fashionable. Like, when we started, for, for a period, we still had to convince people that assume breach was important. We'd have people telling us, people, people used to think that that was, like, a defeatist attitude, right? Like, we're not gonna, we're not gonna install something that's gonna tell us when we're gonna get, when we got owned. We're just not gonna get owned. And it's exactly right. You can understand why people would think that way back then. But now you just want to, you know, hop in a time machine, go back and muss their hair and just say, oh yeah, you sweet summer child.
Yeah. So I think that's one of the big things. I think more people have come around to the thing that says detecting attackers is important.
You need to know when badness is happening.
Sadly, it's funny, because when we started Canary, you and I had quite a few chats on the hope for new-style product companies. Because, like, we were out and the Signal Sciences guys were out, Duo were out, Senrio were out. And when you think about it now, it was the start of us talking about hacker-led companies and whether these will start making a big dent in the field. And I'm less bullish on it now than I was then. Like, I certainly see some...
See, I'm not, and that's probably because I'm up to my ears in high-quality startups 24-7, but I'm quite bullish, actually.
So I'll tell you, I'll qualify it.
I certainly think hacker-led companies are still great.
You see Andrew with GreyNoise.
You see HD and team with Rumble, all of that stuff.
So I'm still fully for it.
I still spend lots of time convincing hacker friends to start companies.
But over the last 10 years, what I've also seen is lots of people figure out that that's a good marketing ploy.
And so you see lots of companies dress up like hacker run companies now because it gives a sense of authenticity.
And so what you end up with is just a new style of growth hacking that says, this is how you should talk authentic.
And this is how you should act authentic when actually you're not.
Name names and I'll name names and I'll bleep them out.
I'll bleep them out, I promise.
So instead of names, I'll tell you behaviors.
One of the behaviors that you see happen a lot more now is a type of astroturfing,
where people push investors, friends to say, hey, say cool stuff
about us on Twitter or say cool stuff about us. You actually get it from quite a few people.
It's quite common now to get a spreadsheet from people saying, we're doing this. You can say these
things about us. You can go on and say these nice things about us. And again, for me, the whole point was to do stuff that was cool enough that other people would want to talk about you.
Because if you did it, it's a natural forcing function that nudges you to do the right thing.
If you do the right thing, people will speak about you.
And if you don't, it's a reminder that says, well, maybe what you're doing isn't that cool yet.
And maybe you should. And so there's lots of things like that that have kind of seeped into
the marketplace a little bit. And it's interesting because we started off talking about how
technology flaws coalesce the same way because of human nature, the way companies are run end up going the same
way because of human nature. Like there's such predictable patterns with companies where they're
young and they're hot, they're edgy, they try new things, they make new products, they get old and
stodgy, they stop making new things. And all of this is because that's natural behavior inside companies. Like you import, you start getting in
quality management and quality management optimized for the top and the right. And they're not
sweating the details on all of the copy in their ads anymore. Or they're not sweating the details
on should this really be three steps, or can this be one step for the user of the software? And the software starts to get old and creaky, because now you've got people just pushing out features a certain way. And, and for us in the company, one of the, the biggest challenges over the last, I'd say, two years has been how to fight that doggedly. And it's funny because initially,
you think you're getting it right because you're so brilliant. And of course, you're getting it
right because it's you and six of your friends, and everyone thinks exactly the same way.
And at every stage, as you grow the company, you've got to put in deliberate effort to say, no, this is what matters.
This is how we do this.
And you keep thinking you've solved it, except every time your company hits an inflection point, you realize you have to resolve that in a way because there's new people and new people are optimizing for different things. And again, because no podcast chat with us
goes without me praising Apple. It's one of the things that I think they've managed to do
impressively, which is as a company to still have people care about a set of things about the
product that still manages to shine through. And I think in InfoSec or with security products,
it's one of the things I feel we don't see enough of,
which is deep care of the product that survives a certain size.
Because I think you get, specifically in our industry, you get products that the people that you know,
who would have seen this a few times, right? When I get these babby little startups who come with me
and we've got the whole risky business life cycle
of startups these days, right?
Right.
So the best time for people to join us is around series A, right?
Because my joke is my internal like slogan,
we'll get you from A to B, right?
So if someone's got a good product,
they want to get from that sort of series A phase to series B, you know, we can really help get them there. And then from there, they tend to hang around, because it's like loyalty spend at that point. But, you know, we're kind of less relevant to a, to a series B company, because they're doing that whole thing of up and to the right and big marketing teams and sales operations and whatever. And hey, they're still going to sell some stuff through Risky Biz, it's good ROI and whatever,
but it's not existential that they're with us anymore, right?
And then they get acquired by some monstrous organization.
We get kicked to someone in marketing
who eventually resigns
and then nobody in there remembers who we are
and we just get another sponsor.
So it is, you know, I have seen this a million times
is what I'm saying, Haroon.
I am very, very familiar with this process.
I am so with you.
And the thing that's interesting-
It is how babby is formed.
It is how babby is formed.
It totally is.
And interestingly, recently I had this chat with Ross, who's this guy.
Recently, he's been putting out lots of thought pieces on Venture in Security and stuff like that.
And he was talking about my constant fights with VC was bootstrapping. And this process that you just
described is one that plays out consistently, but it's one of those things that I think is a bug,
not a feature. Like it happens consistently, but I think what happens with that process
is a lack of focus on the product. And by product, I mean the customers being served.
And again, it's a very natural process. It's absolutely the natural thing that at some point,
the founder was talking to you and doing the RB interview
and that graduates over time to the founder is now doing other stuff. But what's interesting for me...
The founder is now relaxing on a boat in the Mediterranean.
So yeah, so interestingly, like that's the last stage for lots of people. But what interests me
is even the stage before that, when the founder thinks he's still working, he's just not doing the same stuff.
Like he's graduated.
I mean, I've had this conversation as well.
I mean, with people like Ryan Permeh, who I've known for a long time and he founded Cylance.
And him telling me, like I remember the first time he got into the elevator at work and he had no idea who the person standing next to him was, but he was pretty sure he worked there.
So this is a thing that happens.
No, it's exactly that.
But what's interesting for me or the thing that I really want that we're really trying to get right with things.
And again, largely stealing from the Apple model is Apple managed.
So you'll see these horror stories of people having to do a product demo for Jobs and his upper echelon team.
And he's literally going like, is this keyboard big enough?
Like, does this feel natural when I use it?
And what you see is, and make no mistake, he's making bajillions and parking his S-Class in handicap parking.
So none of it is a fairy tale. But what's interesting is
they've managed to create a culture that says, as long as you're building the product that we're
still proud of, that matters. And so he's graduated in many cases, like he's a founder and he's now earning bajillions, but they manage to still
focus on the product matters. And by extension, then the customers matter because that's the
thing that the customers are exchanging money for. And I think part of that thing, founders need to
desperately fight. And it's really hard for them to fight because it's not someone evil pushing you in
that direction. It's just circumstances. More development is being done. More engineering is
coming in. You can't touch every part of the product. You can't touch every part of the company.
And for us, the thing that we actively try very hard to keep is the reminder in the whole org that that's
the stuff that matters. And the thing that we feel you can steal, and I know this will annoy
lots of the Apple fanboys, but hey, I picked a side long ago, the thing that says actually as
a company you grow so that everyone at every stage knows that's what we're going to judge the product on.
So, you know, it's funny.
It's a funny conversation for me because, you know, I've reached the point with Risky Business where I don't want to scale it anymore.
And the reason I don't want to scale it anymore is because it will be very difficult to maintain the quality of the product if we scale it up anymore.
So this is the interesting thing.
And again, why I like Apple is because they showed
us that you can be a trillion dollar company and still do that. Can I be a trillion dollar company?
That'd be nice. But again, I think it's important because previously people would fight the
dichotomy by saying either you want to be artisanal and care about your 10 customers, or you want to actually scale
and make a difference. And what we feel strongly is that you can do both because you still have
growth if your product is good. The other day, I retweeted this tweet where someone said,
you're doing sales because you're bad at marketing. You're doing marketing because you're bad at product.
And we genuinely believe that, that we can choose to focus on those other things because that's the normal part.
Or we can hold on to our belief that if we keep focusing on the product, that other stuff will come naturally.
This doesn't count as marketing?
Come on.
Oh, no, no, no.
So, again, I think we do some of it. And even the blog posts that we do and stuff like that is important marketing.
But again, you'll notice all of it for us will hinge very tightly on this is our product.
This is our product working.
And so we'll never be out talking, here's a partnership we did,
here's a new funding round we did. Because those things show company growth, but not product growth.
And I'm with you 100%. So hang on, let me just, you know, because we're kind of running over time
at this point, right? So, you know, you've gone from founding 10 years later, how many people
work for Thinkst now? 42. 42? Yeah. So what's the plan in another 10 years? Yeah, that's how many people will be working for Thinkst in
another 10 years, and will you be able to hold your products to the same standard that you do now?
Oh, so let's put it on the record and you can look this up in 10 years. Yeah, yeah. So, I
absolutely... So we almost never have
people count targets, right? So we base our targets on what we are trying to do.
I'm not saying a target. I'm not asking for a target. I'm asking for a prediction. Very different.
Yeah, that's interesting. So in another 10 years, I could see us being twice our size people-wise, which again is much lower than
the rates of growth for lots of people. But I can tell you, if we are not deeply focused on
the product, then I won't be there. And Marco won't be there. Like, we stick around
because for us, the joy is seeing the product work.
Amen to that.
A pleasure to chat to you as always.
Probably people don't know every time that Haroon and I do one of these, we usually start about an hour before we hit record and just catch up.
So I always look forward to our scheduled sessions, mate.
And yeah, look forward to the next one.
Cheers.
Always cool, Pat.
Bye.
That was Haroon Meer from Thinkst Canary there with a chat about building a product-focused company that isn't trying to immediately list on the NASDAQ. Big thanks to him for that. You,
of course, can find them at canary.tools. And that is it for today's show. I do hope you enjoyed it.
I'll be back with more Risky Business soon. But until then, I've been Patrick Gray. Thanks for
listening.