This Week in Startups - E1011: Check Point CEO & Co-founder Gil Shwed shares insights on being the “Godfather of Cybersecurity”, growing Check Point into Israel’s most impactful tech company, pricing & developing products for an emerging market, best practices on protecting data from hackers & the next generation of cybers
Episode Date: December 20, 20190:48 Jason intros Gil and asks about his lengthy background in cybersecurity 3:02 What experiences inspired Check Point? 8:31 Gil explains how he raised money for Check Point in the early 1990's 14:04... How did Gil build and price his first product in a developing market? 16:46 Dealing with the first batch of cyber attacks at Check Point 19:10 What was the profile of a typical hacker in the early Internet? When did the criminality start and how does crypto tie in? 25:20 Potential of Chinese hardware hacking & hackers stealing wired money from venture firms 30:16 What are the risks associated with high-level governmental cyber security breaches 31:42 Should companies be required to build backdoors into their messaging apps? 34:24 Are Tor networks totally safe? 38:19 Gil is the "Godfather of Cybersecurity" 38:55 How protective are two-factor authentication & biometrics? 41:26 What are the most dangerous types of hacks? 44:08 Why are Microsoft products more susceptible to hacks than Apple? 46:03 Will deep-fakes lead to more threats? 50:05 Best cyber-protection advice? 55:28 Are the electrical grids a huge liability? 57:55 What is their recruiting playbook?
Transcript
Discussion (0)
This week in startups is brought to you by
LinkedIn.
A business is only as strong as its people, and every hire matters.
Go to LinkedIn.com slash Twist and get a $50 credit towards your first job post.
Eight Sleep.
The first bed engineered to improve your sleep through dynamic cooling and heating,
detailed sleep tracking, and more.
Try the pod for free for 100 days at 8Sleep.com slash twist.
And Brex.
The corporate credit card built for startups, with no personal liability, up to 20 times higher card limits, and huge rewards.
Brex is perfect for venture-backed startups.
Sign up at brex.com slash twist and get card fees waived for life by entering the code twist during signup.
Hey, everybody, welcome to this weekend startups.
I'm your host, Jason Kalakannis.
And today we have the longest running NASDAQ CEO on the program.
And you're thinking, oh, you got Bezos.
Finally, Jeff Bezos is on the program.
No, he's the second longest running public CEO.
Today, I have the CEO and co-founder of Checkpoint.
The security company, that's worth around $20 billion based in Israel.
And his name is Gil Chavid.
I got it right, Gil?
Yeah.
Very nice.
Welcome to the program.
Thank you.
You've been at this for a long time.
And when you started, people just were putting up websites and you decided to build essentially the first firewall.
Do you get credit for the first firewall?
I think we do.
First, we started a little bit about a year before.
people did websites. So we actually started in 93 and the web started in 1994.
Right. And when we started, it was actually when the internet opened up, moving from being
a purely academic network when only universities can connect to being an open one when every
company or every person at home can connect. Yeah, so you were working on Bitnet and maybe ARPANET,
the precursors to the internet. Before that, when I was in the university, that's the models I used
to know. Yeah. And do you remember the day you saw the first web browser?
The web browser was in round 94, again, a little bit more than a year after we started,
the first mosaic browsers.
And that was a huge revolution that you can suddenly, you know, so easily access information.
Do you remember the first webpage you loaded?
Do you remember actually installing a web browser?
No, I don't remember the first web page, but...
It was a crazy time because at that time there were so few web pages made.
I remember when I was at Fordham University, and I saw it for the first time,
I guess it was Mosaic
and they had a web page that listed
the new web pages that were launched that day.
I don't know if you remember that log file.
Yep.
And every day there would be about, you know,
three or four new web pages.
So you could consume the entirety of the web
in about 10 minutes.
Then it became like 20 pages, then 100.
But you could still consume the entire internet.
But you noticed when people put these into,
when people added an internet connection
to their computer network at the office, bad news started happening almost immediately, correct?
Yeah.
And what was that experience that you first had that inspired checkpoint?
I had the idea for technology about network security about three years before I started checkpoint.
And that was technology that I got to the idea when I was actually in the Israeli army.
In Israel, everybody serves in the army.
Mandatory services, one year or two?
Three years.
Three years.
And actually, when you do something interesting, you usually sign up for.
or more. So I signed for another year. I was four years in the Army since like 18 to 22.
And I drafted to a computer unit because I had tons of prior experience as a kid in computers.
And one of my tasks in the Army was to connect two classified networks, nothing to do with the
internet. And we were really, really concerned about the privacy of our network. And that's where
I was requested to find the solution that will keep the security.
Was this like a Banyan Vines or a Novell Network or something?
No, that was IP network.
It was an IP network.
My experience was always about, you know, Unix, open systems and TCPIP.
So that's what I was drafted.
They wanted to start using these technologies in the Army.
That's where they, and I dealt a lot with that on the university beforehand.
How much does the mandatory service define the work ethic and the lack of entitlement you see amongst Israelis?
Do you think?
I don't know.
It's part of our life.
I don't know if it's good or bad.
I mean, I think it makes us, you know,
in the Army, there's a lot of good things and there's a lot of bad things.
One of the good things, for example, in technology and not just in technology,
you get tons of responsibility at a very, very young age.
I mean, you look at the typical company here.
You get responsibility.
You know, you graduate college.
You work for a few years.
When you were getting to be 27 or 28, you start to get some authority.
In the Army, the entire point.
population is under 22. So by the time you're 19, you're already...
Do you have to do the Army then college? Is that the way it goes?
That's usually the way.
You can do a college and then Army. Then you need to sign up for three or four years and
you need to be accepted for that. So for example, even though I was deep into computers
and actually I did some university before during high school, I didn't want to sign up for
three or four years. So I just went to the Army directly.
And they wanted you to take these networks that had important information on them.
Just make sure it's secure.
But they weren't on the open internet.
No, no.
They were completely private and actually were physically located one room next to the other.
Interesting.
And then you immediately realized this is vulnerable.
Sure.
And I mean, I realized that I need to create something that will filter the traffic and not everything should pass by.
I looked for solutions in the marketplace.
I couldn't find something good.
I wasn't necessarily about developing.
It was about solving the problem.
And I came up with this idea that I can write some, like define my own language that can define
communication protocol, translate it into some virtual machine code that will screen the traffic,
very, very, filter the traffic very, very fast and produce the right results.
And I did that.
It was a small project and it worked.
And that was like year 1990 or something like that.
Then I got out of the army.
I did many other projects.
By the way, I felt it's a good idea
because a good idea is something that solves a real problem.
It's simple.
It wasn't that complicated.
And it's unique.
And somebody needs it.
Because you couldn't find an equivalent in the market.
I didn't find equivalent.
It solved the real problem.
I didn't invent a problem.
Somebody gave it to me.
And when I left the army,
I said, well, maybe it's a good idea.
Maybe it's my chance to build my own product.
and then I realized actually that nothing exciting about that.
Going to, you know, big organization, banks
and convincing them that they need to compartmentalize their network and so on is doable but not exciting.
So for two years I did many other things.
What you work on?
I worked in the printing industry, which was very, very interesting, actually.
Like printing newspapers or magazines?
It was actually creating large format image setters and it's a lot of things that may be common today.
back then they were very advanced and which was very interesting because it was multi-dimensional
project when people built the printers, people built, there was, you know, lasers and electronics
and mechanics and software and I was in charge of the software. I did things for the material
handling industry. I worked for some company in New York that did automation of warehouses and
things like that. Back then it was a, you know, it's interesting to see back when it wasn't a hot
market. With Amazon, it became a very hot market. Now you really read.
about it all the time.
And I did consulting for many others.
So I did a lot of different things.
And then in 1993, about two years later, suddenly I saw that the internet is opening
up.
And like you described, all these companies are coming out and saying, we want to connect.
And the next question, how do I keep all these 15,000 universities and the students
there away from my network?
And that's where it rang a bell to me when I said, wow, I got the idea.
I got the technology.
This is the time to take my technology.
Now I got the technology.
Now I have a really, really hot market for that.
And you were able to raise, I think,
four or five hundred thousand dollars back then?
250,000.
250.
Yeah.
Take me through when you first discovered this concept of venture capital.
When was the first time you heard those words?
So actually we didn't raise it even from a venture capital.
We raised it from another software company.
And we were actually looking at, we said,
what's our option?
We say, for example, we can keep our day jobs, work at night, develop a product, and then start selling it.
That's a funding option.
We realize it's not good because the Internet is moving really, really fast.
We've said maybe we sell the first product for a big bank and charge $50,000 for it.
And that's enough to finance us.
Yeah, get the client to pay.
Yeah, we were.
And we also decided that's not a good option because then we said, then we'll be a project for the client and potentially here is the entire Internet.
Keep in mind, the entire Internet is not the entire Internet of today.
It's a few hundred sites, but still different than one big customer.
At this time, if it was 94-95 time frame, there were less than 10 million people on the Internet.
Much less.
No, it was 93, and it was a...
So a couple of million, one or two million, maybe.
I don't know how many students, but in terms of corporations and open, much less, yes.
Much less, yeah.
And so you find out that there's a software company who wants this,
and they will pay you to invest and own a portion of your company.
we were very methodological.
We went,
first there were one or two VCs in Israel.
We actually didn't even call them.
We didn't think they were interested in us.
And then we just went,
we said, okay,
here is a software company of guys we know
and they might be interested in expanding and investing.
We went for some,
we went through two or three companies like that,
not just one.
We went through some people that from the banking
or the finance industry and we wanted to.
So we picked like three different sectors
of potential investors.
We showed them our ideas.
all expressed interest some more, some less.
And at the end, we had the race between two software companies.
Back to us, by the way, they looked like giants.
They were selling in millions of dollars.
Each one had about 50 employees.
Wow.
And to us, they looked like, yeah, like big companies.
And at the end up, one company called BRM from Jerusalem won the deal.
The deal.
They got, by the way, half of checkpoints for that amount.
250K for 50%.
So when people are complaining right now about,
a 10 million dollar cap for two million dollars back then it was not even close to that yeah and
and we were able to run quickly and we chose them not just for the money we chose them because they
had they had some contacts they were actually doing antivirus software for oEMs in the US eventually
even for semantic and so we got to see that they have contacts in the market they know where to
where they can help us and so on and on the other hand we weren't
we weren't thinking that they necessarily want to take over
because it's not like they had the full channel or distribution model.
So we chose them and we started running.
All right.
When we get back,
I want to understand how this went from being just this two-person company
with 250K in the bank to becoming much larger
and then eventually going public when we get back on this weekend startups.
Hiring the right person takes a ton of time.
You know this.
And what do we lack as founders?
Free time.
We don't have any free time.
urgency can be your enemy when it comes to finding the best candidates.
You might make a mistake and you might just hire somebody to fill a seat and that's always a mistake.
That's why LinkedIn is the best place to go find that talent because everybody is on LinkedIn
and LinkedIn jobs screens candidates with the hard and soft skills you are looking for.
So you're not going to rush and make a mistake, but you're going to be able to hire a person quickly and efficiently.
Over 600 million people are members of LinkedIn.
You know this because if you're hearing my voice, you have a LinkedIn profile, and you've been on LinkedIn, probably in the last hour or maybe day, just like the rest of us.
And a hire is made every eight seconds on LinkedIn.
That is crazy.
And at launch, we are proof positive.
We got Sir Charles, our director here at the studio.
And Marine, our marketing manager, both through LinkedIn Talent Solutions.
And here's a video of my associate press putting up a job posting for our clients.
success manager. And our podcast is growing so much that he's looking for somebody with those specific
set of skills. He writes that description. He adds some screening questions. And he sets a daily budget.
Bing, bang, boom. We're all set. We're going to start getting great candidates. Just that simply.
And here is your call to action. This is unbelievable. You can get 50 bucks, a 50.5.0 by visiting
LinkedIn.com off your first job posting. LinkedIn.com. It's already in your browser's history
slash twist. That's all I need you to do. LinkedIn.com slash twist. That's all I need you to do. LinkedIn.com
to get that $50 off your first job posting.
Terms and conditions apply, of course,
because it's giving you $50.
All right, let's get back to this amazing episode.
All right, welcome back.
I got the co-founder and CEO of Checkpoint.
You can go visit by Checkpoint.com.
How many employees you got now?
Today we got 5,300 employees.
5,300.
That is mind-blowing, isn't it?
Yeah.
And on how many continents?
All the continents, almost every major country.
It's about a little bit more than 2,000 in Tel Aviv in our headquarter,
where most of our research is done.
A little bit more than a thousand in the U.S.
And another, the reminder in Asia, Europe.
You're the biggest in Israel?
You're the biggest tech company?
We are the biggest, not necessarily by number of employees,
but in terms of market cap, profits,
we're the largest company in Israel.
So you build this 1.0 product
and do you remember who your first customers were
and how you sold it to them for how much?
Yeah.
So the first few, first we started before even the first customers,
we had a few beta sites.
We had about 10 beta sites,
mostly in actually in the,
actually maybe one in the Bay Area,
but most of them were in the northeast,
in the Boston area.
It's closer to Tel Aviv.
Halfway.
Halfway.
Only eight hours.
Yep.
And we've got,
and there were some interesting organization
from State Street,
Gillette,
Lotus software.
Lotus.
Oh, really?
Lotus was amazing.
case.
Mitch Kepor?
Maybe he wasn't there at the time.
I think he was there.
But Lotus was very interesting case.
We showed them the software.
They really liked it.
They're out of 20 web beta sites that we did.
19 says we want to buy the product.
And they're the only one that said, you know, you have a cool product, but we won't buy it
because getting on the internet is too dangerous.
We're not going to connect.
Wow.
And a year later, that was the nice thing.
A year later, they bought 20 copies.
So we realize that you cannot be not on the internet.
Yeah, there's no choice there.
And the 1.0 product, how did you come up with a price for it?
Good question, because there wasn't a comparable market.
In many cases, you're saying, that's my distribution channel, that's my pricing.
There wasn't any software for the internet.
So we were thinking, first we saw what, there were some companies before us that didn't do a
commercial product but provided a service.
So, for example, they charged $60,000 a year for building you a firewall service.
And we were, actually what I said is very simple.
I don't know where the market is going to go.
Very high-end, few customers, very big, or commodity like software that you sell for $500.
I'd rather start in the middle.
So we priced it at around $19,000.
And we say, you can go down from that price.
or if it's a big company,
they'll buy multiple copies
and it will be like a $100,000 project
with few copies
and, you know,
few copies mean many gateways
that you'll connect to the internet.
And so, I mean, my model was mid-price
so you can be flexible the way the market goes,
go up or go down.
Yeah.
And we actually even offered one addition,
we said for $5,000,
for startup companies,
because I said,
I want companies like ours
to say that it's not out of their league.
So if you're a small company,
50 employees or less, you can go to the whole things for $5,000.
And the internet catches fire.
Yeah.
And people start buying it like crazy because they're getting attacked or because you just
were very good at selling it?
Like was there, were there attacks that early on that people were recognizing and
people causing damage or no?
Yeah, there were attacks and there are attacks.
I mean, I can tell you my first story.
I installed our first beta sites at the company, BRM, the company that invested in us.
And that's way before we did the external best.
sites or anything. By the way, installed it there because we couldn't, we didn't afford an internet
line. We didn't have an internet line. You couldn't afford the ISDN line, the 120K? The T1 or something.
It was, we said, 5,000 a month back then. I'm not sure, but he said it's just too expensive.
Even a few hundred dollars to us looks like a lot. So, but they were, like I said, a big
company, 30 employees, so on. So they've, they did one. I came to install the software.
They bought a server, a Sun server to run that software. I installed it five minutes later. I
I get an alerts on my console that somebody's trying to break in.
Now, it's a software developer.
You know, my first reaction is, it's probably a bug.
Yeah, because it was the second you turned it on.
Yeah, the second I turned it on.
Nobody knows about us.
Nobody, they connected to the internet.
That's the first time we're connecting.
What are the chances?
So probably a bug.
And when I started investigating, I look at all the IP addresses
looks like they are valid and started tracing them back.
And the internet in Israel was like two dozen companies.
So I immediately recognized where is it.
coming from, the company I used to know.
And I called them and I said,
you're attacking us, what's going on?
Of course, they said we're not attacking you,
but we know you.
Come check our network and see what's going on.
So I drove back to Tel Aviv.
Late in the evening,
drove to their offices,
started checking the forensic on their network.
And I found out that somebody was in their network
having full super user rights.
Oh, they slave their computers.
Yep. And then I've checked where it's coming from.
It's came from Tel Aviv.
University, the Israeli electrical company, the utility company.
I mean, basically I found out that there were a few people all over the network in Israel,
all the companies, multinational, local companies penetrating.
We actually decided to call the police that early on, and the police decided to investigate
that.
And two weeks later, they arrested two teenagers that basically from their home computer
got to everywhere in the internet.
And then you hired those two teenagers?
No idea.
I still don't know who they are.
I mean, I would always stay on the, we always stayed on the, we always stayed on.
on the good side of things.
But back then, in the early days of this kind of hacking,
in that in that 90s period,
most of the people hacking, would you agree,
were trying to see if it was even possible
and were kind of rambunctious kids, as it were?
Yeah, it wasn't criminals.
It wasn't necessarily people trying to...
I mean, there were, like, students from Caltech and MIT
defacing the website of both universities.
Yeah.
That's one of the early cases,
even before the commercial internet, even...
But it wasn't criminals trying to get money so much.
When did that element start?
And when did you realize this is a requirement for every company to have?
So I think every company realized that.
It's like having a door to your house.
You have a house.
It's on the main street.
It's actually maybe in the dark part of town
because everything in the internet connects to everything.
So everything is in the scary part of town.
and you realize that
you don't want everybody
to walk into your living room.
You don't have to see that they murder you.
Just realize that you don't want
all these people in the street
in your living room,
whether they are nice people
or they are scary people.
Still want them out.
So every company that's connected
wanted to ask about firewall.
It was very clear demand.
Yeah.
And when did
the criminal element
start. Do you think there was a moment in time where people realized, oh, there is a business,
there is a financial motive in breaking into other people's computer systems?
I think there were a few, I think first it was late 90s and actually became much, much bigger in the 2000s.
Yeah.
And there are many things that caused that.
But even later, people realize once you had shops on the internet, you realize that you can
get into a shop and change the price.
So that's, yeah.
So now you can buy something for free.
still, by the way, doable on many websites.
You can easily get in.
Change the price.
Change the price to zero and buy 10 of that thing and change it back.
And nobody notices that you bought something for free.
So, I mean, there are many, many elements like that.
I mean, shutting down your networks because somebody is trying to see what's noisy.
By the way, we had a lot of hacktivist, what's called,
that are shutting down networks with attacks like that.
And their motivation wasn't to make money, but to show.
that they can or to cause some damage
to show that, you know, the banks are evil
whatever, which is not there.
So, I mean, these things
still happen and they happened also in the early
days of the internet. The organized
crime that tries to make tons of money
out of it, or by the way, the
sort of government
sponsored the
espionage and attacks,
they came a little bit later
at the beginning of the 2000s. Yeah, it was a
web 2.0 thing. People started to realize,
hey, if we break in here and we can
compromise somebody's emails, compromise somebody's passwords.
There might be money to be made.
There could be ransoms.
And then did cryptocurrency become the sort of the jackpot of all jackpots for the financial
motive?
Because before then, were people actually asking people to wire money to a bank?
It's pretty easy to get caught.
But with crypto, you had something of value that was relatively anonymous.
I know it's not completely anonymous, but it's anonymous enough that you can just say,
hey, send money to a wallet and we're done here.
You're absolutely right.
There has been criminals that try to get money even in the 80s
through wiring it to some weird countries, not an easy task.
And the cryptocurrency completely changed it
because suddenly the criminals had the currency that they can charge
and, you know, telling you pay one Bitcoin or half a Bitcoin.
And suddenly there was a financial vehicle that you can use to make money.
So absolutely.
Yeah.
All right.
when we get back from this quick break, I want to talk to you about this story that happened.
Gosh, I think it's been a year now.
I think it was super micro and in China.
I'm sure you're aware of it.
There was this Bloomberg report that the Chinese might have been putting or some organization in China was putting on the motherboards,
some worms or some code that could then activate at some point in time.
I want to know how that story was.
when we get back on this weekend startups.
Listen, if you're a founder, you're probably using a million different techniques to be better at your job.
You know what the number one thing is?
Getting a good night's sleep.
That's how you become more efficient.
That's how you become crisp and you make great decisions.
That's the ultimate hack.
You want to get a great night's sleep.
And eight sleep is the first bed engineered to improve your sleep.
I have this bed and I love it.
You can set the temperature on two sides of the bed.
So my wife, she likes it a little bit warmer than I do.
I like it nice and cool.
You can set the temperature.
And then you can look at your sleep scores.
One of the things you can do is you can make minor adjustments.
And one of the things I noticed was there were some lights on outside.
You have lights on a timer.
And we just set the lights back two more hours and all of a sudden my sleep score went up.
I realized I had an ambient light coming in from outside.
That was unnecessary.
In addition to that, I had thermal alarm from the eight sleep bed.
What this meant was it made it slightly cooler when I needed to get up at 7 o'clock.
And my heart rate goes up.
up and I wake up naturally. I felt so rested. I could never sleep on another bed that doesn't have
the eight sleep feature set. It is amazing. Customers who sleep on the pod, fall asleep 15% faster.
They toss and turn 25% less. And they increase that deep sleep. That's the one you want. They
increase it 17%. And it's just an incredibly comfortable bed. So supercharge your health and productivity like I am.
Get the sleep you need and deserve by heading to 8Sleep.com slash twist. EightSleep, E-I-G-H-T,
sleep slo-e-e-p dot com slash twist and you get to try the product risk-free for 100 days they'll take it back
if you don't like it you're going to love it that's how confident they are great job eight
sleep and really happy to be an investor in the company as well thanks for making some room on the cap table
for me all right let's get back to this amazing episode there's been a lot of talk about this Bloomberg
story last year and a lot of talk just in general about Huawei and maybe people in the west
or the free countries in the world even using
Huawei routers.
But this one story was very acute, putting some type of chip or some code on motherboards
that would then unlock at certain points in time.
Does this story seem, because it was denied, obviously, like these things are.
Does that story have any lags or does it sound to you like it would be possible or probable?
I think it's possible and probable.
I don't have any evidence that it did happen.
I mean, we saw the news reports and some people denied them.
On the other hand, nobody proved one or the other.
But wherever it's possible, it's definitely possible.
And by the way, it's computers that arrived with infected the bios software and stuff like that.
We're seeing a lot of time.
That happens a lot.
It's not even that difficult.
It's not that difficult.
Somebody is in the factory and they just take out one BIOS chip and just reload it.
And replace the master.
And that's it.
And that's a...
Now you've got a thousand webcams or a thousand servers that have this bug in it or this software.
where that calls home at some point.
But you're also seeing it on smaller scales as well.
You have startups that you've heard of that have had their money stolen.
So, for example, we published actually this week that we were called a few months ago
to investigate a case with a small startup, 10, 15 people, so a really tiny startup
in the medical field that was raising money from a Chinese investor.
And they realized that they raised a million dollars.
and somehow a few weeks after the money was supposed to be in their account,
they realized that the money is not in the account.
And they communicated and communicated until they figured out something went wrong.
And the money is not there, even though the Chinese VCs sent the money.
And they called us to do an investigation.
They didn't use anything for security, which explains some of the issue.
And they're using plain open email servers on the internet,
hosted email service.
And we started investigating and find out that there was a gang that was in their emails for a few months,
setting up fake email accounts of basically rerouting all their emails to a fake server and then rerouting it back to them and vice versa,
doing the same thing on the Chinese investor.
Wow.
And for months we were monitoring the communication, creating, understanding how to explain, how to write.
And at one point, like they're saying, okay, what's your bank details?
They changed the mail with the other bank.
bank details. And then is it fine? Should I call you? And just
communicating all of that to the point that at the day that they were supposed to get the
money, the CEO of the company and the VC were supposed to meet in some conference.
And the hackers were afraid that when they shake their hands and exchange the detail,
they realized that something is wrong. So they actually wrote to both parties an email from
the other party that saying, sorry, I won't be able to make it to the conference after
all.
mutually canceled.
Yeah, both mutually canceled and say, let's meet in the next opportunity.
And the money got wired to the wrong bank account.
Probably, by the way, they got, even the VC got an acknowledgement that they received
the money because they fake the email.
And the problem...
Talk about a man in the middle attack.
Yeah.
And when they sent probably, then sent a message might have said, yeah, the money still,
it will take a few more days or something.
And the money is gone.
And that's the real case.
happened just a few months ago.
I met last month some customers in London.
They heard the similar story in London.
So it's probably the same group deploying the same technique on multiple cases.
And that's not a small one.
A million dollar seed money for a small startup.
That's pretty big.
That's incredible.
And you just think about the amount of effort that took,
they had to intercept both of their mail servers.
And then, which probably happened because they had the ability to
get to their ISPs.
Yep.
And then for months, they sat reading the emails.
This is sophisticated.
Yeah, that's a long game.
Yeah, but you see, there should be somebody sitting again.
It can be in any country in the world, doing that job, maybe monitoring 10 or 20 companies,
and waiting for the right moment.
And if you make a million dollar every few months, that's not, I mean, I don't think any one of
us should be in that business, but it's not a bad business.
Yeah. There's more at stake, and it's very interesting. It used to be that nobody would put their credit card on the Internet, and now people have no problem putting their entire net worth on the Internet. It's been a big swing. When you look at the state actors out there, they're getting sophisticated. The big players seem to be China, the U.S., Israel, and Russia. If you were to rank those in terms of ability, how would you rank?
bank them. Are they all kind of in the same league?
I think very similar league. Probably the U.S. has capabilities better than anyone else.
But all the others are also very good. By the way, the British are also very good.
There is a lot of other nations that develop these capabilities. But the scary part is not
whether you are going to need to fight. First, you are, many of us will need to fight some foreign
governments that will break into every company, every country.
But that's not the number one risk.
The number one risk, that's the number two risk.
The number one risk is that the same tools that they develop
find themselves to find their way to the open market.
And everybody can use them.
And there are some tools that were very good.
I remember actually it was an Israeli company
that was able to backdoor into the iPhone
because we had a shooting here,
tragic shooting,
Islamic terrorists shot up,
was it San Bernardino, I believe.
And Apple wouldn't backdoor the phone,
even though it was apparent they could.
And an Israeli company did.
Yes.
I'm curious your take on the very delicate issue of,
should these companies have backdoors?
Facebook has suddenly said no backdoors
in their messenger products.
Does that seem reasonable to you personally?
knowing what you know
being essentially
the grandfather of all of this security?
I think that most companies
don't put backdoors intentionally.
I think these backdoors exist because
of bugs in software.
And last year, just to get the statistics,
there is an organization
that tracks all the vulnerabilities
that are found. In 2018,
they found 16,555
known vulnerabilities in everything
that we use.
I mean, so, I mean, it's not close to 800 of them in mobile devices, iOS and Android.
So just to give us an explanation that these backdoors exist, whether we like it or not,
I don't think they are put intentionally by the companies.
But should they?
Because we now have our government saying we have a little bit of a standoff where people in the FBI,
putting aside Republican Democrat, there are people in our intelligence service who think it is not
patriotic of the big tech companies here to not give them access. And now we have our tech
companies saying, you know what, I think people's privacy is more important and our ability to
ensure that is more important. Where do you personally stand on this issue? Because this seems to me
to be a very hard issue to reconcile. I think that if I'm developing a product, my responsibility
is to develop the best product. My responsibility is to my customers to have absolutely the
best product that I can develop.
And I shouldn't have any,
any, you know,
capabilities that are not well known to my
customers, because that can be
turned, it can be used by, for good purposes,
but it can also be used for very bad purposes.
And my customer needs to know that my
only responsibility is to make the best product for them.
Right.
Even if that same technology can be used by terrorists
or other bad actors.
Every technology can be used to me.
know, our cars are used by people that run over people.
And, you know, I'm not talking about technologies that are meant to cause damage like guns.
But again, guns are also for defense.
Right.
But, I mean, you know, car is the basic one.
I mean, fire.
The biggest damages on Earth happened due to fire.
Now, we also need fire to hit and to cook and to generate energy.
And so, I mean, every technology can be turned against us.
There is nothing new in that, in how.
high tech,
which changes that.
What do you think of this tour network?
This has been one that's particularly interesting to me because I know that the,
a lot of the government agencies were involved in the creation of it and the sponsoring of it.
There is a belief that this does, in fact, allow people to anonymously surf the
internet and browse.
But I look at it and say, you know what, this seems to me like a system that could
actually be compromised.
Do you think that is actually what it claims to be a completely,
neutral anonymous platform?
I think it's a neutral platform, but again, for everything, the sophistication of people
who want to break in is always going to find some weakness in everything.
The weakness is not in the network.
The network is not going to point to you, but maybe somebody can send you a file and
that file will, you know, beep and say, this is who I am.
And by the way, that's what's happened in many of these cases when the FBI wanted to
crack pedophile network.
The FBI used it actually to send files that will ring on the regular...
Home at Beacon.
Yeah.
And we'll do that.
I mean, we've seen the techniques.
And when you look at that world and that world is fascinating.
I'm very glad, by the way, that I'm part of the white side of it, of just defending.
But when you look at the risk and the creativity that exists amongst the hackers of how to break in, it's unbelievable.
I have a team that's doing research and trying to find vulnerability so we can create.
close them and we can notify the world.
And I'm meeting with these people every week or two.
And I'm fascinating every time by their level of creativity and what they find and what
they can do and the new ways they can find to get systems that you think are sort of isolated.
All right.
When we get back from this final break, very important.
I want you to tell us if you think two-factor authentication and biometrics are everything
they're cracked up to be. Are they actually protecting us or are they going to be the next
two things to fall when hackers figure out how to break them and back door them when we get back
on this week at startups? Okay, when Brex founders Henrique and Pedro came to the U.S. from Brazil,
they were working on a virtual reality startup and they were rejected over and over again for a
corporate card because they had no credit history. And so they pivoted that business from virtual
reality to financial reality with the Brex card.
corporate card that all the startups you know are using and rave about.
It's a card specifically designed for startups.
And here is why thousands and thousands of founders are using Brex.
Number one, it doesn't require a personal guarantee so you're not on the hook, founders.
And you don't have your credit score or your assets at risk.
They underwrite your startup, not you as the founders.
So card limits are up to 20 times higher than traditional corporate cards.
That makes total sense.
And they eliminate the hassle of tracking.
receipts with their automatic receipt matching tool. So when it got everybody on different cards and
they're spending a bunch of different stuff and you got to reconcile that, that's time, time equals
money. They got the software to do that and you get huge, ridiculous rewards. Like seven times
the points on Uber and you get four times the amount on travel, three times on restaurants,
my favorite, maybe a little Peking duck, yum yum, and two times on reoccurring software. They
know what you're buying. They know you're buying that Uber. They know you're traveling, getting that Peking
duck.
Here is your call to action, everybody, if you're a ventureback startup based in the U.S. of A.
Brex was built just for you.
Sign up at Brex, B-R-E-X.com slash twist, and get card fees waived for life.
What, for life?
What a deal.
That's B-R-E-X.com slash twist, and use the promo code twist at sign-up.
Okay, let's get back to this amazing episode.
All right.
It's okay.
I have I call you the Godfather's security.
I wish.
I mean, maybe.
I think so.
Of the internet, maybe.
Godfather ran that security, yeah.
I'm not going to comment on anything, Musad or anything.
No, no, nothing.
Absolutely not.
Me neither.
I've never been on any missions.
You know, sometimes you need a, you know, a Catholic boy.
Maybe I can get into certain situations.
I'm sure you can.
Trade some information.
You know, I'm not saying I'm, you know, CIA, nothing, anything like that.
I'm too high profile.
I'm not saying I wouldn't if I was asked to do my duty for my country.
two-factor authentication is still not mandatory, which is bizarre to me.
And biometrics are now being built into the phones, face ID, thumbprint on the back,
fingerprint on the back.
Actually, that was an Israeli company bought by Apple, I believe.
Biometrics, two-factor, are these things really powerful in protecting us?
or do you think that they're easy to compromise?
I think they are very powerful in protecting us.
I don't think that they cannot be compromised.
I think it just makes it much more difficult
and much less effective to do that.
But again, and again, as I mentioned before,
the creativity of the hackers is unbelievable.
You can fake some of the biometrics
or you can just change your registration.
I mean, register a new fingerprint,
register a new picture of your face somehow.
And as I mentioned, it's unbelievable to see a level of creativity
that sophisticated hackers can have.
The audit trail seems to be to be underutilized.
I'm noticing now that Google is getting very detailed about the audit trail.
And actually, Apple is following suit.
When you log in with a new device, it tells you on all the other devices.
You get an email, you get an alert.
hey, this device from this IP address,
that seems to be one of the biggest things,
just reading your audit logs and being on top of it.
But people don't do that basic task, do they?
Some do, some don't.
I think what some of these companies doing
is actually pretty good.
I think that some of them, by the way, got compromised too.
We've seen cases where there have been backdoors
or not backdoors, where have been exploits
that could have changed some of that on their networks as well.
But I think the more we do, the better it is.
And it's better to know that somebody's accessing my account.
And if it's not me, I should be alerted or do something about that.
But it is a pretty big challenge, yes.
Yeah.
The worst thing I heard was somebody made a domain name that was similar to another company.
So if the company was Apple, they would get the domain name, you know, Apple computer.
But they would get, you know, leave off the last e or something.com.
And then they, you know, take their mail login or call customer.
customer support from an email address at Apple Computer, and then they basically convinced the person on the customer support line to give it up.
How often, in your experience, are these hacks basically human factoring?
They're figuring out a weak human in the process.
Is that half of all hacks, you think?
The third.
I don't have percentage, but it happens a lot.
Yeah.
But the really dangerous ones are not with one.
The really dangerous one are the automatic one that simply crack through our...
I mean, sometimes they start with something like that, like identity theft.
By the way, many of the hacks that we have are starting with a mobile phone that's being compromised.
We don't even know that it was compromised because the hackers use the mobile phone to steal your credentials.
And then the attack actually occurs on your cloud account, on your enterprise network.
The source of it is the hacking of your mobile phone.
But when you account for the, when you look for where did the attack came from,
you're saying it was on my cloud account.
You're not realizing it started with stealing your credentials on the mobile phone,
for example.
And by the way, that's part of what we call fifth generation attacks,
but we call their multi-vector.
It's not somebody attacking you, somebody following you, stealing something from you,
and then using it somewhere else.
And in the third, four, or fifth stage of the attack, the damage is actually occurring.
Ah, so they try to get you on your phone, maybe compromise your phone,
maybe in your phone, they get your bank details,
they get your secret email address,
then they start working
four or five different angles.
And this is a lot of effort
on the part of the hackers.
Sometimes, sometimes it's not, I mean,
again,
you need to invest in order
to be a good hacker.
But people are doing that.
And let's remember one thing about software
in the internet. Once somebody established
a methodology, they
can bring it as a tool
that everybody can use.
And many of the criminal networks
that we see today
are not that, you know,
there is one whiz guy
that know how to write emails to people,
convince them to do certain things,
write malicious software on multiple platforms,
create a payment system
that charged the money.
That's building a business.
That's complicated.
What you're seeing is like in the real world
that there's different people
doing the different elements,
and if you want to run the crime,
you just need to rent the elements
from the professionals.
So the program,
that actually did that, again, I don't want to defend them by any means.
They're criminals.
But they feel like they wrote some software and they rent the software.
They're not stealing money.
They're getting money for, you know, renting you some software that they wrote.
And apparently that software is the one that knows how to break to your computer.
Yeah.
Are our phones, would you, why are Microsoft Windows computers been historically so much more vulnerable
than the Apple ones.
I mean, you would think Microsoft, after being such a big target,
so many virus problems over such a long period time,
would just lock down that operating system.
Why can't they?
Because we got used to the fact that Windows is open
and you can run any software on it.
And there's a lot of APIs that you can do anything you want with them.
And Microsoft doesn't regulate what you can or cannot do
with your PC software and with the APIs that exist there.
and Apple does.
Apple controls every piece of software
that runs on our iPhone.
You need to go through the App Store.
There's no other legal way or valid way to do that.
And Apple decides there's many, many rules
that Apple has about what can every API on the app store can do.
You cannot use it for anything you want.
They say what it should be used for,
and if you violate it, they throw you out.
Which one are you more in favor of which one to use yourself?
Are you part of the open,
hacker, Windows, Android
ecosystem? Well, first, the open one
started actually with the Unix
and Linux. I'm from VET party. I was
never, I wasn't a Windows programmer.
I was at a Unix programmer
when I can see the whole source of the operating
system, when I can understand
everything, when I can modify it. So I came
from VET camp.
Which is still, by the way,
vet camp. What do you advise people?
Civilians. They should just use Apple products
that are tighter. I don't think it matters.
I think it's, all the products are
vulnerable. It doesn't matter what I use, but it's a struggle on mobile is between Google and
Apple and both have her own benefits. Google is doing an amazing job and investing a lot in
security and it's a little bit more open. And Apple is also doing a good job and it's more,
more closed environment. This is like tangentially related, but have you been following the
real fakes kind of concept where they can make videos of you and I or celebrity
talking and video.
How is this going to impact security
when people can start calling people on the phone
or video conferencing?
You don't even, you're seeing video
and you don't, it's you.
Like you might have somebody call your spouse.
Yeah, absolutely.
Over FaceTime and they wouldn't be able to tell
it's not you and they say, hey, can you get me,
can you find my pin code?
Like, this is coming, right?
Yep, and we saw the first crime.
It already happened.
What?
The first crime happened in Europe
where some UK company
that has a branch in Germany
the CEO called his
general manager in Germany and asked him
to wire money to some supplier.
He wired the money
because he got a personal call from the CEO
please help me in that
and it turned out that
it was a deep fake?
The deep fake for recording the voice
of the CEO. By the way,
when he speak about mobile phone
and I see a lot of people and say,
I don't care, they can break into my phone.
What do I have to hide?
So I think even your voice is something you want to hide now.
Because how do you, you know, your voice, you can get it on the internet.
You get a thousand episodes.
Yeah, they can make anything out of me.
But regular people voice, you get it if you hack to their phone.
And then you can call and then you hack to your phone on the phone with the bank account details,
versus the who's the phone number, the person in the bank you're calling.
And now somebody can do a transaction on the bank.
The bank will call you back.
And the deep fake will answer the call and says, sure, it's me.
Please do that.
I approve, which is the most sophisticated thing.
What I do now is if somebody tries to call me like that, I say, listen, I can't talk
right now.
Give me your phone number and email me your phone number so I can call you back.
And then I check and then I check the existing phone number.
So I know that people are trying to do this with me.
So if you just tell them like, you should never, if anybody calls you on the phone, you should
assume you're being scammed.
No, but sometimes you would call the bank.
And again, with deep fake, you can do almost the...
And by the way, if I hack your phone, I can do everything because I can call on your behalf from your phone.
And that's valid.
And it's not that, unfortunately, it's not that difficult.
We've just seen several crimes like that of somebody that they got stolen over $20 million of Bitcoin from their mobile phone.
Yeah.
And again, it's a very simple, you know, we got this SMS.
You talked about multifactor authentication through SMS, which is great, and I recommend that everybody will use that.
But again, it's very, very simple.
We demonstrated that like two or three years ago in our customer conference, how you take over someone's phone and get their SMS messages.
Yeah, you just replicate their SIM card.
Not even to replicate.
You just need to know where a number.
It's actually done for roaming over GSM.
networks, if I say I'm you and I'm roaming, it's okay.
Now, in order to do that, you need to have access to someone, to some other GSM network
that will trust you.
And there is few in Africa that it's really easy to get into.
So, I mean, it's, and we demonstrated it like two or three years ago when we got, we got like
three, four years into the mobile security space.
You ever go to DefCon?
I didn't, but I have many people that do go there, yes.
Yeah, it was pretty interesting.
I went there one time.
And I walk into the lobby of the hotel in this four ATMs.
And I just thought to myself, what hotel has four different ATM brands in the lobby?
Two, maybe.
Four?
And it turns out they have now, they just roll ATMs.
You put your card in.
You're typing your pen.
It's like, oh, sorry, we're out of cash.
And now they've got your pin.
Yep.
And they've got your face.
And they've got your face.
And they got everything.
They got everything.
How do you, what do you think the best?
best practices are. If you're talking to a family member who's a neophyte, what do you tell them
in terms of like, here are the steps, protecting yourself? Beyond obviously having firewalls and
using all the same. First, consumers, it's a little bit easier than enterprises. Enterprise is my
field and it's a little bit more sophisticated. Consumer, be very, very careful. Make sure it's,
you have backup of everything you do. Make sure you know your passwords and you don't share
them, use multifactor authentication, and use software.
I think the software that we have in the industry, and again, consumer is not my main
field, even though we make some consumer software as well, use that.
The password managers that put huge strings together are safe, it's a good idea?
It's not just that.
It's not just, I mean, do you use anti-malware software on your mobile phone?
You know that it can be hacked.
We use antivirus on every PC in the world, and we don't use anti-malware.
on our Android or iOS phone.
And why?
I mean, this can be hacked.
And by the way, it is, we have our software.
I actually, of course, we have many customers that are using that.
But I'm actually sometimes giving it to some of my friends.
And many of them are business owners and sophisticated people.
And they all come back a few weeks later and say, you don't know.
I've clicked on that link and it turned out it was a malicious site.
And, I mean, it is quite.
The spearfishing is the scary one.
That's how they keep catching people.
These idiot politicians, for some reason,
it's like log in to view this document
and they show them what looks like Google Docs
and they don't even look at the URL.
It's very hard to catch that if it's done right.
I mean, I can tell you that 99% of these cases
are not done in the most professional way.
But to do a fake, it's very easy
because everything is available.
You can just copy it.
There is nothing that, I mean,
to look like Amazon website
or a Bank of Canada website,
it's very easy.
You just copy the website.
You don't need to be an artist to do that.
Yeah, it's not like you're forging $100 bills.
Yeah, you don't need to forge it.
You just copy it.
It's digital and you copy bit by bit the exact thing.
And you make only slight modifications that are very hard to track.
I'm getting messages and sometimes I look at the messages.
I just got one for my healthcare provider.
And I said, is this real or fake?
I mean, I can tell and I really can tell.
Yeah.
No, I mean, and if you have any kind of bank account, super hard to tell.
And then the stupidest thing is sort of like, tell us what city you were born in or your first car.
It's like most people's first car was a Honda or Toyota.
These secondary security questions can also be gameed pretty easily.
That's true.
And apparently, I think the issue is the level of sophistication that you need to do.
And I think what we have to remember, you don't have to be the number one in the world.
You just need to be a little bit faster than your neighbor.
because then he will get caught.
So that's so.
Yeah.
Yeah, I don't have to outrun the bear.
I just have to outrun you.
Yeah, exactly.
I mean, this is what two factor does.
If you have two factor on and you check your autologs,
a hacker's going to probably go on to the next version.
The easier one, and there's a lot of easier one.
It's true, by the way, for consumer, it's true for enterprises.
Now, again, I would advocate to get the highest level of security,
but the more you raise the bar,
the chances of you getting hacks are getting much, much lower because your neighbor
isn't.
Isn't.
And by the way,
that's the way
the professional
hackers are working.
They're sending,
they are scanning the network,
trying to infect everyone
with the bot.
Then they got the bot in.
Now that they got the bot in,
they see,
some of them just say,
create an attack on everyone.
Some of them might say,
okay, we got,
we tried the 100,000 IP addresses.
We got to 100.
Not bad.
Now let's see which one of the 100
is interesting
and where we should now
plant or more sophisticated.
And then the way
all the malware works
is like that.
You use some exploitation.
You install a bot.
This bot is programmable.
The payload, then you send the payload.
And the payload can be nothing or the payload can be extremely malicious.
So like when you talk about mobile phones, we found networks that control 50 million mobile
phones.
Most of them used by not very malicious thing, by like ad baiting or clickbaiting, which
is a small, it's a crime, but it's a small commercial economic.
crime.
This networks within one minute can be turned into the most malicious network in the world.
Yeah, to a big denial of service attack.
Denial of service or stealing all your credential or erasing the phone.
Think about 10 million phones that get erased in a minute.
What's the damage?
Economically, chaos it creates.
And I'm, by the way, pretty sure that if I was a really bad organization or really
bad government, I wouldn't put straight on malicious stuff on everyone.
I will build this network.
I will make it something that doesn't look that bad.
And at the day that I really want to create an attack, I will use that.
And if in the middle time I'm getting caught, I'm saying, that's this company.
Of course, I will arrest them.
They're criminals.
I mean, we've seen that, by the way, many hacks that the world has identified the hackers.
And somehow, some government gave them sort of somehow they disappeared somewhere in the world.
Yeah, they were providing good information so they got to pass.
You worry about the grid.
You worry about the electrical grids and this kind of stuff.
And are big customers for you.
There are customers and they are good customers.
But the grid is definitely all the infrastructure that we have is very, very vulnerable.
Because it's made out of very old software.
Most software is not updated.
It's not patched.
It's really simple.
It's really easy to hack into.
And we should be very, very worried, which, by the way, it's true both for the old grid and the old infrastructure.
and also for the new infrastructure,
which is IoT-based and super easy to penetrate, usually.
Yeah, they put in these like IoT cameras everywhere
that have no firewalls on them, no security.
But then on the reverse, well,
we might have sped up some centrifuge tubes
and ruined some people's, you know,
ability to get that uranium to where they wanted to get a bomb.
Yep, but we need to.
That's what I'm saying.
Each one of us...
Who's best offensive?
Who do you think he's got the best offense?
I wish I knew.
I'm not...
And by the way, as I said,
it doesn't matter that much
because everything is imitated.
You can understand the fact
that the US has, you know,
this F-35 jet fighter,
even if any other country in the world
knows about this plane,
they can't replicate it easily.
On the other hand,
it requires a lot of resources
to replicate it.
Even if I give them all the plans, by the way.
Still, there's hundreds of different systems
that are not easy to replicate.
taking the most sophisticated malware,
it's softer piece,
it's available on the internet,
once you find it,
you can simply take it and use it.
And that's what's happening.
The NSA toolkit three years ago
was leaked and it's available on the dark web
to everyone.
And last summer we had the city of Baltimore.
Was that part of Snowden?
Was that part of Snowden?
No, that wasn't Snowden.
That was something else.
That was some contractor of the NSA
by mistake, left it open.
and the entire toolkit leaked.
And by the way, the exact same toolkit was used last spring to attack the city of Baltimore,
to shut down the city with ransomware.
When the ransom were used, the NSA toolkit that's just a few miles away from Baltimore.
So these things are real.
It's not theoretical.
It's not science fiction.
It's not crimes that never happen.
They happen every day.
Do you court the government?
the gray hats, the black hats to come to the white side and be part of the good security teams,
is that still part of the playbook to try to convert those folks?
Our playbook is to deal with white hats only, not with people that have a bad background
and so on.
And by the way, the way we operate in Israel, that's also a very good, first, there are enough
these people.
And we also train a lot of these people ourselves.
There's a big shortage of people.
So on one hand, we get some skilled people, but mainly we now, we have like a course, Checkpoint Security Academy, our top training program for our own people that we open every year.
And we get people that come with pretty much no background, but are extremely smart and sophisticated.
And three months later, they became the top researchers.
How much did that company that invested the 250?
How much did they wind up picking when they sold their shares?
Do you even know?
I don't know exactly.
I didn't follow that even though I can probably find.
That's got to be one of the best investments of all time.
That was one of the best investment in all times.
At the top it was worth around $10 billion.
I think they sold it a little bit earlier.
I sold most of it around that it was worth around more like a billion dollars,
which is also not bad.
Bad.
But they sold it way too early.
I mean, I didn't.
So I held my share.
Yeah.
Well, I mean, when you find something this great and a problem that is going to last many lifetimes, yeah, you should play for the long haul.
And it's good to know that you're out there like fighting the good fight.
So I appreciate you coming on the pod.
And I appreciate you fighting that fight.
You're thinking about retiring or you just love doing this?
I said you love this.
First, I love doing what I'm doing.
And also for me, it's really my life, my family.
And I really, really feel, I mean, I'm thinking about, will I do it forever?
Is it too long?
Do I need to, you know, when you were CEO, you wake up every morning.
You don't just handle fun stuff.
Mainly what you handle is the problems.
So I'm thinking.
But for me, it's like, it's like my family and I need to take care of my family.
So I'd like to raise, and I do raise a lot of good people that help me.
and I have an amazing team today in Checkpoint
that are doing most of the work.
I don't work as hard as I used to,
and I have many people to rely on,
but it's wonderful when you can delegate.
Like when you have people who are that good,
you don't have to worry about it.
That's the magic.
It just shows you because sometimes you lose good people
or they start their own companies.
I'm sure you have, I know actually,
there's many Checkpoint alumni who've started companies.
Yeah, a big one.
All right, listen, Gil, what a career.
Congratulations on all.
all the hard work. Thanks for coming on the pod. And if you're not using Checkpoint and you're
risking your entire business, get your head examined. Go to Checkpoint.com. All right. I'll see you all
next time. Bye-bye.