This Week in Startups - E992: The Next Unicorns: Expanse CEO & Co-founder Tim Junio reduces exposure to online threats by providing “attack surface visibility”, shares insights into current threats from China & Russia, potential 2020 election tampering, reasons for cybersecurity optimism & more – E8 of 10-ep miniseries
Episode Date: October 23, 2019
0:50 Jason intros Tim Junio
1:44 Tim explains what Expanse does and how "attack surface inventory" is the first step in their cybersecurity platform
5:20 Tim explains the Dyn cyber attack
13:20 How many Fortune 500 companies have been blackmailed via cyber attack?
19:32 "White-hat" hackers impact on the cybersecurity industry
23:12 Human-made passwords are the weakest link
29:09 History of Russian interference
33:16 Why Gmail is good for cybersecurity
35:11 Tim's experience at the CIA
38:29 What worries Tim about potential election manipulation
45:38 Chinese infiltration via apps/tech companies
49:16 Christian Bale's rogue move was dangerous
51:17 Should Chinese-made routers be allowed in America?
56:16 Chances Alexa, Siri or Google Assistant have been compromised?
1:02:20 Is there foreign infiltration in major tech companies?
1:08:29 Jason & Tim go over the Snowden situation
1:17:49 How are government intelligence employees trained to avoid being compromised by foreign agents?
1:23:45 Working with Peter Thiel
Transcript
All right, everybody, welcome to This Week in Startups, an amazing episode today.
I have with me for the first time a CIA analyst, somebody who did strategic analysis at the office of the Secretary of Defense, a consultant for DARPA, and the founder of expanse.com.
Tim Junio is on the podcast. Welcome to the pod. Tim.
Thank you so much for having me.
All right. I got a lot I want to talk to you about with like global perspective.
You've agreed to talk about your time in the CIA without giving anything away.
At 4 p.m. on Friday, so I'm a little disarmed.
Yeah, perfect. We'll get into it at some point. Don't say anything that will get us both in trouble.
As everybody knows, I'm not in the CIA.
I have never worked for the CIA.
I've never met anybody from the CIA before today.
That being said, I do travel the world a lot, big finance.
But tell us what is expanse.co?
So Expanse is the first platform for Internet Operations Management.
So we're trying to make a new category.
I realize Internet Operations Management is not a resonant phrase.
So I'll take a step back and just kind of explain what's the thing that we're trying to do in the world.
If you think about how use of the Internet has unfolded over the last couple of decades,
particularly in the enterprise space.
In the enterprise space, we have observed a cumulative complexity of people buying stuff and connecting it,
connecting it over the Internet using Ethernet first and then Wi-Fi networks, whatever.
And there is this morass of stuff that's out there all over the place on premises and corporate offices,
regional offices, commercial cloud.
Nest cams.
Thermostat.
You got an IOT.
Sonos, radios, all kinds of stuff.
Right.
And the way people deal with that today is basically in a one-off.
You might use a tool for one thing that you do on the internet, and then probably use spreadsheets for management of the workflows and what people are doing.
So over half a trillion a year is spent on connectivity, and it's all managed through, like, a subscription with AT&T, and then a bunch of Excel documents.
It's actually kind of crazy.
There's no CRM, as it were, of the devices, servers, nodes on your network.
So if you're some giant company like Verizon or, I don't know, a university, Harvard, NYU, whatever, and you've got this huge campus, you might have millions of IP addresses and devices and have no idea what they are.
Exactly.
And this is called the surface, the threat surface in security circles, correct?
Yes, attack surface.
Attack surface.
Attack surface.
Attack surface.
That's how the security community usually refers to it.
And so when you start having the proliferation of servers in an organization and IOT devices are huge, the threat surface.
You say threat surface?
Attack surface.
Right.
I'm just thinking of like the Death Star gets bigger and bigger and bigger.
And there might be a little thermo reactor that they never plugged up that could blow the whole thing up.
It's a great metaphor.
So in almost every major breach, cybersecurity breach, we've observed, there was something like that where multiple things had to go wrong. It wasn't just the exhaust port. You also had to have your TIE fighters fail and, you know, the laser turrets. So you have to be able to get close enough. And then inside, you need to have not had shielding and nobody ever patched, let's say, that problem inside the Death Star either. So that's how Equifax happened. Capital One happened. Sony. Almost every major breach had something wrong in the attack surface. And that was how the breach first started.
So step one is with Expanse to just know what the attack surface is.
That's right.
So create an inventory of what's everything on the internet for organizations, really big companies
and government agencies. Every military service, for example, is a customer, Army Navy Air Force.
Oh, wow. You've already got all of them. Yeah. And it's a big problem. You would think, right? And when you look at the attacks that have occurred, let's just talk about one category of attack because I think this is a really good, what I'd like to do in this episode is talk about attacks in general and just the threat in the world and where the world is going in terms of these attacks. Everybody's heard of the DDoS attack, the famous denial of service, right? What is it? Double D. Is it distributed?
Distributed.
Distributed denial of service. And the second largest attack in the history of the internet was the Dyn attack, and that was an IoT attack.
It was also a great investment on your part.
Dyn worked out, okay.
I was on the board of that one.
But this was, this malware was called Miri.
Mirai.
Mirai.
Yep.
Explain what happened in that attack.
I mean, they did get through it, but this was a two or three day arduous recovery because of it.
Yeah.
That is a beautiful example of our value prop as a company.
So Mirai was a worm that propagated via a protocol called Telnet.
Explain what a worm is for people who haven't heard that term.
So it's a type of malware that self-propagates and attempts to find other exploitable
services running over Internet protocol where it could infect itself and then continue
to repropagate.
So with Mirai, there is this particular unencrypted remote access protocol, which was first released in the 60s called Telnet, totally unencrypted, very, very insecure, should never be accessible over the public internet by anybody. And it turned out there were very many millions on the public internet, and almost anybody could find them. Like if you were a nation state actor, criminal actor, whatever, you can just start looking for these exposed servers to try and hack them and turn them into your pawns to then go out and do these campaigns. So what happened to Dyn was effectively Mirai propagated broadly and was attacking major web properties. So in the Dyn attack we ended up seeing major services go down, like I think Reddit, Twitter were affected.
Yeah.
I mean, it was a flood of an attack.
New York Times, Reddit, GitHub.
Everybody kind of got attacked by that one.
And so the worm is basically like a virus, but its first order of business is not just
to shut anything down.
It's to propagate itself.
So I got into this device, and I think there were a lot of IoT devices, like webcams,
like these cheap Chinese like commodity webcams that you.
DVRs, all kinds of stuff.
All those kind of routers.
They get made in China.
They're using some off-the-shelf software.
Nobody's thinking about there's no instruction manual, but they cost 10 bucks to put a webcam in your house or 20 bucks, commodity stuff.
People throw these things on their network.
They don't know.
They just increase the attack surface massively because there's been no thought put into them, correct?
You nailed it.
So you mentioned Nest earlier.
So some companies have built security kind of from the start.
So security as part of product development is their mindset.
But the overwhelming majority of IoT manufacturers do not start with security because shipping the product at the lowest price is the first priority.
It's going to slow down your release date and it's going to be more expensive to make a more secure product.
And you as the consumer, what do you want?
You want it to be easy to take that webcam out of the box and connect it to Internet.
And then what are the odds that you as a consumer are going to have to deal with any consequences?
Incredibly low.
And even if your webcam were part of a botnet, you personally wouldn't even notice.
So your incentive to secure it is also low.
So you have the two main parties there, the person buying it and installing it and the person who manufactured it.
It's a tragedy of the commons.
They don't have any skin in the game.
They have $20 in the game.
What a cost to buy it and whatever the profit is.
But if it is used in a coordinated attack for a million of these to wake up and flood a network with these DDoS, DDoS, I guess is how people pronounce it, right?
DDoS.
to do a DDoS attack, like, it's not your fault.
It's not your problem.
And then that's why sometimes people would be like, hey, my Wi-Fi at home, my internet is down, where it's just really slow.
It's because one of their devices may have been pwned.
It may have been taken over by a worm to use for nefarious.
For sure.
That's part of the explanation, yep, and what's going on.
Yeah.
And so the other big attack was the GitHub attack, right?
That was last year or this year, that big giant one.
That was the biggest one: 126 million packets per second, 1.3 terabytes per second, and it was a memcached DDoS attack by a series of bots, and it amplified the magnitude of the attack by 50,000x. Are these DDoS attacks something to worry about or are they just a nuisance now?
So first off, my company doesn't specialize in anti-DDoS technology because I think it's mostly a nuisance that to a large
extent is being well handled. So even though attacks like this happen and they're disruptive,
there's a business interruption cost. It's not really destructive. And a lot of really great
technologies have come up to help defend against them. So for example, Cloudflare a company
that IPO this year has a very advanced anti-DDoS product using distributed data centers around the
world. So to counter the distributed denial of service, they have distributed data centers so that they
have load capacity to reroute, reshape your traffic in a way that helps you avoid the consequences
of a DDoS attack. So it requires another degree of sophistication to be able to do something like
what you're describing, to actually take down major web properties today. It's a hard problem.
So it's profitable if you can do it. And there's a lot of stuff happening behind the scenes.
I can't quantify because nobody's aggregating those data. But if you talk to people in the know,
at big companies with consumer-facing web properties.
There's blackmail and, like, hidden stuff going on where people threaten to do attacks
against them unless they pay some small fee.
And then you see these bounties effectively being paid out privately or blackmail being
paid out privately.
All right.
When we get back to this quick break, I want to know from you, based on your estimates and
your expertise, if we took the Fortune 500, how many of those companies have been
blackmailed?
and then how many of them would you guesstimate, it's a guess, have actually at some point paid some amount of blackmail because it's easier to do that than to actually try to fight the attack, when we get back on This Week in Startups.
All right. We'll be back one more. All right. Tim Junio is here. He is the CEO and co-founder of Expanse, which is one of the companies we selected for our Next Unicorns series. We call them soonicorns, colloquially, in the Valley, and they are well on their way to becoming a major concern. You've raised, I guess you did 70 million in the last Series C. Congratulations on that. That happened in April. TPG Growth, which is a firm that is typically involved before a company goes public. And you also have Founders Fund; our friends over there are involved. You've raised 136 million to date, 100 plus employees, founded just over seven years ago.
When we left our hero, Tim, from Expanse, and you can go to expanse.com to see the offering. We were talking a little bit about these denial of service attacks, and then we kind of dovetailed into people paying ransoms. Of the Fortune 500, if you were to pick a number from 0 to 500, how many of them have been threatened with a blackmail?
Ooh, so the number of blackmail that are actually paid is a total guess.
So first, how many have been threatened?
Yes.
I would guess four out of five, like 80%.
So 400 of 500.
That would be my guess.
In terms of actually paying a blackmail, because sometimes people are just like, send 10,000 worth of Bitcoin, and we will not expose this file of credit cards.
It would seem that that's a pretty easy bill to pay because the amount you'll pay to the
PR company to put out the press release would be $20,000 over the thing.
So how many of them do you think have actually paid this kind of blackmail or settled
with a hacker, a black hat hacker?
I think a much smaller fraction.
Like I would guess maybe one in five have ever done something like that. But again, this is, this is speculative.
So once for a company you get into that kind of scenario, your GC is involved. Your general
counsel's involved. It's a legal matter. And I think that most folks in the industry and more broadly
in IT would be surprised at how frequently a company would rather settle a lawsuit or privately deal
with a matter rather than invest in better security.
Bizarre.
From my point of view, obviously, yes, you should spend on the best technology companies possible. But I actually think a substantial proportion of the market is willing to say there's an acceptable level of risk. And even if I accept something like, and again, putting myself in the, you know, position of a CIO, CTO, head of risk, et cetera, the odds that I'm going to get breached in the next few years are pretty high. Like if I'm a Fortune 500 company, some cybersecurity incident probably going to happen like within the next three years to a Fortune 500 company.
It's pretty much guaranteed something's going to happen. And then the question is how bad is it going to be? So an employee's laptop, you know, losing control over a laptop because it's stolen on a train or something and you're using full disk encryption, whatever. Like those are concerns that 10 years ago were, I guess, higher profile. And now they're kind of dealt with. It's the cost of doing business and it's an acceptable risk. But then you get into these scenarios of these internet facing attacks, like what we observed happening with Capital One, with Equifax, that are devastating to the brand, getting people fired.
Describe what happened in those attacks.
So in Capital One, there was a very labor-intensive process where a gifted person discovered a web login for a firewall in AWS. So they were able to issue commands to that
firewall over the public internet that got it to spit back information, including credential
information. So it was a very labor intensive thing, but they didn't need to have that login on
the public internet at all. So just as an example, why you want to reduce the attack surface,
why do you not want to have stuff out there? You don't want anything discoverable except for web
properties that people are supposed to go to. It's for reasons like this. So somebody put up the
firewall, which was good intent, but they allowed access to the admin console of the firewall.
Right. Firewall, obviously, to protect people from getting into the servers. They made it so you could
log in over the internet, which is a feature that some people might value, like if you had a remote team,
the ability to do that. But under no circumstances should you do that.
All of that should occur through some sort of protected VPN into a data center in order to interact with that device, correct?
Yes. That is our position. That is my personal position. That is what I tell customers.
And again, to the point of being amazed at how some of these risk choices are made, for years, we have been sharing this kind of information with customers.
You have a security appliance that has its login on the public internet.
You have a web proxy device.
It's a thing used for web traffic security for employees to make sure they're not going to porn sites in the office or whatever.
We see their admin consoles on the internet.
We've even seen for mobile cell towers the administrator page on the public internet.
What?
What?
Control systems, power distribution systems.
These don't need to be on the open internet.
That's just a checkbox to be turned off, correct?
Yes.
And you say, just don't let people address this admin console via an IP address.
Right. You can only get to it internally if you're on the local network.
Yes. And so the problem is you have these compounding levels of responsibility. So the person who's using it probably wants to access it remotely. You don't want to have to hire more people who are working locally or on site or whatever. So you can configure superior remote access. That's another layer of complexity. And you need to know that thing was there to begin with. So if you're a central security organization, part of the challenges, if you've got a regional office in London and they set this stuff up. Do you have any idea what they did regarding their local firewall configuration?
For most companies, the answer is no.
So brutal. It's a little bad, by the way. There are reasons to be optimistic about cybersecurity, too.
Are there? Started with a doom and I think so.
I mean, it feels to me like there's more bad actors and a lot of sloppiness. I mean, you do have
things like, is it HackerOne, putting out the bounties there and making it a very positive.
Another NEA portfolio company. Oh, yeah. You have NEA.
Yeah, and that seems like a great idea.
We had HackerOne's CEO on.
That seems like a tremendously good idea to just have the white hat hackers pounding your door.
Has that made a significant impact on the industry?
I think so.
And HackerOne is trying to aggregate the kind of expertise in one spot and run larger bounty programs.
Companies have been doing versions of this for a while.
United Airlines started giving away miles to people who told them about cybersecurity flaws in their web properties.
So I certainly think the hardening is a good thing, including for our country.
So you were saying at some point you wanted to talk about international systemic trends.
So one thing I would say is kind of interesting.
Our generation is living through very significant cybersecurity challenges such that I'm hopeful the next generation will be different.
We'll have better hygiene.
We'll be thinking about security and privacy as part of how we build systems and build products.
Like we talked about Nest and other IoT companies that are cloud native in how they're building their software architectures, I think are in a better security position than any of the networking companies and internet companies of the last, you know, 30 years.
And the reason they're in better shape today is because you have cloud-based services
that they're coming to the game with their offering knowing that people's number one concern
will be security. So they have to be on top of that to a level that an internal team setting
up servers would not be as vigilant on average. And it's a lot easier today. So if you think about
setting up services in AWS, how developer operations, DevOps works today, that automation and how
you would stand up a new service as a company has a lot of security built into it or it could,
if that's how you designed from the beginning, as opposed to if you think about a company
even 10 years ago before AWS, GCP, and Azure were as big a thing as they are today, you would
be dealing with the question of what's the co-location facility, who's managing the servers, what's the hardware that's running on it, and then who is administering the firmware on the server administration card on the server in the data center. Just patching and keeping that stuff up to date is a full-time job.
And when you have Amazon doing it, or Azure or Google Cloud, you've got the best person in the world or best team in the world hopefully doing it for everybody. So hopefully on average the security level goes up, correct?
Yes. And if something sucks, like you decide you need to get rid of it because
it's compromised or it's deprecated or you don't need any, you could kill it. And it's cheap and easy.
You don't have to deal with, I bought a bunch of stuff and I'm going to wipe these hard drives,
etc. You can just shut it down and move on and stand up something new and do migrations
cheap and easy within the cloud provider, for example. And then the corporate network is changing
its profile where the laptop is effectively a thin client today for the corporate
network. So it doesn't have the same kind of criticality as businesses in the past. So that is
cheap and easy as well. So it's easy to give employees hardware and then connect them through
software as a service, you know, SaaS products like Dropbox. And I think that is going to be
more secure than trying to write down the serial number for the backup appliance you give to
every employee, which is how people used to do it. It's crazy. And now all of these local computers,
none of the data is stored locally. If it is, they've encrypted it hopefully, right?
But your Mac hopefully has it encrypted.
Hopefully.
And if it's encrypted, it's really hard to hack today, correct?
Yes.
The modern day encryption, with the exception of maybe some nation states.
The weakest part is certainly the human.
So I don't know your favorite passwords, Jason, if you want to tell your listeners.
Yeah, my favorite password is don't hack me.
Password one.
If you look at password distributions, whenever a data set is made available of what people are actually doing.
It's incredibly bad.
So it's better, but still really awful.
So password attacks still work.
So if you have a Windows computer on the internet with no firewall, and even if it's fully
patched, the odds that somebody could guess the password for your average person on the
planet is really high.
So that's why we have things like two-factor authentication and, you know, that's where the
world has been heading for some time, but we're not all caught up, probably.
Why on Earth are Windows machines by default available on the internet?
Ooh.
So at any moment in time, there are about 3 million Windows computers on the internet with no firewall
or Windows instances.
It could also be a virtual machine.
The reason for that is usually a misconfiguration.
So if you're a consumer, probably you don't have this problem unless you've done something
weird on your own.
So hopefully you haven't done that, Jason.
Yeah, no.
For big companies, though, there is usually a default build image for how they
install Windows on a new computer or how a new computer would arrive at the company to issue to an
employee. And if that configuration file is set up such that it can be accessible without a firewall
over the internet, which actually happens pretty often, you can have a very bad day. So WannaCry,
another one of the big cybersecurity incidents partially propagated. There are a few different ways
in which that propagated, but a Windows remote access protocol was one of them. So that was a
virus that could spread within the network and over the public internet by, again, self-propagating, looking for other exposed instances of that same remote access protocol.
In 1996, in the CIA, Worldwide Threat Assessment Brief, which I enjoy reading.
You read it every year.
It's an annual...
I do, actually.
I know some people, you know.
Cybersecurity is still top three in the last one.
I know.
And that was kind of my point.
If you look at the post-Cold War threats,
looking beyond our borders, we see much that is uncertain. This is from the February 22nd,
1996. The stability of many regions of the world is threatened by ethnic turmoil and humanitarian
crises. Pretty interesting 25 years ago. It sounds pretty familiar, right? Two great powers,
Russia and China are in the process of metamorphosis, and their final shape is very much
in question. And they go further to talk about how, in
Russia, they're actually having elections and that it could be moving to a pro-democracy.
Ha-ha.
It didn't work out.
And free nations of the world are threatened by rogue nations, Iran, Iraq, North Korea, and Libya
that have built up significant military forces and seek to acquire weapons of mass destruction.
Fascinating how of that group, I mean, Iraq, obviously, we leveled, but Libya, I guess, had some changes.
But North Korea and Iran still 25 years later, a very acute problem.
Nowhere in this document do they talk about cyber in 1996.
The Internet was, I guess, a big catalyzing force for this to become an issue.
And then if we look at this year's, which now I think it's the worldwide threat assessment of the U.S. intelligence community.
Yes.
They changed it to be more.
DNI is in the office, yeah.
Which pulls together all of, and that's a post-9/11 concept, is that the director of national intelligence pulls together FBI and CIA, NSA data to do this.
And they look at cyber and online influence operations and election interference as their top two.
And then they go to weapons of mass destruction, terrorism and counterintelligence.
Pretty interesting how that's changed.
What I want to know from you when we get back from this quick break is how acute is the problem of Russian hacking in the election as we look forward to this, you know, 2020 election, when we get back on This Week in Startups.
Welcome back to this week in startups. Tim Junio is with us. He is the CEO and co-founder of Expanse.
You can visit them at expanse.co. They're hiring, of course. They've raised a ton of money. They've got a lot of customers.
I assume you're in the eight, nine-figure revenue club somewhere in that range.
Yep. Doing well. A couple of hundred employees now.
150. 150. So still not out of control. Efficient as possible, yeah.
And when we, before we went to the break: Russian hacking. Spear phishing seems to be their greatest, easiest path, is to just get some dumb congressperson, some dumb election official. You send them what looks like a Gmail reset your password and these idiots go log in, or they send a document share and they don't look at the URL, they ignore the Google warning, where their machine is an old Windows machine or something, that's some old Dell machine that's from 20 years ago they never updated, and they fall for it. Why is this still happening, the spear phishing attack? So that's our first question, and then let's go on to the hacking of voter rolls and machines.
Okay.
So you started the question with a look back to 1996.
Yeah.
So I'm going to get a little retro on cyber security too.
So if we rewind a couple decades and look at what's happened, the Clinton administration
actually did start a bunch of inquiries into critical infrastructure protection as long ago
as, yeah, the 90s.
And there was a major event in 1998 called Moonlight Maze.
It was an intrusion set that you can read about publicly.
A lot of the details have been...
Moonlight Maze.
Yes, which was suspected Russian intrusions into U.S. government networks.
So that's where I think the alarm bells started going off, where before that it was an
understood threat, but it was kind of a niche threat.
So there's this book called Cuckoo's Egg.
It's one of the, like Cliff Stoll, one of the most famous books in the cybersecurity community.
That goes back even further in the Internet era.
But I would say really the late 90s, the time you're talking about,
where even though it wasn't in congressional testimony yet, that's because the seed was kind of just there for how this would grow.
And the office that I worked in at CIA, which then was called the Information Operations Center, has now been reorged, but was starting to grow.
So when I worked in that office, it was still pretty new and pretty small.
The Information Operations Center grew into a much larger entity over time.
And as you look through, this is talking about the late 90s.
When you get into the 2000s, the specter of the threat was getting more severe.
You start to see more budget getting allocated to security programs. You do start to see it
popping up in congressional testimony. And then when we had these other events getting past 2010,
things really started to get destructive, like with the Sony attack and how there were North Korean
politics involved in that incident. And events like in 2011 of alleged Iranian state-sponsored
hacking of banks, or at least using denial of service attacks against banks. So trying to use this as a lever of
influence and power, not just an espionage threat. So if you look at it at late 90s, very much
espionage, that's how people thought about Moonlight Maze and other events. And then between 2000 and
2010, that's when we started to see things changing in the direction of coercion, using cyber
power to create effects, not just steal data. And there's a profit motive. I didn't answer your question.
No, no, that's okay. There's also a major profit motive. People forget a large portion of the
behavior of Russia has to do with acquiring money and capital. This is a place where people want to
acquire money. And so part of it is influence, but when you track the influence back, it's so that
sanctions can be lifted so that money can flow and so that money can be made. And in some
case, you can directly make it. The spear phishing stuff, that's going to continue because consumers
and users are the weak link, correct? Absolutely. So I think the problem has gotten better in the sense
of awareness has gone up and technology has gotten better. So if you were an individual, you know,
consumer or small business, I would really strongly recommend using Gmail, like just use Google's
products or something like that or O365. The backend security that they are providing to help
prevent phishing against you and all of their user base is actually an extraordinary leap in
reducing risk for the average person. So I would trust them over as a private company trying to create a bunch of email security.
So we had Expanse actually use Google as our email provider because we're still a, you know,
small business by any reasonable definition.
So I think that what Google has done has actually been a breakthrough.
We're going back to, I think, 2012.
They even started providing notifications that a government was trying to get into your email.
That was amazing.
Very forward-leaning stuff, yeah.
Yeah, they're actually, they know the IP addresses of those hackers, of those nation-states, and they know a spear phishing attack came in, so they try to...
Yeah, they're...
Yeah, they're...
...about the signal.
So it might be that they know the infrastructure, which would be, like, the IPs they're
operating from.
It could be another signal.
Maybe they are using their own Google accounts on the other side.
We don't know.
So, who knows?
They have a lot of telemetry.
It's Google.
Like, they're vertically integrated ISP, CDN, own their own data centers, are leasing cables.
So they've got a lot of signal on the world that other people don't have.
So if you're the FBI or Homeland Security or whatever, it's actually harder to aggregate threat information for American consumers than it would be for Google.
They'd have to get the data from consumers, ISPs, somebody would have to give it to them.
Google just has it.
Right.
And Google has a much bigger data set and data scientists studying this.
In your experience, the people at the CIA when you worked there, were these political people or were they career-minded patriots if you had to pick?
Yeah, my personal experience, having worked there, was that these were folks who really sincerely tried to be objective and apolitical.
And it was actually borderline distasteful to talk about politics in the office.
And I wasn't even there during a particularly contentious era.
So the Iraq WMD kind of fiasco played out as how can we be better?
How can we avoid something like this again?
It wasn't a, you know, political finger-pointing kind of situation.
It was more like, obviously, this ended up not being correct.
What did we get wrong and how are we not going to let that happen again?
And so among, of course, close friends, everybody has personal opinions regarding politics.
But that's in a place like that, more of a closed door, like down the street over beers type conversation.
I personally didn't observe it entering into the workforce.
If you were going to go, if you wanted to go do politics, you'd probably go just do them directly if you were that motivated.
And you're still a citizen.
You can go and you have freedom of a.
and expression or whatever.
So you can go protest peacefully if you want to in your spare time.
You're still a U.S. citizen.
Yeah.
But it's not part of your job.
And the culture is protecting the country.
Like what I always find interesting about this sort of situation where we're politicized in these agencies is they, the people going there, are so smart, they could do private sector jobs that pay extraordinarily more, like yourself, making extraordinarily large amounts of money being the founder of a great company, right?
Like, that's a much better career path if you're interested in money. So if they are taking the time, when you took the time to be there, you did it because you felt in some way patriotic or enthused by the work, one or the other or both, I'm guessing.
Oh yeah, absolutely. I mean, the mission attitude, I think, is the strongest organizational culture I've ever seen, really. So the job
satisfaction for people who are working in something that has national security impact is through
the roof. It's not just a CIA, but the people who self-select and you're absolutely right,
have those motives and can actually fulfill them in that job. So I would say one of the strongest
lessons about culture that I felt working at CIA as an analyst was the constant tie back to the
customer. That's actually the vocabulary they used during the time I was there. So the president
is the ultimate customer along with other senior officials. And even
as a 20-something-year-old analyst, entry-level job, just getting trained, like, still very early
in my career, the conversations would always come back to the customer in what we were working
on.
Like, what do they actually need to know?
To make a decision.
Exactly.
And these decisions are very significant decisions in the world.
So you have the weight of the world quite literally on your shoulders.
Bad data could be a bad war.
Could be people getting killed, killed literally if their security is compromised, et cetera.
Yeah.
When you look at the, not to make this political at all, but as knowing what you know, running Expanse and having worked for our government, and thank you for your service, what worries you about the current state of affairs with regard to this election, malfeasance, you know, manipulation and processes? Which parts of it worry you?
The voter rolls being hacked, you know, pedestrian emails, the voting machines being hacked, the ads on Facebook, the targeting from Cambridge Analytica. Which pieces, if you were to break it down for all of us, worry you most?
The piece that worries me the most is not technical.
It's actually normative.
Is it now okay to tamper in U.S. elections?
So if you think of the history of the Cold War, tampering in elections was fair game for, you know, the both blocs in the Cold War. We were trying to interfere in local elections
to prevent communist governments from coming to power and the other way around. Soviet Union
was trying to get communist governments into power and keep them there. And there was a whole
theory, including in, you know, the 80s in the Reagan administration that we should support
dictatorships because eventually they'll become democracies. So Jeane Kirkpatrick wrote a book,
Dictatorships and Double Standards, which was all about how communist governments don't have a path to
liberty, but dictatorships do. So this kind of stuff of internal meddling was actually pretty
normal, but we as Americans did not experience anything quite so direct in attempts to interfere
with U.S. politics. So this is new. So to me, the biggest, I guess our scariest aspect of this
is, is it now normal? Is it part of how we're going to experience international politics
to have to fight this defensive battle on the home front, which I don't think we are in a good position to do.
We're just not naturally defensive because we're supposed to be a society of free ideas.
And so we want people to be able to duke it out.
And we really didn't plan against an arsenal of a nation state with sophisticated, subtle,
you know, manipulative operations.
We just don't have the immunities for that.
Right.
And the voting machines, because they're so disparate in their design,
the chances of somebody hacking the machines successfully to swing, at least a national election, is small?
I personally believe that to be a remote possibility. I think it's a small probability.
Got it. So the voting machines themselves aren't particularly secure, by the way. But there's a lot
of stuff around the voting machine that makes it very hard to do tampering at scale. So there's
actually a bunch of research. This guy Avi Rubin at Johns Hopkins started publishing a long time ago,
well before the Russian election meddling about how voter machines were insecure. And you can find
online these videos of graduate students reprogramming voting machines to like play Pac-Man and stuff.
So the voting machines themselves can be tampered with, but you have to be close. So when you think
about when you go into a voting booth and you are actually going to submit your ballot, there are
people around. You've got the cruise officers. Yeah, right. But you could see your legs below the curtain,
right. So if somebody is in there, like with a USB stick trying to, you know, plug.
again and modify the front of order.
And across enough of them in the country to have an impact on results, even if it's just in
key districts.
It's a pretty hard attack.
Should they be upgraded to some other system that is more secure?
As technologists, we would like to think that throwing technology out would make it better.
Or given the cost of this and the cost that would come from an election being interfered with
not the dollar cost.
Should we just keep print ballots and not put these things on a blockchain or on a, you know,
hashed whatever, immutable nonsense?
What do you think the right solution is?
So I'll put it this way.
This guy Bruce Schneier, who's a very famous security engineer, actually wrote basically the textbook in 1994 called Applied Cryptography, that's when it was published, has a blog called Schneier on Security, very influential guy.
And despite over the course of decades, being a voice regarding internet security,
software security, advocates paper ballots.
And so that's one of the top folks in the industry you can point to.
So when we look at how we do security for ourselves in the workplace, as we were talking about
earlier, for consumers, the prospects of being able to have secure voting over our mobile phones
or over the internet, despite everything we know about crypto, still comes down to lapses in
human process that I don't think we can get assurance around. So I think having the voting
machine with then some kind of audit trail behind it is still the right approach and not having
those be networked. When we get back from this quick break, I want to know what the chances are
in your mind on a percentage basis. So you get a little time to think about this during the break.
Percentage chance that the Chinese government has access to TikTok's data and by extension,
people's microphones and cameras in America already, en masse, tens of millions of users.
And then second, what's the percentage chance that one of the major Siris, OK Googles,
Alexas have been compromised by another nation state and can turn on those microphones at any time,
when we get back on This Week in Startups.
All, welcome back.
What are the chances that the Chinese government can turn on the microphones and cameras,
covertly, of TikTok users in the United States, if you had and were forced to put a percentage on it?
We're going to be lame and not answer directly because I don't have enough information about TikTok in particular.
I've never seen any evidence.
Okay, let's take TikTok out of that.
I could give it some high-level analysis of what I think.
So first off, they're not just a legal system in terms of how the government is involved in their society is totally different.
But in a place like China, they could infiltrate even private companies with people from intelligence and security services to try and get access.
So part of how to look at Chinese internet companies and why they're risky to American society and American business is we can't have the assurance that even if the leadership of the company
doesn't want to conspire with the Chinese government, they may still be penetrated in a way that
is incredibly difficult for them to detect and know about. And you have to think about that for all
of time going forward. So even if today TikTok is totally fine, has nothing going on with the government,
super secure. Same with Huawei, pick any of these companies. Who knows, five years, 10 years,
how that relationship with their government is going to evolve and whether or not they already
have embedded employees of the company who are on the payroll and recognize they have corruption
issues beyond all of these internet security issues.
Right.
So if you just paid somebody a hundred bucks a month or whatever, can you get them to walk out
with a thumb drive that contains sensitive customer data?
Yeah.
I would bet a lot on the answer being over 80 or 90 percent that there's somebody there
who can get you asymmetric information access.
So putting aside specifically TikTok, it's basically a done deal that they could do it.
And if they could do it, "why wouldn't they?" would be my logic.
I'm not a CIA analyst.
But if a government could do it and there is a reason to do it, I don't see why they wouldn't.
So I'll play devil's advocate.
If I were a dictator, I would totally do it.
So it's a pretty good way to keep your thumb on the people.
But if I were to make the devil's advocate claim, it would be that economic growth is most important, and therefore you don't want to risk the global user base for the product by backdooring the product in a way that is detectable.
So if they were playing long-term greed, Chinese government would want to see those Chinese companies be able to play in America.
If you were the head of the CIA or advising the president, and the president said to you—
I'm not available.
Not available.
Okay.
Everybody knows.
I know you're a modest guy, too.
Tim.
What should I do?
Huawei or no way way?
What should we do?
And so the president literally said to you, and it's your decision and you're advising me,
said, should we allow Huawei routers or just let's take them out specifically so you don't
have to have your company censored in China or whatever.
They'd never let you in China, I guess.
But as a former CIA person, you can't go there, right?
I worry about getting off the plane.
You could.
Would you ever consider it?
my LinkedIn, I have considered it. Right now, I probably wouldn't go for it.
I mean, it would be crazy for you to do. I mean, with Canada arresting the Huawei executive,
I don't know what the reciprocity is going to look like, what they're going to do to America.
So maybe five years ago it would have been fine. Like maybe I would have gotten followed around or whatever.
But now there's a whole other level of, like Christian Bale walking up to dissidents' houses and knocking on the door.
I think those days might be past with what's happening in Hong Kong, whatever. You could go find
the video online. Chinese security people forced Christian Bale away from the house where they were keeping this guy under arrest.
Christian Bale did that?
American hero, apparently, or crazy, yeah.
I mean, that is a cowboy move.
I mean, you have to be a serious, insane narcissist
to be...
Or he's Batman and the movies were a cover.
No, I have to say, in this case, I can tell you,
if you are Christian Bale
and you go to China to knock on a dissident's door,
oh, my Lord, and this...
Oh, you found it. They found it.
Look at that.
Honestly, this is a deranged activity by Christian Bale because this kind of cowboy bullshit is the kind of thing
that can screw up, you know, international relations in a major way. And he's doing it for his own
virtue signaling, unless this is a family member or something, this is like a crazy deranged
person, like that kid who tragically got killed in North Korea, who decided he wanted to go to
North Korea and then go to the floors they told them not to go to.
I think Dennis Rodman tried to be an ambassador to Korea or something.
This kind of crazy shit, honestly, this cowboy stuff, if you're a celebrity, is so dumb because
I think the facial hair is worse than the showing up at the dissident's house.
Anyway, this is some seriously stupid.
I actually don't know.
I don't know his motives.
Activist.
It's virtue signaling nonsense.
Honestly, even if he has great intention, this is a level of narcissism that I, as Dennis
Rodman or Christian Bale, I'm the one because I played Batman or because I got 22 rebounds in a quarter.
Therefore, I can solve this problem.
And in that political climate, probably he could get away with it.
I mean, he did get away with it.
Today, the point is, I don't know, like they're so freaked out about Hong Kong, I assume.
Yeah.
The climate must be changing.
Too dangerous.
In a way that, yeah, he probably.
Would you?
Oh, sorry, go ahead.
No, no.
Would you advise the president to allow routers built in China onto our infrastructure, yes or no?
No.
Hard no.
So the analysis that I just applied regarding all of time and the relationship between a telco company like Huawei and its government and the Chinese legal system requiring cooperation with their government in a way that would be completely secret to us and therefore unable to assess the risk means you use the word infrastructure in particular.
So from an infrastructure perspective, I would not permit Huawei.
Now, would I ban Huawei for consumers?
So if you want to go on eBay and buy something, no, I would not because you have a consumer freedom,
but in terms of what I would do as, you know, president or whatever, like operating a massive
national budget, what would I do for the U.S. government, military, et cetera? No Huawei. And by the way,
just FYI, our company is doing Huawei detection work for customers. So we have written rules
for identifying Huawei equipment wherever it shows up so that we can notify them if there is
Huawei equipment in their networks and for other Chinese manufacturers. And we did this for Kaspersky.
So we found Kaspersky embedded in lots of different government networks and nobody knew about it.
Explain what that is.
So Kaspersky is an antivirus product.
The company is headquartered in Moscow, and they are a global brand that claims they have
no relationship to the Russian government.
However, a couple of years ago, there was a bit of an expose where an NSA contractor
had Kaspersky software installed on his home computer.
He stole top secret documents, still classified documents, took them home, and then a
Allegedly, this is like New York Times reporting, I don't have any official knowledge of whether or not it's true.
Allegedly, Israeli hackers hacked Russian government networks and found that they were getting files from Kaspersky from this NSA contract.
Of course.
This is a very like, you know, Wilderness of Mirrors, intelligence, weird set of stories.
What's Wilderness of Mirrors?
Wilderness of Mirrors is an expression that refers to counterintelligence.
It's the name of a book that's a history or biography.
of this guy who is a famous counterintelligence guy, James Jesus Angleton.
So wilderness of mirrors is just like, think every reflection, is it real or is it not real?
What's the truth behind all of these images that are presented to me?
So that imagery applies to this kind of situation.
So Israeli hackers finding out about Kaspersky secretly stealing files from an NSA contractor's
home is a very weird chain of evidence.
That is a hall of mirrors because if you have to ask yourself, what is the Israeli motive for telling us? And would the Israelis have some motivation
with the Russians or Krikskowski? Kaspersky. Kaspersky. What is their relationship?
Is there a profit of motive somewhere? So is this person a sacrificial lamb in some way?
Like there could be all kinds of like, forget about double agents. That's like a. Yep.
There could be all kinds of weird kompromat.
It gets even more complicated.
So because it's an antivirus company, they upload files to analyze them for malware.
That's what it's supposed to do.
Lots of malware companies do this.
There's a database called VirusTotal, which Google now owns.
They bought it, and it's part of Chronicle, which was their security company, which got rolled up into Google Cloud.
So it's normal to extract files.
So this other murkiness is, was Kaspersky extracting these files as part of how the product is supposed to operate? And even if they were, were they searching over those files
for expressions like top secret and whatever, like to look for sensitive information?
Oh, my Lord. So we as a company don't have an opinion. We don't know. We don't have a type,
but what we can say is, okay, Homeland Security has decided U.S. government may not use Kaspersky.
We can build software to detect Kaspersky. So we're helping enforce the policy decision,
somebody else made.
So same with Huawei.
We're helping enforce.
So my personal opinion as somebody who's been in the industry for a while would be don't
put foreign companies' networking equipment in core U.S. infrastructure.
And it's not just Huawei.
I would say that regarding other foreign firms.
Of course.
I mean, if all of a sudden Saudi Arabia decides they're in the router business and they're
making switches and stuff like that, I don't think we want the kingdom to have our infrastructure.
That's right.
And then as a company, we don't have an opinion regarding the policy, but we will help enforce our government's policies.
Got it.
And we would do that for any software product.
So for any customer, if they ban a particular manufacturer, we would help them enforce their own ban, even if it weren't a government ban.
Well, let's go to this question about the, I was having this debate.
A friend of mine said, it's impossible that Alexa or Siri or OK, Google, have been compromised.
I said, it's impossible they haven't.
Oh, interesting.
Yeah.
It's impossible they haven't.
And I'll explain my position, but I want to get your position on just looking at the four major voice assistants.
What are the chances on a percentage basis that one of them could be compromised by a foreign actor and they would have the ability to, in certain circumstances, turn on a microphone?
Let's say if some absolutely insane person from our government decided they wanted to have an Alexa in their office or living room.
I'm dying to hear your point of view.
I'm happy to go first.
It's your show.
So you're hosting.
So I'll go first.
I actually think the probability is very low.
Okay.
And so...
But not zero.
It's hard to have zero probability assigned to a...
Exactly.
Almost anything in information security.
Five to ten percent?
10 to 20.
Less than one percent.
Less than one percent chance.
So I have a few reasons why I believe the probability to be that low.
The companies have an unbelievable incentive to have strong security, particularly for something
as sensitive as microphones in people's living rooms and the companies that you're talking about are actually
quite good at it.
Apple's pretty good at it.
Amazon's pretty good at it.
Google's pretty good at it.
I don't know what the fourth is.
Is that Cortana?
Cortana, I guess.
Yeah, Microsoft.
I don't know what their market share is.
No.
I just pick the top four because it frees us from having to have you have blowback if
your partners with Microsoft or something.
They say, oh, you said this about us specifically.
So I was giving you a composite so that it makes it easier for you to answer the question.
It's an interviewer technique.
By the way, Microsoft turnaround story under Satya Nadella.
Amazing. Unbelievable. Yeah. That'd be our too. Amazing. Oh, yeah. So anyway, back to the, so first, they have a strong incentive for good security. Second, they really do invest. They don't just have the incentive and, you know, have talented people. They've invested a lot on the infrastructure side of things. So I don't know this firsthand, but the stories I've heard related to how Amazon, say, does security for its data centers is so paranoid. Amazon employees don't know where other Amazon data centers are. So they only
know about where they are employed and they don't have a global view because they have this
compartmentalization scheme so that even if you were an insider, you would only have partial access
to stuff going on at Amazon.
So when I hear things like that.
Exactly.
Or very few.
Or maybe five of God view in some room.
So when I hear things like that, it warms my heart as somebody works in cybersecurity.
But then, of course, it's bad for me as a company because they build all this stuff themselves.
So for Amazon to eventually be customer.
And they also have like airlock kind of situation where getting into the building, my understanding, is like it's like a multi-step process to go through, like, room after room into the building.
So a physical compromise is highly unlikely.
Yes.
And the third story I would tell is the history of what happened with companies like Facebook where think about social media and how they had to create internal controls.
So what I've heard, I don't know this for a fact, I never worked at Facebook, but for the first four years or so, did not have internal controls such that an engineer could access anybody's personal profile.
And they did. They did. They were stalk. Somebody was stalking their ex-wife or ex-girlfriend reading
their messages previously. That happened at Google as well. Which, by the way, happens in the
private sector. Law enforcement cops stalk their ex-wife, whatever. Like this is, there's a baseline
of privacy that you just have to deal with in any digital society. But you could pull up
anybody's thing and there was no access control. And my point is we're in a new era. So I don't think
that's how any modern company with consumer-facing interconnected services can afford to operate.
So it's not just that they're investing. They have good people. They have the incentives. It's also now
the standard is different. Exactly. So the standard would be, hey, if we're going to review audio to make
sure that we understand what the person said, there would be a log of who heard that audio. It would be
anonymized in some way. So you didn't know whose it was. Just like advertising. So freaks me the fuck out.
all the time. I mean, I get now Instagram ads for medications, and I don't even know where it came
from because it wasn't in my email, whatever. So that was weird. And I mean, we all have personal
anecdotes like this, right? So what's happening on the Google side or the Instagram, Facebook side
with these ads? They don't have a Tim Junio is doing the following, you know, 10 things that can be
used against him. It's all rolled up into some algorithm for what ads to show somebody who matches a set
of criteria based on, you know, age and zip code and, you know, what websites I've been going to and whose Instagram I follow and so on.
So I think it's very much the same with voice companies and I actually feel pretty good.
I got to hear your version though.
Yeah.
So a lot of my knowledge comes, my deep knowledge of hacking comes from The Americans television show.
Okay.
Have you watched The Americans?
I'm familiar with it, but I've not watched it.
Oh my God.
For a CIA analyst, it's going to blow your mind.
Russians living in the U.S. during the Cold War.
Yeah, but these are deep, like came here when they, they were 16 years old, got married, have kids, and their kids don't know they're spies.
That's like, you know, the first five minutes of the first episode, you learn this.
So they're travel agents in D.C. during the Reagan era.
And they've been planted here since they were 16 years old.
It's a good policy, by the way.
I wouldn't trust kids either.
You said you.
Right.
Yeah.
So here's my theory.
I don't know why people do this progeny thing with wealth transfer across generations.
Yeah.
It's weird.
Yeah.
So here's my theory.
of why it has to have been compromised.
Number one, there are human beings involved in the production of these things and software.
So, yes, they might have audit trails, et cetera.
Here's a very simple way.
Persons in Vegas, they get compromise on them.
They're a quality assurance engineer.
Let's say they're married.
Now they've got them on tape having sex.
Or maybe they're in the closet.
Now they have them on tape.
Having gay sex.
Maybe they're in a straight marriage, and now they're whatever the worst compromise you can think of.
Does this happen on the show or this is your...
It is on the show, actually.
Your episode you've written.
No, this is in the Americans episode where somebody is, because it's taking place in the
area, somebody is gay.
Got it.
And they literally these CIA, these KGB agents.
And you think that's what's happening with big tech companies.
Well, I know it's happening that big tech companies, employees, especially a senior level
or people who are on the front lines of...
So if you phrase the question as like, is there infiltration in big tech companies,
I'd agree with you.
In America.
In America.
I'd agree with you.
I'd agree with Peter Thiel as he was making these comments recently in the last few months.
But there's a difference between infiltration and then being able to go and listen to a microphone in somebody's living room.
Because that audit trail, based on the new era we're in relative to old Facebook, would get that person caught and fired.
Correct.
So here is how it goes down.
A lot of these people are doing fulfillment themselves now, Google, right?
Amazon.
Okay.
So now you compromise some people. Let's say you compromised the delivery and now you know where these celebrities are politicians or Giuliani fundraiser, whoever, Ivanka Trump's house. You know Ivanka. You'd say if it was compromised, pretty easy to get, not Ivanka Trump. Who's the daughter? Anyway, one of the kids, one of Trump's kids. Let's say we pick that. One of Trump's kids orders an Alexa or one of their spouses or one of their kids' kids, one of Trump's grandkids orders this.
Yeah, pretty easy to forget about getting the audit trails of the Alexa, but I got their prime account and I know their address.
That's pretty easy to get.
You would agree.
Internally.
So they know that this Alexa unit is going out.
They swap it out.
They intercept it on the way.
They put one in that's got an LTE connection and a second microphone.
And it responds to, hey, Alexa.
So now you've intercepted, and you're now listening to everything.
I'm skeptical.
You're skeptical.
I would think...
It feels so easy to me.
This is going to the compartmentalization.
I don't think the person at the warehouse
who could tell the robot what to do
would have access to the account information
to intercept the package.
They're different people.
How about I send 100 Alexas
for whatever units
to 100 different
Well, politicians
That have been compromised
Hold on
100 different ones are compromised
And I say, thanks so much for the support last year, have a great Christmas and holiday season, Susan.
And it's to John, it's to Jason, whatever.
Of a hundred people, how many throw it away? How many send it back? Or how many just set it up, of 100?
You think 10 set it up?
Keep it?
lose the package of the gift wrapping, I'm guessing half of them set it up and they never even
read the gift receipt, which is a Christmas present.
I think that most intelligence operations are economical, especially for relatively poor countries.
So I would look at it from the perspective of if I am a foreign intelligence agency and I want
to hear what's going on in the bedroom of a politician, as you're laying out, it is much, much, much cheaper
for me to watch people going in and out of their building, write down license plate numbers,
and go bribe the housekeeper to put something in, than compromise Amazon.
Oh, here's an even better one.
I'm Russian.
I open up, I get a job at Best Buy.
I work at Best Buy.
Russians give me a thousand bugs.
I put the bugs in every TV, everything we sell.
Bugs cost, whatever, a thousand bucks each,
a million dollar budget, it's no big deal.
And then we just ship them everywhere.
You could buy a lot of people access for a million dollars.
That's how I think.
That would be better.
I think it would be much better because the human is going to have a lot of local knowledge
and be able to update and adapt.
So if they swap out the TV for something else,
if you've got human-enabled access, that is persistent access,
unless they get fired, of course.
That's a risk, too.
but where are they going to put the Alexa that you gave them for free?
And if you're targeting presumably high-influenced people, elite people, it's a 10,000 square foot home, whatever, go down the list.
And then you also have to deal with the information on the other side to who's going to listen to all of that audio or if it's automatically transcribed, go through whatever your algorithm picks up as being interesting.
It is a big scale problem.
So if I had a huge budget and I were trying to do global access type stuff, like I just wanted to
have microphones everywhere or sensors everywhere, maybe that's a big way to think about the problem.
But if you're going for a specific type of information, a person who you want to blackmail,
I think it is way cheaper to target them using classic methods and then modern tech.
So think about the fact that this, of course, is a ubiquitous sensor, right? And mine's broken
and janky, but it's got microphones, it's got cameras. And they're everywhere. Nobody thinks
twice about it. Sorry. And GPS, obviously. And nobody thinks about it as a
surveillance device, except the ultimate surveillance.
Go to Facebook locations and look at your locations.
Oh, my God, it's scary.
I had to turn off locations of Facebook.
I'm like trying to just trying to turn your account off.
Oh, my Lord.
Right.
So if you're a spy and you're going to meet with somebody else and you're going to have a
clandestine meeting and you want to record it so that you can pass it back to your
government, would you use some like super sleek, sophisticated spy microphone or would
you just use your phone?
So if you have human enabled access, there are so many ways you could use embedded IoT to
try to eavesdrop within an environment without going after the Best Buy supply chain or the
Amazon supply chain.
It's just a-
What's the most clever human factoring hack you've ever heard of, unverified or verified,
most amazing, because I'm giving you my scenarios from watching Three Days of the Condor and,
you know, whatever.
Real world, human-enabled access.
Or even a rumor you heard, just somehow a hack occurred, somebody got compromised.
what is the classic one that sticks out of your mind as like, oh, my Lord, that is unbelievable.
Probably the most destructive was Edward Snowden, but I mean, he wasn't.
So I don't know what his real motives were because of what it did to how Americans view their government.
And it ended up not resulting in a lot of policy.
So this was probably really bad from a perception point of view regarding our government and the intelligence community.
But it exactly did is the ramification of what he shared that the government was listening.
I actually, I actually couldn't find, I couldn't find any policy changes. So it's actually an open
secret that nobody talks about that Snowden had effectively no policy impact. So there was no new,
there was one law, I think, that was passed regarding one aspect of surveillance, but that's about it.
There wasn't a big overhaul of NSA. There weren't executive orders that we've heard about.
Of the things he made us aware of, what was the most damaging of those that you thought, wow, this is
screwed up or?
I think everything that he shared that was not about adversary governments was unnecessarily
damaging, frankly.
So what he reported in the media, again, no official knowledge of what was real or not
real, but all of the spying on allies, which is totally normal.
Like, what is the mission of NSA?
It's to fucking eavesdrop.
Oh, my God, they did it.
Right. So all of that, like what were we doing with Angela Merkel and the EU and whatever and information about Russia and China, which he also released.
Yeah.
None of that was in the public interest, in my opinion.
And that was almost certainly very damaging.
He shouldn't have done that.
But I don't, in my opinion, if all he had done is shared the domestic surveillance stuff, even if I didn't agree with him, I could at least empathize with the point of view.
Yeah.
But since he released all this other information about actual...
Super dangerous.
...adversaries and things that are legitimately part of what intelligence agencies are supposed to do,
discredited him, in my opinion, as somebody who is motivated by privacy concerns.
I think he was motivated by something else, ego or whatever.
See, that's the thing is it can't possibly be that he was motivated.
If he was motivated, you're right.
Like, why would you spill the beans on the Merkel stuff, et cetera?
So then it makes one wonder, what is the motivation here?
Is it a person who's just got some weird principal narcissistic?
I need to be the center of attention?
Or he did wind up at the end of the day in Russia.
It's a non-zero chance that he was working and groomed by the Russians from the beginning.
What do you think most people in the CIA or most people in intelligence think?
I can't speculate regarding, but I can say that I think it's also sufficiently non-zero that it would be worth a real look.
Sufficiently non-zero.
So that's double-digit.
I'm just interpreting.
I think there's a good chance that it's not just ego and that somebody else was guiding him,
even if his primary motives did end up being ego.
Him being manipulated, I think, is not a, you know, flighty, you know, hypothesis.
No.
So I mean, he wound up in Russia.
I mean, come on.
What are the chances you wind up in Russia after all this goes?
They don't have a great history with not putting a bullet in people's heads, you know.
Yeah, like, how is he running around free in Russia?
It's not a great place to end up.
Unless.
Even if you were an agent of a foreign government, still, it's strange to me.
I don't know if he's naive or was in fact a source or somehow manipulated by Russian intelligence.
If you worked at the NSA, you would know that if you worked with the Russians, going back to Russia is there's a non-zero chance of you not winding up dead or in a gulag.
Right?
Yeah, I, uh...
So, hmm, so that's, that makes the game there even harder, because he's not dumb.
He's very smart.
So if he's very smart, if not brilliant, he's somewhere between very smart or clever or savvy, right?
Don't know.
Don't know.
He could be a useful idiot.
Is there a chance he's a useful idiot?
What do they call it?
What do you guys call it?
Useful.
There's a term, useful idiot or useful...
I don't see you a founder of a software company.
We don't use useful idiot in our parlance.
this person on our team is he
No there's not always that like this person's a useful idiot
Or like somebody dumb in the middle
It's really interesting
What's your take on Assange and what he did with WikiLeaks in relation to Chelsea Manning?
That would to me seem tragic, and that guy seems like a crazy narcissistic Russian plant.
So I'm not qualified to make clinical diagnoses, but it seems like there was some mental health stuff going on there.
Yeah.
And so from what I remember of that era, some of what Chelsea Manning leaked did seem as though it were motivated by a personal,
like ethical perspective.
For her, for sure.
But I don't know what was going on with her personally within, also her reporting, she was
suffering, obviously, through a lot.
She's been very upfront about that.
She was suffering through her transition and other things.
So he preyed upon her and that conscience, her crisis of conscience.
So I think what we're seeing happening with Ukraine right now, which is, again, another thing
I'm not an expert at, but going through an inspector general and then whistleblower process
is what I would have done if I were in the position of either of those two people,
partnering up with Julian Assange and hoping that WikiLeaks would be a responsible actor
in sorting through classified information for what is in the public interest versus not is a guaranteed
disaster.
So, um, yeah, you're going with no circumstances.
Exactly.
Somebody who is anti-government, uh, anti-statist, anti-U.S., and doesn't care about collateral damage.
Or personal hygiene.
And that's what happened with Greenwald and the Snowden revelations.
I mean, he provided that information, right, and they could have chosen to withhold aspects of it.
And they did not, even though it's a UK entity.
So I think what we're seeing with whomever the whistleblowers are now is what a real crisis of conscience should look like.
There are policies and procedures in place. We're a democracy, and we actually
are a little bit anti-statist, right? Like looking at our founding history. So we want these checks
and balances to exist. And therefore, every federal bureaucracy has created some process for that. So looking
again at NSA, nobody went to jail over any of the stuff that Snowden surfaced. And you know why?
Turns out it wasn't illegal. It was all authorized. There was congressional oversight. He might have
had a difference of opinion and viewed privacy differently from all the people involved in what he
spoke publicly about and documents that were released. But that doesn't make it illegal. It
doesn't make it unconstitutional, and it doesn't mean that there wasn't a proper procedure in place
for helping protect Americans' privacy. And of course, there have been abuses of power repeatedly
throughout the country's history, and I like to think that eventually justice catches up,
even if it takes a little bit longer to go through a proper process. But that's a lot better
than shooting from the hip and hoping that you end up with the right result for something
as sensitive as operations that can get people killed, who are trying to do the right thing for our
country. I mean, that's the crazy thing, is to have these people who have trusted us to collaborate with us in an authoritarian
regime, in a place where spies are tortured and murdered and killed, and their families are tortured and
murdered and killed. These people have skin in the game at a level that is beyond Snowden, Chelsea Manning, and Assange would ever know.
Yeah, probably from their point of view, from trying to, again, empathize, always try and see things from their side of the table.
Maybe they thought the net benefit was greater, and I just believe that they were wrong, and that if, in fact, there were abuses, there are ways in which you can surface those abuses responsibly.
We have a good system.
It seems like right now it's Ukraine stuff.
The whistleblowers are being protected, even under assault.
And people go to jail for the shit all the time.
So it's actually releasable under the Freedom of Information Act.
If you just Google, like, NSA abuse or whatever, there are unclassified documents that have been requested under FOIA of people who have abused the signals intelligence system and ended up losing their jobs or even going to prison.
And then the contractors, like the guy who stole the information I mentioned in that Kaspersky scenario, those people who are stealing government documents do end up getting prosecuted.
So people who are abusing, you know, systems that are designed for national security for their personal gain
do get caught fairly regularly.
It's a very small percentage relative to overall how many people are working in U.S. government,
but it is a recurring phenomenon, meaning there is a process in place that is working.
How do they train you or how do they train people in government to avoid being compromised?
So there's a lot of awareness training.
We actually have to do this as a contractor.
So we're a defense contractor.
I mentioned up front Army Navy Air Force are all customers.
So we're a defense contractor, and we have a group within our company called National Security Division
that can hold security clearances as well for those government customers.
So we do, in fact, have to provide security briefings to our employees.
So it all starts with awareness, understanding that you're a target because you have access to information
that is valuable to an enemy of the United States.
So starting from there, there's a bunch of things that you learn related to operations,
operational security you might call it.
And the baseline awareness is like, are people asking you weird questions on podcasts, etc.?
Yeah.
Yeah.
That'd be a great way to do it.
I'm trying to compromise you.
We've heard of 300,000 people on a knucklehead podcast.
One of the ways I've heard an FBI counterintelligence person explain this is if you're a
two and a nine like approaches you in a wet towel in your hotel while you're traveling
and like starts to cozy up, you should probably question
their motives. If they're not a horror, then probably there's something else that's even worse.
So anyway, so that kind of logic of are people probing and trying to get information from me,
asking questions that are unusual, asking questions about my work that are too specific and just
don't make sense within the context, as well as generally understanding the surveillance environment.
Like you're saying, you don't want your Alexa speaker in a place where we're having a privileged
conversation because I think it's a non-zero possibility.
SCIFs in your building? Do you have to have a SCIF?
We do not have a SCIF at our headquarters in San Francisco. You should build one. It'd be so cool.
You could actually lease them or buy them as pods. So they have these trailers that are like SCIF in a box products.
But the problem is you don't have connectivity. And you also need to get accreditation for like storage. And there's usually no reason to have like storage of classified material. Let the government do that. FYI. But the connectivity is the hard part. So if you want encryption to connect to a classified network, there's a whole other set
of stuff that has to happen.
So, but you can get a SCIF in a box.
You can do it.
You can afford it.
How much are our phones the weak link now in infrastructure?
Because I know you're monitoring the whole, you know, the whole surface here.
Are phones the real weak link now or not?
So I think, so I have a nuanced view on this.
I don't have, unfortunately, a definitive clear answer.
I think the major operating system companies, so Google and Apple, are actually very
good at protecting the security of the operating system. That being said, people install risky stuff
and give app permissions all the time. So I think the control through the stores has been pretty
good, but we see examples showing up every so often. And that's also a recurring thing. It's not a huge
volume, but it's not zero either of malware that got through the filters. So one of the ways in
which we have seen that happen is an app that's in an app store, passed the filters at first,
and then they modify it, and the update is not held to the same standard, or at least it wasn't.
So they update the chess app, and now it's turning on people's microphones or just something weird.
Or when you got the chess app, you didn't realize you were giving permissions to communicate
back to the chess app company's servers.
Your location.
Because they're reselling your location data.
So that stuff is happening all the time.
So now remotely turning on a microphone and eavesdropping is another level.
So the operating systems, again, are pretty good at alerting you to wildly weird stuff like that.
But if you are able to control the overlay, like basically what are you seeing on the screen,
there have been some pretty sneaky apps where you don't realize that the overlay is active and it can capture what's happening on the screen.
So if you're typing, it can see what you're typing.
Which could be a password.
Well, now with face ID and fingerprints, actually, that's less
often the case, but sensitive conversations, texting, payments, that kind of stuff.
What do you think the chances the president, because he uses commercial-grade phones,
people have got to be listening to those, right?
Foreign governments can easily intercept phone calls.
Back to wilderness of mirrors.
So we know that is a risk, right?
So if I'm an FBI guy and my job is like counterintelligence in Washington, D.C.,
I'm going to assume all these other governments are going to try and eavesdrop on all the phones at the White House.
So I'm going to deploy a bunch of stuff to counter the people who are trying to listen in on what's happening at the White House and like associated office buildings.
So I don't know the answer because it's a, you know, cat mouse sort of thing.
So even though to a first approximation, I would say, oh, yeah, he's got to have issues with eavesdropping because there's such a strong incentive.
And it's so hard to control a city environment in the U.S.
But the counter counter argument is we all know that those technologies are out there.
It's not classified, go to law enforcement, like commercial technology, an equivalent of like an
arms fair.
Like this happens for police agencies.
They got all kinds of cyber and mobile phone tracking products out there.
Amazing.
All right.
Listen, Tim, you did a great job today.
You educated us.
Continued success with Expanse.
You're hiring.
Expans.com.
If you're a great, what developer, sysadmin, security expert, you're looking for it all.
Oh, yeah.
And maybe even sales.
You do enterprise sales?
We do enterprise B2B sales, yep.
Yeah, all right.
So if you, you don't have to have worked in the CIA, but they're a rocket ship.
You want to get on the rocket ship before it gets to space.
So these guys are heading towards escape velocity.
Congratulations.
Thank you so much, Jason.
What's it like to work with Peter Thiel?
I love Peter.
I like him, too.
So I'm optimizing for two things in life, autonomy and constantly being intellectually stimulated.
Yeah.
And I think Peter has nailed it.
He's a really interesting cat.
Like the people who work for him disagree with him about like a lot of stuff like Brian and Luke and Sion.
But he's like one of the really interesting people in the world.
I know people hate him.
Some people.
I was actually just about to say he's also a very courageous guy.
So he will go public with these opinions because he's trying to presumably influence opinion, public opinion.
And there's no clear advantage or I don't know what the advantage is to him personally.
And there's a lot of cost.
As you're saying, a lot of people hate the guy.
Yeah.
But I actually view it as...
Yeah, go ahead.
No, I think he's one of the most courageous people I personally know.
Yeah, and you can disagree with somebody who's courageous, but intellectually, he's fierce.
And I think him calling out Google for not wanting to provide technology to our government, even if you disagree with Trump or whatever or, you know, if our great American tech companies are not supporting our government.
But they are selling into the Chinese government?
Well, they have an AI collaboration in mainland China, I think, is the point.
And then Project Maven is an AI program for the Department of Defense.
That was the thing that Google said they weren't going to support anymore.
And I think there's a really interesting question to the topic earlier of,
are there insiders in these companies of who motivated those protests and why?
Was it actually organic or something else?
Wow.
And I think the way the leadership handled it was poor.
as opposed to in stark contrast,
Satya Nadella came out and said,
hey, we're working with our government
and that's a good thing.
Turns out America has been pretty fucking awesome
in world history.
So we have this HoloLens program
with the Army, and we're good with that.
Yeah.
And making that statement relative
to what we saw coming out of Alphabet
made me very happy.
I think that's what American companies should be doing.
I mean, it's just, it's like this fake,
woke, like virtue signaling,
like, oh, our government's bad.
Like, this is the government
that spread democracy around the world for hundreds of years.
And we just went from 54% of people living in a democracy like 10 years ago to 51%.
It's more critical now that we support our government because the tide is tipping towards authoritarian control.
The majority of people on this planet will likely live under a despot or a dictator in the next decade.
So I think that's scary, isn't it?
I think that if you just look at me.
So Microsoft and Google both want to be global brands, right?
And so for Alphabet, to be a global brand means we saw what the Dragonfly search engine or whatever.
They want to get back into China big time, right?
It's very important for their...
So desperate.
So on the Microsoft side, what did Bill Gates do back in the day?
He was like, oh, so we realize you kind of pirated XP like a lot, but, you know, maybe we won't enforce that.
Because they wanted everyone to be running Windows, right, in China.
So they got the market share by kind of looking the other way on pie.
of Windows install base.
So very different kinds of approaches.
Windows kind of backdoored the whole country because people are self-propagating the operating system.
And now it's everywhere.
Yeah, got in there.
Google didn't and Facebook didn't.
Exactly.
And I think they want to get in.
And so they're way oversensitive to anything that would have set the Chinese government.
So dumb.
Google and Facebook have to realize that success in China means humanity loses.
because if you are running any kind of information service or communication service, your job, number one, as far as the government is concerned, is turning over people who are freedom fighters, intellectuals, anybody who cares for democracy, your job at Google is going to be to hand them over to be executed and tortured.
Well, let's hope not.
No, no, that will be the job of Google executives. They will be explicitly told somebody searches for something about Tiananmen Square. I need to know their name.
You need to bring their IP address so we can pick them up.
Why do you think Americans don't care more about the double standard?
So Apple hacks whatever for the Chinese government at their data centers,
lets them get access to everything that's going on with iPhones in China.
But then here, FBI cooperating over the San Bernardino dude, huge uproar.
We're not going to break this phone for the FBI.
You think it's like a subtle...
What do you think?
So a friend who I won't name because I don't know if he'd want to be attributed publicly
with the statement made a comment that it's racism, that actually we view a double standard
and how American white people privacy is different from Chinese consumer privacy. And so we don't
care as much and therefore are not offended. We're just like, oh, it's normal for China
to eavesdrop on everything happening in the country. They're a dictatorship. But we, we're free
and therefore it's not okay. And I actually think there's a lot of truth in that perspective.
So that's the most persuasive argument that I've heard for why in public opinion, people don't
care more. What do you think? It's just also a very subtle issue. And I think you have to
really think on the arc of history, like in a hundred year worldview, if you give
dictators any kind of cover, their behavior trends bad. If you hold the line with them,
their behavior trends good. If there is no consequence for murdering a journalist,
if there's no consequence for disappearing, you know, people were running
a bookstore.
I forgot about that, huh?
Yeah, it was like, oh, whatever.
It was like five news cycles ago, so whatever.
Yeah, who cares?
And if there's no cost, then their behavior trends bad.
When I worked at Amnesty International is my first job, when there is a cost, letters, publicity, that's when behavior changes.
And, you know, if we don't speak up and go to our NBA games with a free Hong Kong t-shirt on,
which everybody should do this season, if we don't speak up about Hong Kong, what's going to
happen to Taiwan. What do you think is going to happen in Hong Kong? Yeah. I don't know how it ends
without violence. Well, you saw the government had to back down. The Chinese government had to back down.
They're not really good at that. And they're not good at that. And they're not good at that. But when you see
those videos being shared on social media, they only had one choice back down. And then the second
choice is turn the internet off, turn off any foreign person coming to Hong Kong, and then roll in the
tanks. And rolling in the tanks, that worked in the 80s when we didn't even have any insight into
China. Now rolling in the tanks means iPhones get made here and we disengage. Or iPhone production
moves to Philippines, Japan, anywhere but there. So I think that they're on the verge of a civil war.
And that is an outcome that is unfathomable in terms of the, that is the existential risk of the human species as far as I'm concerned.
Is a civil war in China for a billion people go to war with each other and the government?
With nukes and who knows what else.
With nukes and whatever else they have, like this would be a humanitarian crisis that is incalculable.
Well, at least there's a Din Tai Fung in San Jose, so if they nuke Taiwan, we'll still get our job.
Exactly.
Yeah.
I mean, they literally, that is on their agenda.
Like they, the people in Taiwan are watching Hong Kong.
And the South China Sea and Japan.
Which is probably why they can't really back down, even if they temporarily back down.
It's very scary.
It's very scary, right?
Because if they back down, well, then Taiwan's going to start getting a little bit lit.
And Hong Kong's going to be emboldened.
Maybe Hong Kong goes up to show.
Shan Shan, who knows? And now, whoa, what happens next, you know? And that's why it's important for us to
give them a path to human rights and democracy. We have to give them that path, right? Like, we have
to show them the way and say, like, hey, can we just, anytime something bad happens where people's human
rights are being violated, we need to have leadership here, both in the private sector and the public
sector that says we need to have a conversation about this. So with MBS, every conversation with
Saudi Arabia needs to start with Khashoggi. Every conversation. And I don't understand who in the
world from our community, like I think there's three people from Silicon Valley going to this
Saudi Arabian, the kingdom is hosting their internet conference, like their Davos in the
desert thing. It's like if you're going to Davos in the desert, you have to get your head examined.
Like, they dismembered a journalist who was working for the Washington Post.
Yeah, VCs don't really say who their LPs are.
So the knowledge that they're a big LP and SoftBank ended up being devastating for SoftBank.
And more public than usual.
So how deep do you think they are everywhere else in the Valley already?
There are funds of funds, I know, because I asked the fund of funds because I wouldn't take money from Saudi Arabia.
And I ask.
And once in a while, a fund of funds, we'll say we have like one family from the kingdom, but they're 1% of the fund.
So if they had a $5 billion fund of funds that then went to VCs, one percent of that, 50 million,
you know, they might have 50 million from one of the 10 families in the kingdom who's splashing money around.
So I think it's very hard because, you know, we have Harvard, CalPERS, MIT, other places to go for money.
So the fact that Silicon Valley is even looking to Saudi Arabia or China for money, I think is crazy.
So leave you with another thought as it pertains to what Expanse does, well, I mean, in relation to what you were saying,
We're going through a super interesting time with internet fragmentation.
So the great firewall is just one of different fiefdoms that we're seeing emerge on the internet.
So it's happening with China.
We're going to have less visibility going forward into what's happening in Hong Kong, like you said,
potentially in mainland China too.
Like going back over a decade, there have been all kinds of local media reports on violence
against the Communist Party and people trying to rise up.
And that's been really effectively suppressed.
I think we're going to keep seeing that happen.
And it's happening in Russia too.
And I think we're seeing a weird new export market of China selling that surveillance technology.
So we're in this 1984 kind of situation where when the Internet was first a big thing in the early 90s,
political scientists thought that 1984 could never happen.
It was 1984 in reverse because we're all going to monitor our government with the Internet and distributed IT.
Instead, what we're seeing is authoritarian governments can now lock down a lot
of domestic political dissent using that IT because they control the ISPs, they control the backbone,
and now they can import a software package and process from China as a third party, like some other
country in the world that's a dictatorship, and then monitor their own people. So they're actually
creating an industry out of oppression. It's a dictatorship. It's the authoritarian OS. It's authoritarian OS. So we have like our
democratic OS. And that's really what this moment in time will be looked back on in history
is these two different operating systems, communism plus capitalism, dictatorship plus
capitalism and surveillance, and then democracy plus capitalism. And the question I believe is,
you know, when you have this capitalism in two different flavors, it might be that in the
short term, a dictatorship running a capitalist layer on their operating system could beat a
democracy plus capitalism because we have it's messy here, right?
We have to debate shit.
We have to elect presidents.
We have to, you know, it's not fluid.
We don't have eminent domain in the way China does to just do things, to unilaterally decide we're putting up a billion cameras.
We're going to have facial recognition.
You can't do that here.
You'd have to get permission and then the states and cities and everybody would revolt, right?
That's the next 100 years for this or 150 years.
Instead, the politics we're seeing is attacking our own companies.
Right.
See how that plays out.
The tech companies are the enemies when we literally have communist countries running amok,
murdering journalists who live in the United States, who are American residents and who write for American publications.
And we're letting them run roughshod over us.
And then the NBA has nothing to say.
And it was apologizing for standing up for basic human rights.
This is a really weird moment in time.
This country has to maintain its leadership position in democracy plus capitalism.
If we don't, I fear for the world.
I mean, who else is going to stand up?
Europe.
They're another fiefdom.
They're another fiefdom.
So, by the way, with GDPR and how they, too, are trying to do antitrust against American companies,
fragmentation of the internet includes the EU zone.
So, quick story, we are having a harder time tracking cyber criminals because of GDPR.
So they're blocking public access to records that let us automate the process of building out relationships.
So we build these network graphs across
all of our data. What's an entity? So what's a big bank? Everything on the planet that belongs to
the bank. Government agency. What's everything on the planet that belongs to that agency? We can
flip that to say this is a signature we know is a bad actor, like a criminal organization. But you can't
share it anymore. That's engaged in human trafficking, whatever. There is now a blocker in place
because of the EU. So definitely they are not the thought leaders in this regard. They think they
are. But they're aggressive. They're aggressive. All right. This has been this week in dystopia.
We'll see you all next time.
Bye-bye.
