This Week in Startups - The Growing Ransomware Threat: Targets, Insights, and Strategies with Halcyon's Jon Miller | E1877
Episode Date: January 9, 2024

This Week in Startups is brought to you by…

Scalable Path. Want to speed up your product development without breaking the bank? Since 2010, Scalable Path has helped over 300 companies hire deeply vetted engineers in their time zone. Visit http://www.scalablepath.com/twist to get 20% off your first month.

Northwest Registered Agent. When starting your business, it's important to use a service that will actually help you. Northwest Registered Agent is that service. They'll form your company fast, give you the documents you need to open a business bank account, and even provide you with mail scanning and a business address to keep your personal privacy intact. Visit http://www.northwestregisteredagent.com/twist to get a 60% discount on your next LLC.

Vanta. Compliance and security shouldn't be a deal-breaker for startups to win new business. Vanta makes it easy for companies to get a SOC 2 report fast. TWiST listeners can get $1,000 off for a limited time at http://www.vanta.com/twist

Today's show: Jon Miller, CEO and Founder of Halcyon, joins Jason to discuss how ransomware attackers get away with it and stay anonymous (6:12), hacker markets, bounties, tools, and AI's role (16:20), proactive measures for startups to safeguard themselves (34:42), and more!

Timestamps:
(0:00) Jon from Halcyon joins host Jason.
(2:52) Delving into the renaissance of ransomware.
(6:12) How ransomware attackers get away with it and stay anonymous.
(8:27) Strategies for counteraction and policy implications.
(10:10) Scalable Path - Get 20% off your first month at http://www.scalablepath.com/twist
(11:31) 2023 ransomware attacks on MGM and Caesars in Las Vegas.
(13:52) Halcyon's endpoint agent: a solution to thwart threats.
(16:20) Exploring hacker markets, bounties, tools, and AI's role.
(19:57) Northwest Registered Agent - Get a 60% discount on your next LLC at http://www.northwestregisteredagent.com/twist
(21:55) The effectiveness of multi-factor authentication and strong passwords.
(22:49) Comparing financial vs. espionage attacks and the Colonial Pipeline event.
(29:26) The escalating danger for companies and the Uber cyber attack.
(31:27) Vanta - Get $1000 off your SOC 2 at http://www.vanta.com/twist
(32:35) AI and quantum computing: new frontiers for hackers.
(34:42) Proactive measures for startups to safeguard themselves.
(37:08) Growing hacker sophistication in places like China, North Korea and Iran.
(41:00) How the USA ranks in the world with cybersecurity and computer hacking.
(43:41) Your privacy is an illusion and a look at the information available on TikTok.
(48:01) The biggest threat that keeps Jon up at night.
(50:36) American power grid vulnerabilities and ways to be prepared.

Check out Halcyon: https://www.halcyon.ai

Thanks to our partners:
(10:10) Scalable Path - Get 20% off your first month at http://www.scalablepath.com/twist
(19:57) Northwest Registered Agent - Get a 60% discount on your next LLC at http://www.northwestregisteredagent.com/twist
(31:27) Vanta - Get $1000 off your SOC 2 at http://www.vanta.com/twist

Follow Jon: X: https://twitter.com/HalcyonAi LinkedIn: https://www.linkedin.com/in/jonmillerhalcyon
Follow Jason: X: https://twitter.com/jason Instagram: https://www.instagram.com/jason LinkedIn: https://www.linkedin.com/in/jasoncalacanis
Great 2023 interviews: Steve Huffman, Brian Chesky, Aaron Levie, Sophia Amoruso, Reid Hoffman, Frank Slootman, Billy McFarland
Check out Jason's suite of newsletters: https://substack.com/@calacanis
Follow TWiST: Substack: https://twistartups.substack.com Twitter: https://twitter.com/TWiStartups YouTube: https://www.youtube.com/thisweekin
Subscribe to the Founder University Podcast: https://www.founder.university/podcast
Transcript
A week before the Super Bowl happened in Tampa, the Tampa water district got hacked and somebody
tried to poison the water.
What?
I was totally unaware of that.
Wow.
They stopped it because somebody was literally sitting at the computer and saw someone else moving
the mouse.
Whoa.
That's an unplug-the-computer moment.
Yeah.
Holy cow.
This Week in Startups is brought to you by Scalable Path.
Want to speed up your product development without breaking the bank?
Since 2010, Scalable Path has helped over 300 companies hire deeply vetted engineers in their
time zone. Visit scalablepath.com slash twist to get 20% off your first month.
Northwest Registered Agent. When starting your business, it's important to use a service that
will actually help you. Northwest Registered Agent is that service. They'll form your company fast,
give you the documents you need to open a business bank account, and even provide you with mail scanning
and a business address to keep your personal privacy intact.
Visit Northwest registeredagent.com slash twist to get a 60% discount on your next LLC.
And Vanta.
Compliance and security shouldn't be a deal breaker for startups to win new business.
Vanta makes it easy for companies to get a SOC2 report fast.
Twist listeners can get $1,000 off for a limited time at vanta.com slash twist.
Everybody, we are obsessed in 2023 and now in 2024 with how artificial intelligence is impacting
essentially everything we do in business, in life, in government, in education. Now, AI gives you,
if you're a knowledge worker, so many amazing tools. I'm seeing people on my team get 10%, 20% faster
every month just by using these tools. It is bonkers. We've never seen anything like this.
But the truth is, if the good guys can get better at their jobs, well, the black hats, the hackers can get better at their jobs as well.
Just think about how powerful it is to use a language model, to try to convince people of something in one of your blog posts or your email newsletters.
In fact, Grammarly lets you set that.
Well, the same technology can be used by hackers, you know, spoofing emails.
And the targets are always businesses, hospitals, critical infrastructure, you know all that.
And the damage from ransomware last year alone, $30 billion.
The Department of Homeland Security said ransomware was the second most common cybercrime.
And so today we have an expert in the field.
Jon Miller is the CEO and co-founder of Halcyon.
And they are building products that use AI to stop ransomware attacks before they happen and limit the damage they do.
Jon, welcome to the program.
Thanks for having me.
Let's talk a little bit about the threats and ransomware in general. How does practically ransomware go down and who's doing this and what's their motivation? I mean, it's pretty obvious, but I think it's good to hear it from an expert.
Yeah, I mean, an attacker group is growing day after day. It used to be something that was heavily Russian in origin and then into Eastern Europe and then you'd see some Chinese actors at it. But now we're seeing a renaissance, right, where people all over the world have figured out that you can just join one of these affiliate programs and you're a ransomware actor. So we're in this interesting spot where, you know, not only do you have AI coming in and
adding to automation and scale and efficiency, but more and more attackers are coming online now.
And they've been kind of bolstered by this economy where, you know, you have these large
ransomware groups where, you know, a lot of them have ties to FSB or GRU.
And they're actually building the tooling and operating it in a profit sharing capacity
with anyone that wants to partake.
This is new news to me.
Explain how affiliates came to ransomware, because if you did have the super weapons
to exploit people and do ransomware, you would probably want to keep them for yourself,
but something seems to have changed.
This is the first time I'm hearing about these affiliate programs.
Explain what they are.
Absolutely.
So a great example of it is the MGM attack that happened in Las Vegas.
And so there were two distinct groups that were involved in it.
One of them was called Black Cat.
Those guys have ties to Russian intelligence and they're a ransomware group on their own.
However, they make their toolkit available to an affiliate network.
And so the group that actually carried it out has been called Scattered Spider,
which nobody is exactly sure where they are.
There was some assumptions that they were based in the United States because their English was so good in their written communications.
But that's been attributed by some people to the use of LLMs and help building their ransom notes.
But it was a completely new attacker group where they didn't have their own tooling and they split the profits with Black Cat.
Wow.
So this is interesting.
The Russians or, you know, these other groups are now making the tools.
They make the weapons.
They say, hey, you go do your activity.
Chop it up 50-50.
Yeah, yeah.
They do it too, right? And it's all different percentages.
But it's not like they stop. The really sophisticated attackers will focus on the more sophisticated
targets. And then you have tiers of these attackers where you'll have people that
specialize in going out and attacking hospitals, right? Or, you know, 100 million dollar sized
manufacturers. It's interesting where you're seeing essentially the internet kind of carved up
into territories.
Wow.
You have these different attacker groups that just keep kind of rinse and reusing the same
techniques and tools over and over.
How do they get away with it?
I guess is one of the questions that I think a lot of people have because, you know,
the internet, you can be anonymous, but there are ways to trace people.
And then when payments become involved, there's ways to trace people.
So how do they remain anonymous during the attacks and the communications?
And then how do they remain anonymous in the payment area?
So the payments are normally done via cryptocurrency, right?
And, you know, Bitcoin is involved, but there are washing services.
There are more secure currencies like Monero that are used.
But for the most part, there's no constable, like there's no police that are going to
come to the rescue.
Right?
So 99.99% of ransomware cases out there, there's no police that are chasing you down.
No FBI coming and saying, hey, we need to go stop this at the source.
Would this be happening if crypto had not become so ubiquitous and available?
Or is crypto the kerosene on this fire?
I mean, crypto is definitely the kerosene on the fire.
It's really difficult to have someone deliver millions and millions of dollars in cash.
Logistically, it's complicated.
You know, cryptocurrency has definitely streamlined the business.
It did happen before there was cryptocurrency.
I think the biggest thing that's really exploded it is the fact that attackers or people
that weren't attackers are realizing that they can really do this consequence free.
And, you know, as long as you're not in the U.S. or, you know, a first world European nation or something like that, there's no response.
The government has, for years, tried to keep computer hacking kind of on the level of espionage, right?
Where it's not kinetic.
It doesn't merit a kinetic response.
And it's bled over into this now where we're not really set up to respond to
an exponentially growing threat group like this that is, you know,
completely willing to target our critical infrastructure or manufacturing.
At some point, this is going to be so acute that we're going to have to strike back in the
real world.
And that's pretty obvious, yeah.
I mean, it's obvious.
I don't know if it's going to happen.
It's not where policymakers are going.
Where they think they can solve it is by making it illegal for people to pay the ransom.
So if nobody can...
Oh, make it illegal to pay the ransom.
Yeah. So imagine your business gets ransomed, or imagine your hospital gets ransomed and you can't provide quality service to your
patients, which, you know, results in death. Telling them that they can't pay a ransom is a very
precarious spot to be in.
But now, crypto people always say to me, oh, have fun
staying poor, not going to make it.
And then when I make these points,
and then they also add to it, well,
crypto is 100% traced
and the blockchain is immutable,
blah, blah, blah, blah, blah.
Therefore, crypto makes it easier
to catch criminals.
Is that just them talking
their own book and trying to
protect themselves?
You can wash cryptocurrency,
right?
You can put it through laundries,
online casinos.
There are services specifically for it.
You can chain hop, right?
Like transfer from Bitcoin to Monero or, you know,
Monero to whatever you want, Dogecoin.
It doesn't matter.
There's enough spots where you can mix it around where you can't track it anymore.
They don't really need to go to that level of extreme because no one's really going after them.
It's hard to balance hiring top-tier developers and keeping your burn rate under control.
But these days, I see a ton of founders successfully doing this by hiring remote talent. So,
let me tell you about Scalable Path. It's a software staffing company that can help you build an
awesome remote developer team. And the right developer isn't just a list of technical skills.
We all know that. It's about their personality. It's about their work ethic, their motivation,
and their fit within your team. And Scalable Path knows this. So here's what they do. Their team will get
to know your vision. They're going to get to know your needs.
and then they're going to develop technical challenges tailored to the roles you're hiring for.
And these challenges are conducted live and on video.
So there's no gaming of the system.
You're going to get great people.
They also evaluate each candidate's soft skills like communication, attitude, and work style.
Scalable Path has completed more than 300 projects for their clients, and they have a network of 30,000 developers.
They've been doing this for over a decade.
They know what they're doing.
So you're going to be in great hands.
here's the best part. Twist listeners get 20% off their first month. If you're ready to scale your
dev team and your business, check out Scalablepath.com slash twist. Once again, that domain name,
scalablepath.com slash twist, 20% off. The interesting thing with ransomware is you negotiate
with these guys, right? Like, you have live communication with them both in the process after
you've been ransomed and you're trying to get unransomed and negotiate how much to pay them,
as well as they'll support you after you've paid them to help recover data.
So it's not like they're hiding deeply in the shadows.
And there's just no need for them to.
So when they did this with Caesars and MGM,
Caesars, I think, just said, okay, or one of them,
Caesars just paid $15 million.
Yeah, and they're back online quickly.
So what they do is they take down your systems,
they somehow lock them up, and they have the data of the individuals.
That's the playbook?
Yeah, so normally the first thing they'll do is actually exfiltrate your data.
And they do it like a smash and grab.
As fast as they can, they'll overwhelm the connection pipes,
but take as much data out as possible.
And then what they'll do is they'll run encryption software,
where they'll just scour the whole hard disk
and create encrypted versions of all the files
and then delete the originals.
And then you pay them for that key to restore those files.
And then they call it double extortion. You pay them to not publicly release the data that they stole.
Got it. So they got you two different ways.
Yeah. I mean, an interesting one is, I think it was the Black Cat group. I don't want to offend any ransomware group by attributing
something to another one. But about a month ago, they actually reported their own breach to the SEC,
where they ransomwared a company. The company was trying to keep it under wraps.
And they, as the attacker, did the disclosure that they were compromised.
Yeah, because you do as a public company have to disclose these things now.
That's part of the law.
Yeah, absolutely.
And we've had laws, you know, for a bunch of years and, you know, at the state level.
And now we're getting more into like SEC mandating reporting.
But, you know, the majority of these attacks still go unreported.
If you're running a business and if you don't pay your business is going to go under, you're going to figure out what you need to do to pay
and just keep it quiet.
How do people stop this from happening?
Because this is a system level.
You need to get keys to the kingdom in order to do one of these things, which means you
have to compromise a pretty serious IT person's credentials, or can you do this with just
the CEO's credentials, the CFO's credentials?
How do they get into the system?
What level of keys do they need?
And then how do you stop it?
I know your company obviously has tools and services here, but how do people practically stop this from happening?
Our company specializes in this. We've built an endpoint agent that complements kind of antivirus and EDR and provides another layer to stop it.
And then if we miss it, actually recover the system, we capture those keys. So instead of having to pay for them, we have a copy and we can just use them.
The normal ingress for these is like phishing attacks, right?
compromised credentials.
There have been so many password breaches
over the years that you
can take someone's email address
and essentially figure out what the algorithm
is they use in their head for creating passwords
unless they use really random
passwords everywhere.
And they'll bake that into the malware and say, you know,
here's what we think five passwords probably are,
and when you run it, you know, it tries to connect with them.
The other interesting thing is there's another essentially marketplace where you have what are called initial access
brokers.
Right?
So there is an entire business of all I do is go out and try to get a small landing point
inside of a big corporation and then I turn around and sell that.
So if you wanted to be a ransomware actor today, you don't have to hack anyone.
You go and join a ransomware group, you go to an initial access broker, you buy the access,
you take the tool that you got from the ransomware group, you run it there, you're done.
So there are people who...
Complexity is low and...
So there's a marketplace now of people who have hacked.
Yeah, numerous ones.
They will hack, you know, somebody in customer support, somebody who's a receptionist,
somebody who's a salesperson, whatever it is.
That gets you into the building, essentially.
Now you run this malware that you bought.
And you try to lateralize.
You capture cached passwords off of the host, right?
The interesting thing is these ransomware guys have a lot of money now.
This is really successful.
So they can go out and do things like buy zero-day vulnerabilities, right?
Explain what that is to people.
A zero-day vulnerability is a flaw in a piece of software.
that nobody knows is there.
So an individual researcher
goes out and says,
I've figured out how to hack Chrome
browser the way that nobody knows.
Instead of telling anyone
or disclosing it,
there are ransomware groups like LockBit
that run open
bug bounty programs. You just reach out
to them, you tell them what you found, and they'll
pay you for it. And then they'll build
that into their malware.
So this hacker, the black hats
are offering bounties
100% against Microsoft offering bounties or whoever.
And guess who pays more?
I'm going to guess the people who do ransomware pay more.
Well, they make money with it, right?
And so I think it was like two or three years ago.
We hit a point where those types of vulnerabilities were almost exclusively used by governments, right?
Intelligence agency, stuff like that.
Then we hit a point where these cyber criminals are actually using more.
of these zero-day vulnerabilities than anyone else.
Fascinating.
So explain how language models and AI has changed the game because we knew it would.
Is it just people are writing clever emails now?
I mean, you would be amazed at how much ransomware starts with phishing.
And I'm sure you've got more phishing emails than you can count in your life.
Yeah.
And normally they're pretty easy to pull off when it's like, this is broken
in English.
Like, this isn't legit.
I mean, you can use an LLM to generate a phishing site for you.
I don't think that it's really widely being used by the ransomware groups.
They don't really need it.
But it is another kind of fueling factor that's just allowing them to grow even more.
You get a 10%, 20% performance uptick if you use it, right?
Cut out some of the busy work and give a finished product that's going to be more successful.
The thing I've recently been made aware of because I'm in the venture capital space,
there are large wires that sometimes somebody gets a distribution.
So a wire goes out.
You're in a venture fund.
You're an LP.
And we're shipping, you know, oh, we're distributing the stock from Coinbase or Airbnb or from Uber.
It's got to be wired to an account.
custodian account, a bank account, whatever it is, if it's stock or cash.
And so there was a report going around Silicon Valley that somebody had taken a famous,
a notable person's voice and then did a dialer and then attempted to change the distribution
path of shares coming out of a venture firm to a partner or an LP, which I don't know,
was a GP, a general partner working at the firm or an LP who was an investor in the firm.
So have people started using voice now to kind of...
And then these AI voice generators?
I haven't seen it yet, but absolutely right.
The other beautiful thing, caller ID is incredibly fragile and easy to spoof.
So the second you call someone and it says that it's, you know, Jason calling me and it's your voice,
how do you not go buy those Amazon gift cards?
Starting a business used to be a pain.
You needed a lawyer.
There were fees.
It was a mess.
Now, with Northwest Registered Agent, it only takes 10 clicks and 10 minutes.
Northwest provides everything you need to start and maintain your business.
Every LLC, corporation, or nonprofit that Northwest forms comes equipped with registered agent
service, a business address, a website and hosting, email, a phone number, and this is all covered
by Northwest's privacy by default.
Again, your full business identity will be live in 10 minutes and in 10 clicks.
So here's your call to action for $39 plus state fees.
They'll form your LLC, corporation, or nonprofit, and launch your business in just minutes.
Visit Northwest Registeredagent.com slash twist today.
That's Northwest Registeredagent.com slash twist today.
Social media seems to be another vector.
I get DMs all the time from people trying to get me to send Bitcoin or receive Bitcoin, whatever.
But then people create fake versions of you online and mirror your entire account and then try to get people.
And I'll get DMs on my main account, the verified account all the time, saying,
hey, did you want me to send you those Bitcoins?
And I'm like, no.
I send you three Bitcoins and you're going to send me 300 back, right?
This seems to be something that's now becoming de rigueur.
But people are getting smarter to it, right?
Never send money.
It also makes KYC really difficult where you have online banking.
And people don't want to go into a branch and show their driver's license and have someone
be like, so you end up with like, we're going to do a video check, right?
Like hold your driver's license up.
And all of that is all fakeable now.
So never do that.
It's not that you should never do it.
It's just there's more vulnerability, the more connected.
So two factor, strong passwords.
If people just did that, how much of this problem would be solved?
Multi-factor helps a lot.
The problem that you're seeing is
the companies that are going down,
the Caesars and MGMs,
they're on multi-factor.
How do they compromise?
They hacked Okta.
Oh, wow.
Okta, for people who don't know,
is like an authentication management platform.
It's got passwords in it.
It's got its own two-factor,
but they had,
if they got,
wow,
does Okta now have liability then?
Possibly, right?
Like, who knows?
That's a much...
Wow.
I don't think anyone's really been held liable for a security vulnerability in their product that resulted in somebody else getting hacked.
Right?
Like Microsoft and Apple would be the two largest defenders in the world.
Talk to me about these infrastructures.
I know that we had a...
Was it the colonial pipeline, if I remember incorrectly?
So explain what...
Because that's a different goal.
That's not just money.
Now, this is like serious espionage level, trying to do damage in another country. So how real is that and how prepared are we for it?
That's the interesting thing. It was financial. It wasn't espionage. And it was over the line of
espionage, right? Like nobody's been willing to carry out an espionage-style attack of that
magnitude on U.S. soil, right? You end up with a proportional response. Take out our pipeline,
we'll take out yours. Because it was a cybercrime group, they got away with it.
There wasn't a proportional response.
What happened in that, if you know, what happened in that situation and how did it go down?
There were attackers that were in the network for some time.
They ended up installing some new security software where they noticed that there were some irregularities.
It tipped off the attackers that they were onto them and they encrypted all the machines.
They didn't go into the actual pipeline computers.
but they took all of the back end office computers, you know, essentially offline and then demanded a ransom to allow Colonial to regain control of their computers and turn everything back.
And this was another one of these like payoffs with Bitcoin. I know the DOJ in this case somehow recovered some of those.
They exfilled stuff to Amazon. They were bouncing through, like, AWS. And so they were able to, you know... the FBI, the Secret Service, the U.S. Marshals have relationships with those
cloud providers. But the second that you get out of something like that, or, you know, frankly,
they left stuff around. If they had just moved it all the way off, they wouldn't have been
able to recover anything.
Totally get when people steal the data, the releasing of the data or the
selling of the data, that's a super attack vector. But when they encrypt, you know, a machine,
why don't people have backups?
Why are these things not duplicated or redundant in some way?
While they encrypt the machine, they go and they encrypt the backups or they delete them.
Right?
Like if you have the ability to write to a backup, yeah, they profile it.
The interesting thing is, you know, lots of people have offline backups, you know, DLT, tape drives, Iron Mountain, all that.
The logistics of importing that backup data takes weeks.
There's not enough bandwidth on your network to be like, let's restore every system at the same time.
So they're so sophisticated that they know where the backups are.
They encrypt them as well, at least the online ones that are redundant.
They get the topography of the network, boom.
I mean, take the whole thing down. They corrupt the, like, host-based snapshots.
Like Windows has a service called the Volume Shadow Copy Service where, you know, if an update goes bad or something like that, you can snap back.
They'll actually corrupt that out in every major piece of ransomware.
It's one of the indicators that we actually use for stopping ransomware, is tampering with that backup
service.
Ah, so if somebody starts effing with your backup service, that's when you know somebody's in there
doing something.
It's one of the signs, yeah, absolutely.
Tell me more about your software and solution.
How do you implement it and how can, how does it stop people?
Is this like a constant game of cat and mouse where you constantly have to update it like the virus software people do?
I mean, the nice thing about it is that's where, you know, AI really comes in and gives some superpowers instead of, you know, thousands of people sitting writing, you know, regex signatures.
You know, we are using multiple different types of machine learning to build models that help identify both from a pre-execution standpoint,
before it runs, as well as the behavior when something's actually running, to say
we think this is bad, let's stop it. But the best way to think about us is we're the first
complementary layer to antivirus. So for years, everyone said you don't want to run two antiviruses
on the same machine because they'll step on each other and conflict. So we were the first product
where we said, let's build ourselves to be a layer behind, not try to replace the
the Defenders, the CrowdStrikes that are out there, right?
And then just focus on the threat of ransomware.
So instead of trying to stop everything that's out there, we focus on these 200, 300 ransomware
groups.
What are the tools that they're using?
What are the techniques?
And then we use that to build kind of like a multi-layered protection strategy.
But where we really differentiate is we're the first endpoint product ever to be focused on
recovery too, where because these guys are so sophisticated, they have so much resources,
they're going to figure out how to beat everything at some point. But because they do encryption
on the host, we actually capture the key material, the symmetric keys, the entropy, and we can
reconstitute that data for the users without them having to interact with a ransomware group.
If everything fails, they get ransomed. This is a key thing. They have to encrypt
it in order to give you the keys to unencrypt it.
So that step in the process was such a brilliant stroke for them.
However, it doesn't take all that much technology to know a machine is doing something
with encryption in real time on that server, right?
Or on that desktop.
I'm not sure if we'd try to go after that.
There's a lot of encryption that's going on on host nowadays, too.
Right?
So there's a delicate balance between, you know, profiling something that's backup software.
I mean, we also focus on the data protection side, right?
When they come and they steal that data before they encrypt,
we have a network driver, so we'll actually detect that data exfil going and block it.
Their tactics, you said cat mouse, I mean, it's completely appropriate.
Their tactics change constantly.
They're always looking for a way to deliver more impact quicker.
This is now becoming, in terms of corporate governance, a board level issue.
Like, when these things happen, I remember Uber had a big hack and then somebody didn't report it or they tried, because, you know, sometimes somebody is embarrassed by it and they try to, you know, maybe resolve it before it escalates.
This is getting very dangerous for companies and boards because they ultimately are responsible for knowing about these things.
So what's the state of affairs now with reporting?
It's getting dangerous for the C-suite, right?
So in that Uber case, the person that got prosecuted was the Chief Information Security Officer.
It's the same thing with the SolarWinds hack.
If you remember that, the SEC just filed charges against the Chief Information Security Officer there.
So a CISO, which is the Chief Information Security Officer, for people who don't know.
If a CISO doesn't do their duty to report hacks, that's criminal behavior now?
Or it's...
Apparently, right?
There isn't a lot of clear guidance on what's good and bad.
The industry has taken up with this concept of bug bounties where you as an individual can go out
and find a vulnerability in Uber and then reach out to them and say, hey, Uber, I found this
vulnerability.
Here's my proof.
Write me a check.
What's the difference between that and somebody hacking you and asking for a ransom, right?
Like attitude?
I guess it would be the threat of taking the system down and giving it to other people as opposed to politely asking, can I get 10 grand for this?
Yeah, yeah, yeah.
I mean, I found.
And also, I guess, being anonymous versus not being anonymous would be another person.
I mean, absolutely.
You can always ask politely first if they don't agree, escalate, right?
But it gets confusing from a legal perspective.
Yeah.
Right?
Where if you look at that Uber case and what they prosecuted that CISO for, it seemed like something that was very common that's done in corporations across the country every day.
All right. Listen, selling software is hard. It's hard right now, right?
2022, 2023, it's been a grind. 2024, it's going to be hard too. Everybody's making very thoughtful decisions.
And the last thing you need is to slow your sales team down because you don't have your SOC 2 dialed in.
So if you're a SaaS or services company that stores customer data in the cloud, you need to check out Vanta.
Vanta will get your startup SOC 2 compliant easier and faster.
Vanta makes it really easy to get and renew your SOC 2.
On average, Vanta customers are SOC 2 compliant in just two to four weeks.
Compare that to three to five months without Vanta.
Vanta can save you hundreds of hours of work and up to 85% on compliance costs.
And Vanta does more than just SOC 2. They also automate up to 90% compliance for GDPR, HIPAA, and more.
You can't afford to lose out on major customers because of silly stuff like lacking compliance.
Just work with Vanta. Get your compliance automated and tight. Tight is right. And close those big deals, the lighthouse deals that send all the other customers to you. Here's the call to action. Very simple. Vanta's going to give you $1,000 off at vanta.com slash twist. That's vanta.com slash twist to collect $1,000 off your SOC 2.
Talk to me about encryption long term because there have been rumblings, especially during this OpenAI brouhaha with Sam Altman being fired and rehired and all that kind of stuff.
that, you know, they might have, this was one of the theories,
that they might have with, you know, LLMs and just the brute force they have been
able to figure out how to unencrypt stuff or break some encryption.
So is that disaster scenario that people put in the quantum, you know, computing,
oh, it's only going to happen when quantum computers come out, they're going to break encryption
and whatever.
We'll see that coming.
But then LLMs, we didn't see coming, at least not at this velocity.
So is that real or scare tactics?
Encryption's been broken a bunch of times before.
And what happens is it gets broken.
There's no instant scale of attackers.
So the attackers exploit it.
Everyone responds.
They replace it.
And then we go on to the next one, right?
It's the reason why we don't have WEP on our Wi-Fi anymore.
And we're not using SSF, one.
Encryption is always going to get compromised, right?
It's just you have to be dynamic and use it in a way where you can adapt and move to new standards and algorithms.
But you're already seeing quantum resistant crypto.
Explain what this is for the audience.
Cryptography, theoretically, and it's just theoretical right now because no one's been able to actually prove it, is resistant to, you know,
an at-scale, general purpose quantum computer being able to break the encryption, right?
So the majority of, you know, like cryptocurrency and stuff like that,
theoretically with a strong enough quantum computer, you can unravel the blockchains, right?
But people have identified it.
We've known that this is going to be a problem for a long time.
And there are numerous companies working on being the next, you know, quantum-resistant
cryptography company.
What do you recommend for startups, people who are running fast-growing companies in terms of
because you can't afford a CSO, you know, you're a 20, 30, 40-person company?
What's the best practice?
You just use a great cloud computing provider, have great two-factor.
I mean, there are some fabulous managed services companies that are out there, right,
that specialize in security that, you know, are affordable, have access to.
you know, a suite of the best in class technologies that are out there.
This is going to sound crazy, but, you know, big companies like Dell, right?
Like these are serious problems to them and they have real solutions to it.
So you can actually go out and engage with the manufacturers, right?
I'm less with Apple than everyone else.
But, you know, Microsoft has a huge security suite product to offer.
Should people be using physical keys?
I mean, there's been a lot made of people being able to spoof SIM cards in order to get two-factor.
It seems like the majors, the, you know, the Verizons of the world, Google Fis are starting to lock this down.
So they kind of get it.
But there have been very interesting edge cases of people being able to figure out how to get eSIMs.
So should people be using, what's that key that everybody uses, YubiKey or something that you see?
YubiKeys.
YubiKey. Should people start moving to those kind of things? Is that going to, and does that actually really solve the problem?
Maybe for now, right? Like the majority of people, I use my phone for my multi-factor and you run into an issue of what happens when your phone gets compromised, which I don't know if you've seen the news, but there was, you know, this highly sophisticated iOS tool chain that just came out where they were hacking iPhones and there was no way of knowing.
that you were compromised.
You know, it's layers of due diligence, right?
I wish that there was some,
if you use this, you're protected,
but in this world, there's always a way
to engineer hack around kind of any security technology
that gets deployed, which is why it really comes down
to having layers and being able to detect
when something's been penetrated
and have mitigating controls and response plans
and the right partners.
How much of this has moved to China now and North Korea? Are those sophisticated players in all this? Is there still in Eastern Europe?
Oh, no, they're highly sophisticated. I mean, the interesting thing with North Korea is when you look at the top four, you know, non-Five Eyes nation states, you've got China, Russia, Iran, and North Korea.
Right.
The old axis of evil, as I think Bush called them, yeah.
North Korea operates and became one of the top four with zero dollars of state funding.
All of their, yeah, all of their funding for computer hacking, they steal.
Like, they were really big.
They're bootstrapped.
They're absolutely bootstrapped.
They were a big fan of, you know, the banking protocols, SWIFT.
They would go in and hack SWIFT transactions and just steal money that way.
What about Iran?
It's very interesting.
Does Iran have a big capacity?
Because not a large capacity, but they're getting really sophisticated.
So they were essentially kind of late to the game.
But you saw probably 10 years ago they started taking on serious targets.
They were able to compromise the Navy Marine Corps Intranet.
You know, they got a bunch of like nuclear research stuff from a bunch of universities.
But yeah, I mean, they're continuing to gain sophistication with essentially the rest of the world, right?
Like as this information is becoming more accessible to everyone, they definitely have the motivation and the access to everything that they need to play out some major attacks.
The governments turn a blind eye to this, but they, or do they support it? Are they training
people? You know, are they getting a vig and a piece of the action? You would think in a place
like North Korea, maybe a Supreme Leader would want a piece of the action and would see this
as a revenue stream potentially.
How do the governments in each of these places participate in this or not?
It's normally state sponsored, right?
Like if you look at even, you know, Russia, China, like all of these attacker groups
have direct ties to military intelligence.
So they exist outside of the military and outside of the government.
Moonlight.
They're moonlight.
Yeah, it's your nights and weekends job.
You don't make a lot working for the government, but they've always been supportive of people
kind of taking those tools and using them to attack their enemies, right?
Like there's no, if you go and hack, you know, a giant American company as a Chinese,
North Korean, Iranian citizen, and it gets publicly released that you're the one that did it.
There's no consequence.
China used to hold competitions at universities where they go and, who could hack some American company the best?
Okay.
Lightning round here.
There's been rumors Bitcoin, Tor.
The Tor network people don't know is a relay system to anonymously surf the Internet.
It's where all the dark web transactions are.
There's been rumors those things could have been CIA or government sponsored, honeypots, etc.
What do you think?
It's definitely not conspiracy, right?
I don't think that it's something that they're the whole system.
But yeah, I mean, if you're operating on Tor and you think that you're completely anonymous and the U.S. government and intel agencies aren't operating Tor exit nodes, you're pollution.
Yeah.
Right.
Like, it's absolutely in those decentralized environments, they're going to invest and collect.
It just comes down with what's their motivation to do something about it.
How good is America when compared to our hacking ability?
Because you're in the community.
People in the community sometimes get called up to duty or get pulled into operations, etc.
And there's a big tradition of that here.
It's very quiet, obviously.
How good are we compared to the other places?
So prior to starting Halcyon, I started a company where we exclusively worked with the U.S.
intelligence community doing sophisticated cyber operations.
We are the best, right?
We have the best capabilities.
We have capabilities that most people can't fully comprehend.
What do we use them for?
That's the problem, right?
Like, are they being used for the right things?
Do the groups that have these capabilities get the right mission handed down to them
that allows them to get the maximum value?
I think politically, we don't really understand computer hacking yet.
I don't think a lot of politicians understand how computers work and the threats we're vulnerable to. But from a capability perspective,
it's fantastic, right? Like, better than you could imagine. It's just... We don't hear about it,
which I think is a really good thing. Like, our techniques, this is why when a lot of, you know,
I mean, not to be political or anything, but like, you know, Trump having certain papers that he had
in Mar-a-Lago or maybe other presidents have them too, that have those techniques in them,
I think they call them methods and sources and whatever.
It's really important that we don't use these tools that we have or let people know we even have them.
Like we got some sophisticated stuff that we just don't want people to know we have them.
Yeah, yeah, it's different classes, right?
There's stuff that you have to sit on the shelf just for an emergency, right?
Life or death, the world's going to end like that's when we pull that one on.
But they're different calibers, right?
where it's, you know, you have your everyday tools that you run.
Like there is no shortage of capabilities for cyber in the U.S. intelligence community.
We spend a lot of money on making sure that the U.S. has omniscient-like cyber capabilities.
Omniscient cyber capabilities.
I like the sound of that.
If in the right hands, I mean, obviously these can be used for nefarious purposes too.
We've got to be vigilant about them.
There's abuse on the margins.
But generally, it seems like we do the right thing as a country.
Yeah, very much. I mean, I think that there's a lot more that we could be doing, but people are scared. You know, it's something where privacy becomes very fluid. And, you know, once you've eroded that, you can never really pull it back.
Yeah. I mean, the amount of access we probably have to an average person's phone as a government is pretty amazing. People think that their Signal or some of these encryption things are bulletproof, you would say no.
Absolutely not.
Right. So the interesting thing with those messaging applications is in so many cases, even when something is deleted, it's still left on the phone.
Right? Because you end up with a database of messages and you don't go back and delete lines out of a database on a cell phone. It's a battery device.
You just flag it as deleted. There's so much information on your devices that once it gets kind of captured by one of these government tools or programs,
it's a little unimaginable.
Yeah, your privacy is an illusion.
100%.
If we then extrapolate that to TikTok and the Chinese government having access to it,
describe for the audience what they would be capable of doing with 50, 100 million Americans
and the access they have on the average phone.
What could they be doing with that data?
It's interesting, right, because there are legitimate ways to gather data on phones
and then the illegitimate ways to gather data on phones.
Yeah, give me an example.
So you remember when iPhone came out with allow this application
to get access to your clipboard,
that was in response to applications
were just always reading what was on your clipboard, right?
And then sending it to their password.
People cut and paste their password all the time from their password manager.
Yeah, if you're using a password manager.
Yeah, absolutely.
So you've basically given the Chinese all your passwords,
and they've got five or six different passwords in there.
And if you're a typical American,
you're probably not using a random generator.
So you just got your Gmail just gave them Bank of America,
gave them everything else.
Yeah.
I mean,
there's a lot of metadata that you can take off of phones.
I will say this.
TikTok probably isn't going to be their only source of this information.
There are a lot of core services that mobile applications are built upon that data can be mined from, I guess would be the best way to put it.
You know, as long as you're comfortable with the fact that privacy is an illusion
and you should do everything like somebody's looking over your shoulder, it'll be fun.
Yeah, I mean, that is what people should be doing, right?
Yeah, especially with digital devices, right?
If you want some privacy, get a friend, go out into the forest, leave your phones behind.
When we look at Apple as an actor here, they've been at least publicly,
it seems like they're in the corner of protecting individuals' rights to privacy more than anybody.
They're not an ad-based business encryption.
And the fact that they wouldn't unlock the San Bernardino Shooter's phone, if you remember that instance,
the Israeli tool to do it.
So is Apple and being on the Apple ecosystem the best choice for consumers because Apple has that default of,
you know, lock it down and only the user has it and we don't have your information on some server, or in a lot of cases they say they don't have it.
I trust Apple the most, I guess, would be the best way to put it.
You know, you end up with a homogenization kind of problem where if I want to hack you and you're an Apple guy,
I can go out and buy a zero day that doesn't just allow me to hack your Apple phone.
It allows me to hack every Apple phone in the world because they're all the same, everything's universal.
And so you end up with this
because you're in the majority,
everyone's going to always have access to that.
Right.
Like being able to get on an Apple phone
is bread and butter for an intelligence agency,
federal law enforcement.
Like you said,
they couldn't get in the San Bernardino shooter's phone
so they went to an Israeli company.
Right.
The capability is always there.
Yeah.
Where if you want to be really, really secure, find the most obscure phone that you can think of and use that because nobody's going to go through the effort of, you know, buying or building a tool to get into something that unique.
What's the biggest threat?
We'll end on this.
The biggest threat that keeps you up at night just in terms of hacking globally beyond your company and what you do.
I mean, you're a venture capitalist.
I was going to say interest rates, but if you're going to take me back to hacking.
Hacking.
Right.
Back to hacking.
I mean, it's, it's our infrastructure, right?
If you look at, did you make it to the Super Bowl in Tampa?
You seem like the type of guy that would go to the Super Bowl.
No, I didn't.
I've been to a Super Bowl.
I went to the 49th one, one time.
So a week before the Super Bowl happened in Tampa, the Tampa Water District got hacked and somebody tried to poison the water.
What?
I was totally unaware of that.
Wow.
They stopped it because somebody was literally sitting at the computer and saw someone else moving the mouse.
Whoa.
That's an unplug-the-computer moment.
Yeah.
Holy cow.
Attacks like that are so much easier than anyone realizes right now for the level of sophistication of these.
How do they get the poison into the water?
Would they just like up the amount of fluoride?
Yeah.
I would say.
You just 100x the fluoride, boom.
Yeah.
Whenever.
Wow.
Transportation infrastructure, right?
Like hospitals, right?
manufacturing, what happens if the oil companies get shut down for a week, right?
You end up where we've built this entire supply chain that's as close to just in time as we
can get.
And you start dropping computer outages there and stuff unravels, right?
Yeah.
People got. I mean, Americans are dying all of the time now from cyber attacks.
And we're doing nothing.
That's incredible.
Yeah, because of hospitals, because of supply chain and these kind of things going down.
Yeah, I mean the hospitals specifically.
And that is a target, huh?
They want to target hospitals because they know it's mission critical and they're just going to pay the ransom.
You got to pay.
You got to pay.
You got to pay.
Yeah.
This is why things that are redundant are good.
This is one thing we learned during COVID.
Like, if all of the medicine we have in this country comes from one other country, that's a communist country, that maybe is a rival.
Maybe we should make some of those drugs here.
Yeah, it's just not cheap, right?
Like, that's the problem.
Like, all of this is just more capital that is expensive right now and people don't want to spend.
If the problem's solved or at least looks solved.
That is a challenge with capitalism.
Capitalism finds the cheapest path.
And the cheapest path is a dependency.
You then have to say, we want redundancy is more important than the lower price.
And I think Americans are starting to see that.
You see that with people putting solar and generators and having Starlink and their landline.
People are starting, I mean, putting preppers aside, just being off-grid, having a well,
having a generator.
It's not like you're a kook anymore for having those.
I get the sense that you have all those things.
I have all of those things.
Thank you for calling me not a kook.
I literally am putting generators in both my houses.
My Cybertruck, when it comes, is the equivalent of 11 Powerwalls or something.
So I'm going to have a Cybertruck.
That's 11 Powerwalls.
I have Starlinks.
So yeah, I'm big into the redundancy.
Yeah, I thought you're Elon's friend.
You don't get it right away?
I literally just traded emails with them about it.
Yeah.
He pushed me up.
He's going to get me one of the Foundation Series, I think.
You know, here's the thing.
I always, if you want to throw in a word for me too, I pre-ordered mine.
I think he's going to sell every one of these he can make.
I think the sneaky part of that product is the inverter and that you can plug it into
your home and it's 11 Powerwalls.
You just think about if you live in Texas.
and you're going to buy a truck.
Yeah, I mean, I have three Powerwalls right now, and it's pretty good, but I really could have gone with like six.
But three Powerwalls will get you through like two days or a day.
I mean, it gets me all the way off grid if I'm not running my air conditioning.
Yeah, so you're in pretty good shape.
If you have a Cybertruck and it's got 11 of these or nine, whatever the equivalent is, you can run your AC.
You could be doing loads of dishes and it just will change how we look at the power grid itself.
And that's the ultimate redundancy.
Like, how do you hack that?
It's going to be pretty hard to hack.
I think it's huge, right?
Having that kind of power independence,
especially where our grid is so fragile.
If you take down, I think it's like nine or 11 substations.
And I'm talking about like a bomb on a quadcopter and you just fly it in and kaboom.
Yeah, this could be like that.
And you think about how insane that is, you could just literally do nine
Oklahoma City bombings, God forbid.
Not even that big.
Not even that thing.
You can literally take a toy or a quadcopter and your own homemade explosive and have 10 buddies do it all at the same time.
And you just blacked out the entire nice thing.
It's madness.
And this is where the next thing I want to.
It hasn't happened before.
Black Swan events do happen though.
And we can predict them now, which means we should be doing it.
The thing I want to get is there are these panels that are like solar panels.
You put them on your roof where you put them in your back.
And they take moisture out of the air.
They're like dehumidifier kind of things.
And you can basically get enough water to survive and drink off with a couple panels for your family of whatever, three, four, five.
I don't know if you have that yet.
I saw that on Star Trek.
And when I was watching in the 90s, Captain Picard.
There's a startup making them.
And so it's.
I mean, it's fantastic.
I have a well, right?
So I've already got plenty of water.
But that's the next piece.
Water, electricity, and internet.
What else did you?
The second you can do all that stuff off grid with Starlink,
giving you a 350 megs a second wherever you want.
I just put Starlink in my ski house,
and I got over 200, 250 megabit, and I was like, what?
When I first tried this, you're getting three?
350 on mine right now.
That's nuts.
And then, you want it right now?
Is this a, no, I have it as a backup.
Yeah, so that's what I do is I have the router uses mine as the backup.
But I think it's getting to the point with the latency going down.
that you could actually load balance
and you wouldn't be giving anything up
versus your cable modem.
My head of services lives in like a rural town in Colorado
and there's no broadband there.
He's been on Starlink since it first dropped
and he does Zooms, demos, everything works great.
Wait, do you see it on an airplane?
I was on an airplane with it and it was...
Oh, my goodness.
I mean, you know,
bonkers.
The gist is, internet coming to planes was so transformative for me,
like having actual real bandwidth.
with there is going to be.
It's bonkers.
It's really going to change how people look at, you know, taking long haul flights.
Like the fact that you can just literally turn on Netflix and then have two other people
turn on Netflix and stream something.
And you're like, wait a second.
This is different.
Every time, every night before I travel, you got to get it out, make sure everything's
downloaded and synced and your DRM is renewed.
And yeah, no, having a real connection to be great.
Where can people find out more about your company?
And I know you're hiring.
You've done great in terms of raising money.
And so who are you hiring for?
halcyon.ai.
That's just because, you know, we can't afford the dot com yet.
Maybe one day we'll get there.
I think actually the AI is probably better right now.
Yeah.
It is the right time of year for AI companies, right?
Absolutely.
But yeah, and then, you know, major kind of security channels and partners.
If somebody has a security partner that they're working with, odds are we're kind of partnered with them.
And hiring.
We're definitely hiring the engineers and sales guys.
Come on over.
You got it.
All right.
And we'll see everybody next time on This Week in Startups.
Bye-bye.
