
#93 Matt Holland: Zero Day

2020/9/29

The Knowledge Project with Shane Parrish

People
Matthew Holland
Shane Parrish
Founder and CEO, focused on cybersecurity, investing, and knowledge sharing.
Topics
Shane Parrish: Stresses the importance of cybersecurity; even small companies are targets, and he advises seeking professional help. Matthew Holland: Analyzes the current state of the cybersecurity industry in depth, pointing to problems such as over-selling and a lack of holistic solutions, and gives a detailed reading of ransomware, zero-day vulnerabilities, and the attacker's mindset. He argues that an effective cybersecurity solution must cover both the network and the endpoint and be able to iterate continuously to keep up with constantly changing threats. He also criticizes the exaggerated marketing and sales language common in the industry, such as "next-generation" technology, and recommends that customers choosing a solution focus on how the vendor protects the company's data and what the contingency plan is when something goes wrong. Matthew Holland: Shares his experience working at an intelligence agency and founding Linchpin and Field Effect. He explains in detail how attackers analyze targets, exploit vulnerabilities, and carry out social-engineering attacks. He also discusses the security differences between Android and iOS and how to respond to zero-day attacks. In addition, he touches on hot topics such as Huawei and the Snowden affair and gives his views on them: he believes Huawei lacks a basis for trust and that its technology may pose security risks, and that Snowden's actions, while they exposed some problems, also caused serious harm.

Chapters
Cybersecurity is crucial for businesses of all sizes, as even small companies are targets for cyber attacks.

Transcript

It's that going to the doctor scenario when you have a pain. You don't want to necessarily find out what it is because people are naturally averse to bad news. You can't be like that with cybersecurity. If you don't have a cybersecurity vendor, if you don't have a company helping you out with that problem,

get on it. Everybody is a target at this point. Your company is not small enough to be off an attacker's radar. I have seen five person companies, actually I've seen two person companies attacked and hit. So, you know, my advice is don't be afraid to ask for help.

Hello and welcome. I'm Shane Parrish and you're listening to The Knowledge Project. This podcast and our website, fs.blog, help you sharpen your mind by mastering the best of what other people have already figured out. If you enjoy this podcast, we've created a premium version that brings you even more. You'll get ad-free versions of the show, like You Won't Hear This, early access to episodes, transcripts, and so much more. If you want to learn more now, head on over to fs.blog slash podcast or check out the show notes for a link.

This week I'm talking with Matthew Holland, the founder and CEO of Field Effect Security. For the past decade, Matt's been the guy that every three-letter agency in the Western world has called when they have a problem that they can't solve. Before Matt started Field Effect, he enabled allied governments to pursue their lawful mandate.

This episode is all about cybersecurity exploits, hacking and defending. And while this is a world we all hear a lot about, rarely are the people talking as knowledgeable and informed as Matt. In fact, I'd say he's one of the top three in the world at what he does.

Let's dive into the mind of an attacker, what's possible, and what questions you should ask your cybersecurity vendor. Along the way, we'll talk about Snowden, what it's like to work at an intelligence agency, and of course, Huawei and national security. It's time to listen and learn.

The IKEA Business Network is now open for small businesses and entrepreneurs. Join for free today to get access to interior design services to help you make the most of your workspace, employee well-being benefits to help you and your people grow, and amazing discounts on travel, insurance, and IKEA purchases, deliveries, and more. Take your small business to the next level when you sign up for the IKEA Business Network for free today by searching IKEA Business Network. So I've known you since...

What, 1999 we met? 2000? Yeah, around then, yeah. That's crazy. Yeah, world. We used to work together at the intelligence agency. Yep. And then that was the most insane period of time ever, right? We're in this small team, September 11th happens, the world forever changes. Our team works nonstop for effectively seven years. Like I don't remember...

any of us having vacation from 2001 to 2008 other than like a random Monday or something. Yeah. I mean, firstly, I think like vacation is probably largely overrated just cause I'm a workaholic, but yeah, no, it was a really neat way to, to start. Uh, I mean, our career is, you know, just a year or two apart, but yeah,

It was definitely a very interesting experience being thrust into an environment where everything you do contributes much more than you would ever think. Because coming out of university, you want to get a job with a good salary. All of a sudden, you're, in our case,

We're doing things that actually matter to the country, that have a very significant outcome. And it's like going from zero to mature very, very quickly. Overnight. Yeah. Yeah. I remember one of the first meetings I had with you, we were trying to figure out how something worked. And I stood up, you know, in my university sort of bravado. And I was like, oh, I'll tell you how this works.

And then I spent like 30 seconds explaining this thing, and then you looked at me and just deadpanned, like, "You're absolutely wrong. Here's how it works." You stood up, and for 45 minutes you worked through, like, every instruction that happened in the operating system, and I was just blown away by your level of knowledge. I mean, that's kind of you to say. There's probably a factor of, uh, blown away at how much of a jerk I was in the process of that, which

I'd like to say has changed, but probably not so much. But yeah, it was, it was a really, it was cool. I think the environment that we got to work in was learning from people. The, you know, for me, that, that time in my life really defined what a good team was. You know, when you learn something, you share it with other people in the office. I remember, you know, there was five or six of us in particular at one point where it was a very large research group.

focused group. And anytime you learn something or I learned something or one of our colleagues learned something, it was a really neat discovery. But we took the time to educate each other. And I think what that fostered was a team that, you know, a level of trust that I had never experienced in my life. I remember, you know, entering that team being massively humbled and

And, you know, once the ego got dealt with and you could really jump into that environment, it just, it catapults one's growth. And I still look back to those times and consider myself extremely lucky. And I guess always acknowledge that that time in my life largely defined who I am today.

I want to come back to that in a second. I remember it is weird to hear you say sort of like you were humbled. You are literally the best in the world at what you do. And we're going to come back to that throughout this interview. Is it drinking whiskey? You're pretty good at that too.

I remember showing up, like you used to drive me all the time in your Mazda. What was that? It was MX-6, buddy. That was the... Smelled like toffee nut latte. Yeah, no, that was the dream cybermobile. We spent a lot of time together. What made you leave? So I reflected on that quite a bit just because I get that question often and I don't think I've ever really had a good answer that wasn't necessarily immature. The ultimate reason I left...

was because I saw a limit to what I could grow into and what the vision of the group I was in achieving was. Like there was a ceiling arbitrarily put on top of that. And I'm the type of person that I don't work well when somebody says, this is as far as you can go, or this is what we're going to do, regardless of what the evidence or ideas or good ideas, bad ideas, whatever.

That stopped and it was not an environment that I said, I can grow here anymore. One of the big indicators of that, which you'll probably laugh at this, but there's a management competition. I screwed up the entire interview, but it was the same problem where somebody would ask, the interviewer would ask me a question and rather than give the answer of,

I would build a team to do this. I would request funding to do this. I would reach out to universities to bring them into the fold. So that's the answers they wanted to hear. What I gave them were the technical responses to the questions they were asking. So how would you solve this problem? My answer was, well, I would do X, Y, Z. And then I would do this. You didn't play the game. No, it was just I answered the question.

And I think that was the first time it really dawned on me that I probably don't fit into the mold that they were looking for. So I think that's when I started to, I guess the ball started rolling on my departure. I remember it changed probably about eight months before you left. Like it started to get more, I don't know. I don't even know how to word this. Like when we started, it was like,

very fast moving. We had a lot of authority, a lot of control, a lot of decision making power. And then slowly, as we became more successful, the irony is that sort of became less and less over time. Yeah, I remember having a conversation with one of our mutual colleagues at the time. And I remember being very irritated about the arbitrary handcuffs that were being put on our ability to innovate.

I remember a contentious time that you and I actually stood up at a town hall and got in a giant argument with a director. I remember that, yeah. Stu, if you're listening, we're sorry. And it was very frustrating. And I remember that colleague saying, this is just part of business, man. Once you're part of a group that does something really good and people take notice and they want to turn that into a larger part of the organization. And with that,

comes what you're seeing now. You know, formalized: you can't work more than this, you have different reporting responsibilities. And, you know, at that time I just, I just wanted to innovate. I just wanted to come up with new solutions to the problems that operations were running into. You know, not being able to do that in its raw form was extremely frustrating. So you left, and we, we can't talk about what we did there, but we can talk about what you did right after you left.

And so you started Linchpin, and you had an unconventional sort of way of starting that company, which is releasing privilege elevation to get some attention on Microsoft. You want to talk about that? Yeah. So that was a funny period. So, you know, at the time, my business partner and I, we thought, you know, how can we make a splash? Because when we left Microsoft,

Our intention was to augment the world that we left with, I guess, a privatized twist on things.

So we thought about, OK, how can we really stir things up a bit? And at the time, Microsoft was releasing mandatory driver signing as part of Windows Vista, which is showing our age right there. And there's so much hype around it. And the way it was being advertised, it was going to be the silver bullet to stop all malware, to stop anything bad that could be happening.

And anybody who has spent any time, I guess, on the offensive side of the house, you know, was looking at that and saying, no, that's bullshit. Yeah, it'll make things better. But it's not going to be the silver bullet that everybody thinks. So we said, all right, well, why don't we just do something kind of funny and, you know, show them. So what we did was we wrote a tool called DenwipActive. The name of the company was DenwipActive, which is Vista Pooned.

in reverse, you know, got a signing certificate under this fake company, legitimately registered, fake in reality, and released a tool that would load. It was a signed component that would load an unsigned driver. And it was not to do anything other than show how easy it is, with the most simplest, goofiest approach, to get around this problem.

And so at the time I was in Australia with my business partner starting things up. We were working out of a closet, really kind of a ragtag setup to start. And at the time there were people being arrested for violations of the DMCA, the Digital Millennium Copyright Act, which...

you know, back at that time was a really contentious thing because it was changing what people could or could not do with computers. And it was, it was a really big deal. So when we released that, um, some people were like, Oh, that's kind of neat. And other people are, you know, one person in particular was like, this is a violation of the DMCA. You should be arrested. Um,

PS, it's not really that cool. I'm going to go and release a tool that actually exploits ATI drivers and NVIDIA drivers and then basically does the same thing. But I've done it a lot cooler. So take that, Linchpin, ha-ha. And in reality, that was... I remember that guy. Yeah, that was so much worse because... And I don't know if it actually resulted in the revoking of ATI and NVIDIA's signing certificate, but it was something that...

To us, it was stupid to say that we were violating the DMCA. And two, the response was just so much unbelievably worse. And it was a very weird first few months of the company. Do you ever miss working at the intelligence agency? I miss people. I miss a lot of really good people. They're amazing people. It's very underrated. People think that all government employees are lumped in the same...

same group. They're not, as we can both attest to. Yeah, so I miss the people. I miss having firsthand exposure to the mission. You know, I think back to some of the things I got to see and be a part of that no one will ever know about, and that is really cool. It was really neat being a part of that. It creates memories that I'm pretty sure if I were to run into somebody 30 years from now on the other side of the world in a bar, you know, immediately there's that connection of like, "Hey, we did that. That was really cool."

So, yeah, I mean, I miss aspects, but I don't miss the handcuffs that were ultimately a part of my departure from there. And then when you left, do you ever feel like there was they didn't want you to succeed because they wanted you to come back? Was there a part of you that felt like they didn't want to give you contracts? They didn't want to. I don't know if there's any any interest in me coming back. I think there was definitely skepticism as to whether I could succeed or

I'm fine with that. I mean, you know, clearly at the time, my business partner and I were the first ones to kind of make that jump and do that together. And there was a lot of skepticism as to whether we should be allowed to do that, whether we are able to do that. I remember having a departure interview with a Hyatt manager who sat me down and said, you're going to go sell to China. You're going to enable China. And I looked at him in the eye and I said, what on earth would make you think I would ever do that?

that is the most ridiculous thing ever. So, so I think there was a bit of fear that we would enable, you know, adversaries of, of allied countries, which, yeah, I mean, in retrospect, I can understand. I just think at the time it was a, uh, it was an immature view. I remember going to a meeting a couple of weeks after you left and they were like, Oh, we're not going to buy anything from him. And I was like, we're going to end up giving this guy like 50 million bucks a year. I want to say I was closer to reality than they were. Well, I

So the idea of going private was taking the handcuffs off and creating an environment where we put really, really smart people together. Part of our recruiting strategy was immediately going after the best people in the community and taking all barriers out of their way and letting them do amazing things. I want to dive into that a little more because you were able to replicate an entire wing of an agency, if you want to say that,

with 1 20th the number of people and have higher output. How were you able to do that? You just, same people, you just took them out of the environment and what enabled that? Largely removing barriers. I mean, I think that was a big component of it. You know, giving them an environment that they could excel in, which, you know, breaks down into what tools do you need?

do you need to put in a purchase requisition to get what you need or can I just get that for you? That was one of the comments from one person I remember early on when they joined. They're like, "Okay, these are the things I'm going to need to do my job." And I was like, "Okay, I'll be back in 30 minutes and here's your stuff." And the reaction was, "Really? We can just do this?" It's like, "Yeah, go be a genius. Go produce amazing things."

So I think that was a big component. I think making it clear that everything that we were doing was as a team. And I think as an aside, this is one thing I think people who are entrepreneurs sometimes get caught up in that it's about them. It's about their journey. And the way I approach it is, no, we're all in this together. I'm really lucky to have you in the company. And

creating that environment where they knew that they were lucky that I appreciated them and that whatever we do we're doing together. I think it's an empowering message to build a team around. I remember one of the things I took away that I've learned from you is when you started doing that with people and you were like, what equipment do you need to do your job? And you just go out and get it for them and they were astonished by how simple that was. And that's something we do with everybody here too. We just sort of like, what is it you need to do your job to the best of your ability?

There's a downside to that, too, which is really interesting, because then you lose the excuse of the equipment's the problem. If only I had the right tools, I could deliver. There's this subtle undercurrent to it, which is...

I expect you to be amazing at what you do and keep getting better. Yeah. And I mean, I think for some people, sometimes just that belief helps them get there. And so you did LPL from what, 2007? Seven to 18. To 2018. What are some of the lessons you learned about growing that? When you ended, how many people were there? So globally, I'm going to lump in the partner company that we were sold with. But I think for

at the time close to 90 to 100. We sold in 2018, but I didn't leave until December of 2019. I want to come back to that, but what are some of the lessons you learned from growing, scaling, running that company, recruiting? I think one of the biggest things was starting a company from scratch. At that time, I had a computer science background. I clearly had a lot of experience in cybersecurity,

I took some accounting courses and marketing courses in university. So I think there was a bit of a foundation as to, okay, if I remember doing a business plan, because that was one thing you did, you made a business plan. But one thing through the Linchpin experience that I got to have was I got to do every job.

So I got to literally be the janitor. I got to be the marketing person. I got to be the primary salesperson. I remember doing really challenging sales pitches in front of audiences that didn't even want me in the room because I was, you know, stamping on their creative territory. I got to write code. I got to manage projects. I got to be the evangelist in the company. And going from there to Field Effect with that base, I think allows me to really, you know, make decisions that are more informed,

It allows me to, I guess, understand and appreciate all the different parts of Field Effect, which is a much more diverse... But we're going to come to Field Effect in a second. So I think there was that. I think the ability to make decisions and be confident in those decisions, not get caught in paralysis of decision making, that is something that I think at first I struggled with. But over time, the ability to filter out the noise,

and focus on the things that actually truly matter have really helped. So why'd you leave? I mean, right before you left, you're the guy, every three-letter agency and basically the allied world would call when they had a problem they couldn't solve and you would solve it. Why leave?

I was going to make a joke about they ran out of problems, but it wouldn't be funny. They didn't. No, problem's done. All problems solved. Actually, the same reason I think, and this is actually where I think I realized why, you know, the root factor of why I left CSE is it was a similar scenario where- Because you guys got bought. Yeah, yeah. But it was a change in what I could do.

was, you know, I started to see a ceiling on what I could achieve. And it became clear to me that, you know, I was the square peg trying to fit into the round hole because of admissions and more creative things that I thought we could do. And that was actually a pretty interesting experience coming to terms that, you know, I was the square peg in the round hole because it definitely took time to, you know. The hole's not going to change. Yeah, yeah. And you go through this evolution of like,

What's wrong with everybody? Why is nobody on board with this? And then the realization that, oh, shit, it's me. I'm the problem here. And then the appreciation of, okay, okay, understanding why that is. And I think that ultimately made the transition very easy, actually. And it's not something that I look back with at this point with any animosity or anything. It was just part of life. You exited with more than enough to sort of walk away for the rest of your life and-

Just sort of like sit on a boat in Costa Rica and never have to worry again. But there are sharks. They are sharks. But then you start Field Effect. And how many employees are you now? Almost 100. You're almost 100. You're entirely self-funded.

to this point. So you basically took all this money you made and you were like, oh, I want to do this again and I'm going to put it all on the line. Like what went into that thinking? Several factors. I think I really enjoy solving hard problems.

And the current state of the cybersecurity industry, to say it's a hard problem is an understatement. It is an unethical shit show, I would say. And it really bothers me where it's at. So I think there's a large part of me that wants to fix that. There's also the aspect of I'm like ultimately a serial entrepreneur. And I remember chatting with my wife when that transition was happening.

She asked me, like, why are you doing this? And I was like, what else am I going to do? I'm just going to start something else. And it's either, you know, a cybersecurity company that I'm once again running that I believe can change the world and fix a lot of problems, or I can open a coffee shop. Probably going to take the same amount of time. So how about the cybersecurity firm? And how important has she been through this?

She's amazing. I don't think I could ever thank her enough. I think the formula for my success, she is a huge part of that. She is a fun- Because you're a workaholic. Yes. If you could sample what makes her run, who she is, and somehow create a vaccine and inoculate the world, you would have world peace, hands down. And that obviously-

is a strong statement, but she is a phenomenal, anybody who knows her would definitely agree with that. I would agree. She's amazing. She is pretty cool. You mentioned sort of the state of the cybersecurity industry. Talk to me a little bit about that. Where are we? What's it look like? I mean, there's nobody in the world, from my point of view, that would have a better aperture into cybersecurity

not only how things are, how they're sold, but also the attacker's mindset in terms of what you're buying versus what you're consuming and how it's impacting your business. This is the part in the discussion where I get angry. That's okay, we get a lot of scotch. So I think to answer that question correctly,

the first thing we need to do is look at what the cybersecurity industry actually is, because I think it gets muddled. The way the public looks at it, the way it's reported on. It's just everything. It's like a grab bag for... Yeah. So I think there's three groups or pillars of cybersecurity. There's the one, there's the offensive side, which we've talked about the

The ransomware, the intelligence agencies, I say offensive, but it's that traditional hacking, which has largely been glorified thanks to Hollywood. Mr. Robot gets it right, though. I don't know if you've ever seen it. I remember in Swordfish, he sits down like 30 seconds later, everything's... Yeah, no, it's largely horse shit. Isn't that how it works?

With VR goggles, yeah. But if you've ever seen Mr. Robot, that is actually an accurate representation, if you ever are curious. But it is this glamorized thing that is entirely misrepresented, but it is an economy in itself. There's an economy behind ransomware, and they get paid for it. They are successful. There's an economy behind intelligence agencies. That is ultimately what drives that, dollars and cents.

On the defensive side, the second bit, and by the way, the first bit only exists because humans are generally horrible at writing software. So that wouldn't exist if people were actually good at security models and implementing software. The second bit only exists because the first bit exists. So that's the defensive side. So let me, I guess the best way to describe it is,

As a consumer, it is probably the worst experience you could go through. So if you're going to go buy some cybersecurity, are you buying an antivirus? That's exactly what I want to do. I want to buy cybersecurity. Yeah, buy some cyber. Because that's largely because it's a black box industry, right? A lot of businesses, a lot of people don't know what they're actually buying. And that has been exploited by the industry. And this is the part where I get angry.

Because none of the solutions out there... there, there are a few that are, they're decent, but like, look at what your options are. Do I buy an antivirus? Do I buy anti-spyware? Do I buy a firewall, Shane? Maybe an IDS, intrusion detection system. Maybe endpoint detect and respond. Maybe user behavior and analysis. Maybe a network monitor. And the way that vendors will try to push it forward is they say you actually need all of that, which is a

Total crap. You do not need all of those things. They do not work well together. So that whole thing angers me to no end. The third bit is a category that isn't actually cybersecurity. I read an interesting article recently and it kind of clued me in. I was like, actually, yeah, no, this third thing or pillar exists that is entirely wrong. And it's that bit that happens frequently.

on the internet, social media, that type of thing that isn't actually security related. But people like to kind of put a box around that. So an example would be election interference. So what are the organized influential campaigns on social media to get people to vote in particular directions? I do not think that's cybersecurity, but that also gets lumped in.

So that is the third bit, which is kind of like faux cybersecurity. It's a little bit confusing because then you lose track of what's actually happening. But I mean, intelligence agencies have been spying on other countries forever. One of the things that have changed now is not only the amount of consumer data and the value of that data, but also that people are spying on companies now as a means to fast track their R&D. Yeah.

Why invest hundreds of millions of dollars when you can sort of like just hack into somebody else's computer and download all their work and then claim it as your own?

It highlights why companies need to take this problem seriously. And I don't think it necessarily extends just to large companies at this point. Legal firms, accountants, huge targets, huge targets. You think about what they're dealing with in regards to confidential agreements, financials of individuals and companies. And that's one thing I think we've seen over the last couple of years is

The attention that state-sponsored groups are going after, it's no longer the Sonys of the world. It is now your law firms because there's a lot of intelligence value there. Patent firms. There's a lot of intelligence value there. How seriously smaller companies need to take this threat I think has really gone up. I find it super interesting. I was talking to KPMG just last week and they were like, send me this.

And I was like, how do I send it to you? And they're like, just put it in an email. I was like, what are you talking about? Like, I'm not putting that in an email.

I sort of compromised with like I used quickforget.com and like uploaded something and it's like, this is good for like six hours, so you better download it. But it's amazing to me that the lack of thought that goes into the information you share and how that manifests itself or what's exposed, right? Because if somebody breaks into that computer, that whole email chains there. Now the files there already, but a lot of the emails stored in the cloud are

It's a lot easier to access than people realize. What makes you want to tackle this problem? This is the greatest intractable problem ever with tons of competition. The government's doing host-based. You have private sector doing all of these things, cobbling together solutions. What makes you think that you can have a better outcome for customers? Probably arrogance. Yeah.

I joke, but that's probably... I mean, nobody knows the industry better than you do. But seriously, there's billions of dollars going on here. Yeah. So if we look 20 years ago, it's the same problem. One of the things I tell people when they join, when I hire from intelligence agencies, is that be prepared to be disappointed because the problems that you are going to see will shock you

that they're still out there. So the techniques that are 10 years old or the problems that should be 10 years old are still happening today. And I think that's a large referendum on how not good the cybersecurity industry is at actually trying to solve the problem. And if I look at

you know, the vendors out there, I'm not going to name any specific competition, but what I see is a sales strategy that is like a warped used car salesman strategy. And that's probably an insult to used car salesmen out there because it's much worse. It's all about the transaction. It's all about, you know, getting that done, taking the customer's money and saying, good luck.

And that isn't resulting... We're not responsible for anything. Yeah. And that's not making anything better. How should that work? Like, how do people buy cyber? Isn't it the, I wasn't on sort of like the acquisition of cyber side, but like this Gartner quadrant, does that sound familiar? Yeah. Yeah. So that is, uh, I guess a measuring system, a measuring stick to help

vendors or customers or prospective customers, companies I guess is a better term, to guide them in buying what they may or may not need. There are a few problems with that.

The Gartner quadrant system is often outdated. We were, for example, Field Effect was marketing a managed detect and response service well before it was defined in Gartner. And ironically, at the time, we had a hard time gaining traction. Because that's always looking at existing technology and threats and looking backwards saying, oh, these people accomplished this, but not looking forwards in terms of where the industry is going.

Yeah, so that is a useful classification system. It is just behind the curve continuously. The second thing is I don't think businesses actually necessarily know what they're looking for. Yeah, like how would you be educated? If you're like a law firm, an accounting firm, you've got 100 employees, you don't have like a cyber guy or girl. No. How do you go about doing that?

So, I mean, that's ultimately the realm that, you know, Field Effect sits in, the small to medium business space. Because, you know, it is infeasible for every company to have an IT team. And in our experience, I mean, an IT team is good. They have expertise, but they may not necessarily be, you know, security experts. Is that kind of like Shopify for...

Because Shopify is really arming you. You don't have to worry about building a store. You don't have to worry about managing inventory. You don't have to worry about... They're arming the rebels, if you will, against Amazon. Are you giving world-class technology to...

small and medium-sized businesses as a means to, like, you don't really have to know all the ins and outs of cybersecurity, but then it becomes trust-based. Like, why would I trust you over another vendor? That's a great question. I mean, I think trust takes time. You don't just magically get trust right out of the gate. And I think that is something we put a lot of time into building. We take time to create a customer relationship, ask customers what their needs are, what are their problems, and then

Tell us about your network. How can we help you? And early on in that process, I think it becomes clear that we're not just out trying to sell software in a commoditized way. The first thing we do is do an external view of the network and identify, okay, here's a problem right here. We want to help you fix problems. It's not just here is a solution that you have to run with.

It is all about us helping you be better, fixing problems, and sustaining that moving forward. And that is largely a component that I don't think most vendors in the cybersecurity industry get. They are more interested in showing you, check out this really cool interface, which no one in your company is probably going to know how to use. And then if you don't see something, it's like, oh, it's not our fault. It was in the interface somewhere and you didn't... Yeah, you didn't see the logs, so why didn't you action that? And that, I mean...

I think the assumption that the average business is going to care about cybersecurity is a false starting point. Because businesses, you buy your computer hardware, you get your IT set up. If I'm a business out there, I'm not starting my day off thinking, oh, I can't wait to buy some cybers or understand some cybersecurity.

That is the baseline that I think for an effective solution, that's what you're dealing with. You're dealing with a company or a customer that doesn't care about cybersecurity, but you need to help them. The baseline of the interface could be an office manager, not somebody who has a computer science degree or somebody who has any background or interest in cybersecurity. So having a system that

you know, is set up and built and implemented to work with people who don't necessarily care or will care or should even care because that's not their job.

That's what we do. Well, that's a good point, right? Like you're not trying to make them care. You're just trying to say this isn't a worry for you anymore. Yeah. Yeah. And when something comes up, here's a very concise way of dealing with it. Not a, you know, a series of links. Go Google this. Learn how to implement a VPN. Learn how to use a firewall. Learn how to patch your system. It's a guided approach to this is specifically what you need to do.

Let's flip that around. And what people don't often see, which you can add uniquely is sort of what's the mind of the attacker? Like if you're looking at acquiring valuable information from a company, walk me through that whole process. Like how do you think about that? How do you go about doing that? What does that look like?

So initially an attacker is going to profile the target and that can look like different things. So if the target has online services, they'll probe those services to see what's there. Are there any email addresses on your website that are really easy to identify?

What type of social media presence is there? And that ultimately will lead into typically a social engineering campaign, either in the form of an email that is received that looks really normal, that you want to trust, and hopefully will get you to click on something or double-click on an attachment. Or it'll go to your phone, you click on that, and that exploitation occurs.

The other approach that we see quite a bit is people don't use multi-factor authentication with just a basic email setup. So brute-forcing passwords works. Somebody gets in, will scope out your inbox and see what's there, who are your customers,

what's your routine, and then they will perform perhaps a financial redirection. So in that case, they would get an idea of what your entire portfolio is and email all of your customers and say, hey, here's your new payment instructions. And they will have all the outstanding invoices

already, you know, listed and ready to go. So they can immediately say, you know, you owe us X amount. This is where I want you to send this money now. And that is remarkably and surprisingly effective. Yeah, and hard to track down, even though there's like a total with bank accounts, we'll come to cryptocurrencies and sort of run somewhere later. But with bank accounts, it's easy to see where the money goes. It's really hard to get the money back once it's gone. Yeah. And that's conventional sort of attacks, right? Versus...

sort of somebody like Boeing or General Electric or sort of Cisco who would have a lot more valuable IP and probably worth a zero day or sort of like developing a custom exploit. Can you walk me through like how that would work? Hypothetically, of course. So you're interested in more of the pointy end of the stick? Yeah. Yeah. So, you know, the way exploitation works is

What specific platform would you like to walk through? Let's walk through Windows. Windows, okay. So if you're going after a Windows box, it's either a server or a workstation. And typically servers, if they're internet facing, give you the ability to hit them direct. So if you have a zero-day in a web server, for example, that is something you can directly access and exploit. That is a very...

direct way, I guess, of attacking. The other approach is you have a Windows client. You're sitting at your desk, you have a laptop, and you're just typing away, and you get an email. That is probably the most common way. And what that looks like is, again, back to the scenario where you're trying to convince somebody to trust an email, so they click on a link. What happens? Like, walk me through. I click on this link. Yeah, yeah. So the first thing that happens is

the browser would be exploited. So whatever browser renders that link, a web browser exploit would basically gain code execution. And modern browsers are definitely getting better at protecting against that type of thing. So Chrome is, every browser has a sandbox now. Most browser flavors are some measure of Chrome. So even Microsoft Edge is now based on Chromium. And so is Brave, and so it's like...

Firefox isn't there, is it? No, no, Firefox is not. I think they're still rocking their own setup. For now, they just fired their threat team. Oh, jeez, I didn't even hear that. So yeah, it gains execution inside the browser, and then the goal is then to gain privilege in the operating system. So that could constitute a sandbox escape to get out of that browser sandbox.

a privilege escalation to ideally execute at a higher privilege level to basically nullify any security on the host and ideally get execution in the operating system's kernel. And once you're there, it's largely game over. But you get kernel on an individual host. Walk me through how you, like, how does that become network access to either a super admin level or...

So once you have that, there really are no barriers to doing anything on that host.

So if you want to open up comms back to Mothership, you can do that. If you want to access a whole bunch of data, you can do that. But how do you open up comms? Like isn't everybody monitoring these links now in terms of like how you exfil information? No, no. So we're kind of diving into why this is actually a really hard problem and why any specific pillar doesn't work. So if you only buy a network monitoring solution, you won't see really anything that I've described thus far.

If you buy an endpoint-only solution, there may be hints of things that have happened depending on the sophistication of the endpoint solution. But as soon as it gets particularly deep in the kernel, you're not going to see that. So it's a very challenging position. That's why having a holistic approach is

is so important. You need network, you need endpoint. So if you get by either one of those things, the other will pick it up. And how does that work? Like on a particular client, I can understand how those things communicate, but then how do you take an attack on one company and then translate that into a defense on another company with something you haven't seen before? So I guess largely that depends on how well the cybersecurity solution is implemented.

if it is part of a network where you can dynamically signature an attack quickly,

and create an artifact, we'll say, that can be applied across the network of other customers. That is a way to combat against that. I mean, the zero-day problem is something that's always going to be there. I think this is something that a lot of vendors don't actually realize. That no matter how much you lock down your operating system, there's always going to be a creative group out there that does things better, that can get around it. I mean, if you look at Apple iPhone for the past...

I don't know, say decade, they've been adding an increasing number of security mechanisms into the operating system that largely limit an app writer to only being able to do specific things. But that is largely crippling from a security standpoint because all you need to do is get around these set of mitigations and you now can own any Apple device in the world. And a really scary thing is recently a company called Vupen

They buy zero-day exploits. I'm not sure where they go after that, but what they do is, well, I can speculate, but they buy zero-day exploits. And they posted something recently where they said, we're full up on iOS privilege escalations. We get enough. Yeah. And if that isn't a wake-up call to Apple, I don't really know what would be. That's basically the industry saying,

Yeah, your operating system is not as secure as you think it is. But it's kind of like the Great Wall Theory, right? Like you have this big wall around, but once you're on the inside of that wall, it's like there's no defenses after that. Yeah, and that perfectly describes Apple. That actually describes every mobile operating system out there. Well, Android, talk to me about the specific challenges with Android because they have a host of other problems that aren't.

common occurrences that have to be dealt with. Like everybody has a different version of Android that they're running. It's always out of date. Yeah, so Android's an interesting beast because a lot of... It's the most common platform, isn't it? Yeah, and it gets a lot of positive attention out there because it is an open platform. It's a security nightmare. Yeah, you can download the source code and you can see what's running. And that is a component of a secure operating system, I guess, that

The average person can go out and audit what's there. The average person could, if they want, take that, download it, compile it, put it on their phone, and maybe add some additional bells and whistles.

The concept is very noble. The reality of it is not so great because what we have today is there is the main Android branch that evolves, that Google releases. Android 11 just got recently released and vendors will take that and they will adopt it as is or they will customize it or they will take particular parts of what's called a change history. It's basically the

the changes that have been made to the code base. When that is taken into context with vulnerabilities, the fixes may or may not make it in. So you could have the latest Samsung phone running Android 11,

that doesn't actually have all of the security fixes that the main Android branch has. Right, because somebody's accepting or rejecting. Yeah, and I can tell you that with 100% certainty. I have not looked at Android 11, but what I have experienced over the past two decades, there are problems in the Samsung version that have been missed because humans, again, are part of the equation. And on the list, it'll say CVE fixed, CVE fixed, but those fixes aren't there.

Bad guys or attackers will know that and they will exploit that. And there is literally nothing you can do to defend against that if you are a target. And that is a pretty frightening proposition. So you would rather go up against an Android phone than an iPhone if you were an attacker? That's an interesting question. I think the odds of getting exploited are higher on Android, although the nature of Android also creates a scenario where there's so many different flavors of Android.

it makes it much more difficult to create a mass attack. Whereas on iOS, because it's the same version of the operating system across the board on every device, if you can find a problem in that, you get all those devices. On Android, you get the nuances, I put nuances in quotes, of some of the decisions that individual vendors will make that makes it very difficult to take an attack on Samsung and apply it to, I don't know, a Google phone or a ZTE phone. So it's

I would say generally the security position on Android is worse. The odds of being hit in a mass attack are potentially lower. But if somebody is targeting you, I would say that the odds of them being successful against you are higher on Android for sure. As phones, or if you want to call them personal computers, it's like those are our personal computers, right? More so than we think. Become more prevalent.

they'll become the surface that gets commonly attacked. Walk me through, like, how does phone exploitation even work? Like, is it the same sort of system that you would use for Windows or Apple? Is it different? Like, how do you attack the phone? You have this thing on you all the time. It's got a mic. It's got a camera. So the unfortunate answer is the exact same way you'd go after every other type of computer.

iOS is just an operating system. Android is just an operating system. There's no special features that make it impervious to attack. There are different security mechanisms in place that an attacker needs to get around, but it's the same deal. So if I'm going after your Windows laptop in the scenario that I described where I send you an email...

On mobiles, it's the same thing. And it's actually worse in some cases. About a year ago, a company out of Israel called NSO Group, they got busted for having a WhatsApp zero click mechanism. So there's some...

quick lingo dive here. One click versus zero click. One click is you have to social engineer somebody to the point where they click on a link and exploit the phone. Zero click is where there's nothing you can do. You are just owned and you have no idea. You don't even see a message? Like, you're just... Yeah, no decision on your part. You're sleeping in the middle of the night. In this case, NSO Group

you know, sends you a malicious bit of content via WhatsApp, assuming they've been able to, you know, figure out your WhatsApp ID and then exploit your phone and congratulations. That whole step of getting around sandboxes, privilege escalation, it's all the same concepts.

But in this case, it is a direct way to attack a device that you own. So previously, tools like that were only in the hands of governments and they weren't generally targeting individuals or small corporations. Has that changed? I think the accessibility is different.

There's like an asymmetry to this, right? Like some person, some teenager, guy or girl sitting in their garage can literally have a massive disproportionate impact. I'm thinking of the attack on Twitter recently and how that was a social engineering attack. Yeah. And in the context of going after mobiles, I mean, that

It all comes down to the accessibility of the attack vector and the creativity of the person running the attack vector. I was thinking with NSO Group, there's a lot of articles on them about who they sell to and don't sell to. They have a whole group now, a whole internal group within the company that I've read, dedicated to making sure they make ethical decisions. I don't personally trust that they're making ethical decisions. Why do you need a group to make ethical decisions?

I mean, that's an indication that ethics weren't a component in the founding of the company. That's probably a whole other discussion. But yeah, I think the point that the attacker and what that looks like is much more plausible that it is not an intelligence agency. You look at the...

the groups that are running out of other countries, I'll pick on India a little bit just because I've seen some IP reports on some problems coming out of there. But firms of social engineering efforts, it doesn't take a lot to go after Android that's two years old. I haven't looked at the statistics of what the market coverage is of Android versions. Pretty confident that if you're rocking a version of Android that's a year old,

you're probably a pretty big target. And that, you know, again, I don't mean to pick on Android, but that is just a reality of how that ecosystem has evolved. People don't really realize the scale at which this affects the economy, right? Like you see these ransomware attacks, which I want to come to next in terms of like,

$20 million paid in Bitcoin. But what you don't see is the trillions of dollars in IP that have been transferred to foreign governments over the last decade. Recently, we've seen a lot of intellectual property leaks. I kind of feel that if you were going to steal intellectual property and then create a competing product with traces, which Huawei got busted for that. Yeah, well, I want to come back to Huawei. Internal rage meter just went up.

You know, it's a much more, you know, deniable scenario where, you know, things hit the internet and people say, okay, I just, it was out there now. So it's public domain knowledge. So the, you know, having separation from the attacker and the beneficiary of, you know, the results of the attack, you know, it makes a lot of sense if one's goal was to get a hold of somebody's intellectual property. I mean...

Once it's out there, everybody's going to consume it. You know, you look at the leaks of the whole EternalBlue leaks. It's a series of tools from NSA that got leaked. Windows vulnerabilities. Was that NSA or was that the CIA ones that got released? Vault 7? No, that was NSA.

Was there CIA ones, or am I making that up? No, there was one that was rooted in Vault 7, was that group. It was that leak, I guess. The one I'm referring to was from NSA. And it was a whole treasure trove of tools. And this one was particularly interesting because it really-- there are events that occur that destabilize, I guess, the defensive posture.

Ransomware in general, I don't get how it even exists. It is the easiest malware to detect and stop. How there's even an industry around that blows my mind. But the attack vector that people use to wrap ransomware, the payload, weaponize that chain that I talked about earlier, basically allowed a, you know, a point-and-exploit capability on patched Windows machines. So walk me through ransomware. Like, what happens?

Depends on the flavor, but the overall goal is to extort money out of the victim. So there's different ways to do that. If you attack

an individual, you would potentially encrypt their personal photos, credit card information, maybe other personal compromising information, and then say, give me X amount of money, or I'm going to expose all your photos, or I'm gonna delete it all. When it comes to businesses, it's more of going after intellectual property where if a particular workstation gets compromised, ransomware runs on that workstation,

encrypts everything, potentially deletes everything at the time, typically making a copy of it because there's value in that. And then we'll go through all the network shares and do the same thing. So there's one particular, there's different groups, I guess, of ransomware actors out there. Some that are, you know, won't call a bluff and others where if you say, I'm not going to pay you, they will 100% follow through on what they're going to do. And this weird, I guess, sub-industry has emerged from

ransomware actually being a thing and being accepted, where companies will actually act as negotiators. So if you think back to those really cool movies where, you know, there's a really cool ransom, or sorry, hostage negotiator trying to talk somebody out of the scenario, that exists for ransomware. And it drives me... The bargaining, for me... Yeah, yeah. Why is that a problem? Like, do you

Do your customers have ransomware problems? Oh no, because they use Covalence. We protect against that vector. But the

But how do you stop that? If it's that easy to stop, why doesn't everybody stop it? I wish I had an answer to that. I don't think... A network monitoring solution will not stop ransomware. There's nothing you can do about that. You need to be on host. Yeah, you have to be on host and you have to have a measure of sophistication and tradecraft to identify and block it. We have some coexistence scenarios where...

I won't identify the companies, but they are very, very large, successful companies, cybersecurity companies. And the ransomware gets by them, but we stop it. And it blows my mind that based on those companies. Because for you, that's easy. That's not a big thing that you're worried about. It is a very, very basic profile to stop, identify. I might be jaded because I've been doing this for 20 years. And in the grand scheme of things that I've been a part of,

Ransomware is definitely low on the sophistication bar. Do you think it would exist without cryptocurrency and anonymous payment forms? Because it always seems to be, at least in the news, it's always like you need to pay in Bitcoin so I can run away with this money. Yeah, I would say it would definitely be harder because that is definitely a very convenient payment structure.

to pay with Bitcoin. I'm just thinking in the cases where we've seen financial redirections and those are anonymous accounts that are used and then torn down. So there's definitely... How hard is that to track? Like if you're sort of like the FBI or another three-letter agency, like to follow that path? I don't know about that. It's not my background. But I would say the...

the challenge would not necessarily be the difficulty. It would be the average person or business getting any agency to care, to track it down. Because intel agencies, law enforcement agencies aren't sitting around waiting for things to do. There's really big problems they're going after and trying to fix and solve.

You know, a small company, you know, a law firm getting ransomware is just low on their... Well, it's not even a matter of payment for them. In some cases, it's life or death for the business because you can effectively turn the business off overnight and...

just eliminate it, especially if you're small and you don't have these sort of like big bank accounts to pay. Yeah, yeah. I'm aware of, you know, businesses that have been shut down because of ransomware. The payment is just too high and it's much easier just to say, OK, throw in the towel, we're going to fold up shop and maybe start again. And this is ultimately why I don't

I get very frustrated that companies will pay ransom or not take the time to hire a company ahead of time. It's much easier and cheaper to be preventative and to harden your system and be ready for attacks. I mean, that is the reality of today. And anybody who thinks otherwise, they've got their head in the sand.

You're going to get ransomware. Bad things will happen and hopefully it doesn't kill your company or compromise customer data. That's a whole other aspect of this equation that I don't think people take into consideration if there are legal obligations to report ransomware.

compromises in customer data now. There are fines. I remember before COVID-19 dropped, there was discussions about six-figure fines going to Canadian companies if they are ransomware, customer data gets compromised, and it has shown that they weren't taking the problem seriously ahead of time. So they didn't have the adequate security protections in place. What's adequate? That sounds so subjective.

Yeah. Yeah. I mean, is that back to that Gartner? I checked the box. You can't sort of like fire me. So if I was a,

you know, virtual CISO, I would probably, you know, reference the Gartner quadrant to make sure that, you know, the executive board is covered in regards to liability. There's almost like two layers to this, right? There's the apparent layer, which is like, I want to solve cybersecurity. But the real layer is like, I want to keep my job. And the easiest way to do that is not take any risks and go with the industry standard. Ultimately, when it comes down to accountability...

That is a safe way to go. It is unfortunately- Even if you're owned. Yeah, yeah. It's the safe way to go, but it is not the best thing for the company. It is not-

It is not forward-facing. I think it's being naive in regards to the type of attacks that are coming. So if you're a customer and you don't know a lot about this, what are the questions you should ask to sort of reveal the type of solution you're getting for real instead of sort of like checking the box? You know, right off the bat, I would say, how are you protecting my company? Tell me how you're protecting my company. Like, full stop. What happens when something goes wrong?

And you'll probably get a whole bunch of sales jargon. What's the difference between a good answer and a bad answer to that question? If somebody uses the word next generation, seamless, we'll stop everything. AI, we've got machine learning. If any of that comes up, big red flags. So if somebody can give you a good answer to what happens when your system fails...

That gives you comfort. I think that is a good position to move beyond. When I said earlier that, you know, the cybersecurity industry is like a bunch of unethical used car salesmen, it's because there's so much jargon and salesmanship that goes into this. For example, the process of buying a car. What do you expect when you go to a dealership

to buy a car? What do you want to walk away with? Assuming you really like a car or a brand, what do you expect to walk away with after a transaction occurs? The car. Yeah. Unfortunately, with the current cybersecurity industry, there are salespeople all over the place that will say, you know what you need is you need some wheels.

And then another salesperson will say, I can sell you the engine. And another salesperson will say, I'll sell you the steering wheel. You probably only need the steering wheel, but I can sell you that. It's going to be great. I got some rims over here too. And it is up to you as a company to put those things together and make use of that. So you're cobbling together the solution yourself and each vendor, like no vendor is responsible then because it's like, oh, this person, there's a lot of finger pointing. Yeah. And ultimately the only solution

working cyber solution, and I don't care what the sales point is, the only true working cybersecurity solution is one that looks at it from where's your data, how are you going to be attacked,

across the board. So it needs to include an endpoint component, a network monitoring component, a cloud component, potentially an IoT component, an XYZ for things that we don't even know exist yet. This is where this whole concept of next generation drives me nuts because people say we have this next generation thing and what I'm seeing right now is the exact same thing I've been seeing 20 years ago.

regardless of whether it has a machine learning component or not. What does that mean, next generation? If you knew the next generation of exploits, you'd be... Ultimately, it doesn't mean anything. A good solution should be iterative. A good solution should be engineered to handle the future without needing to put a sales tag around it. This is what we have now. We call it the next generation thing that the world's never seen. P.S., it's got machine learning, AI, AI.

blah, blah, blah, blah, blah, which ultimately doesn't mean anything if you're a buyer. All it does is confuse you. It drives me nuts. There's so much jargon in this industry in particular, right? And a lot of it is salesy. Like it's created by the sales teams, the sales force, the... Yeah. The number of times...

I have had to worry about this, you know, these features that are sold to businesses around the world, being on the other side of the coin just years ago. Never. I've never had to worry about machine learning. And by the way, the existing machine learning implementations in a lot of solutions out there is the exact same thing that, you know, I've seen in antiviruses back in 2005. They just didn't call it machine learning. It was just training analytics to look for anomalies and

So when you were an attacker, what did you worry about? Oh, that's an intimate question. Getting caught. I mean, ultimately, yeah. I mean, so as an attacker, it is a continuous balance between risk and losing a capability. And this is... What does that mean? And I'm speaking from back when I was at CSE. It means that

When I said earlier that on that first pillar of cybersecurity, if you want to call it a pillar, there's an economy behind it. So there's a cost to building capabilities to go after a particular target. If you lose that capability, that immediately is an expectation of, okay, find a new one. And it's difficult. There's cost to that. There's labor costs.

And that is a very big component that goes into the, I guess, the risk equation as to how you're going to approach an operation, how aggressive you're going to be. And different agencies around the world will do different things. I mean, you look at China and Russia, they're remarkably aggressive with a lot of...

I don't want to say disregard for their own intellectual property and what they're using, but they're certainly not quiet about what they're doing. It's like spray and pray, right? Yeah, I find it really intriguing. It makes me wonder a little bit, like do they have an army of thousands of people in warehouses cranking this stuff out, which they probably do, which is really scary. Yeah, one of the things that I always found really fascinating about intelligence problems was there's always a country with more people

who are just as smart, if not smarter than you, and just as good, if not better technology than you. And yet your task was sort of defending or in some cases acquiring information against these people and the hubris that sort of like goes into, oh, we know best. Yeah, that was always an intriguing calculation back at CSE.

It's a good debate to have, I guess. If you've got something that took a lot of time to build, do you throw it down a hill and hope for the best? Or do you protect it? Do you put shoulder pads and knee pads on it and try to make it last as long as possible? So talk me through that, though. How do you see that? Because allied governments, friendly governments, whatever you want to call them, have exploits that are zero-day as well.

that they don't release that have huge national security implications. Like we've seen some of those become public and have massive implications. Wasn't the NHS hack in Great Britain the result of a stolen zero-day from an allied government? That one's tough. Should they disclose them? How do you think about that?

So from what I, so full disclosure, I don't have as much exposure to what the internal debate is on that. I'm aware that it happens. I think a lot of it comes down to what the perceived value is gained versus lost. If you don't disclose something and you use it operationally, is there more good for the mission, the country, its people by not disclosing it versus disclosing it and losing a capability? Yeah.

Yeah, it's a tough one because the adversaries of allied governments aren't going to disclose. They're not going to care. If they have something they can weaponize, they will use it. And I think, unfortunately, that is probably the tone that is set globally that

underpins a lot of the decision making. Like if you're being attacked constantly and having your nation's intellectual property stolen, I mean, you could disclose all the vulnerabilities you have and you know about as a nation. It's not going to stop them. It's just not going to. Going back to the Vupen example, there are more out there. There's a backlog, apparently. Yeah. Yeah.

Speaking of, I'm going to probably push some of your buttons here so you might want to take a drink. Talk to me a little bit about, I'm just going to leave it there, expand on

We've had many conversations on that. What a chestnut that situation is. So Huawei's had a bit of an interesting less than smooth ride, I would say. They came out of nowhere with all this tech. Yeah, which miraculously happened right after a Cisco leak, a giant Cisco source code leak. It's a coincidence. Yeah, so there's documented ties to the Chinese federal government

with that company existing. There is, I don't know if they were ever convicted. It was back in 2003, 2004, but there was a very clear-cut case that Huawei was using conveniently leaked intellectual property. This is back to, you know, if I was going to steal your intellectual property, it is much more deniable if I leak it out into the internet and then use it and come out six months later and say, oh, look, I just found this out there and I used it.

Really convenient. Coincidence. Yeah. And, you know, where we are today, Huawei basically, you know, price undercuts other vendors. And, you know, I ask how do they get to that point? That sounds like they have a lower R&D budget. And how do you have a lower R&D budget? You get intellectual property via creative means.

Today with them being banned from the US, I don't disagree with that. I have different thoughts about the whole TikTok situation. Wait, dive into the Huawei thing. Why don't you disagree with that? Why don't I disagree with them being banned? Yeah, I mean, I agree with them being banned. Yeah, so I don't think there is a framework to build trust. I don't think they have...

earned that trust and given, you know, if a nation is going to re-kit their entire country with a new type of wireless gear, especially with the complexities of 5G, you need to trust that vendor. You need to be sure that the interests of that vendor are at the very least not opposed to the interests of the country that you're in. And I don't know how anybody could possibly say that about Huawei.

I remember when the Brits did this whole thing, like we're going to set up this accredited lab, we're going to test it, so we're going to allow British Telecom to use it, but we'll test everything that's deployed. I remember just like that would fall apart in a second because the minute there's a zero day, you're going to deploy it right away, especially if it's leaked on the internet. And then you've deployed code that you haven't code reviewed and then the whole thing just falls apart. And I'm like, okay, well. Well, it doesn't scale to the realistic pace of software development. Right.

So let's imagine that a government does have a program in place where every iteration of source code, and these aren't small systems. We're talking millions of lines of source code. Let's assume you have a crack team of amazing source reviewers that can say with confidence that

Yep, this looks great. Or better yet, they have a set of automated tools to be able to derive that answer, which is challenging, probably possible, extremely challenging. The realistic outcome is the time for, let's say, Huawei releases a new iteration.

the time from that release, because if they are a vendor that actually believes in securing their product and that new release of the firmware has, you know, fixes, time matters. You're against the clock before, you know, vulnerabilities could be discovered and

put out because all it takes is for them to release that firmware once, have somebody rip that firmware apart and identify differences between the old and new. So you're immediately up against the clock. And if this ideal analysis process is being slowed down in any way, you're immediately compromising the vendor and giving them the argument that this system doesn't work because what they... And I don't necessarily disagree with that. If I was the vendor and my releases were being slowed down by a month,

I would get pretty cheesed because... It's not my fault. Yeah, you're slowing down fixes. And, oh, I'm sorry, your routers just got hacked. That's on you. That's not on the vendor at that point. So I don't think that concept is one that actually works. And the way to avoid that is sort of like just not allow that in your critical infrastructure? Or do you think it should be not allowed in any infrastructure? Your personal take. Oh, my personal take? Again, I'm completely fine with the ban. Yeah.

I mean, they're still allowed to sell into Canada. I'm not aware of what the... I think it's not allowed in the... I mean, my knowledge is out of date, so we'll have to fact-check this, but I think it's not allowed in the critical components of Canadian telcos, but it's allowed on the periphery. But that's silly when you think about it, right? Because you don't want to ever be held hostage to somebody who can...

who can turn that off, and somebody who's more patient than you, right? Because you could just go 25 years with no incident, and then all of a sudden there's an incident. But you've built up 25 years of trust and credibility, so the story you tell yourself is, we haven't had an incident, it's cheaper, because it's likely subsidized, and not only R&D but subsidized by the government.

Yeah. So, I mean, ultimately this is, I don't have any problem with Huawei being banned in the U.S. I would not, I would not argue about that. By the way, the name of the vendor is Zerodium. Vupen started, sorry, Vupen started Zerodium. Okay. And they're the ones that bought the Zerodium. Yeah. I always lump them together. Just, you know, well, same parent company I would imagine. Yeah. Yeah. What do you think of Snowden? Oh, I feel like you're asking questions that have slowly taken years off my life. Uh,

So I've been doing that since I met you. No, you're great, bud. I do not agree with what Snowden did in any way. And that is putting it very, very kindly. Regardless of, you know, at this point, there's been things that he brought to light that have been declared illegal. The unfortunate assumption is that

agencies, security agencies, intel agencies are these devious groups that are like, let's do whatever we can. And I don't think the average person actually realizes how difficult that job is, how normal the people are who do that job. They have families, they come in, they want to solve a mission or solve a problem, make things better. And

The way he went out with this giant trove of information, which I'm going to come back to, completely ignores the way that technical implementations get approved. It's not like developers are sitting at their desk and say, I have this great idea. Let's go do it. And all of a sudden it's running in operations without any accountability or review whatsoever.

There is a team of lawyers, depending on the size of the country, that will look at that and say, this is okay, this is bad. I remember being at CSE and arguing for something for I don't know how many years, but there was a problem legally and it didn't get through. And that vetting process, people take extremely seriously. And

if something goes through that process, there is a measure of legality to it. There are a group of lawyers who honestly like to say no to ideas that have said, "Yeah, this is okay." So the idea that anything that has been deemed illegal, I'm not in a position to say that's right or wrong, but what I can say is the process that those things would have gone through. People underestimate the sheer size of the bureaucracy to get anything implemented. It's crazy. It is absolutely crazy.

So that whole side of things, I find unfortunate because the byproduct of that is distrust for agencies that are working extremely hard to keep countries safe. And it is extremely disheartening for those people to get dragged through the mud publicly when the public doesn't actually have an awareness as to how much they sacrifice on a day-to-day basis. I couldn't count the number of

long nights that I've seen people work. It can break families. It can break relationships. It has, yeah, definitely. So the other side of it is trusting his intentions. So he had gripes about those types of illegal mass monitoring or mass surveillance programs in the US. Why did he go public?

with such a large archive that had nothing to do with that? Why did he expose completely legitimate legal intelligence gathering programs that have a ton of people's names associated with that? Why did he go out the door with that? And that I think is what I have a much larger problem with in that there was no thought process. To me, it seemed like more, he was just giving the intelligence community the middle finger.

Yeah, I mean, I sort of took away the same thing from that whole thing, which was even if he felt just in what he was doing, it would have had a different sort of feel to it when it came out. And you don't need to reveal the techniques. You can just reveal the details of the programs. But the actual techniques that he revealed, the software techniques, the exploitation techniques, I mean, that definitely cost people lives, that had a huge impact on people working there.

Yeah. And how far back did he set programs? How much did

entire agencies need to go into damage control because some yahoo decided that this thing over here was illegal. And then, oh, P.S., here's a whole bunch of other interesting stuff unredacted being released. Yeah, I think people think, oh, there's no names associated with it. But on the original documents, there's definitely names. And I think we both assume that every intelligence agency worth their salt in the world has unredacted copies of all of those documents.

Yeah, yeah. To the best of my knowledge, WikiLeaks doesn't receive redacted versions of things. I mean, that's largely my opinion on him. So you don't think he should be pardoned? A little part of me will die if he is pardoned. Why do you think he's in Russia?

Is there something to that story? I mean, where's a safe place to go when you've burned a particular group, like right into the enemy's back door? It's pretty bad when your safe place is Russia. Yeah, I mean, yeah, I'd be really curious to actually know what his living conditions are like right now. And, you know, hopefully they're not comfortable. But I mean, he brought it upon himself. There's other ways he could have done that and come forward with... How could you have done that differently? What do you think?

Like internally, there's lots of outlets for that stuff. He said he followed that.

There was no documentation released that I can remember that he did follow those. Yeah, I mean, you look at the whistleblower protection that's in place now. Was that post-Snowden there? Yeah, I was just thinking that. I don't know whether it was post-Snowden. I mean, maybe his decision to do that would have actually improved the protections for whistleblowers. And that's probably important to acknowledge. I thought he was the best thing to happen to Linchpin, though.

I remember like, and I don't mean that in a negative way. I just remember like what happened in the immediate aftermath of that was they locked down the process by which people get hired. So like, I don't think you or I would make it through today without

from start to finish because of our backgrounds and sort of different quirks of our personality. And so what happens is like post-Snowden, you end up hiring, I call it the stormtrooper problem, which is like you end up basically hiring the same type of person, right? They're sort of like never had a problem in their life. They get straight A's. They do all the right things. They tie their shoelaces the right way. And they come into the organization and they get promoted, right?

And the process for promotion now is sort of like, here are the 10 things you need to do to get promoted because it's so sort of like laid out and so bureaucratic that you end up year 30 and all of a sudden you're in charge of solving a problem that nobody's ever solved before. But you're in a group of people who all see the problem the exact same way. So you all share the same blind spot. So I remember when that started happening, I was like, oh man, this is like great news for Matt because he's

You're hiring, in a way, the misfits of the industry, right? The people who don't want to go to meetings, the people who don't want to fill out the forms to go travel, the people who just want to be able to do their job. Yeah, I'm trying to think back of, you know, was there an effect? I don't actually know if I could speak to that without violating an NDA, honestly. Yeah, we don't want to get you in trouble.

Yeah. This year. Yeah, I think how you characterize the mindset of these organizations is... It's pretty accurate. I mean, the...

Well, we both sat in meetings where they're like, oh, we can't hire this person because there's a flaw in their background. And there's some legitimacy to that too, right? You're trying to manage top secret information. You're trying to manage risk and manage an organization. But the flip side of that is you're hiring effectively the same person. Yeah, you're not wrong. I definitely don't disagree. I think one benefit to Linchpin from that was definitely that it pushed people out the door.

Absolutely. And I think that's a trend that continues to this day. I mean, I'm still, you know, full disclosure, actively recruiting from intelligence agencies. The people that are excited to leave and do something more and, you know, for the lack of better terms, be unleashed to solve technical problems. Like there's that hunger there. I love that perspective of unleashing technology.

people that have sort of like had handcuffs before. And it's like now your ceiling is not bureaucracy. Your ceiling is your own ability. Yeah. I've been doing this for 15 years almost as an entrepreneur in two companies and I've gotten to

witness people go through that unleashing process, and it is really cool to see how, you know, one month after, they're just blown away with what they are now afforded to do. And what, you know, I'm not saying don't do this. It is just, here's the goal, here's the problem.

Solve it. Let me know what you need. We'll catch up every once in a while. In Canada, people typically join the company with a one-year leave of absence or a five-year sabbatical component. And I always laugh about that because, yeah, I mean...

Nobody's ever gone back. So from a risk standpoint, that makes sense. So I never argue with that. But from a practical standpoint, nobody's ever gone back. And it's become something that I've seen weaponized against the employee. Oh, you're going to this company. We're not going to give you your one year leave of absence. And it's like, OK, that is an extremely bad decision. And you're showing some really unfortunate true colors. Yeah.

Does that ever make somebody stay or does it push them out the door faster and motivates them? Chips on shoulders, man. There's something to the motivation that comes from that that just drives people. I mean, Google's Project Zero is largely built from people who have exited the intelligence industry with a chip on their shoulder. I don't know if that's worked out so well. I want to just sort of end on some of the lessons that you've learned growing up

Field Effect now to 100 people. That's the critical phase for a lot of companies. Like a lot of companies break in this sort of like 40 to 100 people range because you start reaching the ceiling of

the processes that you've put in place, but also the ceiling of the people who've got you here. How do you think about that? How do you scale and how do you go beyond that and crack through that sort of ceiling? I think the first component is making sure that everybody is going in the same direction. You have to be very straightforward, frank, honest when looking internally, but also what the company goals are. And everybody needs to know what the company goals are.

I don't think that, you know, execution is necessarily something that comes naturally to a lot of people. And for me right now, like one of my biggest concerns as we approach 100, as we go through COVID-19, I mean, when this COVID-19 started, there was, you know, a decision to be made to go aggressive or cower, I guess, from the scenario. And, you know, in my opinion, it was very clear we go aggressive because, you know, our competitors are probably going to be

category B in damage control. So you can get ahead. Yeah. So execution is a big part of that. And it takes a bit of time to understand what execution looks like in each particular problem or given company. So that discovery of how do we execute as a group has been something that I think is extremely important. And largely, the company is absolutely doing amazing at it.

And that, I think, is one thing that always resonates in my head that everybody has great ideas, but how you push through is execution. You need to materialize those great ideas into things that are reality. Is there anything else you want to say about the state of cyber before we wrap this up?

Am I out of swear jar content? No, man. Say whatever you want. I think we're already explicit at this point. So I would say, you know, if you are a company looking for help, it can be a challenging thing. I think it's that going to the doctor scenario when you have a pain. You don't want to necessarily find out what it is because, you know, people are naturally averse to bad news.

You can't be like that with cybersecurity. If you don't have a cybersecurity vendor, if you don't have a company helping you out with that problem, get on it. Everybody is a target at this point. Your company is not small enough to be off an attacker's radar. I have seen five-person companies. Actually, I've seen two-person companies

attacked and hit. So my advice is don't be afraid to ask for help. Hello at fieldeffect.com. Yeah, the second thing I would say is anybody out there looking for a really cool opportunity for a really cool company, the experts of the world, regardless of what company you're working for right now, we're always looking for more people.

That's amazing. My kids call you Uncle Matt, but they also, whenever Elon Musk comes out, they say, we know somebody who's going to do more than Elon. And they're pointing to you. So we're looking forward to seeing how this progresses over the next couple of years. I don't know how to respond to that, but that's very kind of them. Thanks for chatting, Matt. Yeah, thanks for having me. It was a good time.

Hey, one more thing before we say goodbye. The Knowledge Project is produced by the team at Farnam Street. I want to make this the best podcast you've listened to, and I'd love to get your feedback. If you have comments, ideas for future shows or topics, or just feedback in general, you can email me at shane at fs.blog or follow me on Twitter at shaneaparrish. You can learn more about the show and find past episodes at fs.blog slash podcast.

If you want a transcript of this episode, go to fs.blog slash tribe and join our learning community. If you found this episode valuable, share it online with the hashtag the knowledge project or leave a review. Until the next episode.