The Knowledge Project with Shane Parrish - #93 Matt Holland: Zero Day

Episode Date: September 29, 2020

Matthew Holland is one of the world’s leading authorities in cyber security. He explains exploits, hacking, and defending while providing insight on the mind of the attacker, Huawei, Snowden and what you should be asking your cyber security vendor. -- Want even more? Members get early access, hand-edited transcripts, member-only episodes, and so much more. Learn more here: https://fs.blog/membership/   Every Sunday our Brain Food newsletter shares timeless insights and ideas that you can use at work and home. Add it to your inbox: https://fs.blog/newsletter/   Follow Shane on Twitter at: https://twitter.com/ShaneAParrish

Transcript
Starting point is 00:00:00 It's that going to the doctor scenario when you have a pain, you don't want to necessarily find out what it is because, you know, people are naturally averse to bad news. You can't be like that with cybersecurity. If you don't have a cybersecurity vendor, if you don't have a company helping you out with that problem, get on it. Everybody is a target at this point. Your company is not small enough to be off an attacker's radar. I have seen five-person companies, actually I've seen two-person companies attacked and hit. So, you know, my advice is don't be, don't be afraid to ask for help. blog help you sharpen your mind by mastering the best of what other people have already figured
Starting point is 00:01:03 out. If you enjoy this podcast, we've created a premium version that brings you even more. You'll get ad-free versions of the show, like you won't hear this, early access to episodes, transcripts, and so much more. If you want to learn more now, head on over to fs.blog slash podcast or check out the show notes for a link. This week I'm talking with Matthew Holland, the founder and CEO of Field Effect Security. For the past decade, Matt's been the guy that every three letter agency in the Western world has called when they have a problem that they can't solve. Before Matt started field effect, he enabled allied governments to pursue their lawful mandate. This episode is all about cybersecurity, exploits, hacking, and defending. And while this is a
Starting point is 00:01:44 world, we all hear a lot about, rarely are the people talking as knowledgeable and informed as Matt. In fact, I'd say he's one of the top three in the world at what he does. Let's dive into the mind of an attacker, what's possible, and what questions you should ask your cybersecurity vendor. Along the way, we'll talk about Snowden, what it's like to work at an intelligence agency, and, of course, Huawei and national security. It's time to listen and learn. So I've known you since 1999 we met, 2000? Yeah, around that, yeah. That's crazy.
Starting point is 00:02:23 Yeah, world. We used to work together at the intelligence agency. And then that was the most insane period of time ever, right? We're in this small team, September 11th happens. The world forever changes. Our team works nonstop for effectively seven years. Like I don't remember any of us having vacation from 2001 to 2008 other than like a random Monday or something. Yeah.
Starting point is 00:02:53 I mean, firstly, I think vacation is probably largely overrated just because I'm a workaholic. But yeah, no, it was a really neat way to start. I mean, our career was, you know, just a year or two apart. But it was definitely a very interesting experience being thrust into an environment where everything you do contributes much more than you would ever think. Because coming out of university, you know, you want to get a job with a good salary. All of a sudden, you're, in our case, we're doing things that actually matter to the country that have a very significant outcome.
Starting point is 00:03:24 and it's like going from zero to mature very, very quickly. Overnight. Yeah. Yeah. I remember one of the first meetings I had with you, we were trying to figure out how something worked, and I stood up in my university sort of bravado. And I was like, oh, I'll tell you how this works. And then I spent like 30 seconds explaining this thing.
Starting point is 00:03:45 And then you looked at me and just deadpanned, like, you're absolutely wrong. Here's how it works. You stood up. And for 45 minutes, you worked through like every instruction. that happened in the operating system. And I was just blown away by your level of knowledge. I mean, that's kind of you to say. There's probably a factor of blown away at how much of a jerk I was in the process of that,
Starting point is 00:04:08 which I'd like to say has changed, but probably not so much. But, yeah, it was a really, it was cool. I think the environment that we got to work in was learning from people. The, you know, for me, that time in my life really defined what a good team was. you know, when you learn something, you share it with other people in the office. I remember, you know, there was five or six of us in particular at one point where it was a very large research focused group. And anytime you learn something or I learned something or one of our colleagues learned something,
Starting point is 00:04:39 it was a really neat discovery, but we took the time to educate each other. And I think what that fostered was a team that, you know, a level of trust that I had never experienced in my life. I remember, you know, entering that team being massively humbled. And, you know, once the ego got dealt with, and you could really jump into that environment, it just catapults one's growth. And I still look back to those times and consider myself extremely lucky. And I guess always acknowledge that that time in my life largely defined who I am today.
Starting point is 00:05:12 I want to come back to that in a second. I remember it is weird to hear you say sort of like you were humbled. You are literally the best in the world at what you do. And we're going to come back to that throughout this interview. Is it drinking whiskey? You're pretty good at that too. I remember showing up. Like, you used to drive me all the time
Starting point is 00:05:31 in your Mazda. What was that, the... It was MX6, buddy. That was the... Smelled like toffee nut latte. Yeah, yeah, no, that was the dream. Cybermobile. We spent a lot of time together.
Starting point is 00:05:42 What made you leave? So I, I reflect on that quite a bit, just because I get that question often, and I don't think I've ever really had a good answer that, that wasn't necessarily immature. The ultimate reason I left was because I saw a limit to what I could grow into
Starting point is 00:06:02 and what the vision of the group I was in achieving one. Like there was a ceiling arbitrarily put on top of that. And I'm the type of person that I don't work well when somebody says this is as far as you can go or this is what we're going to do regardless of what the evidence or ideas or good ideas, bad ideas, whatever, that stopped, and it was not an environment that I said, I can grow here anymore. One of the big indicators of that, which you'll probably laugh at this, but there's a management competition. I screwed up the entire interview, but it was the same problem where somebody would ask, you know, the interviewer would ask me a question, and rather than give
Starting point is 00:06:42 the answer of, you know, I would build a team to do this, I would request funding to do this, I would, you know, reach out to universities to bring them into the, into the fold. So, you know, that's the answers they wanted to hear. What I gave them were the technical responses to the questions they were asking. So how would you solve this problem? Yeah. My answer was, well, I would do X, Y, Z, and then I would do this. You didn't play the game.
Starting point is 00:07:08 No, it was just I answered the question. And I think that was the first time it really dawned on me that I probably don't fit into the mold that they were looking for. So I think that's when I started to, I guess the ball started rolling on my departure. I remember it changed probably about eight months before you left. Like it started to get more, I don't know, I don't even know how to word this. Like when we started, it was very fast moving. We had a lot of authority, a lot of control, a lot of decision-making power. And then slowly, as we became more successful, the irony is like that sort of became less and less over time.
Starting point is 00:07:47 Yeah, I remember having a conversation with one of our mutual colleagues at the time. And I remember being very irritated about the arbitrary handcuffs that were being put on our ability to innovate research. You know, I remember a contentious time that you and I actually, you know, stood up at a town hall and got in a giant argument with a director. Stu, if you're listening, we're sorry. And it was, it was very frustrating. And I remember that colleague saying, this is just part of business, man. Once you're part of a group that does something really good and people take notice and they, you know, they want to turn that into a larger part of the organization. And with that comes what you're seeing now, you know, formalized, you can't work more than this. You have different reporting responsibilities. And, you know, at that time, I just wanted to innovate. I just wanted to come up with new solutions to the problems that operations were running into. You know, not being able to do that in its raw form was extremely frustrating. So you left. And we can't talk about what we did there, but we can talk about what you did right after you left. And so you started Linchpin, and you had an unconventional sort of way of starting that company, which is releasing a privilege elevation to get some attention on Microsoft. You want to talk about that?
Starting point is 00:09:07 Yeah. So that was a funny period. So at the time, my business partner and I, we thought, you know, how can we make a splash? Because when we left, you know, our intention was to, you know, augment the world that we left with, I guess, a privatized twist on things. So we thought about, okay, how can we really stir things up a bit? And at the time, Microsoft was releasing mandatory driver signing as part of Windows Vista, which is showing our age right there. And, you know, there's so much hype around it. And the way it was being advertised, it was going to be this silver bullet to stop all malware, to stop, you know, anything bad that could be happening. And anybody who has spent any time, I guess, on the offensive side of the house, you know, was looking at that and saying, no, that's bullshit. Yeah, it'll make things better.
Starting point is 00:09:58 But it's not going to be the silver bullet that everybody thinks. So we said, all right, well, why don't we just do something kind of funny and, you know, show them? So what we did was we wrote a tool called Den Weep Atsv. The name of the company was Den Weep Atsv, which is Vista Pwned in reverse. You know, got a signing certificate under this fake company, legitimately registered, fake in reality, and released a tool. It was a signed component that would load an unsigned driver, and it was not to do anything other than show how easy it is, with the most simplest, goofiest approach, to get around this problem. And so at the time
Starting point is 00:10:36 I was in Australia with my business partner starting things up. We were working out of a closet, really kind of a rag-tag setup to start. And at the time there were people being arrested for violations of the DMCA, Digital Millennium Copyright Act, which back at that time was a really contentious thing because it was changing what people could or could not do with computers, and it was a really big deal.
Starting point is 00:11:01 So when we released that, some people are like, oh, that's kind of neat, and other people are, you know, one person in particular was like, this is a violation of the DMCA, you should be arrested. P.S. it's not really that cool. I'm going to go and release a tool
Starting point is 00:11:16 that actually exploits ATI drivers and NVIDIA drivers, and then basically does the same thing, but I've done it a lot cooler. So take that, Linchpin, ha-ha. Right. And in reality, that was... I remember that guy. Yeah, that was so much worse because,
Starting point is 00:11:31 and I don't know if it actually resulted in the revoking of ATI and NVIDIA's signing certificate, but it was something that, you know, to us, it was... It was just, well, it was stupid to say that we were violating the DMCA, and two, the response was just so much unbelievably worse. And it was a very weird first few months of the company. Do you ever miss sort of working at the intelligence agency? I miss people.
Starting point is 00:11:59 I miss a lot of really good people. They're amazing people. It's a very underrated. People think that all sort of like government employees are lumped in the same group. They're not, as we can both attest to you. Yeah. So I miss the people. I miss having first-hand exposure to the mission.
Starting point is 00:12:17 You know, I think back to some of the things I got to see and be a part of that no one will ever know about and that is really cool. It was really neat being a part of that. It creates memories that I'm pretty sure if I were to run into somebody 30 years from now on the other side of the world in a bar, you know, immediately there's that connection of like, hey, we did that. That was really cool. So, yeah, I mean, I miss aspects, but I don't miss the handcuffs that were ultimately. a part of my departure from there. And then when you left, do you ever feel like there was, they didn't want you to succeed because they wanted you to come back?
Starting point is 00:12:52 Was there a part of you that felt like they didn't want to give you contracts? They didn't want to. I don't know if there's any interest in me coming back. I think there was definitely skepticism as to whether I could succeed, which I'm fine with that. I mean, you know, clearly at the time, my business partner and I were the first ones to kind of make that jump and do that together. And there's a lot of skepticism as to whether we should be allowed to do that,
Starting point is 00:13:20 whether we are able to do that. I remember having a departure interview with the Hyatt manager who sat me down and said, you're going to go sell to China. You're going to enable China. And I looked at him in the eye and I said, what on earth would make you think I would ever do that? That is the most ridiculous thing ever. So I think there was a bit of fear that we would enable, you know,
Starting point is 00:13:41 adversaries of allied countries, which, yeah, I mean, in retrospect, I can understand. I just think at the time it was an immature view. I remember going to a meeting a couple weeks after you left, and they were like, oh, we're not going to buy anything from him. And I was like, we're going to end up giving this guy like 50 million bucks a year. I want to say I was closer to reality than they were. I mean, so the idea of going private was taking the handcuffs off and creating an environment where we put really, really smart people together. Part of our recruiting strategy was immediately going after the best people in the community and taking all barriers out of their way and letting them do amazing things.
Starting point is 00:14:22 I want to dive into that a little more because you were able to replicate an entire wing of an agency, if you want to say that, with one twentieth the number of people and have higher output. How are you able to do that? Same people. You just took them out of the environment. And what enabled that? Largely removing barriers. I mean, I think that was a big component of it, you know, giving them an environment that they
Starting point is 00:14:48 could excel in, which, you know, breaks down into what tools do you need? Do you need to put in a purchase requisition to get what you need? Or can I just get that for you? Like, that was one of the comments from one person I remember early on when they joined. They're like, okay, these are the things I'm going to need to do my job. And they're like, okay, I'll be back in 30 minutes. And here's your stuff. And the reaction was really like, we can just do this? It's like, yeah, go be a genius, go produce amazing things. So I think that was a big component. I think making it clear that everything
Starting point is 00:15:21 that we were doing was as a team. And I think, as an aside, this is one thing I think people who are entrepreneurs sometimes get caught up in, that it's about them, it's about their journey. And the way I approach it is, no, we're all in this together. I'm really lucky to have you in the company. And creating that environment where they knew that they were lucky, that I appreciated them, and that whatever we do, we're doing together, I think it's an empowering message to build a team around. I remember one of the things I took away that I've learned from you is when you started doing that with people and you were like, what equipment do you need to do your job? And you just go out and get it for them and they were astonished by how simple that was.
Starting point is 00:16:01 And that's something we do with everybody here too. We just sort of, like, what is it you need to do your job to the best of your ability? There's a downside to that too, which is really interesting, because then you lose the excuse of the equipment's the problem. If only I had the right tools I could, like, deliver, right? Like, so there's this subtle sort of undercurrent to it, which is, uh, I expect you to be amazing at what you do and keep getting better. Yeah. And I mean, I think for some people, um, sometimes just that belief helps them get there. And so you did LPL from, what, 2007? 7 to 18.
Starting point is 00:16:36 To 2018. What are some of the lessons you learned about growing that? When you ended, how many people were there? So globally, I'm going to lump in the partner company that we were sold with. But I think at the time, close to 90 to 100. We sold in 2018, but I didn't leave until December of 2019. I want to come back to that. But what are some of the lessons you learned from growing, scaling, running that company, recruiting,
Starting point is 00:17:01 I think one of the biggest things was, you know, starting a company from scratch, you know, at that time, I had a computer science background. I clearly had a lot of experience in cybersecurity. You know, I took some accounting courses and marketing courses in university. So I think there was a bit of a foundation as to, okay, if, you know, I remember doing a business plan because that was one thing you did. You made a business plan. But one thing through the Linchpin experience that I got to have was I got to do every job. So I got to literally be the janitor. I got to be the marketing person. I got to be the primary salesperson. I remember doing really challenging sales pitches in front of audiences that didn't even want me in the room because I was, you know, stamping on their creative territory. I got to write code. I got to manage projects. I got to be the evangelist in the company.
Starting point is 00:17:51 And going from there to Field Effect with that base, I think allows me to really, you know, make decisions that are more informed. It allows me to, I guess, understand and appreciate all the different parts of Field Effect, which is much more diverse. We're going to come to Field Effect in a second. So I think there was that. I think the ability to make decisions and be confident in those decisions, not get caught in, you know, paralysis of decision making. That is something that I think at first I struggled with. But over time, the ability to filter out the noise and focus on the things that actually truly matter have really helped.
Starting point is 00:18:29 So why'd you leave? I mean, right before you left, you're the guy, every three-letter agency. And basically, the allied world would call when they had a problem they couldn't solve. And you would solve it. Why leave? I was going to make a joke about they ran out of problems, but it wouldn't be funny. They didn't. No, problems done.
Starting point is 00:18:51 All problems solved. Actually, the same reason I think, and this is actually where I think I realized why, you know, the root factor of why I left CSE, is it was a similar scenario where... You guys, like, got bought? Yeah, yeah. But it was a change in what I could do. I started to see a ceiling on what I could achieve. And it became clear to me that, you know,
Starting point is 00:19:15 I was the square peg trying to fit into the round hole because of ambitions and more creative things that I thought we could do. And that was actually pretty interesting experience coming to terms that I was the square peg in the round hole because it definitely took time to, you know, the hole's not going to change. Yeah, yeah.
Starting point is 00:19:33 And you go through this evolution of like, what's wrong with everybody? Why is nobody on board with this? And then the realization that, oh, shit, it's me. I'm the problem here. And then the appreciation of, okay, okay, understanding why that is. And I think that ultimately made the transition very easy, actually.
Starting point is 00:19:53 And it's not something that I look back on at this point with any animosity or anything. I think it was just part of life. You exited with more than enough to sort of walk away for the rest of your life and just sort of, like, sit on a boat in Costa Rica and never have to worry again. But there are sharks. There are sharks. But then you start Field Effect.
Starting point is 00:20:16 And how many employees are you now? Almost 100. You're almost 100. You're entirely self-funded to this point. So you basically took all this money you made and you were like, like, oh, I want to do this again, and I'm going to put it all on the line. Like, what went into that thinking? Several factors.
Starting point is 00:20:35 Several factors. I think I really enjoy solving hard problems. And the current state of the cybersecurity industry, to say it's a hard problem is an understatement. It is an unethical shit show, I would say. And it really bothers me where it's at. So I think there's a large part of me that wants to fix that. There's also the aspect of, I'm, like, ultimately a serial entrepreneur. And I remember chatting with my wife, like, when that transition was happening. She asked me, like, why are you doing this? And I'm like, what else am I going to do? I'm just going to start something else, and it's either,
Starting point is 00:21:16 you know, a cybersecurity company that I'm once again running that I believe can change the world and fix a lot of problems, or I can open a coffee shop. Probably going to take the same amount of time. So how about the cybersecurity firm? And how important has she been through this? She's amazing. I don't think I could ever thank her enough. I think the formula for my success, she is a huge part of that. She is a fun of workaholic. Yes. If you could, if you could sample what makes her run, you know, who she is, and somehow create, like, a vaccine and inoculate the world,
Starting point is 00:21:56 like, you would have world peace, hands down. And that obviously is a strong statement, but she is a phenomenal... Anybody who knows her would definitely agree with that. I would agree. She's amazing. She's pretty cool.
Starting point is 00:22:08 You mentioned sort of the state of the cybersecurity industry. Talk to me a little bit about that. Where are we? What's it look like? I mean, there's nobody in the world, from my point of view, that would have a better aperture into not only how things are,
Starting point is 00:22:23 how they're sold, but also the attacker's mindset in terms of what you're buying versus what you're consuming and how it's impacting your business. This is the part in the discussion where you get angry. That's okay. We get a lot of scotch. So I think to answer that question, the first thing we need to do is look at what the cybersecurity industry actually is, because I think it gets muddled the way the public looks at it, the way it's reported on. It's just everything. It's like a grab bag for... Yeah. So I, I think there's, there's three groups or, or pillars of cybersecurity. There's the one, there's the offensive side, which we've talked about, the, the ransomware, the intelligence agencies. I say offensive, but the whole, it's that traditional hacking, which, um, you know, has
Starting point is 00:23:09 largely been glorified thanks to Hollywood. Mr. Robot gets it right, though. I don't know if, I remember in Swordfish he says, down, like 30 seconds later, everything. Yeah, no, it's largely horse shit. Isn't that how it works, with VR goggles? Yeah. Um, but if you ever seen Mr. Robot, that is actually an accurate representation, if you ever are curious. But it is a, you know, it is this glamorized thing that is entirely misrepresented, but it is an economy in itself. There's an economy behind ransomware and they get paid for it. They are successful. There's an economy behind intelligence agencies. That is ultimately what drives that, dollars and cents. On the defensive side, the second bit, and by the way, the first bit only exists because humans are generally horrible at writing software. So that wouldn't exist if people were actually good at security models and implementing software. The second bit only exists because the first bit exists.
Starting point is 00:24:02 So that's the defensive side. So let me, I guess the best way to describe it is, as a consumer, it is probably the worst experience you could go through. So if you're going to go buy some cybersecurity, are you buying an antivirus? That's exactly what I want to do. I want to buy some cyber. Because that's largely because it's a, it's a... joking, but yeah. It's a black box industry, right? A lot of businesses, a lot of people don't know what they're actually buying, and that has been exploited by the industry. And this is the part
Starting point is 00:24:32 where I get angry because none of the solutions out there, there are a few that are decent, but like look at what your options are. Do I buy an antivirus? Do I buy anti-spyware? Do I buy firewall chain? Maybe an IDS, intrusion detection system. Maybe endpoint detect and respond. Maybe user behavior analysis, maybe a network monitor. And the way that vendors will try to push it forward is they say, you actually need all of that, which is total crap. You do not need all of those things. They do not work well together. So that whole thing angers me to no end. The third bit is a category that isn't actually cybersecurity. I read an interesting article recently, and it kind of clued me in. I was like, actually, yeah, no, this third thing or pillar exists that is
Starting point is 00:25:21 entirely wrong. And it's that bit that happens in, you know, on the internet, uh, social media, that type of thing, uh, that isn't actually security related. But people like to kind of put a box around that. So an example would be, um, you know, election interference. So how do, what are the organized influence, influential campaigns on, on social media to, to get people to vote in particular directions? I do not think that's cybersecurity, but that also gets lumped in. So that, that, that is the third bit, which is kind of like faux cybersecurity. It's a little bit confusing because then you lose track of what's actually happening. But, I mean, intelligence agencies have been spying on other countries forever.
Starting point is 00:26:02 One of the things that have changed now is not only the amount of consumer data and the value of that data, but also that people are spying on companies now, as a means to fast-track their R&D. Why invest hundreds of millions of dollars when you can sort of, like, just hack into somebody else's computer and download all their work and then claim that as your own. You know, I mean, it highlights why, you know, people, companies need to take this problem seriously. And I don't think it necessarily extends just to large companies at this point. Legal firms, accountants, huge targets, huge targets. I mean, you think about what they're dealing with in regards to confidential agreements, financials of individuals and companies. And that's
Starting point is 00:26:44 one thing I think we've seen over the last couple of years is the attention that state-sponsored groups are going after. It's no longer, you know, the Sonys of the world. It is now your, your, your law firms, because there's a lot of intelligence value there. Patent firms, I mean, there's a lot of intelligence value there. So, um, the, you know, how, how seriously smaller companies need to take this threat I think is really going up. I find it super interesting. I mean, I was talking to KPMG just last week and they were like, oh, send me this. And I was like, how do I send it to you? And they're like, just put it in an email. I was like, what are you talking about? Like, I'm not putting that in an email. Yeah. I sort of compromised with, like, I used quickforget.com and, like, uploaded something and
Starting point is 00:27:29 it's like, this is good for, like, six hours, so you better download it. But it's amazing to me, the lack of thought that goes into the information you share and how that manifests itself or what's exposed, right? Because if somebody breaks into that computer, that whole email chain's there. Now the file's there already, but a lot of the email's stored in the cloud. It's a lot easier to access than people realize. What makes you want to tackle this problem? This is like the greatest intractable problem ever with tons of competition. Like the government's doing host-based. You have private sector doing all of these things, cobbling together solutions. Like what makes you think that you can have a better outcome for customers?
Starting point is 00:28:14 arrogance. I mean, nobody knows the industry better than you do, but like, seriously, there's billions of dollars going on here. Yeah, so, I mean, if we, if we look 20 years ago, it's the same problem. One of the things I tell people when they join who, you know, when I hire from intelligence agencies, is that be prepared to be disappointed because the problems that you are going to see will shock you that, you know, that they're still out there. So the techniques that are 10 years old or the problems that should be 10 years old are still happening today.
Starting point is 00:28:51 And, you know, I think that that's a large referendum on how not good the cybersecurity industry is at actually trying to solve the problem. And if I look at, you know, the vendors out there, I'm not going to name any specific competition. But what I see is a sales strategy that is like a warped used car salesman strategy. And that's probably an insult to used car salesmen out there because it's much worse. It's all about the transaction. It's all about, you know, getting, getting that done, taking the customer's money and saying good luck. And that isn't resulting... We're not responsible for anything. Yeah. And that's not making anything better. How should that work? Like how do people buy cyber? Isn't it the, I wasn't on sort of like the acquisition
Starting point is 00:29:36 of cyber side, but like this Gartner quadrant? Does that sound familiar? Yeah. Yeah. So that is, I guess, a measuring system, a measuring stick to help the vendors or customers or prospective customers, companies, I guess is a better term, to guide them and buy in what they may or may not need. There are a few problems with that. The Gartner Quadrant system is often outdated. We were, for example, Field Effect was marketing a managed detection and response service well before it was defined in Gartner. And ironically, at the time, we had a hard time, you know, gaining traction. Because that's always looking at, like, existing sort of technology and threats and looking backwards saying, like, oh, these people accomplish this, but not looking forward in terms of where the industry is going. Yeah.
Starting point is 00:30:21 So that, you know, that is a, it is a useful classification system. It is just behind the curve continuously. The second thing is I don't think businesses actually necessarily know what they're looking for. Yeah, like, how would you be educated? If you're, like, a law firm, an accounting firm, you get 100 employees. You don't have like a cyber guy or girl. No. Like how do you go about doing that?
Starting point is 00:30:47 So, so I mean, that's ultimately the realm that, you know, Field Effect sits in, the small to medium business space. Because, you know,
Starting point is 00:30:54 it is infeasible for every company to have an IT team. And in our experience, I mean, an IT team is good. They have expertise, but they may not necessarily be, you know,
Starting point is 00:31:06 security experts. Is that kind of like Shopify for cybersecurity? Because Shopify is really arming you. You don't have to worry about building a store. You don't have to worry about managing inventory. You don't have to worry about they're arming the rebels, if you will, against Amazon. Are you giving world-class technology to small and medium-sized businesses as a means to, like you don't really have to know all the ins and outs of cybersecurity, but then it becomes trust-based. Why would I trust you over another vendor?
Starting point is 00:31:36 That's a great question. I mean, I think trust takes time. You don't just magically get trust right out of the gate. And I think that is something we put a lot of time into building. We take time to create a customer relationship, ask customers what their needs are, what are their problems. And then, you know, tell us about your network. How can we help you? And, you know, early on in that process, I think it becomes clear that we're not just
Starting point is 00:32:02 out trying to sell software in a commoditized way. The first thing we do is do an external view of the network and identify, okay, here's a problem right here. We want to help you fix problems. It's not just here is a solution that you have to run with. It is all about us helping you be better, fixing problems, and sustaining that moving forward. And that is largely a component that I don't think most vendors in the cybersecurity industry get. They are more interested in showing you, check out this really cool interface, which, you know,
Starting point is 00:32:34 nobody in your company is probably going to know how to use. And then if you don't see something, it's like, oh, it's not our fault. It's in the interface somewhere and you didn't. Yeah, you didn't see the logs. So why didn't you action that? And that, I mean, I think the assumption that the average business is going to care about cybersecurity is a false starting point because businesses, you know, you buy your computer hardware, you get your IT set up.
Starting point is 00:33:00 If I'm a business and, you know, out there, I'm not starting my day off thinking, oh, I can't wait to buy some cybers or understand some, you know, cybersecurity. And that is the baseline. That I think for, you know, an effective solution, that's what you're dealing with. You're dealing with a company or a customer that doesn't care about cybersecurity, but you need to help them. The baseline of the interface could be an office manager, not somebody who has a computer science degree or somebody who has any background or interest in cybersecurity. So having a system that, you know, is set up and built and implemented to work with people, who don't necessarily care or will care or should even care because that's not their job,
Starting point is 00:33:46 that's what we do. Well, that's a good point, right? Like you're not trying to make them care. You're just trying to say, this isn't a worry for you anymore. Yeah. Yeah. And when something comes up, here's a very concise way of dealing with it. Not a, you know, a series of links, go Google this, learn how to implement a VPN, learn how
Starting point is 00:34:03 to use a firewall, learn how to patch your system. It's a guided approach to this is specifically what you need to do. Let's flip that around, and what people don't often see, which you can add uniquely, is sort of what's the mind of the attacker? Like, if you're looking at acquiring valuable information from a company, walk me through that whole process. Like, how do you think about that? How do you go about doing that?
Starting point is 00:34:32 What does that look like? So initially, an attacker is going to profile the target, and that can look like different things. So if, you know, the target has online services, they'll probe those services to see what's there. Are there any email addresses on your website that are really easy to identify? What type of social media presence is there? And that ultimately will lead into typically a social engineering campaign, either in the form of, you know, an email that is received that looks really normal, that you want to trust, and hopefully we'll get you to click on something or double click on an attachment, or it'll go to your phone, you click on that, and that exploitation occurs.
Starting point is 00:35:12 The other approach that we see quite a bit is people don't use multi-factor authentication with just a basic email setup. So brute forcing passwords works. Somebody gets in. We'll scope out your inbox and see what's there, who are your customers, what's your routine, and then they will perform perhaps a financial redirection. So in that case, they would get an idea of what your entire portfolio is and email all of your customers and say, hey, here's your new payment instructions. And they will have all the outstanding invoices already, you know, listed and ready to go. So they can immediately say, you know, you owe us X amount. This is where I want you to send this money now. And that is remarkably and surprisingly effective.
Starting point is 00:35:57 Yeah, and hard to track down. Even though there's like a total, with bank accounts, we'll come to cryptocurrencies and sort of ransomware later. But with bank accounts, it's easy to see where the money goes. It's really hard to get the money back once it's gone. Yeah. And that's conventional sort of attacks, right? Versus sort of somebody like Boeing or General Electric or sort of Cisco who would have a lot more valuable IP and probably worth a zero day or sort of like
Starting point is 00:36:25 developing a custom exploit. Can you walk me through like how that would work hypothetically, of course? So you're interested more of the pointy end of the stick? Yeah. Yeah. So, you know, the way the way exploitation works is, what specific platform you'd like walk through? Let's walk through Windows. Windows, okay.
Starting point is 00:36:44 So if you're going after a Windows box, it's either a server or a workstation. Typically, servers, if they're internet facing, gives you the ability to hit it direct. So if you have a zero-day and, you know, a web server, for example, that is something you can directly access and exploit. And that is a very direct way, I guess, of attacking. The other approach is you have a Windows client. You're sitting at your desk. You have a laptop and you're just typing away and you get an email. That is probably the most common way.
Starting point is 00:37:16 And what that looks like is, again, back to the scenario where you're trying to convince somebody to trust an email. So they click on a link. What happens? Like walk me through. I click on this link. Yeah. So the first thing that happens is, you know, the browser would be exploited. So whatever browser renders that link, web browser exploit would basically gain code execution. And modern browsers are definitely getting better at protecting against that type of thing. So, you know, Chrome is, every browser has a sandbox now. Most browser flavors are, you know, some measure of Chrome. So even Microsoft Edge is now based on Chromium. And so is Brave, and so is, like, Firefox isn't there, is it? No, no, Firefox is not. I think they're still rocking their own setup. For now. They just fired their threat
Starting point is 00:38:02 team. Oh, geez. I didn't even hear that. So, so yeah, gains execution inside the browser. And then the goal is then to gain privilege in the operating system. So that could constitute a sandbox escape to get out of that browser sandbox, a privilege escalation to ideally execute at a higher privilege level to basically nullify any security on the host and ideally get execution in the operating system's kernel. And once you're there, it's largely game over. But you get kernel on an individual host, walk me through how you, like, how does that become network access to at a super admin level or? So once you have that, you, there really are no barriers to do, to doing anything on that host. So if you want to open up comms back to Mothership, you can do that.
Starting point is 00:38:53 If you want to access a whole bunch of data, you can do that. But how do you open up comms? Like, isn't everybody monitoring these links now in terms of like how you exfil information? No, no. So we're kind of diving into why this is actually a really hard problem and why any specific pillar doesn't work. So if you only buy a network monitoring solution, you won't see really anything that I've
Starting point is 00:39:16 described thus far. If you buy an endpoint only solution, there may be hints of things that have happened depending on the sophistication of the endpoint solution. But as soon as it gets particularly deep in the kernel, you're not going to see that. So it's a very challenging position. That's why having a holistic approach is so important. You need network. You need endpoint.
Starting point is 00:39:41 So if you get by either one of those things, the other will pick it up. And how does that work? Like on a particular client, I can understand how those things communicate. But then how do you take an attack on one company and then translate that into a defense on another company with something you haven't seen before? So I guess largely that depends on how well the cybersecurity solution is implemented, if it is part of a network where you can dynamically signature an attack quickly and create an artifact, we'll say, that can be applied across the network of other customers. That is a way to combat against that. I mean, the zero-day
Starting point is 00:40:21 problem is something that's always going to be there. I think this is something that a lot of vendors don't actually realize that no matter how much you lock down your operating system, There's always going to be a creative group out there that does things better that can get around it. I mean, if you look at Apple iPhone for the past, I'd say decade, they've been adding an increasing number of security mechanisms into the operating system that largely limit an operator to only being able to do specific things. But that is largely crippling from a security standpoint because all you need to do is get around the set of mitigations, and you now can own any Apple device in the world. And a really scary thing is recently a company called Vupen. That isn't, you know, they buy zero-day exploits.
Starting point is 00:41:11 I'm not sure where they go after that, but what they do is, well, I can speculate, but they buy zero-day exploits. And they posted something recently where they said, we're full up on iOS privilege escalations. We get enough. Yeah. And if that isn't a wake-up call to Apple,
Starting point is 00:41:30 I don't really know what would be. That's basically the industry is saying, yeah, your operating system is not as secure as you think it is. That's kind of like the great wall theory, right? Like you have this big wall around, but once you're on the inside of that wall, it's like there's no defenses after that. Yeah, and that perfectly describes Apple.
Starting point is 00:41:48 And that actually describes every mobile operating system out there. Well, Android, talk to me about the specific challenges with Android because they have like a host of other problems that aren't common occurrences that have to be dealt with. Like everybody has a different version of Android that they're running. It's always out of date.
Starting point is 00:42:08 Yeah, so Android's an interesting beast because a lot of... It's the most common platform, isn't it? Yeah, and it gets a lot of positive attention out there because it is an open platform. It's a security nightmare. Yeah, you can download the source code and you can see what's running.
Starting point is 00:42:23 And that is a component of a secure operating system, I guess, that the average person can go out and audit what's there. The average person could, if they want, take that, download it, compile it, put it on their phone, and maybe add some additional bells and whistles. The concept is very noble. The reality of it is not so great
Starting point is 00:42:42 because what we have today is there is the main Android branch that evolves, that Google releases. Android 11 just got recently released, and vendors will take that. And they will adopt it as is, or they will customize it, or they will, you know, take particular parts of the, what's called a change history. It's basically the
Starting point is 00:43:04 changes that have been made to the code base. When that is taken into context with vulnerabilities, the fixes may or may not make it in. So you could have, you know, the latest Samsung phone running Android 11, that doesn't actually have all of the security fixes that the main Android branch has. Right. Because somebody's accepting or rejecting. Yeah. Yeah. And I can tell you that with 100% certainty. I have not looked at Android 11, but what I have experienced over the past two decades, there are problems in the Samsung version that have been missed because humans again are part of the equation. And on the list, it'll say, you know, CVE fixed, CVE fixed, but those fixes aren't there. Bad guys or attackers will know that and they will exploit that.
Starting point is 00:43:51 And there is literally nothing you can do to defend against that if you are a target. And that is a pretty frightening proposition. So you would rather go up against an Android phone than an iPhone if you were an attacker? That's an interesting question. I think the odds of getting exploited are higher on Android, although the nature of Android also creates a scenario where there's so many different flavors of Android. It makes it much more difficult to create a mass attack, whereas on iOS, because it's the same version of the operating system across the board
Starting point is 00:44:25 on every device. If you can find a problem in that, you get all those devices. On Android, you get the nuances. I put nuances in quotes of some of the decisions that individual vendors will make that makes it very difficult to take an attack on Samsung and apply it to, I don't know, Google phone or a ZTE phone. So it's, I would say generally it's the security position on Android is worse. You know, the odds of being hit in a mass attack are potentially lower. But if somebody is targeting you, I would say that the odds of, you know, them being successful against you are higher on Android Twitter. As phones or, you know, if you want to call them personal computers, it's like those are
Starting point is 00:45:06 our personal computers, right, more so than we think, become more prevalent, they'll become the surface of which gets commonly attacked. Walk me through, like, how does phone exploitation even work? Like, is it the same sort of system that you would use for Windows or Apple? Is it different? Like, how do you attack the phone? You have this thing on you all the time. It's got a mic, it's got a camera. So the, the unfortunate answer is the exact same way you'd go after every other type of computer. iOS is just an operating system. Android is just an operating system. There's no, there's no special features that make it impervious to attack. There, there are different security mechanisms in place that an attacker needs to get around, but it's the same deal. So if I'm going
Starting point is 00:45:51 after your Windows laptop in the scenario that I described, or I send you an email. On mobiles, it's the same thing. And it's actually worse in some cases. About a year ago, a company out of Israel called NSO Group, they got busted for having a WhatsApp zero, zero click mechanism. So there's some quick lingo dive here. One click versus zero click. One click is you have to social engineer somebody to the point where they can click on a link and exploit the phone. Zero click is where there's nothing you can do. You are just owned and you have no idea. By, you don't even see a message, like you're just, yeah, no decision on your part. You're sleeping in the middle of the night. In this case, uh, NSO Group, um, you know, sends you a malicious bit of content
Starting point is 00:46:36 via WhatsApp, assuming they've been able to, you know, figure out your WhatsApp ID, and then exploit your phone. And congratulations, that, that whole step of getting around sandboxes, privilege escalation, that, it's all the same concepts, but in this case it is a direct way to attack a device that you own. So previously, like, tools like that were only in the hands of governments and they weren't generally targeting individuals or small corporations. Is that changed? I think the accessibility is different. There's like an asymmetry to this, right? Like some, some person, some teenager, guy or girl sitting in their garage can literally have a massive disproportionate impact. I'm thinking of the, the attack on Twitter recently and how, you know, that was a social
Starting point is 00:47:23 engineering attack. And yeah, and, and, you know, in the context of going after mobiles, I mean, that, that's, that's, it all comes down to the accessibility of the attack vector and the, the creativity of the person running the, the attack vector. So I was thinking, you know, with NSO Group, you know, there's, there's a lot of articles on them about who they sell to and don't sell to. Um, they have a whole group now, or whole internal group within the company that I've read, uh, dedicated to making sure they make ethical decisions. I don't personally trust that they're making ethical decisions. Why do you need a group to make ethical decisions? I mean, that's an indication that ethics weren't a component in the founding of the company. That's probably a whole
Starting point is 00:48:07 other discussion. But yeah, I think, you know, the point that the attacker and what that looks like is, you know, it's much more plausible that it is not an intelligence agency. You know, you look at the groups that are running out of, you know, other countries, I'll pick on India a little bit just because I've seen some, you know, some IP reports on, you know, some problems coming out of there. But in terms of social engineering efforts, you know, it doesn't take a lot to go after Android that's two years old. And how many, I haven't looked at the statistics of how, you know, what the market coverage is of Android versions, pretty confident that if you're rocking a version of Android that's a year old, you're probably a pretty big target. And that, again, I don't mean
Starting point is 00:48:58 to pick on Android, but that is just a reality of how that ecosystem has evolved. People don't really realize the scale at which this affects the economy, right? Like, you see these ransomware attacks, which I want to come to next, in terms of like $20 million paid in Bitcoin, but what you don't see is the trillions of dollars in IP that have been transferred to foreign governments over the last decade. Recently, we've seen a lot of intellectual property leaks. I kind of feel that, you know, it's, if you were going to steal intellectual property and then create a competing product with traces, which, you know, Huawei got busted
Starting point is 00:49:35 for that. Yeah, well, when I come back to Huawei. Internal rage meter just went up. You know, it's a much more, you know, deniable scenario where, you know, things hit the internet and people say, okay, I do. just, it was out there now, so it's public domain knowledge. So the, you know, having separation from the attacker and the beneficiary of, of, you know, the results of the attack, you know, makes a lot of sense if one's goal was to get a hold of somebody's intellectual property. I mean,
Starting point is 00:50:06 once it's out there, everybody's going to consume it. You know, you look at the leaks of, the whole EternalBlue leaks. It's a series of tools from NSA that got leaked, Windows vulnerabilities, you know, went to WikiLeaks. Was that NSA or was that? the CIA ones that got released. Vault 7? No, that was, that was NSA. Was there CIA ones or am I making that up? No, there was one that was rooted in Vault 7 was that group. Was that leak, I guess.
Starting point is 00:50:34 The one I'm referring to was from NSA. And it was a whole treasure trove of tools. And this one was particularly interesting because it really, there are events that occur that destabilize, I guess, the defensive posture. Ransomware in general, I don't get how it even exists. It is the easiest malware to detect and stop. How there's even an industry around that, blows my mind.
Starting point is 00:50:58 But the attack vector that people use to wrap ransomware, the payload, weaponize, that chain that I talked about earlier, basically allowed a point and exploit capability on patched Windows machines. So walk me through ransomware. What happens? Depends on the flavor, but the overall goal is to extort money out of the victim. So there's different ways to do that. If you attack an individual, you would potentially encrypt their personal photos, credit card information, maybe other personal
Starting point is 00:51:32 compromising information, and then say, give me X amount of money, or I'm going to expose all your photos, or I'm going to delete it all. When it comes to businesses, it's more of going after intellectual property where if a particular workstation gets compromised, ransomware runs on that workstation, encrypts everything, potentially deletes everything at the time, typically making a copy of it because there's value in that, and then we'll go through all the network shares and do the same thing. So there's one particular, there's different groups, I guess, of ransomware actors out there, some that are, you know, won't call a bluff and others where if you say, I'm not going to pay you, they will 100% follow through on what they're going to do.
Starting point is 00:52:14 do. And this weird, I guess, sub-industry has emerged from ransomware actually being a thing and being accepted where companies will actually act as negotiators. So if you think back to those really cool movies where, you know, there's a really cool ransom, or sorry, hostage negotiator trying to talk somebody out of this scenario that exists for ransomware. And it drives me up the wall, for me. Yeah, yeah. Why is that a problem? Like, do, like, do your customers have ransomware problems? Well, no, because they use Covalence. We protect against that vector. But the one thing...
Starting point is 00:52:56 But how do you stop that? Like, if it's that easy to stop, why doesn't everybody stop it? I wish I had an answer to that. I don't think, you know, a network monitoring solution will not stop ransomware. There's nothing you can do about that. You need to be on host. Yeah, you have to be on host, and you have to have a measure of some sophistication and tradecraft to identify and block it.
Starting point is 00:53:15 We've seen, we have some coexistence scenarios where I won't identify the companies, but they are very, very large, successful companies, cybersecurity companies, and the ransomware gets by them, but we stop it. And it blows my mind that, you know, based on the, those companies. Because for you, that's easy. Like, that's not a big thing that you're worried about. It is a very, very basic profile to stop, identify. I might be jaded because I've been doing this for 20 years.
Starting point is 00:53:44 And in the grand scheme of things that I've been a part of, ransomware is definitely low on the sophistication bar. Do you think it would exist without cryptocurrency and anonymous payment forms? Because it always seems to be, at least in the news, it's always like you need to pay in Bitcoin so I can run away with this money. Yeah, I would say it'd definitely be harder
Starting point is 00:54:03 because that is definitely a very convenient payment structure to pay with Bitcoin. I'm just thinking in the cases where we've seen financial redirections and those are anonymous accounts that are used and then torn down. So there's, there's definitely... How hard is that to track? Like if you're sort of like the FBI or the, another three letter agency, like to follow that path? I, I don't, I don't know about that. It's not my, not my background. But I would say the, the challenge would not necessarily be the difficulty, it would be the average person or business getting any agency
Starting point is 00:54:41 to care to track it down because that intel agencies, law enforcement agencies aren't sitting around waiting for things to do. There's really big problems they're going after and trying to fix and solve and, you know, a small company, you know, a law firm getting ransomware is just low on their... Well, it's not even a matter of payment for them. In some cases, it's life or death for the business because you can effectively turn the business off overnight and just eliminate it, especially if you're small and you don't have these sort of like big bank accounts to pay. Yeah, yeah. I'm aware of, you know, businesses that have been shut down because of ransomware.
Starting point is 00:55:21 The payment is just too high and it's much easier just to say, okay, thrown in the towel. We're going to fold up shop and maybe start again. And this is ultimately why I don't like, I get very frustrated that companies will pay ransom or not take the time to hire a company ahead of time. Like, it's much easier and cheaper to be preventative and to harden your system and be ready for attacks. I mean, that is the reality of today. And anybody who thinks otherwise is, you know,
Starting point is 00:55:54 they've got their head in the sand. You're going to get ransomware. Bad things will happen. And hopefully it doesn't kill your company or compromise customer data. That's a whole other aspect of this equation that I don't think people take into consideration of their legal obligations to report compromises in customer data now.
Starting point is 00:56:13 There are fines. I remember before COVID-19 dropped, there was discussions about, you know, six-figure fines going to Canadian companies if they are ransom-wared, customer data gets compromised, and it is shown that they weren't taking the problem seriously ahead of time, so they didn't have the adequate security protections in place. What's adequate? Like, that sounds so subjective. Yeah, yeah.
Starting point is 00:56:37 I mean, is that back to that, Gartner, I checked the box. You can't sort of like fire me. So if I was a, you know, virtual CISO, I would probably, you know, reference the Gartner quadrant to make sure that, you know, the executive board is covered in regards to liability. There's almost like two layers to this, right? There's the apparent layer, which is like, I want to solve cybersecurity. But the real layer is like, I want to keep my job. And the easiest way to do that is,
Starting point is 00:57:07 not take any risks and go with the industry standard. And ultimately, when it comes down to accountability, that is a safe way to go. It is, unfortunately. Even if you're owned. Yeah, yeah. It's, it's, it's the safe way to go, but it is not the best thing for the company. It is not, uh, it is not forward facing. Uh, it is, I think it's being naive in regards to the, the type of attacks that are coming. So if you're a customer and you don't know a lot about this, one of the questions you should ask to sort of reveal the type of solution you're getting for real instead of sort of like checking the box. You know, right off the bat, I would say, how are you protecting my company? Tell me how you're protecting my company. Like, full stop. What happens when something goes
Starting point is 00:57:52 wrong? And you'll probably get a whole bunch of, you know, sales jargon. What's the difference to a good answer and a bad answer to that question? Oh, God. If somebody uses the word next generation, seamless, we'll stop everything, yeah, AI, we've got machine learning, any of that, if any of that comes up, big red flags. So if somebody can give you a good answer to what happens when your system fails, that gives you comfort, then I think that is a good position to move beyond. When I said earlier that, you know, the cybersecurity industry is like a bunch of unethical used car salesmen, it's because there's so much jargon and salesmanship that goes into
Starting point is 00:58:40 this. For example, the process of buying a car, what do you expect when you go to a dealership to buy a car? What do you want to walk away? Assuming you really like a car or a brand, what do you expect to walk away after a transaction occurs? The car. Yeah. Unfortunately, with the current cybersecurity industry, there are salespeople all over the place that will say, you know what you need is you need some wheels. And then another salesperson will say, I can sell you the engine.
Starting point is 00:59:10 And another salesperson will say, I'll sell you the steering wheel. You probably only need the steering wheel. But I can sell you that. It's going to be great. I got some rims over here too. And it is up to you as a company to put those things together
Starting point is 00:59:21 and make use of that. So you're cobbling together, the solution yourself. And each vendor, like no vendor is responsible then because it's like, oh, this person, there's a lot of finger pointing. Yeah.
Starting point is 00:59:31 And ultimately the, the only working cyber solution, and I don't care what the sales point is, the only true working cybersecurity solution is one that looks at it from where's your data, how are you going to be attacked across the board. So it needs to include an endpoint component, a network monitoring component, a cloud component, potentially an IoT component, an X, Y, Z for things that we don't even need to know it exists yet. This is where this whole concept of next generation drives me, because people say we have this next generation thing and what I'm seeing right now
Starting point is 01:00:07 is the exact same thing I've been seeing 20 years ago regardless of whether it has a machine learning component or not. What does that mean next generation? Like if you knew the next generation of exploits, you'd be... Well, ultimately it doesn't mean anything. A good solution should be iterative. A good solution should be engineered to handle the future without needing to put a sales tag around a,
Starting point is 01:00:29 you know, this is what we have now. we call it the next generation thing that the world has never seen. P.S. it's got machine learning, AI, blah, blah, blah, blah, blah, which ultimately doesn't mean anything if you're a buyer. All it does is confuse you. There's so much jargon in this industry in particular, right? And a lot of it is salesy. Like it's created by the sales teams, the sales force, the...
Starting point is 01:00:54 Yeah. The number of times I have had to worry about this, you know, these features that are sold to businesses around the world, being on the other side of the coin just years ago, never. I've never had to worry about machine learning. And by the way, existing machine learning implementations and a lot of solutions out there is the exact same thing that, you know, I've seen in antiviruses back in 2005. They just didn't call it machine learning.
Starting point is 01:01:21 It was just training analytics to look for anomalies. So when you were an attacker, what did you worry about? Oh, that's an intimate question. Getting caught. I mean, ultimately, yeah, I mean, so as an attacker, it is a continuous balance between risk and losing a capability. And this is... What does that mean?
Starting point is 01:01:48 And I'm speaking from, you know, back when I, you know, was at CSE. It means that, you know, when I said earlier that on the, you know, that first pillar of cybersecurity, if you want to call it pillar, there's an economy behind it. So there's a cost to building capabilities to go after a particular target. If you lose that capability, that immediately is an expectation of, okay, find a new one. And it's difficult. There's cost of that. There's labor. And that is a very big component that goes into the, I guess, the risk equation as to how you're going to approach an operation, how aggressive you're going to be.
Starting point is 01:02:31 And different, different, you know, agencies around the world will do different things. I mean, you look at China and Russia, they're remarkably aggressive with a lot of, I don't say disregard to their own intellectual property and what they're using, but they're certainly not quiet about what they're doing. It's like spray and pray, right? Yeah, I find it really intriguing. It makes me wonder a little bit like, do they have an army of thousands of people in warehouses cranking the stuff out, which they probably do, which is really scary.
Starting point is 01:03:01 Yeah, one of the things that I always found really fascinating about intelligence problems was there's always a country with more people who are just as smart, if not smarter than you, and just as good, if not better technology than you. And yet your task was sort of defending or, in some cases, acquiring information against these people and the hubris that sort of like goes into, oh, we know best. Yeah, that was always an intriguing calculation back at CSE. It's a good debate to have, I guess. If you've got something that took a lot of time to build, do you throw it down a hill and hope for the best, or do you protect it?
Starting point is 01:03:46 Do you put shoulder pads and knee pads on it and try to make it last as long as possible? So talk me through that, though. How do you see that? Because allied governments, friendly governments, whatever you want to call them, have exploits that are zero days, that they don't release
Starting point is 01:04:02 that have huge national security implications like we've seen some of those become public and have massive implications. Wasn't the NHS hack in Great Britain the result of a stolen zero day from an allied government? That one's tough. Like should they disclose them? What's your, like how do you think about that?
Starting point is 01:04:23 So from what I, so full disclosure, I don't have as much exposure to what the internal debate is on that. I'm aware that it happens. I think a lot of it comes down to what the perceived value is gained versus lost. If you don't disclose something and you use it operationally, is there more good for the mission, the country, its people, by not disclosing it versus disclosing it and losing a capability?
Starting point is 01:04:51 Yeah, it's a tough one because, you know, the adversaries of allied governments aren't going to disclose. They're not going to care. If they have something weaponized, they will use it. And I think, unfortunately, that is probably the tone that is set globally that underpins a lot of the decision-making. Like, if you're being attacked constantly and having your intellectual, your nation's intellectual property stolen, I mean, you could disclose all the vulnerabilities you have and you know about as a nation. It's not going to stop them. It's just not going to. They're, you know, going back to the Vupen example of
Starting point is 01:05:27 There are more out there. There's a backlog, apparently. Yeah. Yeah. Speaking of, I'm going to probably push some of your buttons here, so you might want to take a drink. Talk to me a little bit about Huawei. I'm just going to leave it there.
Starting point is 01:05:44 Expand on Huawei. So we've had many conversations on me. What a chestnut that situation is. So Huawei's had a bit of an interesting, less than smooth ride, I would say. They came out of nowhere with all this tech. Yeah, which miraculously happened right after a Cisco leak, a giant Cisco source code leak. It's a coincidence.
Starting point is 01:06:07 Yeah, so, you know, there's documented ties to the Chinese federal government with that company existing. There is, I don't know if they were ever convicted. It was back in 2003, 2004, but there was a very clear-cut case that Huawei was using conveniently leaked intellectual property. This is back to, you know, if I was going to steal your intellectual property, it is much more denial if I leak it out to the internet and then use it
Starting point is 01:06:38 and come out six months later and say, oh, look, I just found this out there and I used it. Really convenient. And, you know, where we are today, Huawei basically, you know, price undercuts, other vendors. And, you know, I ask how did they get to that point?
Starting point is 01:06:56 That sounds like they have a lower R&D budget. And how do you have a lower R&D budget? You get intellectual property via creative means. You know, today with them being banned from the U.S., I don't disagree with that. I have different thoughts about the whole TikTok situation. Wait, dive into the Huawei thing. Why don't you disagree with that?
Starting point is 01:07:18 Why don't I disagree with them being banned? Yeah, I mean, I agree with them being banned. Yeah, so I don't think there is a framework to build trust. I don't think they have earned that trust. And given, you know, if a nation is going to re-kit their entire country with a new type of wireless gear, especially with the complexities of 5G, you need to trust that vendor. You need to be sure that the interests of that vendor are at the very least not opposed to the interests of the country that you're in. And I don't know how anybody could possibly say that about Huawei.
Starting point is 01:07:55 I remember when the Brits did this whole thing, like we're going to set up this accredited lab, we're going to test it, so we're going to allow British Telecom to use it, but we'll test everything that's deployed. I remember just like that would fall apart in a second because the minute there's a zero day, you're going to deploy it right away,
Starting point is 01:08:12 especially if it's leaked on the internet, and then you've deployed code that you haven't code reviewed, and then the whole thing just falls apart. And I'm like, okay, well, it doesn't scale to the realistic pace of software development. Right. So let's imagine that a government does have a program in place where every iteration of source code, and these aren't small systems, we're talking millions of lines of source code, let's assume you have a crack team of amazing source reviewers that can say with confidence, yep, this looks great. Or better yet, they have a set of automated tools to be able to derive that answer, which is challenging, probably possible, extremely challenging. The realistic outcome is the time for, say, Huawei releases a new iteration. The time from that
Starting point is 01:08:59 release, because if they are a vendor that actually believes in securing their product and that new release of the firmware has, you know, fixes, time matters. You're against the clock before, you know, vulnerabilities could be discovered and put out. Because all it takes is for them to release that firmware once, have somebody rip that firmware apart and identify differences between the old and new. So you're immediately up against the clock. And if this ideal analysis process is being slowed down in any way, you're immediately compromising the vendor and giving them the argument that this system doesn't work because what they, and I don't necessarily disagree with that. If I was the vendor and my releases were being slowed down by a month, I would get pretty
Starting point is 01:09:43 cheesed because- It's not my fault. Yeah, you're slowing down fixes. And, oh, I'm sorry, your routers just got hacked, that's on you. That's not on the vendor at that point. So I don't think that concept is one that actually works. And the way to avoid that is sort of like just not allowing that in your critical infrastructure, or do you think it should be not allowed in any infrastructure, your personal take? Oh, my personal take. I'm, again, I'm completely fine with the ban. I mean, they're still allowed to sell into Canada. I'm not aware of what the... I think it's not allowed in the, I mean, my knowledge is out of date, so we'll have to, like, fact check this, but I think it's not allowed in the critical components of Canadian telcos, but it's allowed on the
Starting point is 01:10:27 periphery. But that's, like, silly when you think about it, right? Because you don't want to ever be held hostage to somebody who can turn that off, and somebody who's more patient than you, right? Because you could just go 25 years with no incident and then all of a sudden there's an incident, but you've built up 25 years of trust and credibility, so the story you tell yourself is, we haven't had an incident. It's cheaper because it's likely subsidized, and not only R&D, but subsidized by the government. Yeah. So, I mean, ultimately, this is, I don't have any problem with Huawei being banned in the U.S.
Starting point is 01:11:02 I would not, I would not argue about that. By the way, the name of the vendor is Zerodium. Bupin started, sorry, Vupen started Zerodium. Okay, and they're the ones that bought the zero-days. Yeah, I always lumped them together, just, you know. Well, same parent company, I would imagine. Yeah. Yeah.
Starting point is 01:11:18 What do you think of Snowden? I feel like you're asking questions that is slowly taking years off my life. I've been doing that since I met you. No, you're great, bud. I do not agree with what Snowden did in any way. And that is putting it very, very kindly. Regardless of, you know, at this point, there's been things that he brought to light that has been declared illegal.
Starting point is 01:11:44 The unfortunate assumption is that agencies, security agencies, intel agencies are, you know, these devious groups that are like, let's do whatever we can. And I don't think the average person actually realizes how difficult that job is, how normal the people are who do that job. They have families. They come in. They want to, you know, solve a mission or solve a problem, make things better. And the way he went out with this giant trove of information, which I'm going to come back to, completely ignores the way that technical implementations get approved. It's not like developers are sitting at their desk and say, I have this great idea, let's go do it,
Starting point is 01:12:31 and all of a sudden it's running in operations without any accountability or review. There is a team of lawyers, depending on the size of the country, that will look at that and say, this is okay, this is bad. I remember being at CSE and arguing for something for I don't know how many years, but there was a problem legally and it didn't get through. And that vetting process, people take extremely seriously. And if something goes through that process, there is a measure of legality to it. There are a group of lawyers who honestly like to say no to ideas that have said, yeah, this is okay. So the idea that anything that has been deemed illegal, you know, I'm not in a position to say that's right or wrong.
Starting point is 01:13:16 But what I can say is the process that those things would have gone through. People underestimate the sheer size of the bureaucracy to get anything implemented. It is absolutely crazy. So that whole side of things, I find unfortunate because the byproduct of that is distrust for agencies that are working extremely hard to keep countries safe. And it is extremely disheartening for those people to, you know, get dragged through the mud publicly when the public doesn't actually have an awareness as to how much they sacrifice on a day-to-day basis. Like, I couldn't count the number of long nights that I've seen people work. You know, it can break families. It can break relationships.
Starting point is 01:13:58 And it has, yeah, definitely. So the other side of it is, you know, trusting his intentions. So he had gripes about, you know, those types of illegal, you know, mass monitoring or mass surveillance programs in the U.S. Why did he go public with such a large archive that had nothing to do with that? Why did he, you know, expose completely legitimate legal intelligence gathering programs that have a ton of people's names associated with that? Why did he go out the door with that? And that, I think, is what I have a much larger problem with and that, you know, there was no thought process.
Starting point is 01:14:40 You know, it sounded, to me, it seemed like more he was just giving the intelligence community the middle finger. Yeah, I mean, I sort of took away the same thing from that whole thing, which was even if he felt just in what he was doing, it would have had a different sort of feel to it when it came out. And you don't need to reveal the techniques. You can just reveal the details of the programs. But the actual techniques that he revealed, the software techniques, the exploitation techniques that, I mean, that definitely caused people lives that had a huge impact on people working there. Yeah. And how far back did he set programs? How much did, you know, entire agencies need to go into damage control because some Yahoo decided that
Starting point is 01:15:23 this thing over here was illegal? And then, oh, P.S., here's a whole bunch of other interesting stuff, unredacted, being released. Yeah, I think people think, oh, there's no names associated with it. But like on the original documents, there's definitely names. And I think we both assume that every intelligence agency worth their salt in the world has unredacted copies of all of those documents. Yeah, yeah. To the best of my knowledge, WikiLeaks doesn't receive redacted versions of things. I mean, that's largely my opinion on him if he's... So you don't think he should be pardoned.
Starting point is 01:15:53 A little part of me will die if he's pardoned. Why do you think he's in Russia? Is there something to that story? I mean, where's a safe place to go when you've... burned, you know, particular group, like right into the enemy's safe places, Russia. Yeah, I mean, yeah, I'd be really curious to actually know what his living conditions are like right now and, you know, hopefully they're not comfortable, but I mean, he brought
Starting point is 01:16:18 it upon himself. There's other ways he could have done that and come forward with... How could you have done that differently? What do you think? Well, like internally, there's lots of outlets for that stuff. He said he followed that. There was no documentation released that I can remember that he did follow those. Yeah, I mean, you look at the whistleblower protection
Starting point is 01:16:39 that's in place now. Was that post-Snowden there? Yeah, you know, I was just thinking that. I don't know whether it was post-Snowden. I mean, maybe his decision to do that would have actually improved the protections for whistleblowers. And, you know, that's probably important to acknowledge, but it's... I thought he was the best thing to happen to Linchpin, though. I remember, like, and I don't mean that in a negative way. I just remember, like, what happened in the immediate aftermath of that was they locked down the process by which people get hired. So like I don't think you or I would make it through today from start to finish because of our backgrounds and sort of different quirks of our personality. And so what happens is like post-Snowden you end up hiring, I call it the stormtrooper problem, which is like you end up basically hiring the same type of person, right? They're sort of like never had a problem in their life. They do all the right things. They tie their shoelaces the right way. And they come into the organization and they get promoted. And the process for promotion now is sort of like, here are the
Starting point is 01:17:44 10 things you need to do to get promoted because it's so sort of like laid out and so bureaucratic that you end up year 30 and all of a sudden you're in charge of solving a problem that nobody's ever solved before. But you're in a group of people who all see the problem the exact same way. So you all share the same blind spot. So I remember when that started happening, I was like, oh, man, this is like great news for Matt because you're hiring in a way the misfits of the industry, right? The people who don't want to go to meetings, the people who don't want to fill out the forms to go travel, the people who just want to be able to do their job. Yeah, I'm trying to think back of, you know, what was there, was there an effect? I don't actually know
Starting point is 01:18:26 if I could speak to that without violating an NDA, honestly. But, yeah, we don't want to get you in trouble this year. Yeah, yeah. I think how you characterize the mindset of these organizations is, um, it's pretty accurate. I mean, well, we both sat in meetings where they're like, oh, we can't hire this person because there's, like, a flaw in their background. And there's some legitimacy to that too, right? Like, you're trying to manage top secret information, you're trying to manage risk and manage an organization. But the flip side of that is, like, you're hiring effectively the same person. Yeah, you're not wrong. I definitely don't disagree. I think one benefit to Linchpin from that was definitely it pushed people out the door. Absolutely. And I think that's a trend that
Starting point is 01:19:14 continues to this day. I mean, I'm still, you know, full disclosure, actively recruiting from intelligence agencies. The people that are excited to leave and do something more and, you know, for the lack of better terms be unleashed to solve technical problems. Like there's that there's that hunger there. And it's, uh, I love that perspective of unleashing people that have sort of like had handcuffs before. And it's like now your ceiling is not bureaucracy. Your ceiling is your own ability. Yeah. I've been doing this for 15 years almost as an entrepreneur in, you know, two companies and they've gotten to witness people going, go through that unleashing process. And it is really cool to see how, you know, one month after they're, they're just blown away with
Starting point is 01:20:09 what they are now afforded to do and what, what, what, you know, I'm not saying, don't do this. It is just, here's the goal, here's the problem, solve it, let me know what you need. We'll catch up every once in a while. In Canada, people typically join, join the company with, you know, one year leave of absence or a five year sabbatical component. And I always, I always laugh about that because, yeah, I mean, nobody's ever gone back. Well, yeah. So, yeah. So from a risk standpoint, that makes sense. So I never, I never argue with that. But from a practical standpoint, nobody's ever gone back. And it's become something that I've seen weaponized against the employee, you know,
Starting point is 01:20:47 oh, you're going to this company. We're not going to give you your one year leave of absence. And it's like, okay, that is an extremely bad decision and you're showing some really unfortunate true colors, you know, in that whole context. Does that ever make somebody stay or does it like push them out the door faster? Pushes them out the door faster. Chips on shoulders, man, there's something to the motivation that comes from that that just drives people. I mean, Google's Project Zero is largely built from people who have exited the intelligence industry with a chip on their shoulder. I don't know if that's worked out so well. I want to just sort of like end on some of the lessons that you've learned growing Field Effect now to 100 people. That's the critical phase
Starting point is 01:21:33 for a lot of companies. Like a lot of companies break in this sort of like 40 to 100 people range because you start reaching the ceiling of the processes that you put in place, but also the ceiling of the people who've got you here. How do you think about that? How do you scale and how do you go beyond that and crack through that sort of ceiling? I think the first component is making sure that everybody is going in the same direction. You have to be very straightforward, frank, honest when looking internally, but also what the company goals are. And everybody needs to know what the company goals are. I don't think that execution is necessarily something that comes naturally to a lot of people. And for me right now,
Starting point is 01:22:18 like one of my, one of my biggest concerns as we approach 100, as we go through COVID-19. I mean, when this COVID-19 started, there was, you know, a decision to be made to go aggressive or, or cower, I guess, from the scenario. And, you know, in my opinion, it was very clear we go aggressive because, you know, our competitors are probably going to be category B and damage control. So you can get ahead. Yeah. So execution is a big part of that.
Starting point is 01:22:45 And it takes a bit of time to understand what execution looks like in each particular problem or a given company. So that discovery of, you know, how do we execute as a group has been something that I think is extremely important. And largely the company is absolutely doing amazing at it. And that, that I think is one thing that, you know,
Starting point is 01:23:06 always resonates in my head that, you know, everybody has great ideas, but how you push through is execution. You need to materialize those great ideas into things that are reality. Is there anything else you want to say about the state of cyber before we wrap this up? Have I, am I out of swear jar? No, man.
Starting point is 01:23:25 Say whatever you want. I think we're already explicit at this point. So I would say, you know, if you are a company looking for help, it can be a challenging thing. I think it's that going to the doctor scenario when you have a pain. You don't want to necessarily find out what it is because, you know, people are naturally averse to bad news. You can't be like that with cybersecurity. If you don't have a cybersecurity vendor, if you don't have a company helping you out with that problem,
Starting point is 01:23:57 get on it. Everybody is a target at this point. Your company is not small enough to be off an attacker's radar. I have seen five-person companies, actually I've seen two-person companies attacked and hit. So my advice is don't be afraid to ask for help. hello@fieldeffect.com. Yeah, the second thing I would say is anybody out there looking for a really cool opportunity
Starting point is 01:24:22 for a really cool company, you know, the experts of the world, regardless of what company you're working for right now. We're always looking for more people. That's amazing. My kids call you Uncle Matt, but they also, whenever Elon Musk comes out, they say, we know somebody who's going to do more than Elon and sort of like, and they're pointing to you. So we're looking forward to seeing how this progresses over the next couple years. I don't know how to respond to that, but that's very, uh, it's very kind of them. Thanks for chatting, man. Yeah, thanks for having me. It's a good time. Hey, one more thing before we say goodbye. The Knowledge Project is produced by the team at Farnam Street. I want to make this the best podcast you listen to, and I'd love to get your feedback.
Starting point is 01:25:04 If you have comments, ideas for future shows or topics, or just feedback in general, you can email me at shane@fs.blog or follow me on Twitter at @ShaneAParrish. You can learn more about the show and find past episodes at fs.blog slash podcast. If you want a transcript of this episode, go to fs.blog slash tribe and join our learning community. If you found this episode valuable, share it online with the hashtag the knowledge project or leave a review. Until the next episode. Thank you. Thank you.
