The Vergecast - Bug bounties: the good and the bad of computer security
Episode Date: July 7, 2020
Verge editor-in-chief Nilay Patel talks to founder and CEO of Luta Security Katie Moussouris. Moussouris has a long history in computer security, working at Microsoft and the Department of Defense creating their first bug bounty programs to incentivize catching and reporting security bugs and vulnerabilities in software systems. Nilay and Katie discuss the good and bad of bug bounties, encryption dilemmas with consumer devices, voting security in elections, and overall how we keep our software and networks secure.
Transcript
Hey everybody, it's Nilay from the Vergecast.
Really interesting interview episode this week.
I talked to Katie Moussouris,
who's the founder and CEO of Luta Security.
Katie has a long background in computer security.
She actually created the first bug bounty program at Microsoft,
the first bug bounty program at the Department of Defense.
A bug bounty program is when an organization says,
hey, we know there's bugs in our software.
If you disclose them for us, we'll pay you for them.
As you would expect, Katie has a lot of thoughts
on what bug bounty programs are good for,
what they're not good for, what they incentivize, and what blind spots they create. So we talked a lot
about that. We talked a lot about encryption on devices, the government's desire to break encryption
on things like the iPhone, why that's a bad idea. Obviously, Katie had a lot of thoughts about that.
And we talked a little bit about the pandemic and election security. Just a fascinating conversation,
an enormously important perspective on how we keep our devices and our network secure. Check it out.
Katie Moussouris, founder and CEO of Luta Security.
Katie Moussouris, you're the founder and CEO of Luta Security.
Welcome to the Vergecast.
Thank you so much for having me.
I really appreciate it.
I am very excited to have you on.
I want to talk to you a lot about how we sort of find and fix vulnerabilities in our software.
It is a theme of the modern world.
But I want to give people first just a sense of your background.
So you are the founder of Luta Security.
You've worked at the Department of Defense.
You've helped to popularize the bug bounty system that I think drives a lot of the security conversation right now.
Just give people a sense of your background.
Oh, boy.
Well, if I started at the beginning, I would say that.
I was a nerd in my room who taught myself how to program, much like a lot of other nerds.
So that was, you know, me at eight years old with a Commodore 64.
But if we fast forward a little bit.
Some things happened.
Yeah, things happened.
Situations occurred.
And also the Internet happens, right?
I don't know, I don't know if people can tell by my hot pink hair that I'm actually 45 years old in real life.
And the thing was, you know, when I was learning how to hack as a teenager, it was the late 80s
early 90s, that was the very beginning of the internet. So my background basically was learning how to
hack at a very young age, finding like-minded people online in the earliest, you know, kinds of social
media that predated even AOL, you know, and all that stuff. And then from there, you know, back
then you couldn't make a living hacking because we didn't have a lot of infrastructure that was
dependent on computers. You know, we definitely used them to get to the moon. But, you know,
they were, personal computing wasn't really a thing until the mid to late 80s anyway.
So background was, you know, I was a molecular biologist for a while. I worked on the
Human Genome Project. Then I kind of transitioned into systems administration, taking
care of a bunch of networks that were constantly being under attack. And because they were under
attack, I had to learn to scan them myself. So that was basically where I dusted off my hacking
skills. And I was working at MIT at the time. And then from there, I moved to
San Francisco in 1999 and became a professional Linux developer. So I was a coder for a living.
And I also saw what it really took to ship enterprise code and support it, which is,
you know, part of it is being responsible for fixing bugs. I started the security program there
at that Linux operating system company and I was actually fixing the bugs myself because I was
a developer. So, you know, from the perspective of bug hunting, bug fixing, all of that stuff,
I've basically worn all the hats in that type of industry. And I have a lot of empathy for all sides.
So when, you know, fast forward, I was a security consultant, meaning a professional hacker, hired to break into places.
This was in the early 2000s. My company that was a small consultancy, you know, at the time called @stake, was acquired by Symantec.
And at Symantec, I continued doing that work and I founded Symantec vulnerability research, which was kind of like Google Project Zero, if you're familiar with that,
team. They look for vulnerabilities outside of Google products and third-party products. So I actually
started a similar team way back in 2004, 2005 at Symantec. So anyway, from there, I was still doing
that professional penetration testing work hunting for bugs. But I also noticed that our customers
weren't getting that much better. And it started pissing me off because I was like, I want my work
to be meaningful. And why do I keep coming back to the same customers and we find the same types of bugs?
So, you know, when Microsoft offered me a job as a security strategist is what they called it,
even though I wasn't going to be hacking for a living anymore, I was like, you know what,
maybe this is a chance for me to make a bigger impact in the software security industry
and hopefully get people on a better page.
And at Microsoft, I started a bunch of programs, including their first bug bounty program.
And that was what caught the attention of the Pentagon.
And they invited me to start briefing them, which eventually led to the Pentagon's first hacking program
called Hack the Pentagon, which we launched four years ago right at, as I was leaving my last
company and starting my own company. So that pretty much brings you up to speed with like almost
everything I've done except, you know, some of the waiting tables jobs I had to do to pay the
bills, right? So what's really remarkable to me about that particular story and your journey is
the same thing that I think is remarkable about the tech industry at large right now. None of this
existed before. And now it exists at scale. And there's an element
where people just take it for granted that bug bounty programs exist.
There's an element that we take it for granted that LTE networks exist,
but they didn't exist before.
And our assumptions in building them,
I think we take a lot of them for granted that they exist and they exist in this form.
But we've only had one run at them.
We've only had one sort of basic iteration of things like bug bounty programs.
What have we learned?
Because the basic idea is obviously very clever.
We're going to provide an incentive for you to find our vulnerabilities
and the market will like do the job for us.
What have you learned as you've been setting that stuff up,
what were the core assumptions here?
Well, I mean, the first iteration of bug bounties was actually in the mid-90s.
It was Netscape browser offered the first bug bounties.
And it was, I think it was $1,000 if you found a security bug.
And that was the only bug bounty in town.
And actually, Dilbert, the comic Dilbert did a, or, you know, Scott Adams did a comic,
a Dilbert comic about it back in 1995,
saying, you know, the pointy-haired manager was like, I'm going to start a bug bounty and pay,
you know, for every bug that's found. And Dilbert and the other engineers go, I'm going to write me
a minivan. Like, I'm going to basically go and code myself some bugs so that I can then claim the bug bounty.
So this idea of what we call perverse incentives was actually already identified by a comic author,
like way back in 1995. So we still actually struggle with perverse incentives in the bounties,
the more modern bounties, but we didn't really see much new under the bug bounty sun until 2010,
so a decade ago. And that was when Google started offering bug bounties. I was at Microsoft,
about three years into my career at Microsoft, and my superiors in the Microsoft Security Response Center
were like, so, you know, this bug bounty thing that we've publicly sworn we would never pay
for bugs publicly. We said that. Yeah, we'd like you to look into it, right? So they, so, you know,
suddenly a competitor. And if you take into account like the competitive landscape, that's really what
drove Microsoft to take a second look at doing bug bounties. Because at the time, IE was still the
dominant browser. Firefox, you know, which was the inherited, recoded version of Netscape Mozilla,
was, you know, a distant second. And Chrome was brand new, right? So Chrome browser was brand spanking new.
It didn't have sort of the legacy bugs and all of this engineering technical debt to deal with.
And so, yeah, they offered a bug bounty. I mean, it was this flashy thing. They wanted to, you know, get help from the outside world.
They wanted to use it as a conduit for not just bug reporting, but also potentially hiring people into that group.
And, you know, I think at the time, like Chrome was only like two years old.
And so IE, sensing that Chrome was gaining market share at an alarming pace,
decided that, you know what, we should take a second look at this bug bounty thing and see if it's something where, you know, we can participate.
So that was kind of the modern entry into the bug bounty space. And so the critical issue was that Microsoft had over 800 supported products and services.
So there was no way we were going to slap a bug bounty onto all of that because we were already, you know, I mean, seriously, we were already, to this day, they still receive over a quarter million non-spam email messages per year going into secure@microsoft.com.
So why on Earth would you be like, you know, waving this green flag in front of the bug bounty
bulls out there going, Toro, Toro, you know, just come and get more, spam us out, you know. So they basically
didn't want to increase volume. So we had that challenge to manage. And the bug bounties I came up with at
Microsoft were very in tune with the fact that one, we were already getting bugs for free, right?
Bugs that would sell on the offense market for six figures or more.
Wait, just unpack what that sentence means, because it's cool.
So the offense market, you know, some people call it the black market for bugs, but it's not a black market if it's not illegal, right?
The offense market includes, you know, governments purchasing exploits and vulnerabilities for use on criminals and terrorists and, you know, adversaries of any kind, nation state adversaries.
It also includes crime organizations buying exploits and vulnerabilities for, I don't know, crimes, right?
So that's kind of the big overarching offense market.
It's basically you're buying a bug or an exploit in order to use it against someone as opposed to a bug bounty, which is part of the defense market.
And that's basically where you're buying a bug in order to fix it.
So there's price differences there.
The offense market tends to pay a hell of a lot more.
But, you know, we already knew from the experience at Microsoft, who paid nothing until 2013, that you don't need to pay people to get them to turn in a bug because they actually primarily
want to see the bug fixed, right?
Yeah.
So I wanted to make it easier for people, you know, let's say little Timmy needs braces for
them to say, you know what, I've got this bug, it's worth something on the offense
market, little Timmy needs braces, oh, but I actually want to see it fixed.
And so I didn't want to have to have them make that hard choice, you know, right?
So create some kind of a bug bounty.
Try and create incentives for the things that you most want to learn about at the times
that you most want to learn about them.
And that's kind of important for how we structured the Microsoft bug bounties,
at least the initial ones.
And then go from there and see how the market responds.
So one of the things we did for IE was we knew Internet Explorer had plenty of free research coming in
where these bugs would have been worth at least $100,000, if not more, on the offense market.
But people were choosing to give them to us for free.
The problem was they were choosing to give them to Microsoft for free after the beta period was over.
And we were like, why is that?
Why are they like doing all this research during the beta period and literally not telling us until after the beta is closed?
It's kind of the worst time ever, right, to hear about the bugs.
And we figured it out.
It was basically that the only incentive they had, you know, was getting their name in a Microsoft security bulletin.
And if the-
Wow.
Yeah, if the bug only affected the beta and no earlier versions of IE as in brand-new code, you know, or brand-new thing,
we wanted to hear about it during beta, but they wouldn't get their credit. So they would hold on to it, right? So we were like, uh-oh, how about we offer them credit and maybe a little bit of money in the form of a bug bounty at the beginning of the next IE beta period, which is exactly what we did. And it was super successful. I mean, we got 18 vulnerabilities during the first 30 days of the IE11 beta period. And I paid probably about $28,000 total for all of those
with proof of concept exploit code and everything.
And what's more is that because it was at the beginning,
not only could we get all of them fixed before the beta was closed,
but we actually used those bug submissions to look for other adjacent bugs in the area of code.
And we fixed so many more than were even reported just because, you know,
where there's smoke, there's fire.
And some of these outside sets of eyeballs really helped us out and spotted things that we had missed.
So it worked great.
And that was also why the Pentagon was like,
hey, we've got a lot of complex systems, and we probably can't bounty everything at once,
and you managed to do it at the biggest software company in the world.
So why don't you come on down to the Pentagon and tell us how you did it?
So that was actually how I got invited to the Pentagon the first time.
So when you go to a place like the Pentagon, Microsoft obviously owns and operates most of its
code.
It's actually different now.
They've bought so many other companies.
But at the time you were there, Microsoft's a fairly monolithic software company.
Pentagon is not in that way, right?
They have a lot of vendors, they have a lot of outside consultants, they have a lot of interconnected systems.
How did you manage that?
Because that seems like a much harder problem and also the stakes of that seem correspondingly higher, I should say.
Yeah, I mean, the legalese alone to set up the Pentagon's initial bug bounty pilot was daunting, right?
Because if you look at current events with nation state hacking and the way the United States has decided to address,
you know, hackers from acting on nation state orders from China, for example, is the DOJ actually
indicts them by name, you know? So what we had to do is we had to figure out how to walk a line
of saying, in legalese, we welcome hackers, you know, if you see something, say something,
except if you're a nation state, in which case you're totally not authorized and we can still go
after you, right? So we had to basically come up with this, you know, sort of swim lane for
authorizing the friendlies without accidentally authorizing every nation state in the world
to like, come at me, bro. And so that was fascinating. But I got to say, it was really the work
of the folks inside the Pentagon to help, you know, they call themselves bureaucracy hackers.
But they basically, you know, I would come in with my expert expertise, you know, outside expertise
about incentives and working with hackers and all that stuff and the ways to structure these
programs so that you didn't die, you know, of a volume of cases. But they were the ones who actually
went through and got all the approvals. So I've got to name check them here. You know, you've got to
forgive me, but they deserve all the credit for getting this stuff approved. The first person to
invite me to the Pentagon, his name was Michael Sulmeyer. And he's Sultan of Cyber on Twitter.
He's a great follow. But he was actually the director of policy, cybersecurity policy, for the
Office of Secretary of Defense at the time that I was at Microsoft, and he was the first person
to invite me there. And then when he left, his successor, Lisa Wiswell, was really like kind of
the chief bureaucracy hacker. And she had gotten, I mean, she had gotten decorated by the
president for multiple of her work in cybersecurity across all of government, DOD. But, you know,
without these internal Sherpas. And then there was also Charlie Snyder, who was also in the office
of Secretary of Defense as well. And between, you know, essentially those three insiders at the
Pentagon, there would have been no way to get this done as an outsider, even coming from the largest
software company in the world. So there was, you know, absolutely this internal push. And then I got to
hand it to former Secretary of Defense, Ash Carter, because, you know, there were a lot of middle
management folks in the Pentagon that basically were saying, are you crazy? We're going to invite
hackers to come at us, are you actually nuts? And Ash Carter basically said, you know what? We're going to
do this because we do need to embrace the, you know, the cybersecurity folks outside of our five sides.
And we also need, you know, a better pipeline for cybersecurity workforce in the government.
And you know what? We're just going to rip the Band-Aid off. And so I got to give credit to all the
folks inside the Pentagon and, you know, the folks who basically push those boulders uphill. But, you know,
yeah, from my part, you know, I basically, I told them, look, this is the game theory and
economic theory that went behind, you know, the Microsoft bug bounties. And here are the ways
in which we can structure things such that you also don't die of, you know, of bug bounty.
Yeah. So that's essentially where my work continues, you know, to this day in my own company
is helping people not die of premature bug bounty, right? Premature bountification.
So it brings me all the way back to my first question, which is this system kind of didn't
exist, and now it's at the point where not only has the Pentagon implemented it, but you and I
have already talked about it in terms of economic incentive. You just said there's a game theory
behind it. There's like rigorous academics underlying how the systems work, and you're now
at a place where not only is the government and the military using it, but you're helping other
companies set that stuff up. So that implies that it worked, right? This was a theory and it got
to a place of some success and sort of fixed under.
But right before we start talking on the show, you mentioned to me that it's not a cure-all.
It doesn't solve every problem.
So where are the failings of a bug bounty system?
Well, right now, honestly, the failings I've got to see is in the commercial implementation of bug bounties.
So, you know, my company basically goes in and assesses, you know, organizational maturity.
Like, are you ready for this?
Can you handle the truth?
And a lot of the questions we ask, organizations are like, yeah, but we want to do this industry
best practice thing called a bug bounty. And we know that you make all these big bug bounties. So just
make us a bug bounty. And I'm like, but you haven't actually been able to keep up with patching
the systems that you know are out of date. You don't, how can you actually deal with this additional
volume? And they say, oh, but we'll just hire a bug bounty service provider. And they'll take care of
everything for us. And I'm like, wait a minute, wait a minute. What part about your internal patch processing
did you not understand from the rest of the questions, right? Because they're sitting there going,
no, no, we've been told we can outsource this. So where I see the big failings, and I see it as
failures of both sides of the marketplace. I mean, ideally, I mean, I used to work for a bug bounty company.
I believed in this model as, hey, why don't we make it easier to connect companies with hackers
and make it safer for everybody. And, you know, eventually the companies and the governments will
become more secure. And eventually the hackers will also not only stay out of jail and make a living,
but they'll skill up, right? Because ideally, what you want to see in the whole world is enough,
you know, no low-hanging fruit anymore, right? You want to see people actually addressing those
bugs themselves, preventing them, ideally, but even if, you know, they accidentally coded up
some low-hanging fruit bugs, to be able to detect them themselves, not rely on third-party
you know, randos on the internet to come tell you about this low-hanging fruit. So where I've seen
this failing is that commercial bug-bounty platforms, basically their business model is you stay bad at
security so that there's a lot of low-hanging fruit to be found. And the relatively low-skilled
labor that hangs out on the bug bounty platforms with very few exceptions, you know, there are
highly skilled folks on these bug bounty platforms. But it's literally, I think I read the latest report
from one of the leading bug bounty platforms, out of 600,000 registered users, 146 of them, 146,
have ever made more than $100,000 in their entire lifetime on the platform.
Wow.
You know, a professional penetration tester, even 15 years ago when I did this, already starting
salary was over $100,000.
So we're not seeing actually, you know, a good evolution of the state of security as a result
of these programs.
We're also not seeing a good evolution of the state of cybersecurity workforce.
We see a huge bottom of the pyramid, which is kind of the folks who are able to run free
or nearly free tools, scanning tools, and kind of give you the low-hanging fruit reports.
And they're making up the majority of bug bounty hunters.
And this tiny little top of the pyramid of highly skilled workers, you know, that is literally
less than 200 people are at the very, very top.
And that's despite these companies being in existence for the last eight years.
It's so funny that you are describing an economic model for cybersecurity for hacking that looks an awful lot like a user-generated content platform economic model.
Like, you could have just described YouTube or Instagram or any of these other platforms that promises lots of people access but only rewards a tiny fraction of the folks.
Is that an accurate analogy?
Absolutely.
I mean, the rules of bug bounty are only the first one to report a unique bug gets paid for it, right?
So think of all the low-hanging fruit.
You could be spraying and praying or scanning tools.
But to even make money on something that was very easy to find, you just have to be the first one in, right?
And so there's a whole lot of unpaid labor that goes into these platforms.
And then let's say even if you're operating at higher, you know, sort of higher technical levels and finding more esoteric bugs, we hear complaints left and right of companies, you know, sort of saying, oh, we knew about that bug already. So we're not going to pay you. It's already in process of getting fixed. You know, so there's a whole bunch of stuff where people are not getting what they signed up for. And I look at it as yet another failed implementation of the gig economy marketplace right now. And, you know, we all had a lot of high hopes.
that gig economy would help a lot of people. And it's not been turning out great for,
certainly for the labor side of things. But in the case of Bug Bounty, it's not turning out
great for the buying side, the hiring side either. They, you know, again, they're not, they're not
able to access huge new labor workforce. Those tiny number of people who are fairly highly
skilled and making good money on these platforms, they maybe don't want to give up their lifestyle. A few of
them have. A few of them have decided to work in-house at companies, but they're kind of preserving
their bug bounty moonlighting abilities on the side, you know, and everything. So yeah, we're just
not seeing the whole gig economy as expressed in bug bounty platforms working out for either side of the
equation. So just to keep this analogy going, maybe past its breaking point, but I'm going to try.
When we're critical of a YouTube or Instagram, a thing that is real there is that's working out
great for YouTube and Instagram. They have no incentives to fix it because they're reaping
all the reward. I would imagine at least, you know, there's more actual money sort of flowing through
the bug bounty ecosystem and there is the very real threat of, hey, there's vulnerabilities in our
software. So it does seem like there's some incentive to change it, to change that model. What changes
have you seen coming or does that incentive just not exist? Well, I mean, you know, after leaving one of the
bug bounty companies, I stayed on as an advisor for well over a year or pretty close to a year and,
you know, worked with them on various, you know, mutual customers. And I've worked with, you know,
I've had customer overlaps with a lot of the bug bounty companies, if not all of the major U.S.
ones. And the thing I keep seeing in their business model is that I would like to help organizations
get more mature, right? So fewer low-hanging fruit bugs, more esoteric bugs. But all of their
business models depend on there being kind of chum in the water all the time of low-hanging fruit.
So they don't want the process delays that my company usually goes in and says, are you
ready for this? Have you invested internally on finding the bugs yourself? Did you know it's up to
45 times cheaper if you actually identify security bugs in the design phase, right? And that basically
ends up delaying the adoption of bug bounty, which isn't appropriate for everyone. And so,
certainly not appropriate if you can't even patch the bugs you already know about. So I think the
inherent conflict that's come up with the different business models, you know, bug bounty versus,
you know, the advisory services that my company provides is that, you know, bug bounties can help with a
tiny fraction of, you know, what you already need to do for vulnerability management, but it's being
positioned as the easy button for it. And I think that, you know, we're seeing, we're seeing a lot of
companies come to grips with the fact that they're having breaches still, even if they have
a bug bounty, or they can't bounty everything. And so their most critical stuff, like you,
I mean, there's one airline who has a bug bounty. They've had a bug bounty for a little over four
years. That's United Airlines. Is it on the planes? No, it's on the websites. It's against the
website, right? So how are we, you know, how are we safer in the skies? Well, we're not. But the appearance of
looking like you're doing diligence when it comes to vulnerability management. I think that's where
commercial bug bounty enablement platforms have been pushing is like, look, you know, just look really
busy. Yeah, you're playing whack-a-bug, you know, and everything. And this is super inefficient.
But you can say that you take security very seriously and you're fixing all these low-hanging fruit
bugs and whatnot. We won't call them that. We'll just say that, you know, there are all these
bugs and that it's super valuable. And then when you get breached, maybe you won't get in trouble
because you can say, well, we tried.
We had a bug bounty.
And just nobody reported that particular issue to us.
So I don't know.
I mean, I would love to say that, you know,
this is all evolving in the right direction.
But frankly, you know, I've seen it devolving,
especially in the last couple years of the commercialization of bug bounties.
So, I want to take, you brought up a few things so far that I want to just take a step
back and talk about.
The first one is the notion of the offensive market, which pays a high rate for vulnerabilities,
and the idea that a bug bounty system maybe doesn't pay as much, but can balance out that
market.
That has led, I've talked to a few folks about it.
A lot of people have a lot of thoughts about this, like complex, academic, economic,
modeling thoughts over how you get nation states paying a million dollars and then Microsoft
paying $28,000, how that actually still balances the market.
Are those numbers changing?
Do you see that economic kind of relationship between the offensive and defensive
payments for vulnerabilities changing?
Are the rates going up, are they going down?
What does that look like?
How does that work?
Well, Apple announced that they were going to start paying over a million dollars in their bug bounty program.
You walked right into where I was going.
This is great.
And that's a terrible, terrible idea.
And the reason it's a terrible idea is that, look, you know, I know Apple pays their security engineers quite a bit of money, right?
But essentially, they already employ people who are supposed to be designing their products and services such that they don't have those flaws, you know, those kind of, you know, full remote takeover of the phone type of flaws.
They're supposed to be designing them securely from the get-go, number one.
That's what their employees are supposed to do.
Number two, if they miss something in the design, they're supposed to catch it in testing, again, themselves internally.
So what this does when they create something like a million dollar or a million dollar plus bug bounty is that they're basically saying to their internal employees, one, no, we're not going to give you a million dollar bonus for doing your job every time.
You know, so that's a little demoralizing.
But two, they're also kind of saying that, you know what, if you don't want to go to yet another company meeting or team meeting or group stand-up this week or whatever it is.
You know, or you get a bad review or didn't get a promotion that you thought you deserved.
You know what?
Just leave the company and in the one year timeout or whatever it is, just come back and you can just collect a million dollars, you know.
So what it does is it honestly, it breaks their labor pipeline.
It breaks the pipeline for them to continue to attract and retain the personnel that you
want in-house designing these things secure from the get-go.
And I told them this.
Of course it did.
But, you know, they were like, well, yeah, but we think that we really want to give people,
you know, more of a choice between the offense market and the defense market.
And I pretty much laughed like Jabba the Hutt, you know, like, because essentially it's like they're presuming that the offense market can't just like laugh like Jabba the Hutt and add a zero to the end of whatever they're paying. Oh, you make it $1 million, we make it $10 million, no problem. Like, it literally doesn't matter.
Unpack that a little bit. I don't think people know that, that the prices are that high or the
value is that high. Well, the offense market was already inflating the prices, right? They were already
basically, you know, making it perfect for defense contractors like Raytheon and whatnot to bid on
these things. You know, defense contractor prices, right? So they were already making the price really, really high. And the hilarious thing is that the defense market, you know, thinking that you have to outbid the offense market, that
was an academic question that I and some other folks at MIT Sloan School and Harvard Kennedy School
took on as a research project when we ourselves modeled the system dynamics of the vulnerability
economy and exploit market. So we released some of that research, you know, several years,
like half a decade ago, you know, and it still gets brought up today because some of it is, part of it is the labor market that we looked at. And that comes up, you know, with the stratification of labor, you know, the very tiny number of highly skilled versus the huge number of not as highly skilled, you know, and not getting paid very much, hackers in these bug bounty platforms.
But, you know, the other bit was the academic question we asked ourselves was, is it possible
to corner the market on bugs by outbidding it, right? You know, is that even possible? Can you,
can you use the lever of money? And the answer was no, you know, you can't. One, because the offense market doesn't need to constrain itself
to who it could hire in the future in-house, right? They don't have that, you know, that mission of actually
trying to design these products to be more secure. They only have the mission of doing their
offense work. And so they can just jack up the price as much as they want. And that is why, you know,
raising prices past the point where you could reasonably pay developers and testers to come into your organization and work for you.
Raising bounty prices past that point is a losing game.
And, yeah, hence the Jabba the Hutt laughter and me being like,
you don't realize that the offense market can outbid you in a nanosecond, you know?
So raise it as much as you want.
They don't have the unintended consequences of basically cutting off their own labor supply by doing it,
which the defense side does.
That's really interesting.
So you're saying Russia, we'll just pick on Russia, because it's easy. At this moment in American history, we're going to pick on Russia. Russia can't just flood the market with money and collect every extant vulnerability that's out there. They could try. There are
people who wouldn't have given it to them for any amount of money, including the people who
continue to report bugs for free to almost every vendor, right? So the offense market, like I said,
can raise their prices at any time. It's a question of what motivates hackers,
when they find a bug. And I usually liken that to everyday people contemplating what to do at an
intersection with a yellow light, right? You know, you find a bug and you're kind of at a crossroads.
And what do you consider when you're at a yellow light? Well, it's different every time, right? You know, what time of day is it? Do you know that there's a speed trap nearby? Do you have passengers in your car that you care about, right? And like, you know, should you stop suddenly and will that jar the passengers more, or should you just go on through. So looking at every bug, every researcher comes to that
same yellow light choice about what do I do with it? Do I report it to the vendor to get it fixed
with or without a bug bounty or a cash reward? Like, do I just care about this technology enough that
I want to be secure? Like, I use it or my family uses it or something like that. And that drives a lot of researcher behavior. So even if they know they could get more money for it on the offense market,
they're basically like, yeah, but there are passengers in my vehicle that I care about at this yellow light of decision making.
And so I'm going to give it to the vendor for free, even though they don't have a bug bounty and everything, because I just care and I want to see it fixed.
So price is not the most effective lever and certainly not the most effective lever to use on the defense side.
There's another issue, which I don't know if we have time to talk about, but it's also, frankly, a violation of existing labor laws.
So, like, forget about the new California labor law that's affecting gig economy marketplaces like Uber and Lyft,
and will also actually affect gig economy marketplaces like bug bounty platforms.
Forget about the new California law.
The existing labor laws were already questionable under bug bounties.
And I say questionable because at Microsoft, they've got a lot of lawyers.
And they looked, you know, it's like they have like a few lawyers.
Yeah, one or two.
Yeah, they looked into that question when I was starting to do research on how to make Microsoft's bug bounties happen. And the answer was, yeah, it's probably a violation of labor law. Actually, it totally is. And there's a few reasons for that.
One, you can't claim that it's not part of your core business to secure your software, right?
So if you're a software company, you can't be like, no, no, no, not part of our core business.
We don't need to hire for that full timers, you know, not at all. So you can't make that argument
that, no, no, this is contract work only. Second, it actually ends up, depending on how long it takes the researcher to come up with the thing that they're submitting to you, it can violate minimum wage labor laws.
So it could be, yeah, so if you pay like a thousand bucks, but it took them like three months,
guess what?
You've violated some pretty serious, you know, minimum wage labor laws.
And further, that whole rule, remember that, you know, only the first person to come up with the valid vulnerability report gets paid.
Well, the second person who came up with the exact same bug and maybe did all of the things that you asked them to do, like did a quality write-up, you know, steps to reproduce it, sent you some proof of concept exploit code so that you could run it and test it yourself.
They did all that work too, and they get paid zero, which is certainly well below even the lowest minimum wage in the United States, right?
Yeah, so there's all kinds of problems with the bug bounty economy as it's implemented now,
not the least of which are these trends with the, you know, kind of misplaced,
trying to outbid the offense market, which can't be done.
And, you know, the inherent problem in labor law violation,
which now we're seeing a lot more of that because Uber and Lyft have been under the spotlight.
So I want to pull it back to Apple again because right before we started talking, there was yet another encryption hearing on Capitol Hill.
Bill Barr really wants a backdoor into the iPhone.
Every time somebody wants to unlock an iPhone, another company pops up,
Cellebrite says they can do it anyway.
The market for cracking an iPhone seems very, very hot, right?
Because Apple won't provide this backdoor.
Apple has, I would describe it somewhat gently as a contentious relationship with the security industry.
How are they handling all of this stuff?
because it seems like the offense market for the iPhone is just extraordinarily hot, right?
And then there's other methods, you mentioned Project Zero from Google.
They come at Apple just like head on all the time, another contentious relationship.
How do you see that playing out right now?
Because that seems like, as you point out, there is a lot of economic modeling to be done here.
And it seems like that product in particular is probably like the center of a lot of debate and controversy.
Well, okay.
So first of all, there's a lot to unpack with that, right?
The backdoor question.
I usually address the backdoor question, you know, in two ways.
One, you know, if you build in a back door, you're building in the inherent weakness that somebody else will find, somebody else will use.
And even if used as directed by, you know, sort of only our government or whatnot, you're trusting that our government stays true to its values in the entirety of its execution of that access, you know, via the back door.
That's a lot of trust to extend to, you know, not just our government, but also to anybody
who's safeguarding the secrets that are, you know, that basically are the keys to unlock that
backdoor. So backdoors are a bad idea, okay? Like, that's basically like bad idea. It's going to
get abused. If you build it, they will come and they, meaning everybody who,
you know, who wants access there. And then on the other hand, a lot of people will mistakenly make
moral judgments about selling to the offense market, saying, you know, you either turn it in for
free or do a bug bounty defensively or you're a bad person. And I'm like, whoa, whoa, hold on here.
If we all agree that backdoors are bad, then how else should our government with a warrant
go after a terrorist's iPhone, except with an exploit that they bought, right?
How can they go after child molester rings with a warrant and install some of this,
you know, some of this software, you know, on these devices and track them?
How will they do that without a back door unless you also support the offense market sale
of exploits?
So I support the offense market sale of exploits for these reasons, right?
And I think they're actually a much better solution.
I would much rather have a tiny group of specialized skilled individuals in the world able to sell to, let's say, our government for law enforcement purposes.
And yeah, you're still trusting that they're not going to abuse it and whatnot, you know, and everything.
But a bug, you know, especially in exploit, sometimes will not succeed and leave traces.
So it kind of gives the vendors and other security researchers a chance maybe to identify that vulnerability and get it fixed eventually, even if it's used in a targeted offensive campaign that's legally sanctioned and what everyone
would agree with. Like, let's take down some actual terrorists or let's take down some actual child molesters.
Like, everybody is down with that, you know. What we don't want to see is enabling mass
surveillance, right, for ourselves or even for, you know, foreign people if it means that our cloud
services, for example, are no longer able to be sold outside of the United States. Like, that would
have a huge economic impact to the United States. And what would happen if we're forced to install
backdoors in technology, either Apple's or, let's say, Amazon's or Microsoft in the cloud,
if we're forced to do that, well, that smells a lot like the Snowden revelations and Prism.
And there was a huge cooling effect on our ability to sell technology outside of our borders
as a result of that. So anyway, it's long-winded, I kind of give like NPR answers about that.
It's a podcast. What else are we here for?
Right. So, but I have, you know, I mean, I just have a lot of, I have a lot of strong opinions about this because this is the dynamics of the marketplace that I actually do support the offense and defense side of the marketplace, both, especially when it comes to offense use of exploits as opposed to having to build in backdoors for encryption, which is a bad idea.
So I'm going to just say some dumb stuff and then you can react to it.
Again, a podcast.
That's the idea.
But this is why I was so excited to have you on.
The strong opinions here, I think, are very clarifying.
So what you have described to me sounds like a system that depends on a certain amount of opacity and friction.
Right.
So Apple builds the phone.
The phone has some unknown or undisclosed vulnerabilities.
Someone finds it.
They sell it to the Department of Justice or the Department of Defense or whoever. FBI uses the exploit to crack a terrorist's phone.
Apple realizes, oh, crap, there was an exploit.
They fixed the exploit.
They ship the next phone.
It has some new vulnerabilities.
FBI buys it again.
Cycle repeats.
Yeah, and that connecting bit of Apple figuring out that this exploit has been used,
sometimes they don't, right?
You know, if an exploit is used successfully, there's no trace.
If an exploit crashes, then you have the opportunity maybe to start detecting all these
crashes in the wild, right?
Every time your browser crashes and it says something like, do you want to send a technical report back to Google and help improve Google?
That's basically feeding into Google's telemetry and whatnot. Apple has similar telemetry.
You can send crash reports from your phone.
But basically, a successful exploit won't crash.
What you're seeing in terms of crashes are unsuccessful exploitation attempts.
So that little connector part that you were like, you know, if FBI buys it, uses it, Apple finds out about it. It's like, well, Apple might not find out, but they have a chance, was what I was saying.
You know, they have a chance if, you know, if some of the exploitation doesn't work
exactly as smoothly as planned.
So that's the cycle broadly.
Again, you have far more technical expertise than I do, but that's my dumb version of it.
There's a part where Apple could just talk to the FBI and smooth out that cycle, right, and say, it's iOS 14, here's the hole, it's going away in 15, but in 15 we'll tell you the hole, right?
They could just do that because that's effectively what they're doing without communicating in some broken way.
Is the value of the current system that friction and opacity?
Because I think oftentimes the value of the system is the friction, and we don't talk about it that way.
But if I'm the FBI director, I'm like just rotate the exploit, rotate the back door every year.
So bad guys don't have it, but we do.
And we'll just keep going.
Is that a simpler way?
Because I've heard a version of that proposed by a different set of law enforcement officials.
So the real thing that our technology companies have to export successfully is not their technology.
They have to successfully export trust or they are dead in the water and they cannot grow anymore.
We only have 376 million people in the United States, something like that.
Our internet and smartphone saturation is already very, very high.
You know how mobile carriers in the United States, like cell phone carriers, they basically just trade customers back and forth, right? Because there are no new customers to really get on board.
You know, yeah, I guess as the population grows, but that's their limit. So this can't work as a
system where Apple tells our government certain things and doesn't tell anybody else because
they will absolutely fail at their main business goal of exporting trust. They can sell no more iPhones
than they already do, probably in the United States. They're going after China's
market. China has an incredible, you know, untapped market when it comes to cell phones. And even,
it's not so in current years, but there was a year or two in the rise of iPhone where China was
massively outpacing the sales in the United States of, in terms of iPhone sales and driving
up, you know, essentially driving up the United States GDP. So, yeah, I think how I would like to
see things work. I mean, if that's where you're kind of going with this, is look, I would like to
see no backdoors and have the United States government and law enforcement kind of stop that, right?
We've been at this game for more than 20 years. Over 20 years ago, it was over strong encryption,
where the government was like, hey, you can't, you know, go dark on us by having the browsers
support strong encryption. So we're going to make strong encryption to be this export-controlled thing. And it actually ended up backfiring because the United States was like, well,
if we can't decrypt, you know, with our technology, if we can't break the encryption, criminals are
going to get away with things. Terrorists are going to get away with things. They were using the
same arguments during what we call the crypto wars. What was the, what was the unintended effect
of that? Well, we had to ship browsers overseas that had weak-ass encryption. I don't know if you're allowed to say that, but, you know.
It's a podcast. Go nuts.
Yeah. So we had to ship browsers with weak-ass encryption. And guess what? We built the entire e-commerce, online banking, and everything on these browsers that had everybody-knows-how-to-break-it types of encryption. So we basically
weakened security for the entire internet and the burgeoning internet economy because the United
States was afraid of not being able to see encrypted traffic. So I want the United States to stop it.
I mean, seriously. We're done with this argument, you know, about,
like whether you can break the encryption or not. And the fact of the matter is, you can achieve
a lot of the same results by buying vulnerabilities and exploits from those who are capable of
creating them. And I think that should be like a perfectly fine thing to do, you know,
for people, you know, for security researchers encountering that yellow light when they come up
to a decision, what do I do with this? And you know what? Why not sell one for a million dollars
to, you know, the NSA if you're thinking to yourself, well, yeah, they're going to use it.
I'm going to trust that my government will use it to do things under warrant and get, you know, take down terrorists and take down child molesters and whatever.
And I'm okay with that one time.
And then the rest of them, I'll give over to these defensive bug bounty programs.
I still get paid a little bit.
It might not be minimum wage sometimes, but whatever.
I'm okay with it.
So I want to focus on incentives again because there's another trend that I'm seeing, particularly as relates to security, which may be a little tangential to what people are thinking about. But a bunch of smart home devices, IoT devices, have reached sort of their end of life,
end of support. I think most famously, Sonos just said a bunch of our speakers are going to go away.
We can't support them anymore. Pull them down, buy a new one. We'll support that platform.
The first generation of Hue lights just hit end of life. Philips said, we're going to turn off the bridge. Your lights won't work anymore. That seems, on the one hand, I get why everyone's
mad that their speakers aren't going to work anymore and their light bulbs are going to stop.
Like, fine. I understand the frustration.
On the other side, I completely understand why these companies are saying, hey, just patching bugs for these things are an ongoing cost that we don't want to support.
And so I'm wondering if, like, a bounty system for updating those platforms would work for those companies to sort of prolong the life, or we've just got to give up on sort of the Internet of things because you hit a point where you have a million interconnected vulnerable endpoints and nobody wants to pay to support them.
And I'm just like, we've talked so much about the economics of security so far today.
Like, I'm curious for your read on that because it seems like a very tricky problem.
It is a tricky problem.
So, you know, one of the things I loved about working at Microsoft was the perspective it gives you.
You know, when you're at the biggest software company in the world and like a 1% failure rate on the patches means millions of computers go offline, you really get a sense of scope and scale and the difficulty of maintenance of some of these operating systems. So I was still there when they were trying to murder XP and they were like, kill it.
Is it dead? No. Oh, God. Can we kill it again? No. Why are our customers making us resuscitate this
thing? So I was actually inside and I remember some of the efforts that we made. So, you know, first we tried
warning them like five years in advance. Like that was like, hey, just put it in your calendar.
You're going to have to do a migration, put it in your budgets and everything. But here is what
happened, right? The biggest customers who are relying on XP, they basically said, look,
it's not just the operating system. It's the applications that our business depends on these
applications running on XP, and we don't have the money or the time to port all these applications
to the latest operating system. And then the second thing, because we were like, well, what if we offered
you free consulting services to rewrite those apps for you? Like some of our biggest customers, we're like, we'll totally do it.
Please, God, just upgrade.
And they were like, yeah, but then we'd have to train everybody on the use of the new
operating system and the new this and they knew that.
And essentially, it was like, it was like trying to like find the ruins of an organization
in like a moss-covered grove in the middle of the jungle.
And they're just like, yeah, but even just getting new wood to that area would just, you know,
would cost more than the GDP of the planet.
And we're like, yeah, okay.
So then we said, okay, fine.
If you want extended support, then it's going to be, let's say, $25 million extended support contract for next year,
thinking they would say, ooh, that's more expensive than we want to pay.
We'll go ahead and take the, you know, business hit and the training hit and we'll redo all these apps.
And they were like, no, no, no, thanks for letting us know.
Now we can put that in the budget.
And we're like, no, hey, hey, no.
And then we were like, okay, fine, fine, fine, it's $25 million next year, $50 million the following year. They're like, awesome. We were just doing our three-year
forecast. You just saved us a lot of trouble. Thank you so much. And we were like, oh, God. You know, so basically,
the problem was the business needs and the business dependencies had grown like a freaking jungle around the ruins of this operating system.
And that was just one, right? So when I look at IoT, I'm like, I can see the vines approaching. You know what I mean? Like I can see it's like, uh-oh, you know, this is going to be deep in the foggy, foggiest rainforest or kind of installed on the side of a building really high up, really hard to get to and replace. You know, all of these things are bad,
but I don't really know the best answer to stop it because if you force companies to support
these things forever, one, that stifles innovation, right? Because no new player could ever come
into the mix and be like, I'm a three-person startup with an amazing idea, you know,
and, oh, I want to get this thing to market. Oh, but I have to agree to support it for the next
14 years. Like, XP was under support for 14 years. 14 years, right? That's not possible.
So one, you stifle innovation. But two, let's say you say, okay, you know what, forget about,
you know, maintaining it for X number of years after. How about if you just say you'll maintain it
for five years? And after that, you'll send sort of a kill patch that will brick the thing and
force people to get a new one so that you won't have these things out in the world running
vulnerable because people will have no choice, right?
Yeah.
Well, that ends up screwing us over when it comes to the already insurmountable amounts of computer
hardware waste, like literally the planet, you know what I mean?
So we're already choking on computer waste and especially smartphone waste right now, you know,
especially, you know, everybody is trying to get the newest smartphones and the carriers want you to buy the new phones, even if you don't need one. And so we've got landfills full of
computers and smartphones. My God, if we add IoT devices to that, you know, because we're forcing
some sort of an artificial, like, brick, you know, brick patch of death that we send to all of them
to deal with the maintenance costs, we're in trouble. So I don't have a rosy picture or solution
to say about that, honestly. I think, you know, a lot of folks are looking at right to repair
type of laws, right? Where, you know, you can take over a device, you know, that's out of service from
someone and, you know, reverse engineer what the device is doing and then build some kind of a support
structure on your own and maybe offer it to other people. But right now, we have current laws that
prohibit essentially competing. You know, that's looked at as a, you know, unfair, competitive
type of thing when you reverse engineer a product and then try to provide some of, you know,
similar services, that's against the law in the United States, according to the Digital Millennium
Copyright Act. And so you would have to create some sort of exemptions or a right to repair,
I think to put the power in the hands of the nerdy people, like the kids in their basements, like me, right? I love the idea that I'm going to start an illegal Philips Hue cloud service. I think that's great. And I would absolutely connect my lights to your dodgy, your dodgy-ass.
100% trust me. Homegrown. Yeah, I'll be like, he's not listening in at all. That thing has no
speaker. Yeah. The lights are on. He discovered. So last question, speaking of dodgy tech and security,
it's an election year. This comes up a lot. Outside of this sort of misinformation,
election interference stuff, there's just a lot of voting technology that it appears to be going
well, in some cases, and totally awry in some other cases. What is the status of that? I mean,
And outside of the Iowa caucus app not working because they just didn't do a good job building it,
what is the status of our actual election security?
And sort of what is the economics of securing something like that where it only happens every so often?
And there's like big vendors who are providing a bunch of stuff.
Well, okay.
So election security, it is a complex matrix of vendors providing, you know, the voting technology, the voting machines, voting software,
all of that stuff. There's also the layer of election infrastructure. And that's bigger than just a voting
machine in terms of security. That's going to be every poll worker's machines that they bring to the polls,
every machine that is used to tally voting, you know, vote counts and everything. It's voter registration
databases that are handled by local, you know, county and state and city governments. This is what we
call like basically the election infrastructure at large. And it's a big old mess. I mean, you probably
could identify from some of the descriptions of those pockets that some of it's not even centrally managed,
you know, in any way, even for a given election because so much of it, so much of our democracy
relies on volunteer labor. And you're not going to basically provision a bunch of brand new,
fully patched Chromebooks to election workers, like all of a sudden. And even if Google wanted to,
that would actually violate a lot of donation laws for things like elections, right? So we've got this
problem here. And then further, let's say, let's say, you know, it wasn't that complex and maybe
there's, you know, only a few vendors involved, which is not true, but let's say it was.
Election certification runs at the county level and the local level as well. There's over 800 different
jurisdictions in the United States, over 800. And so let's say you were able to, oh, I don't know,
crazy style, do some kind of a bug bounty, which I've already, probably I've already dissuaded
a lot of people from like doing bug bounties. They're like, oh. It sounds like you have a hammer and a lot of things look like nails. Yeah, exactly. That's what I say to a lot of people. It's like,
you know, please don't bounty the election infrastructure right now. Because we actually, we physically
don't have time before this election to have all of those 800 counties or even some of them
recertify their election infrastructure. So when I think about, like, oh, hackers can help us secure the election. I'm like, yeah, like four years ago, if we had
started then, we might, yeah, we might have been able to affect this election. Look, I think, I think that,
you know, the experts that I love to listen to who have done a ton of work in this space,
you know, is folks like Matt, Matt Blaze. And, you know, he's been working on election security
for over 20 years of his career. And I think that, you know, the practical matters are we just need to have ballots that can be manually checked on paper where
practical matters are we just need to have ballots that can be manually checked on paper where
there's a paper receipt that goes to every voter so that those paper receipts could be counted
in the event of discovering an irregularity in any of that election infrastructure.
And then rate limiting and risk limiting audits in all the elections.
Because essentially, like there's a lot of different places where somebody could interfere
with an election.
It could be in the machines.
It could just be in the tallying.
It could be in the reporting.
It could be all of these different areas.
And there's too much to secure all at once before the deadlines.
And we wouldn't really be able to get it all recertified anyway.
So listen to Matt Blaze, read his work, you know, watch his congressional testimony and, you know, perform these elections with either, you know, with definitely a paper trail that has a receipt that goes into the voter's hands in the event of a recount, you know, needing to be able to tally those, and risk limiting audits for all the elections.
And that's the answer.
I mean, it's not as sexy as a bug bounty.
But then again, nothing is.
You know, bug bounty is alliterative, right?
That's great.
Okay.
My actual last question, I asked this of every CEO who comes on the show.
It's really just a very selfish question.
So I might improve myself.
When do you work?
Oh.
When do you sit down and actually do the work of the individual contributor?
You read emails, write emails, write memos, not meetings, not whatever. When do you work?
I am a night person. I am a creature of the night. So, you know, my brain often won't turn off at night until I do some things. You know, I kind of have to offload a lot of what has been percolating in my head all day. So sometimes it's, you know, I get my best work done like in the wee hours of the night, you know, after 11 p.m. before 3 a.m., somewhere in there. And I actually tell people who work for me to,
never be online during those times.
Like, never, never do that.
And then if I accidentally send them an email during that time, because I usually will
draft them and hold them, because I don't want anyone thinking that my working hours
are something that I expect of anyone who works for me.
Yeah, if I accidentally send an email that's in a weird thing, I usually say something like,
this is probably coming from the wrong time zone.
Ignore it until you're in the right time zone for you to do work.
But yeah, for me, myself, it's the wee hours.
I'm a creature of the night, nocturnal, naturally nocturnal.
Are you good at context shifting?
You know, they say that's what multitasking really is.
Like nobody actually multitasks.
It's all just like a series of fast context switches.
I think so.
I, you know, have had ADHD my entire life.
I don't medicate it.
So this is it.
This is what happens.
But, you know, there's an actual squirrel outside my office area that squirrels me in real, real time.
And I will tell people very, very, very much out loud on a work phone call.
I'm like, no, no, hold on.
The squirrels are outside.
They're like, oh, ha, ha, ha, ha.
I'm like, no, real squirrels.
And I must watch them now.
This is important.
You don't understand, you know.
Yeah.
I mean, I can draw the curtains, but why?
You know, it's been working out.
I feel like, you know, neuro atypicality is what they call it these days.
I feel like we, you know, we as a species evolved with all of the different, you know,
sort of neural spectrum in order to survive as a species. So while everybody else who can concentrate
on one thing at a time was totally like, I don't know, husking rice or something, I was trying to husk
rice, but there's a tiger right there and I just saw it. So like, you know, I mean, the thing is
we're all kind of part of the tribe. And I think that, you know, my working style might not be for
everybody. But it's, it's so far it's worked out okay for me. And the DOD and Microsoft and a bunch
of other places.
Exactly.
Katie, this has been an incredible conversation.
Thank you for spending so much time with me.
All right, thanks.
All right, my thanks to Katie Moussouris, super interesting conversation.
Excited to have her on, and we're definitely going to have her back soon.
We're back on Friday with the chat show.
I know we were off last week, so we got a lot to catch up on this week.
As always, you can tweet at me.
I'm at Reckless.
Love your feedback.
Let me know who you want me to talk to, what you want me to cover.
Like I said, just a lot going on.
So I'd love to hear from you so we can focus and make the show good.
So we can focus and make the show great.
We'll talk to you soon.
