Y Combinator Startup Podcast - #56 - Leah Culver of Breaker and Tom Sparks of YC Answer Your Questions About Security and Podcasting
Episode Date: January 5, 2018
Leah Culver is cofounder and CTO of Breaker, which is a social podcast listening and discovery app. They went through YC in the Winter 2017 batch. Leah’s also an author of both the OAuth and oEmbed ...API specifications.
Tom Sparks is an engineer on the YC Software team. He also cofounded Cryptoseal which went through YC in the Summer 2011 batch and was acquired by CloudFlare in 2014.
The YC podcast is hosted by Craig Cannon.
Transcript
Hey, how's it going? This is Craig Cannon, and you're listening to Y Combinator's podcast.
Today's episode is with Leah Culver and Tom Sparks.
Leah is the co-founder and CTO of Breaker, which is a social podcast listening and discovery app.
Breaker went through YC in the Winter 2017 batch.
And Leah is also an author of both the OAuth and oEmbed API specifications.
Tom's an engineer here on the YC software team, and he also co-founded CryptoSeal,
which went through YC in the summer 2011 batch.
They were later acquired by Cloudflare in 2014.
So the first part of this episode is about security,
and the second part is about podcasting.
We answered a ton of questions from Twitter,
so hopefully we got here's.
All right, here we go.
All right, so how about we start with some questions from Twitter?
I actually think this one might have been on Facebook.
So Brady Simpson asked,
how do we deal with the ever-increasing pressure
from governments trying to get into devices?
Tom, do you have an opinion on this one?
I do.
So I think one of the most important things to think about is that some of this is just legislation-based.
However, some vendors do actually care about the privacy and security of their users.
Apple's been pretty good about it. Microsoft has actually done a lot of work for this.
Previously, when BlackBerry was still a thing, they were basically number one.
But right now, Apple's pretty much the most consumer-friendly in terms of security for just your
personal devices. They give you a lot of options. They do a lot of stuff behind the scenes to make it
really easy. Your passcode is actually backed by some really, really cool stuff. Your fingerprint
reader on your phone is pretty simple. It works pretty much all the time. So, you know,
that's easy security stuff. The government trying to subpoena the information from your devices is a lot
a bigger can of worms. And it kind of goes back to, you know, the Constitution essentially, like
Fourth, Fourth Amendment, Fifth Amendment stuff. So search and seizure is really kind of up in the air
with electronic devices. You know, this kind of goes all the way back to the 1960s in terms of
personal privacy. In the 60s, the government came up with something called Echelon, I believe. And
you know, that was basically trying to get data to spy on spies.
You know, in the 90s, it was, you know, Clinton trying to do stuff to catch more spies, basically.
And with email and stuff becoming more and more prevalent, they just, you know, put in this giant apparatus to do surveillance on the American population.
So vendors, when they tackle this, kind of have to go, well, what can we do without, you know, taking off the government?
Apple's done a good job of basically saying, no, we're not going to give you the keys to
things. You know, if you want to get into somebody's phone, you're going to have to basically
get around the protections we've put in because we don't want to make something that's
intentionally insecure. And they've done pretty well with that. They've gotten some flack
from some people. So as a layperson, like what precautions are you taking with your own data?
I think for the most part, you know, as long as you use the key code and, you know, any sort of like biometric authentication on your devices, you're in a good spot.
If you don't do any of that, you're kind of, you're just kind of in the wind.
You know, the government has pretty deep ability to surveil you.
So your phone is probably not really going to be the vector they go after the most unless you're sending encrypted messages and stuff.
If you've got signal, they probably want to see what you're doing.
But if they can subpoena you and you don't have, you know, good protection on your phone,
they're going to see what's there.
They can't make Apple decrypt what you've got.
If you've got an Android phone, you're much less well off.
So it's really just, you know, legislation and, you know, using good technology. I believe the Pixel 8 or the, what is it, the new Samsung phone has some pretty
neat stuff built into it that's got good security. What about you, Leah? Do you do anything in
particular? I'm actually, so I have an iPhone and I have some little paranoia things. Like I know how to
turn off the phone. So if I was like panicked. So I do, I actually just got the iPhone 10. So I have
the facial recognition.
But I've always had, I always tend to get the latest iPhone.
So I had the touch ID as well.
And the interesting thing is I think it's much easier for law enforcement to access
your phone via touch ID, like you're saying, through touch ID or facial recognition.
But the nice thing Apple does is if you have three failed attempts or if you shut off
your phone, you have to reenter your passcode.
And that's much harder for them to access.
So I've practiced like powering down my phone.
I tend to only put one of my thumbs in the thumbprint so that if I needed to, I could use my other thumb and just pretend like, oh, it's just,
I'm nervous.
It's not working until it locks me out.
I don't know.
Is that all weird and paranoid?
That's great.
I feel like it's the price you pay.
It's like the trade-off for using some of the convenience features.
Yeah.
But what about on the company side?
So at Breaker, how do you guys think about security?
Sure.
That's a great question.
So we basically follow sort of standard web service practices.
We have an API in the back end, on the front end basic iOS stuff. So a big thing for me is keeping private data in the keychain, as an iOS developer, and not in any other local files, especially not in NSUserDefaults or putting it in the Info.plist file. Don't put stuff in there. You can unzip an app directory to look at anyone's Info.plist, which is great.
I actually use it to find out what other apps are doing for certain like Apple-specific settings
because they have like these weird configurations that you can do for like interoperability with other apps.
And it never seems to work.
I would just, like, download people's apps and unzip them and look at their Info.plists.
But yeah, yeah, just making sure that as an app developer, when you're storing sensitive data,
such as passwords, usernames, any PII, personally identifying information about people,
that you are doing so in a thoughtful way.
And, you know, I think there are a lot of best practices about this.
And I'm not, I don't want to go into all of them, but it's pretty easy to just Google
and find out what they all are.
And just to be aware of it, just to know that you have sensitive data and power.
And to be really aware of that you have a responsibility as an app developer to protect
that data.
And for actually, it was interesting.
I was thinking about cloud services and the government accessing cloud services.
And my last job is at Dropbox and a lot of other companies do this as well.
They publish all of the requests from the government.
So the legal team publishes them all online through like a disclosure report every year.
So you can see what gets asked for.
But yeah, and it's part of the most companies today who are behaving well don't want to be overly generous with providing data to the government,
but under certain legal conditions, it is necessary.
But making that all very transparent to users when you sign up for a service,
knowing sort of how they deal with government requests.
Cool.
Well, let's go to Brady's second question then.
So he asks, why is auth tech changing every few years?
From YubiKeys to two-factor auth to thumbprint to face recognition,
what are we optimizing for?
Speed and reliability or security.
What's next?
Or just what's cool?
Yeah.
Honestly, like the Face ID thing, I think I like the Animoji, like the making animals talk.
And yeah, I think I like that more than the actual security part of it.
But yeah, it's a tradeoff between convenience and security, right?
So I think a lot of these new technologies coming out are for convenience.
I always hear Tom thoughts on these things, too.
I mean, all this stuff is actually really old.
It's just the thing that we're actually using it now.
Like I went back and looked and two-factor auth, you know, kind of started with one-time passwords.
That stuff was originated in the 1880s.
So, like, it's really not new.
Really what it is is people are becoming more aware of their own security.
They want to make sure that, you know, whatever personal data they have doesn't, you know, get out there.
Like most people have really terrible passwords.
And they're sort of like, oh, okay, even if I have this terrible password, you know,
if I use this little thing, it'll keep my personal data safe.
And I think that's good.
I mean, I don't think that, you know, the way that we implemented is necessarily, you know, what matters.
I think it's just the fact that people are using it more and becoming more aware.
You know, I think speed and reliability are really important.
When you look at what's available, I think if you go back, like, I have a laptop from the 90s that has a fingerprint
reader on it. We never really used it. But it was the thing that you could use. It worked pretty
well, actually. You know, now there's just, it's more ubiquitous. There's more, you know,
multifactor auth and things. I think, you know, looking forward, I think we'll even see probably
like DNA ID. I mean, sensors are getting smaller and smaller all the time. You know, you can
detect so many different factors like humans have, you know, unique chemical fingerprints even.
So you could have something where it's like, oh, my phone smells me or something like that.
Yeah, heartbeat.
Yeah.
Yeah.
Yeah.
What's interesting about this is that like it's not just about two, like we talk about
two factor authentication.
What it really is is multi-factor authentication and having those factors be of different types.
I'm going to try and remember the different types.
But there's something, something you know, something you are like biometric.
And what's the, what's another one?
Something you have.
So device.
So device, biometric and something you remember, like a password.
And so having two different factors, I think, is the key for two-factor authentication.
So like a YubiKey is a device or if you have authenticator on your phone, like an
authenticator app, that's like a device one.
The thumbprint facial recognition is biometrics.
And there's pros and cons to each, right?
So what I find super interesting is I love the convenience of the face and the thumbprint, but what's really nice about the device and something you remember is you can replace it.
So if it were to get stolen, so if someone takes a cast of your thumbprint, it's a lot
harder to change your thumbprint than it is to change your password, right?
Change your face.
So a nice security feature is the ability to change something if you feel like it's been compromised
to make a new password or to change up your device.
The device one is a huge pain in the ass because every time I get a new iPhone, I spend the next like hour switching over all my authenticator keys. It's like, oh my gosh,
it's such a pain. I just did it. Did you read
the post about the mask
faking out the iPhone X?
That's so freaky. Yeah.
Have you tried to replicate it?
Do you have mask making materials
we can do right now? Yeah, but it's super scary
because it's not like you're going to change your face, right?
So having it as a second factor
or having that is the, I guess it's the first
factor, right? It's the first protection. But having
the passcode as the backup for that is
super important. Okay. Something that you can change, right? Yeah, I've just been wondering if there's
like a line for you guys where you're like, you know what, face ID, I'm good. Like, I don't need this
right now because I'm going to like, just like you said, there is a point at which if someone hacks you
or figures out a way or some exploit, it's open forever. Are there a certain light, like, or is the
convenience also for security minded people just so high that you opt into it? I love the convenience.
So I'm a big 1Password user. So I don't, I don't actually know any of my passwords that are set in my 1Password. And now it's two taps, I think. You tap once on the
button that says, look up my password and it does the face or wash recognition on one password.
And then you tap the password that you want to enter. It's just because it knows what site it's
on or whatever. And it's just so fast. It's just tap tap. Whereas, you know, I've been using
password manager for ages and it's such a pain to switch apps, like get the password, copy it, paste it in.
So it is, the convenience is
phenomenal. But what is
the risk? I hope no one takes a mask
in my face.
Do you
use any two-factor
devices or
biometric stuff?
Yeah, I mean, I
well, I don't do as much
data center stuff anymore, but, you know,
I've definitely done a lot of the biometric
auth stuff.
Funnily enough, a buddy of mine was the
first person to break the touch ID on the iPhone. He also recently published something about
the guys who did the mask thing. What do you mean by break? You like copied someone's
fingerprints? Basically, yeah. I mean, there's a few things that Apple did to try to make sure that
there's some liveliness and some other stuff, but, you know, it's hardware at the end of the day.
So it's not, you know, it's a little fallible. But it's not bad. Yeah, like there's the setting on the facial recognition where if your eyes are closed,
it won't read your face,
which is really,
because I assume that's like,
to protect yourself,
you could just close your eyes.
It's so obvious.
It's not like the left thumb,
right thumb thing that you're talking about.
Like,
if you show your phone to your face
and you close your eyes,
someone knows that you're trying to fake it.
I guess,
but I guess did you guys know?
I mean,
that's a really weird feature.
So someone,
Tom,
asked specifically about YC.
So Rick Deacon asked,
What precautions does YC take to protect data?
So, I mean, we deploy, you know, best practices.
We don't do anything, you know, super, super scary.
You know, we just make sure that we know where our users are.
We make sure that people use strong passwords.
We use, you know, strong encryption.
VPN.
Yeah, VPN is an easy one.
You know, we have some dedicated hardware and stuff
for VPNing so that that is kind of a little harder to, to, you know, remotely get into.
But, you know, best practice stuff, we stick to it.
You know, we do not, you know, have nuclear secrets or anything like that.
So, you know, I'm not worried about someone parachuting in with, you know, machine guns and chainsaws.
You know, our stuff is pretty, it's pretty open.
I mean, if you're a YC founder, your data is well protected.
and we want to make sure that that stays that way.
But, you know, we're not going to, you know, do DNA ID to get into something right.
So, you know, we do a pretty good job of just making sure that everything's pretty buttoned down.
And code reviews, that's kind of the biggest thing.
You know, that's all pretty easy.
Our developers are great.
So we're lucky in that aspect.
Yeah, it's a really good team.
So that helps.
I would agree with that.
Rick also asked another question.
He asked, what is the future of security for startups?
Do you guys have strong opinions here?
I think there's a good trend of people just not reinventing the wheel.
For security, reinventing the wheel is pretty much the worst thing you can do.
I mean, every time we see a big hack, it's because of somebody did something where they're like,
oh, I'm going to be really clever and reinvent this thing.
And like, cool, you know, you forgot this one thing where if you add it,
an extra zero or something like, oh, hey, look, does passwords be clear?
So that happens.
I think outsourcing auth is a really important thing.
You know, OAuth is great, you know, SAML is great.
Most companies don't really need to worry about auth, you know, in that way.
You know, Facebook auth is great.
It's ubiquitous.
It's pretty solid, you know, well-run company.
You know, it's everywhere.
You don't need to reinvent that.
I think, you know, moving forward, like, really it's just going to be what companies need, you know, most startups don't need, you know, crazy military grade stuff. They don't need HSMs. They don't need TPMs even. Your phone has a TPM in it. But like, you know, it's so ubiquitous that you don't need it. So having, you know, something like OAuth just removes the need for really trying to have to build in a lot of security. You know, beyond that, um,
A lot of CI, continuous integration, software has, you know, things where you can just sort of turn on like code checking.
You can do, you know, easy, easy bounce checking.
You can do a lot of security stuff just automatically.
And it's really nice.
You know, you don't even, I mean, most developers do care somewhat about it.
But, you know, when you get the intern in and they're like, oh, yeah, you know, I wrote this great function that, you know, has, you know, one thing in it, right?
Like, they're not necessarily going to know.
Yeah.
So that's why having some oversight is good.
But, you know, frameworks eliminate a lot of these problems.
There's a lot of really great frameworks out now.
I think really now more than ever, there's a lot of just a lot of really good stuff.
Go has some pretty interesting stuff in it, just in terms of, you know, programming level of security.
You know, I made the joke the other day that, you know, if you need random numbers,
the best way to get them is to use a language that doesn't have any sanity checking in it at all and a new developer.
Because they won't even know that they need to do memory management.
There's something already there.
And Leah, would you advise the same thing?
I totally agree with Tom.
I think when you're looking to build a website or an app or something,
to use best practices is the way to go.
And these things are sort of open standards and open protocols for a reason
because large teams of people work on it.
So I worked on OAuth, the first version, which is maybe not as good as subsequent versions, but worked on the first version.
But it was a large team.
I'd say at any given time we had 20, 30 people working on different parts of it.
And I'm personally not a security expert.
I'm a security hobbyist.
So it was fun to work with folks from like Google, Yahoo, Mint.com, like financial institutions,
who definitely had more at stake in terms of rather than I was working on a social network
at the time a little less at stake than financial data. But it was nice to have them sanity check,
especially all the algorithms for hashing and to make sure that like we were kind of doing
things in a way that could protect against known attacks, things that people knew were like,
you know, vulnerabilities and vectors. But nowadays, like as a just an app or web developer,
you don't have to think about any of that, right? Like to use Facebook login, it's like you
download an SDK and you like follow the instructions. And it's,
just works and it's secure and fantastic.
And let Facebook deal with it, right?
Like, it's really great.
But that being said, I do think there is still room to innovate on sort of the user
experience side of security.
So that's when we talk about things like Face ID or like sort of new.
What can we do now that we couldn't do, you know, 10 years ago, that we would have liked
to, right?
So some of that stuff is fun to play with.
I'm really interested.
So after working on OAuth, I'm still really interested in sort of like user login and all of the, especially preventing against targeted attacks is like one of my like fun hobbies.
And so some of the stuff you see now that I'm super interested in is when you log in on a new device, that you get an email about it, if your password changes that you get notified, how do you prevent, you know, someone changing the email address and changing the password at the same like too close together?
Some of those things are just like product things to think about like if you're developing a product
that you need to be secure like what can you do in the case of both sort of just general attacks
to get data from your database or the more like targeted attacks which is kind of I don't know
why that's interesting to me I just find it like fascinating especially in the age of like
Instagram celebrities and things like I think it's pretty interesting and and people in
general aren't super good about security so how can we
as app developers protect someone in the case that they do have a terrible password.
Well, I think you saw it, you know, with people porting phone numbers for crypto stuff in particular.
Oh, my gosh.
Those are giant.
Those are horrible.
It really brought to attention how bad the cell phone companies were prepared for multifactor
authentication.
Like, I don't use my phone for multi-factor authentication.
I would highly recommend against it.
You mean SMS?
Yeah, not using SMS or phone calls or anything like that as a factor.
So you use Google Authenticator?
Yeah.
Yeah.
Or a similar application.
There's like Authy.
There's some other ones.
They're pretty good.
Okay.
Hmm.
Or YubiKey or, you know, any of them.
A million.
There's a lot of other options.
I just, you know, like when you're relying on someone who gets probably paid minimum
wage to sort of like be phone support, I don't know if I would be counting on that.
No, totally.
And do you have crypto thoughts in general?
So say if I told you this before the podcast, Tom.
I get a name wrong every time.
Seifulahi asked, what are the most recent security concerns in crypto?
Or cryptocurrency, just to be clear.
I think really it's just, you know, it's new.
People are getting used to it.
You know, people are sort of inventing their own languages to go along with them.
You know, what we were talking about earlier with Ethereum the other week,
where somebody kind of deleted a really important function out of a contract.
You know, that that stuff will happen and, you know, people will just, you know, take that lesson and move on.
I don't think cryptocurrencies are necessarily more or less secure than anything else.
I mean, cash, if you leave it on a table, somebody's probably going to walk off with it.
You know, we saw a lot of early Bitcoin stuff go away because people were using, like, horribly insecure hosting stuff.
You know, hopefully people don't continue that, but I'm sure it will.
I mean, people leave their wallets with, you know, passwords of like one, two, three, four on their laptops.
Some people will, I have seen wallets stored on public anonymous FTP sites with like a password of like one.
You know, it's like basic stuff.
Yeah.
I mean, you know, you can't protect users from themselves, really.
I don't think crypto specifically has a problem.
I think it's interesting to see how people are using it.
I think it's kind of nice that you can have it be so ubiquitous.
And it sort of brings power back to the people who use it a little bit versus with cash.
You're like, oh, central bank, you know, you have to do this.
But I'm not a crypto libertarian on this issue at all.
Yeah, I actually, I'm fascinated by, I love the blockchain as a technology from like a database ledger kind of perspective.
And actually, I have a podcast to recommend since I work on a podcasting.
There's a show called Invest Like the Best, and they have a three-part series called Hash Power.
And it's on the technology behind the blockchain and Bitcoin.
And also investing.
And I think they have a couple other topics that they cover, sort of like kind of a broad look at everything to do with cryptocurrency.
And I loved it because I knew sort of the general idea, but I didn't know like the history
or like so much in depth about it. But it was excellent. And what is interesting to me
personally is distributed versus centralized systems and how they play out. I feel like the
blockchain is the first really distributed system we've seen become quite popular in recent
memory. I mean, the internet itself is a large distributed system. So I can't say it's like the only
really interesting distributed system. But what we've been seeing with the internet is a centralization.
Like we've been seeing centralized powers, especially with the large tech companies now,
really consolidating, right? Like Facebook having eight of the top 10 apps in the app store, right?
So like large amassing a power in user data with very few companies. And what's interesting to me
about the blockchain is taking that back a little bit. And there is some centralization around the blockchain. Like there are like mining conglomerates. There are services that
will host and store your data for you. So cloud services instead of using like a physical device
to store your private keys, you could use a cloud service. And what's interesting about that is like the
insurance factor of it. So when you think about like banks and how your money is insured, seeing these
companies come up with like, now we're going to insure cryptocurrency. And it's like, ooh, this is
interesting, right? It's basically like rebuilding a banking system built for like the internet age.
It's really, it's super interesting. And I'm not sure how it's all going to play out. And I agree.
Some of the biggest security concern right now and say the number one is user error, right?
I totally agree with that. I think that that the fact that it's decentralized kind of protects
against a lot of like fraud or malicious intent by centralized power. But it makes it really hard to recover your data if anything happens.
Yeah.
So it's fascinating.
Yeah.
So, I mean, it's kind of like measure twice cut once before you send someone a bunch of Ethereum.
Yeah.
This has happened a bunch on just private slacks around ICOs.
People post fake, like they'll steal the avatar from the creator and create an account in that slack and then post an address like a minute before the ICO would happen.
And it's just like, this torrent of money.
flows to them. And it's all a scam. And it's like, there you go. Gone. Yeah. Oh, wow. Yeah. Yeah. Just be very careful. I don't know. I have no
idea how one establishes trust with cryptocurrencies other than by using centralized systems.
It's very difficult. Yeah, I don't know. Well, you did mention podcasts and we should talk about
podcasts here. So let's jump up to Kat's question. So Kat Manalac, partner at YC, threw a question out.
Let's start with the first part. What are your favorite podcasts?
Oh, that's a great question. And actually, my big thing is, I want to just put a plug for Breaker here. You should follow me on Breaker. And you can easily see what my favorite podcasts are. What's great about Breaker is, it's social. You can see what people are listening to. You can see what they subscribe to. You can see what people are liking. You can see what podcast episodes are hot. Actually, I found this Hash Power series because it became popular on Breaker. Got a lot of attention, a lot of comments. And it's not, I normally wouldn't listen to a podcast called Invest Like the Best.
Yeah. But it definitely was an interesting series. So podcasts that don't exist that I wish
did, I think there's like right now on Breaker, it's a lot of tech, it's a lot of startups.
It wasn't that in the early days with a few users. We have more true crime, comedy. So what I,
I guess what I'd like is I personally love storytelling. So I'd like to hear more diverse
stories. So stories from people you wouldn't normally hear on podcasts. I guess that would be
my request. So if you out there are a listener and you think you have something unique to say,
go for it. Before we go further, Tom, did you have a favorite podcast? So don't really do a lot of
podcasts, but I think my favorite sort of equivalent of that is called The Life of Boris.
It's about this, you know,
a Slavic, like, YouTube dude
who, like, posts, like, videos
and, like, does a bunch of Q&A with his fans.
It's, uh, it's pretty funny because it basically, you know,
harkens back to a lot of the sort of Cold War era stuff.
Um, it's, it's kind of fun.
It's, it's pretty goofy.
Um, you know, he talks about all kinds of stuff.
Like, you know, the gamut of, like, video games, cars, you know,
cooking. I learned how to cook a bunch of Russian stuff from it. So like, I kind of like that kind of variety. But otherwise, I mean, I think the podcasts that are missing for me are just like really in depth, like security stuff. There's a lot more like blogging around that kind of stuff because you can't really show like a breadboard on a podcast rate. But, you know, I definitely would like to find out about it.
So I'm definitely interested in ways that I can find new stuff.
So I'm definitely going to probably spend a little more time with Breaker.
Yeah, I'll second the request for security podcasts, though.
I listen to a ton of Swift podcasts and a couple Python ones.
And I've been less able to find more general security DevOps, that sort of thing.
So that's definitely an area that someone could make a podcast for.
Yeah, I've been so impressed with that breaker search.
That's my favorite part by far.
Yeah, I really like that.
So Kat asked a second question, and she asked,
what mistakes did you make with your first company that you know not to repeat on the second?
And Tom is a founder as well.
So this is a valid question for both of you.
Yeah, I'm curious what Tom has to say.
Yeah.
Oh, mistakes?
I don't know.
I mean, like, let's see, I've been doing startups since I was like 15 years old.
So I've seen a lot of mistakes.
I think one of the biggest ones is just poorly spending your money.
I worked at a startup where we had a shag carpet walled music room.
I'm pretty sure that I knew what else happened there.
You know, we spent ridiculous amounts of money on things.
We bought Napster for like a month.
What?
Yeah, right?
I know.
So, like, acquired Napster.
Acquired Napster for a month and then gave it back.
So, like, there's all kinds of weird stuff like that that happened in, you know, sort of like the early boom, then. You know, now I think money, even though it's pretty easily available to entrepreneurs,
I think, you know, it's still paying attention to where you spend your money is key. Like,
you know, some of the PG's early stuff about, you know, like don't go get an office,
work out of your house, you know. A lot of the YC ethos is really, really stuff that I recommend
people stick to because it's just, it's so easy to be like, oh yeah, I got all this money. I'm going to go get a flashy car. I'm going to go get a nice office. I'm going to go, you know, buy the, buy the best screens and stuff for me.
And then they just spend their time, you know,
derping around on, like, trying to be, like,
whatever they feel like makes them a successful founder,
rather than, yeah, playing startup is,
yeah, playing startup.
Scene stirring, I think, is kind of another good term for it.
I mean, those parties are fun,
but they don't get your company anywhere.
Go to other people's.
Yeah.
Oh, yeah.
Just take the, yeah.
So I'm the opposite.
I'm so frugal.
All of my startups have pretty much run on, I don't know, steam, air.
So, yeah, we're still, even breaker is still very frugal as a company.
But I've definitely had other issues.
My one is sort of the opposite.
It's asking for help.
So going out and trying to build, I think I've always thought, oh, I can build it.
I should just build it as opposed to how do I get other people involved in my company?
How do I have other people care about this?
How can we build something better together?
How can I listen more to users?
How can, you know, and now everything we do with Breaker is super user feedback focus.
It's just what do people want.
Let's just build what everyone wants.
And it's just a totally different approach than I'm building something that I want for myself, right?
And it's been much more rewarding.
Like building things because people actually are asking you for them is just so it's easy to do.
It's a little hard to get over the ego of, like, oh, there's a bug here and someone's talking about it, or hey, we don't have this feature yet. I'm sorry. But that's really been a huge, huge change for me.
The other thing is more personal. My first few startups, I struggled with myself as a founder and not really fitting the mold of what I thought a startup founder would be like. Same for a developer. Starting off even as a developer, like, I used to get these programming books that were like "developers like us," and they'd have pictures on the front that look nothing like me.
I don't know.
So it's figuring out, and it's not just like the way I look, but it's also my personality.
Like I don't feel like I am a startup founder.
But that is also sort of coming to terms with that. Like, I have this mantra every day that I get up and I say: I can only be the best person that I am.
Like, sort of be true to myself, and that I don't have to be exactly like Steve Jobs or Mark Zuckerberg or Elon Musk, right?
Like, that's never going to happen.
I would say that's also a good thing.
Yeah.
Yeah.
Yeah.
But, you know, there are definitely like a wider variety of founders out there that
don't get as much like glory in the press and the media that are still phenomenal
founders running huge companies.
Just maybe less exciting than.
Yeah.
Or just like less flashy.
I mean, it's just chance, and maybe running a business that's not particularly sexy, which is always hard.
So you mentioned user testing. Now that you guys are a little bit bigger than you were during YC, like, giving it to me and being like, hey, what do you like about it, how are you doing user testing at a larger scale now?
Yeah, we have several different ways that we collect data from users. We have just an in-app bug reporting tool. It's kind of the most direct. You can actually just send us an email. If you take a screenshot in the app, it actually prompts you, like, hey, did you see a bug? Do you want to send it to us? Which is great. It's a tool called Buglife.
We use Mixpanel for implicit user testing. And this is actually, I would say, almost more valuable than what people tell you is what they do. So we use it for things like testing retention, doing funnels. So knowing, like, when people drop off in a particular, like, if we want them to take a particular action, what happens that they tend to not do that? A/B testing. So we actually, we don't do a ton of A/B testing, but we do, with things like search and discovery, do more A/B testing
and sort of like what do people actually want here?
What are they actually tapping on?
What are they listening to?
What gets them excited?
So those are probably our two biggest tools for collecting user feedback.
We are starting to do more like user experience testing.
And we're about to send out our first like survey, which I'm always a little bit like,
oh, I don't know if I want to set up a survey.
Like I like that people reach out and give us like feedback directly.
We get a lot of email feedback.
Have there been any surprises in the product you designed and how it ended up being used?
Oh, yeah, definitely.
I'm trying to think of a good example, but there's stuff every day that just, you know, the way that I use a podcast app is not the way that everyone else does.
And we've sort of in our mind have this ideal user of who we want to be a breaker user.
And it's not like a hardcore podcast listener.
We're not on the extreme of the spectrum like you're listening to podcasts all day and you're very fussy about your settings.
But on the other hand, it's someone that we want to be more long-term engaged with the product.
So it's not just someone who's going to drop in and listen to one episode.
We really want to get people into podcasting and get people into listening to podcasts the same way that you would like watch Netflix, right?
Like we want people to be as excited about a new episode of their favorite show as a podcast as they are the next episode of their favorite TV show, which is exciting and really fun.
And I think there's a lot of room for a podcast to grow to really fit that.
And I hope that Breaker can be part of that.
Like the whole industry of podcasting needs to grow in order for it to be a really exciting business opportunity.
I mean, I think it's $250 million a year now in like ad revenues, which is like tiny considering how much people talk about podcasting.
Yes. Yes. I think there's definitely room to grow. And that was one of the reasons I started Breaker.
I was looking for a market that wasn't saturated, that wasn't, that was growing, but could be accelerated by using technology.
Why do you think the iOS podcast app is so popular?
Because it comes installed on the phone by default.
I know, but Apple Maps is garbage.
And Apple Maps got usurped by Google Maps, right?
I guess it might be better now.
I haven't used it.
Yeah, well, hopefully Breaker will take over and be that.
Yeah, this is what we're going for.
It's like, how do you become better than what comes installed on the phone?
And that's, it's a hard problem.
Yeah, okay.
But a fun one.
Absolutely.
Yeah.
And so Backtracks, who's actually our podcast host,
they tweeted at you.
They asked,
what's the most difficult challenge
in podcast discovery?
So I have a very strong opinion on this,
and I will lay it out there.
We do episode discovery,
not show discovery.
And the distinction there is
there are a lot of podcasts
being produced these days
where a particular episode
will really get you.
So it's more topic-based episodes
or story-based episodes.
There's a couple,
there's a few podcasts that are like,
many podcasts that are serialized
formats or have like a longer story to tell. But when we're talking about individual stories,
I think what gets people hooked on a podcast is a good story. It's like watching a good clip of
SNL, right? Like sometimes you just want to know what the good, good parts are. So for us,
we want to highlight the good episodes based on users liking them, listening to them, commenting on
them. And that's what we highlight in Breaker. It's what is hot right now. Not based on like,
so Apple uses editors. They have people who go in and say, hey, you should like this show because we, as Apple editors, think it. Then it's like,
I just want to know what's the best episode right now.
Like what's the one that everyone's listening to?
Yeah.
And so Alan Lee,
so you mentioned Netflix before Netflix podcast.
Alan Lee asks,
I love Breaker.
How's Breaker going to be the Netflix of podcasting in the future?
Alan Lee with the long-term vision,
basically giving our pitch.
So that's sort of what we,
our goal is to become this source of really great content.
what I find interesting is I think that podcasts are getting better in quality in terms of the storytelling and the shows,
but I don't know that they've quite reached the level of the Game of Thrones of Podcasts.
That's when we talk about a lot.
It's like right now we're seeing some of these really good podcasts, but we haven't hit the show.
I mean, we've had Serial, which was a big, big popular show, a big popular podcast.
But we're, you know, and it's really a chicken and egg problem.
Like if we had that show, would it be just distributed across all podcast networks?
Could we actually make money off of that kind of show?
If we had a show big enough.
But is there a big enough audience on Breaker yet to make it interesting to have a big show?
So I think we're kind of taking the approach of trying to gain a large audience using Breaker
and then be able to present them with unique content that is of the quality of something like a Game of Thrones or a House of Cards. I mean, it's a challenge. I mean, even Hardcore History is, like, five episodes a year, and it's him and other, like, staff working on that show.
Yeah, it's difficult to produce, but it's actually much cheaper and easier to produce a podcast than a television show. It's, like, a hundred X more expensive to produce a television show than to produce a podcast, a quality podcast.
Are you working on your own original content yet?
I am not. I don't make podcasts.
I'm definitely on the technical side.
I have much respect for people who are storytellers.
I actually just went to a live podcast taping this weekend or a live podcast show.
They were actually playing back an episode that they hadn't aired.
It was Love and Radio.
I'll give them a shout out.
But it's super interesting.
And I got to talking afterwards about storytelling and how it in itself is a skill.
And I just don't have any time to work on developing that.
But Craig, you have a podcast.
Working on it.
Yeah, yeah.
If you have any questions, let me know.
Do you feel like your strategy has evolved over time, sort of like given feedback from listeners and how have you, how has the podcast changed?
So this is the second podcast I've done.
So the first podcast I did was called Salt of the Earth.
And we interviewed small business owners that were funny.
And it was a great podcast.
I had a lot of fun doing it.
But finding guests was really hard, especially because they're often, you know, just obscure small business owners.
And so not only is that difficult, but then distribution becomes a real challenge.
So that's super hard.
Like distribution across like almost every podcast is super difficult.
So with this one, we do YouTube.
And YouTube works really well.
Aside from that, my stress, like in terms of host style, I don't know what you mean.
Yeah, yeah.
Your approach to how you do interviews, because you both interview shows, right?
Yeah, they're both interview shows.
I've recognized how important it is to control the energy in the room, and as the host, it's totally on you.
A lot of people think, oh, you know, I'll just bring in Leah and Tom, and they're going to be super fun.
This is going to be great.
And you are both super fun, but that's not the case.
Like, you have to, like, have a certain energy about you and keep it going.
Transitioning is always difficult between subjects.
And I think one thing that's maybe obvious to the listeners and the YouTube people is that I introduce people in the podcast rather than having people introduce themselves, because that can be a little, like, it kind of takes the air out of the room if someone's not used to introducing themselves.
Oh, yeah. I guess, would you say that startup founders are better at introducing themselves than Salt of the Earth interviewees?
It's totally sales, right? Like, if you're good at sales, you can really, like, come in and, like, make it super engaging. But more often than not, people are just, like, you know, they're just modest, right? So, like, both you guys are coming in and it's like, hey, you know, like, I'm Leah and I work on Breaker. And it's, it's cool and everything. But the reality is that you have to, you want to get someone hooked really early on in the podcast. And so that's when the energy has to come. So if you start out with, like, hey, Leah, what do you do? Then it's not quite as good. So yeah, I would do that.
We edit the podcast. I think a lot of people are like, ah, I don't have to edit. Like, oh, just go. And I feel, I think a lot of people don't realize how edited a lot of the most popular shows are.
Yeah, I just did an interview on a show called Hack to Start.
They edit them.
I didn't realize it because it has a very natural interview type feel.
So I'd listen to a few episodes and I went on the show.
And so I then could compare what I said versus what came out.
And it's so much better what came out.
Very heavily edited without sounding edited, which I thought was amazing.
And I know you do a little less editing.
Not that much.
Yeah.
Yeah.
I really admire Joe Rogan's podcast because they can keep, like, a three-hour conversation at high energy and fun, and they transition pretty well.
And that's something that I've been trying to get better at doing, but it's difficult, especially
video, right?
Because the continuity becomes an issue if you're just, like, cutting all over the place.
Whereas if you looked at the time and, like, the time something was recorded for the
serial and then like placed it back into the episode, it's all over the place.
Yeah.
And actually, that's something I wish I saw more podcasts do.
So another request for podcasts is to incorporate music, legally, of course, sounds, sort of
exploring audio more as an art form.
I've definitely listened to some pieces that do that,
and it does make a huge difference.
It's not necessarily the best thing for like interview type shows,
but there are shows and stories you can tell
where adding those elements in really helps.
Yeah, I would also say to podcasters,
definitely transcribe yourself because Google is not friendly to audio,
and you want that like index stuff right there.
It's pretty cheap to do now.
Which is actually something we're thinking about starting to do for Breaker, too.
We can get into, like, future ideas.
We have some pretty crazy ideas.
Yeah.
I mean, if you can talk about it, let's do it.
So we do want to eventually transcribe podcasts that are on Breaker, which is pretty much every podcast.
However, right now there's some options where you can pay to have things transcribed either
by a human or a robot to varying degrees of success, but they're fairly expensive and cost
prohibitive for something like Breaker where we have millions of episodes.
What else do you guys want to talk about?
I found a company doing what I did with CryptoSeal in 2011 now.
And like they have more adoption.
It's kind of funny.
They're called EnvKey.
And they're basically doing secret management for app developers.
I love all of the, I think there's a huge opportunity in security to do sort of secret management.
Like, right now, things are just like, oh, put it in an env var or whatever. It's like so bad. And for us, as soon as you have a team of more than like two people,
you need to be sharing all sorts of private information. And with companies, it's like if someone
joins the company, you got to set it all up. If they leave, like, you have to somehow like revoke all
these tokens, right? So it's pretty terrible right now. I think there's a huge opportunity there.
Yeah. I mean, that, that was the thing that we tried to address with CryptoSeal, was that, you know,
we had all felt the pain of managing secrets and stuff like that. And some secrets were more secret than
others.
Yeah.
You know, but, you know, it's still a tough problem.
It's still something that developers hate to deal with.
You know, people still share passwords and like spreadsheets and stuff like that, which,
which just kind of makes me want to, like, hide my head in my hands.
But, you know, there's, there's technology coming out there for it.
I believe Lyft actually, like, published something that's actually kind of useful.
It's pretty interesting.
You know, I mean, like, this is an area where, like, I have a lot of background, because, like, I've got a patent on it all. But, you know, it's, it's interesting to see what
things come back around in terms of security.
But password management still, it's a huge problem.
Nobody really does it all that well, especially for developers.
It's a huge pain in the butt.
So anything that makes that easier, I'm all in for.
So that that's kind of neat.
You know, beyond that, I think, you know, if somebody wants to fund a DNA sensor for your phone, I think that's probably going to be a good market. I know that there's
some companies out there doing some more sort of weird like bio-aware sensors. And I think that'll be,
that'll be pretty interesting. If you look at, you know, the last five years with people
paying attention to all their sort of personal metrics and stuff, like everybody's got a Fitbit,
everybody's got something that, you know, tracks whatever, their steps or whatever. I think
that stuff is going to be pretty interesting.
It's going to get more in depth.
In five years we'll probably have a scale that'll be like,
oh, you should probably cut out eating this,
or you should eat more this, or something like that.
I think we'll see some pretty interesting consumer technologies
come out of weird, potentially security stuff.
So if you weren't working at YC, what startup would you work on?
Or start.
Start.
I mean, I definitely think that there's a lot of room for more
security stuff. I think there's a lot more things that can be done with, like, end user metrics.
If you go back and look at, like a good example for security is DDoS. It's still a thing.
Like, it's been around forever. You know, the first big DDoS I remember was against eBay in like
1997 or something. That's 20 years ago, right? So this is still a problem. They're just getting
bigger and bigger and bigger. You know, my current, you know,
method of mitigation is telling people to go get Cloudflare. It's the simplest thing. You know,
I think there's going to be more stuff in that space, especially as people, you know, start
publishing more interesting things, you know, I kind of think that the internet's still in its
infancy in a way because, you know, yeah, Facebook is kind of like micro blogging for everybody,
but it's really not. It's not that ubiquitous, you know, people, you know, Instagram actually is
little bit more ubiquitous. People, you know, take pictures of their food all the time. And like,
then, well, that's kind of whatever it is. It's, it's interaction. I think we'll have people
doing more sort of like lifelogging kind of stuff. And I think when we see more of that,
we'll get a lot more interesting perspectives on people. Yeah, yeah. I love this thought. And I love
that you're getting into sort of like biometrics. And I love passive sharing as a concept. And there
aren't very many apps currently that do it. So people say, oh, could there be another social
network? And something I'm fascinated by and haven't seen it done super well is like, so, so for example,
breaker and like things like Spotify tell you, you know, what you've listened to and show other
people what you've listened to in the past. And it's like a passive behavior, not like intentionally
sharing that. But there was for a while, I think Path did some really interesting stuff with
passive sharing. Sort of if you had sort of these monitors turned on, you could sort of publish that.
Right now, a lot of the health data and sensors, even things like Fitbit, aren't extremely social.
You can kind of see other people's step counts,
but they're not everything that you could potentially be sharing.
But it's like it's questions of so what is interesting to see?
I'm like kind of a lurker.
So I love like my favorite part of Breaker is like seeing what people listen to.
I'm like, ooh, so and so listen to this episode.
Oh, that's so interesting.
Is there incognito and Breaker?
So we're actually really discussing that pretty heavily right now.
We've had a lot of user.
So when we were very small, we didn't get as much requests for privacy.
And now we're getting a lot more.
And so we're figuring out how we want to do privacy on Breaker right now.
So if you have thoughts on it, send us an email.
All right.
What's your email?
Are thinking about it.
Feedback at Breaker.
Okay.
You send it to feedback.
I actually see every single email that goes to feedback.
I don't think it's like going into like a black hole.
Like we actually do look at that.
So if you have thoughts on how you want privacy implemented, we really want to encourage
people to share what they're listening to.
And passive is the easiest way to do it.
Like, you don't have to think about sharing it.
It's not, not tricky.
But then it also, there's this level of comfort.
Like, how comfortable are you with sharing that?
Like, I remember getting a streaming music for the service for the first time.
I actually used the audio.
But, and like, having people see what I listen to.
It's like, oh, my gosh, I'm like, I don't care.
I listen to Hansen's Christmas album this winter.
No big deal.
Oh, man.
And if you weren't working on Breaker, do you have thoughts on a startup you might be into?
I actually would probably work on an open source project. I'm fascinated with the idea of, right now there's a lot of, I'm going to sound really trite saying this, but, like, mobile and web development are pretty separate. I'm fascinated by projects like Swift on the server and React on the device. But I think they're a little too idealistic still. Like, I think I would want to work on practical reusability and frameworks. And I love Swift. So I'd love to get involved with what IBM is doing with, like, Swift on the server. So yeah, I don't know. That's not super exciting. I'd go a little bit more back to, like, my open source roots and work on. I'm, I've never built a framework or worked on a language. And I would love to do that at some point in my life.
Yeah, totally. Cool. All right, guys.
So if someone wants to get into security or building podcatchers, what would you recommend?
What should they check out?
There's honestly not a lot of stuff out there.
You know, I used to tell people, oh, you know, if you're really then interested, go to DefCon.
That's not really a great idea because it's just not.
It's fun, but, you know, the amount of learning you might get done will probably be erased by the amount of partying you do.
So, you know, I think just, you know, try to, like, read through blogs and stuff like that.
You know, honestly, Hacker News has some pretty good, you know, security stuff to get submitted to it.
Yeah, Hacker News is a great resource.
Capture the Flag activities have been super fun.
Like, that's kind of how I got a little more into it, was trying that.
I'm still terrible, by the way.
I'm no good at Kappa.
It's like a little bit beyond me, but that helped me learn some of the techniques and some of the common exploits.
And they start to follow that.
I don't know.
How close are things that you do in a capture the flag event to, like, real world security issues?
It depends upon how well they were set up.
I guess I won't really totally go into my heavy background.
But like there's a lot of stuff that you can simulate pretty easily.
There's a lot of,
there's a lot of hilarious technology that's still around from like when I was a kid
that people were breaking into left and right.
And you just laugh.
I think a good way to see that kind of stuff is really,
you know, I mean, you know, if you want to go into the weeds, you can look through
Shodan and find something kind of interesting there and then start to, you know, read up on
how it works. You know, the IoT security is going to be, like, a really big thing, and getting pieces of common IoT equipment is pretty easy. You know, it's, like, maybe, like, 10, 15 bucks.
You can get a little programmable computer essentially and start poking away at it.
Um, like, I, I dug into MicroPython and, like, submitted some patches and did some cool stuff with some boards and, like, had a lot of fun. You know, it cost me 10 bucks, maybe. So you can get started pretty easily doing some of the basics.
You know, if you're looking for, like, ways to learn how to exploit stuff, I mean, you know, that you can Google. You can actually, uh, insecure.org has some really great, uh, mailing list stuff on it. You can sort of see what's, what's new. You know, looking through new CVEs is kind of an interesting way of learning about stuff.
There's really not a great way to get an intro aside from like having somebody kind of mentor you or essentially breaking the law right now, which I do not recommend.
Yeah, I was like, oh, capture the flag.
You're like, oh, breaking the law.
Yeah, it's like, I'll take you one step further.
Do you have any favorite last questions from podcasts?
Okay, is there anything, any common philosophies in software development or security that you disagree with?
I mean, there are some sort of old school methodologies of things where it was really kind of security by obscurity.
And like that stuff is just, I mean, it's BS basically.
You know, I think if you're, if you want to be like a good software developer, like you have to, you know, be good, good at, you know, the tools you use regularly.
You know, I know, like, I think like three or four programming languages.
I don't think that's really super useful advice.
I know LOLCODE.
You know, I know some pretty silly stuff.
Doing esoteric stuff is not recommended on either side.
So I don't think I can think of like a methodology that would be good or bad.
I think some people rely a little bit too much, maybe on like,
source code control.
I feel like
maybe the Git security model
is pretty bad
when you compare it to some of the older stuff,
but the usability you get out of it
is way, way higher.
So I don't think those things
really go together.
I don't know.
Yeah, I think I'd just fall on the
on the side of being really good
with your tool rather than always looking
for the newest tool.
Because that's just, it's been tiring to me, with my, like, limited experience as an engineer, where it's like, oh, you have to use this language or this framework or this thing. And just, like, how about we just get really good at Python? Or, you know, choose your, choose your tool. But yeah, that would be mine.
Yeah, how about you?
That's a really good one. Um, oh man, I just had some, and then I just forgot them all. That was such a good one. I love it.
Yeah, yeah.
All right, thanks for listening. So, as always, the video and transcript are at blog.ycombinator.com, and if you have a second, please subscribe and review the show. All right, see you next week.
