Software Huddle - reInvent BTS, Sam Altman, SEC on Solarwinds, Apple RCS, and more

Episode Date: November 28, 2023

Our special episode is back, and we have a special guest this time. Join Sean, Alex & Merritt in this fun conversation.

Timestamps:
00:00 Introduction
01:19 What is a CISO
08:10 Balance of Power
13:50 reInvent BTS
19:45 Sam Altman
32:29 SEC & SolarWinds
38:40 iPhones will support RCS
49:04 Meet us at reInvent

Links:
Factors to consider in relation to the SEC Materiality Framework https://www.lacework.com/resource/sec-materiality-framework.html
OpenAI announces leadership transition https://openai.com/blog/openai-announces-leadership-transition
AWS reInvent 2023 https://reinvent.awsevents.com/

Follow Merritt: https://twitter.com/MerrittBaer
Follow Alex: https://twitter.com/alexbdebrie
Follow Sean: https://twitter.com/seanfalconer

Transcript
Starting point is 00:00:00 Hello and welcome to Software Huddle. This is Sean Falconer and I'm here with my co-host Alex DeBrie. Alex, how are you? I know you've been down for the count recently. Yeah, I've got my usual, you know, pre-Thanksgiving cold and sort of regaining my voice, but you know, I'm here, I'm excited. Yeah, I feel I'm a little bit nervous because both my kids have been sick recently. reInvent's next week. I feel like I'm like really like potentially stepping on the landmine right now and just like praying if I am going to get sick, like I'd rather have it happen right now than next week. So for lack of sort of a better title, this is our banter episode where we chat about
Starting point is 00:00:34 recent news, what's happening in the world of tech. Also, we're trying something new. We have a new addition. We have a guest, Merritt. Welcome to Software Huddle. Hello. Thank you. Excited to be here.
Starting point is 00:00:44 And don't worry, if you don't get sick this week, you will most likely get sick after reInvent. Absolutely. That's good. Yeah. I mean, even if you were 100% healthy, a week in Vegas, you're most likely going to walk away with something. I always take my Vegas survival kit, which is essentially electrolytes, throat lozenges, and instant
Starting point is 00:01:07 coffee because no hotels actually have coffee in the room, which I feel like having caffeine on hand is a must for me. Yeah, absolutely. Yeah. Well, hey, we all got to get through somehow. Yeah. So you recently joined me as a guest on another podcast, one that I host that's focused on privacy, security engineering. I thought you were so awesome on the show that you would be the perfect guest for this version of Huddle.
Starting point is 00:01:32 You are the field CISO at Lacework. So maybe we can start with you can explain what exactly is that? Yeah. Yeah, so I've been at Lacework for a few months now. I think I'm going on five. I came from AWS where I spent over five years in like a team that is the deputy CISO. And before that, I worked in all three branches for the U.S. government doing security on behalf of the American people. I think we are kind of making up the role of field CISO, but I like it.
Starting point is 00:02:07 You know what I mean? Like on some level, it's whatever you think it should be. And I mean you, the individual. So I try to like play to my strengths. A lot of times it ends up being a mix of, you know, I would say that the meat of it is customer CISO conversations, being a CISO whisperer. Having come from, you know, being a CISO myself and being, you know, at the scale that, you know, AWS requires, I can have a lot of empathy for folks. And even though we had a well-oiled machine, like it's the kind of thing where you still have to do the weekly drumbeat of, you know, metrics meetings and incident response. And, you know,
Starting point is 00:02:45 there's just a ton of stuff to watch if you're Amazon and you can harness that and productize it to some extent that, you know, there's beauty in it too, but it's a lot of work. And a lot of times I think folks assume that just because you get better at security, it's going to be less work. It's like, no, you're going to focus on different stuff. So, or hopefully, you know what I mean? Like once you've got your automations written, you're still going to refine those and tune them. You're going to have, you know, those muscle groups that you still get better at over time. So a lot of my conversation or a lot of my work is conversations with CISOs about those muscle groups, about what they are doing today around trouble ticketing and turning,
Starting point is 00:03:22 you know, alerts into actions or, you know, how they focus on which threats to prioritize or other kinds of things that, you know, Lacework is on the customer side of the shared responsibility model. So we're some of the ones that are helping folks get good intelligence for what to act on. But you still have to go take that and make it meaningful and get the value out of it. And I want customers to be getting that value. So that's the majority of my job.
Starting point is 00:03:48 You know, stuff like this is sort of like, I guess, my job. Although I kind of do it for fun slash because I enjoy, you know, learning from other folks in the industry and having the opportunity to be one of the folks who's, you know, helping everyone. It's such a siloed kind of intentionally lonely role that I think stuff like this is really helpful for us to talk through. And then of course feeding that back into product and, you know, giving, being the voice of the customer. There are very established, you know, mechanisms for tech companies, you know, Lacework is a cloud security unicorn, like for folks to do like product feature requests or things that are very specific to what exists now
Starting point is 00:04:32 and what extended functionality they might want. But there's not great mechanisms for like how folks are interacting with it. You know, what has been working well, what's easy to operationalize, what they're excited about, and what's the positive feedback. There's a lot of ways in which the conversations that we have with CISOs are really meaningful for product teams who are busy heads down doing their daily standups. So I also try to be part of the core business. Yeah, absolutely. Are you working mostly with other large organizations, maybe not as large as AWS, but pretty large organizations and things like that? Are you working with smaller teams too, or maybe it's mostly just the CISO that's
Starting point is 00:05:14 sort of organizing that, but doesn't have a big broad team or what does that look like for you? Yeah, good question. Yes and yes. You know, I think initially the thought was that we would be especially sort of effective supplementing folks is that no matter how good you are, you have to have really good operational intelligence to act on. So, you know, for example, we have learned that when you just do alerting on CVEs in your environment, like, it's not very useful. You're going to have maybe hundreds of thousands at scale if you're a big shop. So what you really need are what's running and also what's running on the stuff that I have said I care about, you know, and then on the threat side, you know, like, because we can like torture ourselves all day about the latest, you know, hardware vulnerability or cool things in zero days. Ultimately, most bad actors are using legitimate credentials that have been mismanaged. That's just a fact. So like they're escalating permissions,
Starting point is 00:06:31 they're getting in and moving laterally. You know, it's all like the unsexy stuff that security teams have to work on day to day. And so we do a lot of triangulation, you know, mosaicing those actions together so that you get, you the customer, get alerts that are meaningful based on just like what's anomalous for you and what you've told us you care about. So the idea, as you can imagine, then for a big shop, that's actually especially important because you might have, you know, like there's no way to scale the manual labor it would take. Not to mention humans are like not, you know, perfect calculation machines the way that computers are. But to be able to kind of parse through, you know, in an AWS user, like let's say that it's an AWS shop that is, you know, a fortune 200, they might have hundreds of thousands of AWS accounts at scale. Every KMS call that's ever attempted goes into their CloudTrail logs. You know what
Starting point is 00:07:27 I mean? Like finding that needle in the stack of needles is just something that computers are better at and that we then, you know, train for. And, you know, I think we're going to talk a little bit about, or maybe a lot about AI today. But on some level, there's this part of, I think, all of us, especially in security and dev world that are like, yeah, I think you, it's a little Princess Bride-y where it's like, you keep using that word. I do not think the word means what you think it means. You've been doing this on some level for decades, you know what I mean? And Lacework is one of the companies that sees security as a data issue or like as at least the path to better comes through using data intelligently.
Starting point is 00:08:10 On that same note, I don't know if this question makes sense, but do you feel like the balance of power right now, like are the good guys completely outgunned by the bad guys given like how hard, like you see the sophistication of some of these attacks like MGM and Retool, how they're like, you know, looking at people on LinkedIn and calling in and getting passwords or Okta, all that sort of stuff. Like how hard is it as a CISO right now? Is it to just like manage all those potential threat vectors? And now, of course, AI coming in, like how does that balance of power feel between, you know, trying to maintain your security versus the bad people trying to get in? You know, on the one hand, I think that certainly we can give examples of ways in which, yeah, things like AI are accelerating the sort of creativity of bad actors. On the other hand, like, I don't think that we are well-served kind of like creating some cops and robbers narrative here.
Starting point is 00:09:06 Okay. For the most part, you know, the stuff that you need to be doing to build a robust security program is the stuff that you should be doing anyway. Like, you know, templatizing your environments and using, you know, an exceptions process that only gets invoked under certain parameters that you're kind of constantly refining. Coming back to known good states and taking advantage of golden AMIs or whatever you're using for machine images. You know, like there's a lot of ways in which this actually just looks like doing computing at scale.
Starting point is 00:09:41 Like you need to be doing this for your devs to run hard and fast anyway, and to have stuff that's built in with an awareness of what permissions they should have. Security done well feels a lot like just doing your thing right. And so I think there's ways in which I care about new attack vectors or what we're seeing around TTPs, you know, practices of bad actors. But I don't get too strung up on any one du jour group or whatever. And in the case of, you know, some of the ones that you mentioned, so, you know, the Caesars and other, which is actually Caesars is a Lacework customer, and they lit up like a Christmas tree when the permissions that shouldn't have been used started getting used. You know, so I think it's always going to be a mix of trying to do this kind of, like, intelligent pruning and reducing your likelihood of having bad days.
Starting point is 00:10:36 And then saying, like, we've still got to have stuff that works. We're going to connect to the Internet. Like, we're going to have someone with admin support permissions or at least some degree of those that can get escalated. And so like that means that we also need to have reactionary and remediary muscle groups built up. And so it's just going to be a mix of those. And it's a lot, it's a lot, you know, it's dressed in overalls and looks like work because that's what it is. Yeah. Also, Alex, like Merritt had mentioned, you know, a lot of these attacks end up being someone's compromised accounts. And there's a lot of, I think like most, there's a sophisticated tools, like attacks, like
Starting point is 00:11:13 the Retools and some of the things that you're seeing with like MGM and Caesars. But like, I think most attacks are not necessarily that sophisticated. And part of the problem is that a lot of businesses, probably the majority of businesses, don't even hit the baseline threshold of what would be a reasonable security posture. So even just putting the basics in place, this kind of baseline of two-factor authentication, if you're using encryption keys, key rotation, all these types of things, a lot of organizations just aren't doing those things. So then that leads to, I think, what appears to be just like an escalation of issues. Like I think the number of really sophisticated attacks are far and few between compared to kind of just these like baseline
Starting point is 00:11:55 things that happen. Yeah, agreed. There's lots of eat-your-veggies work to be done out there, but I also don't like to victim blame. You know what I mean? Like it, yeah, it is, you know, Alex is right. Like it's a, it is a sort of a Sisyphean rock drill being a CISO where you just push the rock a little further, but those who do it, you know, effectively are not trying to play whack-a-mole. They are, they have like a systematic approach to these things. So in your weekly metrics meetings, like as you get better, you're not asking like, oh my gosh, you know, how did these seven, you know, rogue employees get permissions to hopefully. You're saying like, why did it take us two hours to notice this slightly anomalous thing that we never contemplated? You know, why not an hour and 59 minutes? Like what mechanism is it that led to this?
Starting point is 00:12:46 Or why did we threshold it at 999 dropped calls and not a thousand? You know, like, are we doing the right stuff? Are we focused on the right stuff? Are we, you know, recovering and kind of building self-healing in where we can? And are we looking at the right metrics that are not gamified,
Starting point is 00:13:08 but are actually an indication of us getting better over time? So I think, you know, like those are the kinds of like Sisyphean rock drills that I'm talking about. I don't think that – like I think that CISOs who are really frustrated with their jobs, you know, should look in the mirror a little bit. Like they need to reframe it for their leadership or maybe, and if their leadership genuinely doesn't prioritize security, then maybe they need to get a new job. You know what I mean? Like, I think that we need to be doing, we, the security industry need to be doing a good job too of characterizing the stakes and making these business decisions more transparent for folks who, who care about outcomes,
Starting point is 00:13:46 but don't necessarily care exactly how many CVEs you patched on Tuesday. Okay. So we have, as we mentioned, reInvent's coming up next week. All three of us are going to be there. As a former AWS insider, Merritt, we were curious to know, within AWS, what's the kind of reInvent ramp-up? Do you have any sort of behind-the-scenes stories from your time there about the level of craziness kind of leading up to reInvent? It is really fascinating because putting on an event of that scale obviously takes a ton of planning. People spend all year planning. I mean, some of the marketing and events folks. But you would also be surprised how much gets done in like the four days before there have been,
Starting point is 00:14:30 you know, like I always had to, I, every reInvent I went to, I gave a talk. And like there would be changes I was making until the 11th hour for sure, because it would be like, oh, this thing, actually this talk isn't going to come until after year. So it's still embargoed or, you know, we're rebranding this or whatever, or like we weren't able to get a license for this picture that you wanted to put in your deck or whatever it is. Anyway, there's a lot of moving pieces. And I think it's always really exciting when you walk in, you can like feel this like pulse of energy because all the geeks there are, it's like Christmas, you know, it's really exciting. But at the same time, you know, there's a lot of ways in which I think we're getting better at it, but like
Starting point is 00:15:14 distilling down what we need to care about, how we can kind of like ingest the meaningful stuff and not just the volume of stuff that you're going to get through tonight is the challenge. You know, I work on that anyway. Yeah. What's it like leading up to reInvent, like sharing stuff that's coming out across teams? Like sometimes I'm surprised I'll like talk to some AWS people and they're like completely surprised that this new announcement happened or something like that.
Starting point is 00:15:43 How does that get disseminated or does it not until, until reInvent and sort of, you know, even AWS folks are finding out there? Yeah, not really. It's pretty secret squirrely until the, because in part, because they want to have that wow factor of unveiling stuff. And in part, because, you know, like there's trade secrets and other reasons why you don't want to tell everyone everything unless they need to know or until they need to know. I think that overall the dissemination to like the field, for example, you know, comes after it's unembargoed, you know, like after it's public.
Starting point is 00:16:21 So there will be usually this kind of trickle of blogs and other announcements leading into reInvent and then the big ones will be during the keynotes. But, you know, you also have to remember like this is a huge organization with a lot of little pockets of stuff doing interesting stuff. And they may not even know about each other unless they happen to like have a friend who works in that area. There's a lot of ways in which the security product teams may or may not know a security SA in the field, for example, and are most likely not aligned with them directly. So they're relying on some of these mechanisms to get that out. And those are the same things that you and I have to rely on, which is blogs and tweets and everything else. You know what I mean? Not to mention that Amazon employees can't go to the talks themselves.
Starting point is 00:17:18 So they're kind of scrambling to figure out what was said based on know, based on everyone else's reports until it gets posted online. So it's kind of a funny, it is definitely a, I don't know, like a cultural phenomenon. It always surprises me, like how decentralized those teams are. And like, I always assume like they know each other across all these different teams, but I mean, first of all, it's a big org, but then also just AWS is so decentralized that, you know, those teams just don't talk to you as much as you assume they would. It's true. We should move on after this because, like, it feels like I'm talking about my ex a lot.
Starting point is 00:17:52 But, yeah, there's a deliberate, like, business mentality or, like, conviction there that, you know, five is better than none. And so they'll let teams build in parallel, even with it. Like there's no deconfliction process to get started on stuff. And, you know, the premise or like the idea would be that like the best one survives. But in practice, it means that there's lots of overlap and sometimes kind of, I was going to say conflicting, but it's not necessarily conflicting, but like narratives that aren't lined up with each other. And I think AWS like leans into that and says like, yeah, we're building building blocks and you stitch them together. You know, they're getting
Starting point is 00:18:38 a little better about it. But I think that has been the mentality is like, we're a builder's paradise. We are not here to sell you the Barbie dream house. We're here to sell you a Lego set that you can go build stuff with. And I think that's one of the reasons that I was interested to go to the customer side, which is that I spent a lot of times like telling customers, yeah, that's on you. And it's just like a fact that it is, of course, like with any cloud company, you have only responsibility for the layers of the stack that you have. But it also rang a little hollow to tell folks time and again, yeah, that's a you problem. When I, you know, felt like it'd be
Starting point is 00:19:21 interesting to go work in those kind of managed layers that allow you to do more for and on behalf of the customer. Awesome. Well, let's move away from Merritt's ex and get into the news. Good thing it was a quiet news week. There's just nothing going on in the world. AWS is like Hotel California. You can leave, but you're never really gone. So like here we will be next week talking. But so it's fine. But yes, let's do it anyway. All right. So I originally I was going to kind of follow up on a story that we covered a couple of months ago about RCS or rich communication services, and Apple, but there's been so much going on in the world of Sam Altman and OpenAI, I think that we'd be remiss if we didn't, you know, start with that. And I'm not sure that we'll even get off of it because there's so much to cover.
Starting point is 00:20:05 But I will mention this is Wednesday, November 22nd that we're recording this. It's going to come out next week on Tuesday. So there's another five days basically between now and when this gets released. So everything that we say is probably going to be completely out of date at that point with how quickly things are changing.
Starting point is 00:20:24 But let me kind of run through the timeline and then feel free to kind of jump in. So it started Friday the 17th. So last week, November 17th, Sam Altman fired from OpenAI. The board essentially gave publicly anyway, vague reasons. He hadn't been candid with them was kind of their byline. Later that day, Greg Brockman, co-founder, and some other senior researchers announced that they were quitting. And then Mira Murati, the current CTO of OpenAI was placed as the interim CEO. And then on Saturday, Brad Lightcap, the CLO, put out a statement to all the employees of OpenAI saying that Sam hadn't been fired for malfeasance or data breach or anything like that.
Starting point is 00:21:09 It was just a breakdown in communication. It wasn't an AI safety issue. And then there was some other information that came out the same day around the AI safety concern. And there was kind of rumors that maybe Sam Altman was moving too fast and without taking proper precautions for the board. But the board sort of stayed by this, at least publicly, that that was not the case.
Starting point is 00:21:30 Investors like Sequoia and Microsoft were exerting pressure on the board to reverse their decision, reinstate Sam as CEO, and resign as the board by 5 p.m. Saturday. There was a big campaign on X on Saturday from existing employees showing their love for Sam, saying they'd join Sam if he started something new. And, you know, this I think if you're following along, we got one side of the story, which was kind of the employee Sam side. The board wasn't out there posting about their side.
Starting point is 00:21:56 The timeline for Saturday came and went. That Sunday, a bunch of senior OpenAI people plus Sam Altman gathered in the OpenAI office in San Francisco to try to work through everything. Some of the board was rumored as being open to Sam returning, feeling perhaps the heat of firing the guy who recruited a lot of talent at the company. It looked like, I think, people's perception was Sam would return as CEO. There was a picture that Sam Altman posted on X wearing a guest badge saying that this was the last time he'd be wearing this as a guest. And then the board was still sort of cagey about the reasons for the firing, but it really looked like that wasn't going to hold up.
Starting point is 00:22:34 And there was a new deadline of 5 p.m. on Sunday, but essentially that timeline came and went. Still no news. Then later it came out that the board had sent a message to all employees that Sam Altman would not return as CEO, standing by their decision, still no clarity on why. They also announced a new CEO. So Mira Murati was out after about 48 hours, in part because she came out supporting Sam, presumably. Emmett Shear, former CEO of Twitch, was then placed as the interim CEO. And this was all by Sunday night.
Starting point is 00:23:05 Then there was a sort of a staff revolt threatening to quit. Monday, Microsoft announced they're hiring Sam Altman and Greg Brockman to lead an advanced AI research lab. Microsoft owns 49% of OpenAI. So presumably Sam, Greg would still have access to everything they were already working on, you know, saving them probably a ton of time versus going and starting something new. And personally, I thought this was a pretty brilliant move by Microsoft because they're probably going to get a lot of the best AI talent and just give these guys essentially free rein, do whatever they want and get out of the way. And a lot of the future of Microsoft, I think, is kind of betting on OpenAI. So the fall apart is going to be bad for them. Then November 21st, last night, 10 p.m. my time in California,
Starting point is 00:23:47 Sam Altman's back as the CEO of OpenAI. They're reforming the board, removing several members, presumably those that led to the coup. Former Salesforce co-chief executive Bret Taylor, former U.S. Secretary of Treasury Larry Summers, and Quora founder Adam D'Angelo will be part of the new board of the AI startup, and Taylor will serve as the chair of the board. So that is where we are right now after, you know, four or five days. Amazing. Quite an incredible story there. I'm, yeah, I'm curious
Starting point is 00:24:16 to see what happens going forward. Like one thing that's interesting, you know, what we'll find out by the time this publishes, but like there was an article, I believe in the Washington Post today, because one thing you were saying is, hey, most of the side we've seen has been like the pro-Sam, pro-employee side. We haven't really gotten the other side. But there was an article, I think in the Post today, maybe the Times,
Starting point is 00:24:35 about just like previous issues Sam's had with different people. I didn't realize that PG, Paul Graham, had sort of forced him to resign as president of Y Combinator. As they switched to Michael Seibel, I believe. And then also there was some stuff about how, you know, between like 2019, 2020, the turnover at OpenAI was like 50%. So I'm pretty high turnover there and maybe getting his own people in, in some way that sense. So
Starting point is 00:25:01 it'll be curious. I'll be curious to see that side of the story come out. You know, Adam D'Angelo, people are talking about him. He's the Quora founder who's on the board. We haven't quite heard his story yet. I'll be curious to hear if he can put any meat on that bone, just like what happened here, what they were thinking, why this went this way. It feels like a, you know, Greek drama when you, yeah, we should have had ChatGPT do it in puppet form. Yeah, you know, I think it's, I think it's an interesting study in itself, but I also think it's going to be sort of an infamous example of, you know, a number of things including sort of like corporate dynamics, leadership tensions. And ultimately, my personal read is that there's also a fair amount of, I don't know if friction is the right word,
Starting point is 00:25:55 but of dynamics involved between the open source world and the corporate world. And even startup corporate versus established corporate. And so I think that, like, while we generally expect that friction to be, like, healthy tension between those, you know, where, like, I mean, I advise a company called Expanso that is the corporate version of an open source technology called Bacalhau that does distributed internet of things, you know, like does Kubernetes at scale. But like there, so I, and I liked it for that reason because I love the open source community. I love the tech that gets built when it's being maintained by folks who are passionate about it.
Starting point is 00:26:41 And I love the dynamics that it builds between devs and security folks who, you know, like it just gives inherent security benefits. Yes. I know there are also glaring security problems. Thank you, Log4j. But you know, like it's an area that we all, you know, see, I think we in tech world see as this like really healthy area of growth and of activity. And then in this case, it seemed like they just, you know, this board was like a uniquely sort of nonprofit-y entity.
Starting point is 00:27:16 And that then when Microsoft swooped in, it was basically like, well, are you sure you want to break up with them? Because, like, you know, it's just very telling, I think, of what will or like it's a harbinger of some of what will probably echo out in other ways as we see not just AI, but other technologies built with that kind of structure or that kind of hybrid approach. And so I'm curious to see how that plays out. And of course, like the board doesn't, is not required to tell us all the reasons, but generally things become more transparent over time just because things come out, whether litigation or whatever, you know what I mean? Like you can go through discovery and then those will come out or whatever
Starting point is 00:28:01 it is. So I'm, I think we still only know bits and pieces of this story or we're seeing like, what's the Plato's cave. We're seeing like the reflection on the wall, you know? Yeah. I mean, that's always my argument against sort of any conspiracy theory that
Starting point is 00:28:16 involves a lot of people is like, people can't keep even a small group, a secret, let alone, you know, be able to keep, I don't know, like,
Starting point is 00:28:25 you know, that faking the moon landings as an example under wraps, like someone's going to leak that essentially at some point. So I agree, like at some point there's going to be more information, I think that tells different sides of the story that's going to come out. Maybe, you know, we had the Uber movie docuseries that was on Netflix. Maybe we're going to get the OpenAI. Someone's rushing to do this right project right now. You heard it here first, so please send royalties here. WeWork documentary on hold and rushing to do this. Exactly.
Starting point is 00:28:56 WeWork drama's old news, time to hop on the OpenAI drama bandwagon. Yeah, we'll see. And, you know, it's going to be interesting, too, I saw that like Microsoft shares went up 1% overnight. You know what I mean? Like there's ways in which also some of these forces have, well, implications, but also responsibilities that are larger than the individuals. Like you don't, if you're a board, if you're a corporate board, you don't get to just fire someone because you don't like them. Like there have to be underlying issues that you have a duty of care to. And so I think those will be the things that, you know, we'll see come to at least more light, maybe never full, but I'm, yeah, I'm, I'm curious. And I'm also
Starting point is 00:29:42 curious about, you know, how it's going to influence the product itself and whether this, you know, will. I don't think that Sam Altman was ever like particularly restrained, but I think he had an MO that was sort of like what he was used to, like a risk tolerance that he was used to doing before. And I wonder if this will push him more in one direction or another, because again, we're just human and it has to have an effect on you. I mean, like I can't imagine that it wouldn't change some dynamics. Yeah. Yeah.
Starting point is 00:30:15 It's amazing to think like how close we were to like, like would ChatGPT have just gone away or been sold off for parts, but like, you know, let's say 700 of the employees leave and also no one's going to give them funding now because no one's left there. Like, is that just sold for parts to Stability AI or like, does it just implode in like a hundred million users just evaporate overnight? Like, it's pretty crazy to think how close we were to the brink on,
Starting point is 00:30:37 on that sort of thing. Yeah. I think that it, I mean, this could be a Harvard Business School case study, right? I'm like, what if it had just imploded? Like, what, you know, I think that's, so Microsoft obviously made an opportunistic move, but also it's no coincidence that Altman was going to say yes there because they already were investors. They have, you know, a lot of, I would imagine, I don't know the details here, but like, I would imagine that they have mind share and legal share over some of the underlying technologies that would allow him to, you know, continue building and not have to start from scratch or be preempted by non-competes or non-disclosures. You know, like there's all these ways in which I think, you know, it'll, it is just such
Starting point is 00:31:27 a melodrama that it's actually like playing out too fast for us to like see these through to their conclusions. Like, you know, I was actually thinking today, do you think Emmett Shear or even Mira for that matter, like put CEO on their resume? Check their LinkedIn if it was updated. Yeah. I'm not sure that LinkedIn can even, you know, measure that time diff. Oh man, that's great.
Starting point is 00:31:55 But it's pretty wild. Like, and we talk about all this, but like think of all the other sort of big stories that have happened in the last, like since Friday that were, that are barely getting covered. Like the, the Cruise founder, Kyle, Kyle Vogt, like he, he stepped down. And then also yesterday CZ at Binance, um, you know, stepped down and has to pay like a $4 billion fine and things like that. Might go to jail for a little bit of time.
Starting point is 00:32:17 Like, it's pretty crazy. Each of those, like a big story in their own. And it's just like, they're just completely getting subsumed by the, by this OpenAI drama. There's, there's your conspiracy theory: they, they, they, they conspired to, you know, there's like someone who just didn't want to have a headline. Um, yeah. Great. I've been actually tracking also the, all of the SEC, uh, developments. Uh, we, well, it was like, whatever it was, two months ago when the SEC came out with like their refined language around requiring a four-day window for disclosing material cyber incidents, that the Wall Street Journal reached out and asked me what material means. And I said, that's a good question. You know, like, we're gonna have to, I think the SEC like left it open to an industry standard that we'll have to construct. And then while I said that out loud, I thought, who but we, right? And so I got together a group of 20 or 30 CISOs and
Starting point is 00:33:11 we put one together. So I've been, as a result of sort of being more attuned to that issue lately, I've also been tracking those developments. And there was even a ransomware gang who made, who filed a disclosure on behalf of the victim to the SEC because the victim wasn't paying them off. Unintended consequences, or at least having, you know... And then recently they also, the SEC charged the SolarWinds CISO individually as well as the company. And like, don't get me wrong, I'm sure there, it seems like there were some egregious kind of flaws in or lack of strategy there and that employees raised it repeatedly. And, but like, also I kind of like hiring the person who continuously tells me we're not good enough.
Starting point is 00:34:12 And it doesn't mean that I'm going to go do everything that Chad tells me. It just means that I like having someone who points it out because even if I don't have it, like, you know, I want to know. And so I just worry that that's going to create this personal liability standard sort of building off the Joe Sullivan stuff that just like makes us as CISOs like more tuned into a fear based decision system instead of, you know, a rational risk based one. And I'm curious to see how that plays out. Also, for what it's worth, I think any of us, on the one hand, I'm sure SolarWinds could have done more for their security. I don't know of a shop that is perfect.
Starting point is 00:35:00 On the other hand, a two-year protracted nation-state level campaign would get into pretty much any shop I can think of, you know, or at least the vast majority, especially ones that have, you know, supply chain implications or hardware and software as a lot of folks do. So, you know, anyway, just some thoughts on other news headlines, as you mentioned. That's super interesting. I hadn't heard that. So that CISO that they're going after personally, would that be like a fine he would pay? Would it be potential jail time? Or would it be like, hey, you can't be an executive at a public company for four years? Like what sort of punishment are they looking for there?
Starting point is 00:35:39 Yeah, the SEC is civil, so they could refer it over to DOJ or other folks, but they can't put him in, and like, I guess they could send him to debtor's prison in some sense. You know what I mean? Like, there can be judgments. But yeah, they're seeking other damages. They're trying to bar him from ever, you know, holding an officer's position again and other civil damages. Yeah. Wasn't the Uber, Uber's former head of security or CISO,
Starting point is 00:36:09 uh, also, um, uh, charged or was liable for, for something there as well. Yeah. That's Joe Sullivan.
Starting point is 00:36:16 He was convicted criminally actually, um, which is different. Uh, yeah. Uh, that's a hairy one. Candidly. He's also a friend of mine, but yeah, it was one of those where it was like,
Starting point is 00:36:30 you know, there's no way that the entire board didn't know about a check that you write to for a hundred thousand dollars. I mean, come on, but you know, he was the one who got personally indicted for it. And yeah, it was, I think, I just think we're at a high watermark with personal, like liability, whether it's civil or criminal for CISOs, and that's going to change the tenor of what folks are willing to do that job and also, you know, what it takes to kind of like, you know, manage it effectively, because we've just introduced a couple, at least degrees of risk, if not categories of risk, like on some level, these risks existed, but like we hadn't seen them being implemented the way that we are now. So yeah, I think it's really important.
Starting point is 00:37:27 And I also think that it will, I at least hope that it will basically give folks the tools that they need internally to go to their board and say like, this is a business imperative, not just for me personally. But like, you know, there's more enforcement going on. And also the standards of the industry, you know, are MFA, are, you know, handling, you know, sensitive data with encrypted standards that are up to date or whatever you can think of that are standard security practices. And that, you know, I certainly hope that folks who, for example, are using Lacework will have that to fall back on to say, like, we're doing what industry standards dictate, which is to have good alerting and to, you know, refine how we respond to those.
Starting point is 00:38:19 And like, I don't, I can't imagine a regulator saying you have to be perfect, but it certainly means that you're going to have to get up and like, you know, jog with the rest of the class. Is there anything to add? No, I don't think so. That stresses me out. All that sort of like that just feels like such a hard problem to stay up on all those evolving threats. And that seems like a hard job. I think it's an incredibly difficult job under the best of circumstances.
Starting point is 00:38:46 All right. So I want to touch on one last news item, which I mentioned before, selfishly because I sunk four years of my life into this product. And we also talked about it a couple of months ago. So, Merritt, have you ever heard of RCS or Rich Communication Services? I have heard of it, but until you told me that you wanted to talk about it today, I hadn't been like looking around. Yeah. It's like the, I mean, it's a, it's a carrier standard, so it has not a very good name. I know some of the wonky carrier stuff, but yeah, I'm not, I'm no expert in it.
Starting point is 00:39:21 It was a totally new term to me a few, a few episodes ago when we did it. So you're, you're ahead of me on that point. Yeah. It's a, it's a terrible term. It's not a consumer-facing thing that people get excited about. But essentially, for those that maybe didn't listen last time or forgot, but essentially, RCS is a telco standard.
Starting point is 00:39:36 Came out over 10 years ago. But it's been what Google's sort of been pushing and working with carrier ecosystem to push as an update to SMS and MMS. And it gives you essentially the same type of functionality that you would get from iMessage or WhatsApp or any of these modern messaging applications, except directly within your phone and, you know, across carrier, across applications, assuming that those applications support this open standard. And the big thing with that we talked about last
Starting point is 00:40:05 time was, you know, there was an article that came out about how the EU was putting pressure on Apple and they'd launched an investigation back in September into iMessage about it essentially, I think, being anti-competitive because they weren't adopting this standard. And in the four years that I spent at Google running office hours on like a weekly basis with our partners building on this technology, there really was not a week that went by where someone didn't ask me, like, when's Apple going to support this? So then when we talked about this last, we talked about the challenges with Apple supporting it and so forth and what would actually happen. But then last week, buried beneath all the OpenAI drama and everything else that's going on, there are other CEOs stepping down. Apple announced that in 2024, they will support RCS inside iMessage.
Starting point is 00:40:54 And iMessage isn't going away. They're still going to give you a green bubble if you're part of the RCS universe. But you'll be able to essentially... Just your little punishment. Yeah, so your little punishment. So you'll still be able to essentially communicate across Android and iOS at a more like sort of iMessage level experience, group conversations, higher quality videos, higher quality images, all that good stuff.
Starting point is 00:41:22 I'm like surprised, honestly, honestly, that this came out, because I recall, one of the reasons that I have like half memory around this is that it got kind of spicy because, um, Cook said, when someone said like, well, you know, what am I gonna do when I can't send my mom high quality videos of my kids or whatever, he said, I guess you should buy your mom an iPhone. You remember that? Yeah. It was like, I mean, it's kind of been working, but that has been, here we are with a dozen different cables just because Apple keeps changing it. Well, I think historically Apple was able to defend their not supporting it, even though it's a standard, because they support SMS and MMS, right?
Starting point is 00:42:03 Like you fall back to that if you're communicating on iMessage, you don't have data or you're communicating with a non-iOS device. But they've been able to defend it by saying, well, there's not enough sort of reach or penetration of RCS for us to adopt it once it gets there. But now there's like a billion users on RCS. So making that argument becomes very difficult. And then I think on top of that, as Apple starts to get more and more,
Starting point is 00:42:30 you know, go to market and foothold in Europe, Europe historically, I mean, this is where, you know, Microsoft's had a lot of challenges, like it's going to be looking at these things from like anti-competition with more scrutiny than other parts of the world and sort of hold people to task for it. So I think that all that pressure led them. And I'm sure there was a lot of
Starting point is 00:42:51 conversations between Google and Apple at the very highest levels around this as well. I mean, what do you think? Do you think they did it as a business move or do you think they did it as an attempt to evade anti-competitive regulatory smackdowns? It's probably a combination, I would guess. Like there's, so on Google, Google offers like a way to sort of monetize through what's called RCS business messaging or RBM, another fantastic acronym. It's an acronym within acronyms, which was the API that I worked on. And it's a way to essentially create like chat bot experiences directly through native messaging. And then Apple has Apple Business Chat, which is sort of their competitive product. So I don't know if
Starting point is 00:43:34 these two worlds are going to kind of like merge together. Can we create those on ChatGPT? Yeah, I mean, like when I was doing this, the, what we had was like Dialogflow and IBM Watson, and they were much more rudimentary. Now you could do a much better experience. You probably can, right? Yeah. Yeah, you could create like a really, really great experience. Well, you still need your APIs and like your building blocks, but like you could, you know, do the app level descriptions and a generator probably. Yeah. Yeah, absolutely.
Starting point is 00:44:08 It's kind of interesting too. I wonder if there will be arguments in favor of interoperability for some of those reasons. You know what I mean? And then security ramifications of them too. Yeah. I mean, one of the things that Apple said was they weren't going to support end-to-end peer-to-peer encryption on RCS. Because I think, if I remember correctly, the RCS standard either – I don't think end-to-end encryption was part of their original standard. But Google introduced it for peer-to-peer as essentially like a sort of an upgrade on the standard.
Starting point is 00:44:42 But I think Apple came out and said they're not supporting it. And so I'm curious as though – I can't remember the exact standard. So it could be that they're saying, like, we're going to follow exactly what the standard is. And then it's a way to kind of create like a less ideal experience than what you're going to get on iMessage, where they do have end-to-end encryption. But I'm not sure. So there's still going to be some differentiation besides blue versus green bubbles in iOS in terms of what you're getting from a security perspective,
Starting point is 00:45:10 at the very least. Interesting. I like, thanks. I hate it. Like, I don't think that security should be something you have to pay extra for, you know? Yes. Yeah. It should be secure by default. I mean, don't get me wrong. I think that the world that we live in is one where security is a white shoe commodity. And those who are, you know, least prepared to personally absorb the costs of insecurity are often the ones who are most exposed to it. Whether it's through, like, the places they're shopping, the credit cards or debit cards they're using, the cell phones they're, you know, like all of those things, you know, provide wealthier, more sophisticated users with better secure experiences. And I, so I'm saying this with the caveat that I know the world we live in is already rigged this way, but like, I just really have this strong conviction that like, one of the reasons that Apple could choose to go do this is that it's the right thing. And that if they are able to democratize security and privacy in ways that are meaningful across user bases,
Starting point is 00:46:12 that that would be a good enough reason to do it. Yeah, absolutely. I agree. Do you think this will meaningfully cut into other messaging apps usage, like WhatsApp, Signal, things like that? Or is it still going to be enough of a gap or other reasons to use those that, you know, even if this is the default, it's not that not that great? Yeah, I mean, I think that it's hard to say. I mean, it's like kind of like a social network where once you've had some level of network effects, it's really hard to get people to kind of move off of it. So if you already have, you know, your WhatsApp groups or whatever, like set up and you're in conversation, like, are you going to be like, Hey, like, let's go to this other messaging platform.
Starting point is 00:46:48 That's exactly the same and level of features. Like you, you have to be other than like runs natively. Um, I do think that most sort of, um, B2C conversations is today over like worldwide over SMS. So certainly this would be a better experience there because some of the things that we were working on at the time that I was at Google was you get verification. We fix a lot of the inherent problems from a security perspective with sort of the B2C messaging, like SMS is inherently not very secure. It's hard to know when someone sends you a text message, whether it's actually coming from a business or not. Over RCS, you can actually validate who the business is. You can have end-to-end encryption. And there's an approval process. So it's not just like anybody
Starting point is 00:47:34 can just sign up and start spamming people. So there's more checks and balance. It's more of a modern system. So I think that there's a lot of value there. Plenty of spam texts from, like, I mean, I got some yesterday pretending to be the CEO of my company asking me to buy Apple gift cards for everyone. Yeah, I, I get, I get those all the time too. You know what I mean? And so I, like, I'm not sure that, like, it was the, the green bubbles that were causing the insecurity. Like, they're, you know, iPhone users send junk mail to, uh, you know, like, I guess my point is like the security of the inherent transmission of the message doesn't detract from the fact that it's going to be used for like on unvalidated purposes or whatever you want to call it. You know what I mean? So, yeah, but, uh, the, the value that
Starting point is 00:48:25 we had in terms of the, the business messaging part of it was that the business is actually a verified entity. It's kind of like buying a short code for an SMS in the United States. You have to not just anybody can go and buy a short code and send from, you know, one, two, three, four, five, you have to go through, um, like it's-week process where you're verifying your identity. Sending from a long code, anybody can do that and people can spoof it. And that's where a lot of the, it's not just spamming, it's that people can spoof it as well. But I mean, I think spam will still happen. It's like any channel that can be used for marketing purposes eventually becomes a spam channel.
Starting point is 00:49:04 All right, so we have reInvent next week. Merritt, are you giving a talk? I am not, since I, in the space of last year to this year, I am no longer employed. So I haven't had, like, time to switch roles, but I, I will be around. I'll be hooching up. I might, I might come to the booth sometimes. So if folks want to catch me, you know, swing by the Lacework booth, they'll, if I'm not there, they'll know where I am. But I will also be meeting up with the folks. I'm going to like buy folks coffees. I'm going to like sit down for a couple hours and let folks come to me and do some reels.
Starting point is 00:49:37 So you guys should swing by. And I'll be around, you know, just doing, doing CISO dinners and doing my thing, you know. Awesome. And Alex, when's your talk? My talk is Wednesday afternoon. Wait, four o'clock. Yeah. What's your talk on Dynamo?
Starting point is 00:49:53 It's about DynamoDB. So data modeling. Alex is the DynamoDB expert. That's fine. Yeah. I mean, the more times you have pulled it, the faster it responds. Gotta love a cached-at-the-edge kind of database. So. Yeah, it's pretty fun.
Starting point is 00:50:09 So, yeah, it's been fun. And, Sean, you'll be there. You'll be doing booth stuff and meeting with a bunch of folks, I imagine. Yeah, doing some sort of panel recording thing on the final night. But, yeah, I'll be there all week. We have a booth, so people can check me out and find me at the Skyflow booth or they probably know where I am
Starting point is 00:50:29 or how to get in touch with me. And then the following week, I'll be in Paris for API days as well. So I'll be on the road for the next couple of weeks. Travel never ends. Yeah, that'll be it for the end of the year, I think, unless something comes up. But there you go.
Starting point is 00:50:41 That's good. So don't worry, it does. But that's a topic for another day. All right. Well, Merritt, thanks so much for joining us as our first ever guest on this version of Software Huddle. And hopefully we will get to meet in person next week. Yeah, exactly.
Starting point is 00:50:56 Sounds good. Thanks for including me. It's been a lot of fun. And for listeners, feel free to reach out. I'm on Twitter at MerrittBaer. And it's not that hard to find me. So, but welcome your feedback on, you know, what we talked about, what's helpful and any comments, questions, et cetera. Thanks, guys.
Starting point is 00:51:17 Thanks, Merritt. Thank you.