What’s New in the Cybersecurity World With Adriel Desautels

On Episode 83 of The Edge of Innovation, we’re talking with hacker and security expert, Adriel Desautels of Netragard about what’s new in the cybersecurity world!

Sections

Introduction
Netragard’s New Product: A Breach Detection Solution
Netragardian BDS
What’s Going on at DEF CON and Black Hat?
Hacking Medical Devices
Vendor Hostility Toward Researchers
Government Networks & the Vulnerability of Voter Information
Why Do People Feel Threatened By Research Hackers
Security Researchers Are Experts at Breaking Software
Finding Flaws in Software
More Episodes
Show Notes

Introduction

Paul: Hello.

Adriel: Hey, Paul.

Paul: Hey, how are you?

Adriel: Doing quite well. I love the fact that even in this day and age we have continual technical difficulties.

Paul: Yeah, well, it keeps people like us in business, so…

Adriel: It does. Yeah.

Paul: So, where are we finding you in the dark, unreached places on Earth? Are you from your secret lair or…?

Adriel: Right now, yes. This is very much my secret lair, which is a library with a ladder that’s been converted into an office.

Paul: Alright. There you go. We’ll cut that out or encode it in a way so that only certain people can listen to that.

Adriel: There you go. Yeah, it’s pretty cool.

Paul: So, how are you doing now? How’s security in the world?

Adriel: It’s doing incredibly well. We’re becoming more and more and more well known for the level of service that we provide, the depth, the quality, and really the aggressiveness of it. We’ve also launched a product, and the product is selling faster than we can sell it. So it’s really quite remarkable.

Paul: Well, we’re talking with Adriel Desautels from Netragard, and we’ve talked with him once in the past, and he’s a great resource for technology and security, and we’re going to talk about that a little bit today.

Netragard’s New Product: A Breach Detection Solution

Paul: So, tell me about this product. What is this? Is it a shampoo or a floor wax or…?

Adriel: It’s a security shampoo.

Paul: There you go.

Adriel: It prevents malware from getting into your hair. No, no, we call it Netragardian VDF. It is a breach detection solution, and it is based on our own experience in breaching networks over the past two decades, really. What it does at a very high level is it exploits the methods that hackers use to breach a network, thereby enabling you to identify their activity before they actually have a chance to move laterally throughout the network. So, it doesn’t prevent a breach, but it provides you with a false-positive-free method of detecting a breach. So, when you get an alert the alert is, in fact, real. And it’s so incredibly effective that you can use it to generate positive indicators of breach and respond to those positive indicators and quite literally completely avoid damage.

Because in this day and age the name of the game is no longer breach prevention. That’s just a known impossibility. The name of the game is damage prevention. So what the solution does from a higher level, is it allows you to see that people are breaching your infrastructure, and it allows you to respond to that event and block it before it has a chance to escalate into something damaging. The response window is minutes to seconds, depending on how fast you can move.

Paul: Wow.

Adriel: So it’s, it’s pretty cool.

Paul: So where do I find out about this product?

Adriel: We would have to tell you about it. You can contact us or website.

Paul: Well, that’s an interesting way to sell something.

Adriel: Yeah, yeah.

Paul: I have something you don’t know you need but you might want, but I’m not going to tell you about it.

Netragardian BDS

Paul: So, alright, so hold on. What’s the name of it? Spell it.

Adriel: So it’s Netragardian. It’s N-E-T-R-A-G-A-R-D-I-A-N. And then BDS. Bachelor, David, Simon.

Paul: Okay. Cool.

Adriel: Yep.

Paul: So, it’s a secret product. Only people with an invitation can buy it? Or, how does that go?

Adriel: Sort of. So right now, it’s a product that our clients are able to purchase. We don’t advertise it at all yet. We will be in the fairly near future, I think, mid-to-late 2019 when we start advertising it. But right now, we’re trying to push it out to our clients specifically, or they’re really picking it up from us.

Paul: Oh, very cool.

Adriel: That’s the first line. As soon as our clients have this up and running, then it’s going to be the next stage, which is to publicize it and really get people aware of this.

Paul: Well, excellent. Well, we’ll have to talk about that some more.

Adriel: Definitely.

Paul: Really, I’d be fascinated to talk about that.

Adriel: Yep. Absolutely. When we do talk about it and you hear about how this works, it definitely follows the keep-it-simple-stupid rule. It requires virtually no maintenance whatsoever. There’s no patching, no updates that are required. The agents that are associated with it do absolutely nothing of value, as far as the business is concerned. And so if there’s any kind of an outage or, or anything like that, it has zero impact on the business’ ability to function.

Paul: Cool.

Adriel: It is not an intrusion prevention system. It was not a network intrusion detection system. In fact, it has nothing to do with analyzing network data. So it’s a super-efficient and lightweight system that works.

Paul: Very cool.

What’s Going on at DEF CON and Black Hat?

Paul: So, I thought it would be cool to talk about what’s been going on recently. I imagine, just because I saw it on your feed, that you went to DEF CON and Black Hat.

Adriel: Yep. Absolutely.

Paul: How was the weather?

Adriel: It was hot.

Paul: So that’s about all we want to cover today. We heard lots of different things about hacking, voting machines and a few other little things — some drones stuff. What was the interesting things that you saw there?

Adriel: So, when we were at DEF CON and Black Hat, honestly, not a lot of the presentations that were there this year were particularly interesting. What was more interesting were the side conversations that were going on and sort of the private parties that we got ourselves invited to. There is a lot of research that’s been going into not just voting machines, but the government infrastructures that house voters’ data, the State of Kansas and things like that.

Hacking Medical Devices

Adriel: Particularly interesting too is the medical devices and critical infrastructure. There’s actually a pretty big emphasis on doing research against those things as well.

And the, the good news is that largely, it’s the good guys doing the research right now, but as the trend would be, if the good guys are looking into this, then you can rest assured that the bad guys are also looking into this.

Paul: Yeah.

Adriel: To kind of give you an understanding of scale and impact, hacking medical devices is something that can be done from afar. So, if you end up using pacemakers from specific vendors or insulin pumps from specific vendors, it’s entirely possible and realistic to cause those things to malfunction in lethal ways from as much as 90 meters away. There’s right now a general consensus that, oh, you have to be close to the device so you can program the device. But that’s not entirely true. There has been research done that demonstrates that fact.

And then, looking more into the medical devices too, these devices are running operating systems that are the equivalent, when it comes down to security, of a Windows desktop or a MacBook Pro. Their operating systems are buggy. In fact, if you look at the vulnerability databases that exist, you could find vulnerabilities that are perfectly exploitable for these.

Then, to make matters even worse, a lot of the manufacturers that are producing these devices are, frankly, hostile to researchers rather than embracing research and researchers, and saying, “Hey, we really like the work that you’re doing. Thank you for doing this. We realize you’re doing it, probably for free…” They’re saying, “Why would you look at our device? What’s your angle? Let’s quash you, and let’s threaten you with legal action and so on.”

So, the general consensus around researchers in general is, yes, we want to do this because we care about this, the big problem, but we’re very nervous about the approach with the vendors and how to handle the vendors and so on. So there’s that.

Vendor Hostility Toward Researchers

And then, of course, when it comes down to critical infrastructure, the approach is very similar. When it comes down to critical infrastructure, we see the companies who make SCADA technologies and other kinds of similar technologies, we see them also respond with hostility as opposed to sort of “Yeah, come do the research. Help us find things” —that welcoming embrace. That bug bounty-type mentality.

What that tells me is their mindset is antiquated. Right? They’re stuck back in the late ’90s, early 2000s when most vendors were really hostile, and they had yet to realize the researchers aren’t there to hurt them. They’re there to help. So I think, that one of the things that I’ve seen is that that still exists, and I think these vendors really do need to move forward in that capacity.

Government Networks & the Vulnerability of Voter Information

Now you look at government networks. Kris Kobach in the State of Kansas. We actually offered — I believe it was Kansas. It was a free penetration test because we were called out by Gizmodo, and we were asked to do a quick reconnaissance project against the state network. And we did, using open source intelligence technologies. Nothing intrusive and all that. And we found that their network was massively vulnerable. We found that they didn’t have two-factor authentication anywhere. They had VPN endpoints that were very likely brute forcible that were exposed to the internet. They had printers that were exposed to the internet. All kinds of things were just publicly accessible. And these networks were the networks that contain voter data!

We offered, we said, “Hey, guys. You know, we recognize that this is…” This was in relation to Cross Track, actually. This was the Cross Track Network. And so we said, “Hey, guys, we recognize that there’s some really sensitive information here, and we recognize that this approach of being really called out by the media about your vulnerabilities is not that great. So we’ll offer you a free test to help you harden these things.”

They never responded to that offer, despite the fact that it was being pushed by various different people. There was somebody from the Democratic side that called. We created a proposal. We issued a proposal to them. Never heard anything back, even though it was free. They said, “Hey, we were going to go with the Department of Homeland Security and get things hardened,” but according to the sites like Censys.io and other kinds of open source sites, their network hasn’t really changed posture at all. So, when it comes down to the voting information, voter information is massively vulnerable because the people that are responsible for it are not taking their security seriously. What they’re doing is they’re saying, “Hey, yes, this is hardened. This is secure. This is safe.” But it isn’t.

Paul: Right.

Adriel: And that’s really, unfortunately, the way things are on a lot of fronts when it comes to security.

Why Do People Feel Threatened By Research Hackers

Paul: So you sort of talked about the old-school mentality and the mental approach to things or the way people think about things. Let’s try and put ourselves in their shoes and why they feel so threatened by these hackers that are out there who just do all this stuff. Now, I think it’s helpful to role play this a little bit because this is the issue. So, go ahead. What do you think of that?

Adriel: Yeah. So, I think it comes from a variety of things. First off, researchers are there to identify problems or faults in something. Or identify security issues with regards to…security researchers do that anyways. And these security issues are emotional for some people because we’re effectively saying, “Hey, your baby is ugly,” or, “You didn’t do a good job,” or, “You screwed up.”

And, and rather than hearing that and saying, “Wow, okay. That’s good. Thank you for the help,” what they’re saying is, “Why are you attacking me? Why would you insult my capabilities?” Or maybe it’s, “Why are you threatening my job? Why are you threatening my business? Why are you trying to make me look bad?”

And so the approach that a lot of the researchers have, especially today, they no longer take that kind of thought into consideration. And if you were to approach somebody else through a bug bounty program or Facebook, Google, whatever it might be, and you were to say, “Hey, there’s a vulnerability here,” what they say is, “Great. We understand that everybody is vulnerable. Everything is vulnerable. We understand that we’re going to make mistakes. So thank you for bringing this to our attention so that we can fix it,” as opposed to “Why are you trying to make me look bad.”

Paul: Sure.

Adriel: And the reality of it is we’re not trying to make anybody look bad, but we find critical flaws in technology. And the people that created those flaws are the vendors. They are the manufacturers, and they are the ones through deliberate mishap, mistakes, or maybe accidentally, most likely they’re the ones that create the vulnerabilities that are inevitably exploited that lead to damage. So they’re the ones that are, in the end, responsible for fixing the code and becoming aware of these vulnerabilities.

But I think that what’s happened is some companies have begun to realize that they really have to embrace the hacking community and allow hackers to do this research and say “Thank you” because it’s effectively it’s elevated quality assurance.

Paul: Oh, of course. Yeah.

Security Researchers Are Experts at Breaking Software

Adriel: And it should have been done. Right? But instead of, instead of doing that, they’re offended. I think a part of this comes into play. It’s not to say that software developers are imbeciles, because they’re not. But software developers are experts at developing software. Security researchers are experts at breaking software. So, we can’t expect every single software developer in existence to also be an expert when it comes to security. And that’s where the issue comes into play, because as a security researcher I can tear networks apart. I can tear technology apart. I can find vulnerabilities in almost — with the exception of one thing — I can find vulnerabilities in everything with the exception of one piece of technology. And that’s my job. That’s my expertise. I couldn’t go to a developer and say, “Hey, find vulnerabilities in all these different things.”

They’re going to say, “Well, that’s not what I do.”

And likewise, I couldn’t go and develop something that a developer could build. I mean, sure, I can write code. I can make something work, but it’s not going to be a professional-grade product if I develop it. It’s going to be a site that’s kind of hacked together. So, it’s a different expertise.

And, and I think that that is something that is somehow missing in the communication or the thought process. When a researcher approaches somebody, that somebody, in an ideal world, would think “Oh, great. This is an expert that’s trying to help me by telling me that I have a fault in this piece of technology.” But instead, they’re saying, “Who are you to come and tell me that I got this problem? I pay my developers a lot of money, and they do a really good job. And you want to insult their work?” And that’s just not helpful.

Finding Flaws in Software

Paul: Well, and then the counter question to that is, is that “Would you rather not know that this has a flaw?”

Adriel: Right. Well, actually, what we’ve seen in some cases with some vendors — not just critical infrastructure and medical but we have seen that they would not only rather not know that there is a flaw, but we have seen that after we tell them that there is a flaw that they would rather not tell their customers and just hide it altogether. And, that is terrifying. When you see a vendor that knows that vulnerabilities exist in technology, and they continue to sell that technology, they’re quite literally putting their clients at risk. And they’re doing it at some level, knowingly.

Paul: Well, sure.

Adriel: And then, of course, then you have ethical questions that come into play there and things like that. And we’ve seen this blow up. In the past, there have been instances. In fact, we were involved with a very first instance way back in the day with HP and Tru64 where, where vendors have tried to quash research, and then later, the research became exposed, and the community said, “Hey, what’s going on?”

And their clients say, “Wait a second. These guys come to you telling you about a critical vulnerability, and you try to hide it from us? What’s the deal?” That doesn’t make clients feel particularly good either.

The, the appropriate approach would be, like I said initially, “Thank you for telling us about the vulnerability. Let us fix this. Let us coordinate how to notify our clients and how to tell the world. And let’s do this in a way that really helps everybody.” And if they take that kind of approach, that’s great because clients get notified, patches get produced, and so on and so forth.

More Episodes:

This is Part 1 of our interview with Adriel Desautels. Be sure to listen to Part 2 here! We’re talking with Adriel about why hackers hack!

Growing Up in Technology: Entrepreneur Greg Arnette

On Episode 62 of The Edge of Innovation, we’re talking with entrepreneur Greg Arnette, about how growing up in technology influenced his life.

Show Notes

Greg Arnette’s Website
Find Greg Arnette on Twitter
Contact Greg Arnette
Find Greg Arnette on LinkedIn
Sonian’s Website
Philips Color Kinetics
Alertware
Amazon S3 Cloud Services
Ruby on Rails
Link to SaviorLabs Cybersecurity Assessment

Sections

Color Kinetics
Introduction To Greg Arnette
How It Began: Growing Up In Technology
The Beginning of a Technology Career
Starting a Business
An Entrepreneurial Background
Alertware and IntelliReach
Venture Capital
Thoughts on Amazon
The Building Blocks: Ruby on Rails and Amazon
Sonian: A Cloud-based Software
Going to Market With Sonian

Paul: We’re here today on the Edge of Innovation. We’re talking with Greg Arnette, the founder of Sonian.

Yeah, isn’t that cool?

Greg: Yeah.

Paul: Isn’t that cool?

Greg: Retro.

Paul: Yeah. It is.

Greg: I was looking on eBay for like the old-fashioned one but didn’t even know they had these available.

Paul: Yeah. It’s amazing how big the economy is. I’m always surprised that there is a machine, a factory somewhere making it. We’re talking about the “On Air” sign here in our window in our studio. It’s amazing how many things you can get, and that there’s a sustainable economy that consumes them all.

Color Kinetics

Greg: Everything is being reinvented around LEDs as well.

Paul: Right. Exactly. Well now, you were interested, really, in LEDs back when… What, who was the company in Boston?

Greg: Color Kinetics.

Paul: Yeah, Color Kinetics, and you did that in your house.

Greg: I did. Yeah. A long time ago.

Paul: Is that still the same house now? Are you still in the same house?

Greg: Yes. Back then, that would have been the early 2000s.

Paul: That was really cutting edge.

Greg: Make a big leap, a big investment in Color Kinetics, LED lighting for cove lighting and color changing and that kind of stuff. Now it’s everywhere.

Paul: Was it worth it, having made that investment?

Greg: Yeah, yeah. Learning curve. It’s funny. The equipment I put in, now going back to around 2003, 2004, is considered ancient right now. And a couple of the transformers have burnt out and just… Because this stuff wasn’t designed… I mean, it was mass-produced but in limited quantities for professional lighting installations, and I’m kind of a tinkerer around electronics. So I’m taking them apart and had to kind of cobble together replacement stuff from existing parts and sourcing things on eBay because the transformers aren’t available anymore. If they are, they’re really expensive. But I was fortunate to come across a collection of newer generation replacement parts. I mean, lighting fixtures and transformers. So one of my weekend projects is to rip out the old and upgrade myself.

Paul: Wow. Now is Color Kinetics still a viable business? Are they in business, or have they gone out?

Greg: No, they’re there. So they were acquired by Philips, the big lighting. And you probably know some of their technology as Philips Hue, which is becoming really popular because these are more individual discrete light fixtures, LED-based. They do full-color spread from cool white, warm white, all the way to RGB. And you can control them with Alexa and your smart phone and web apps, and they plug into all the latest generation of smart home technologies and hubs and stuff.

Introduction to Greg Arnette

Paul: So we’re here today on the Edge of Innovation. We’re talking with Greg Arnette. Currently, you’ve got a new title, but I’m going to call you the founder of Sonian. Is that fair?

Greg: That’s fair. Sure.

Paul: Okay, but some stuff has happened. And we’ll get into that and all that. But you’re an entrepreneur of a long time, pretty much probably your whole life, I think.

Greg: Yeah. It’s been 30 years, I think, of thinking about ideas in the tech space, creating companies that solve problems and moving on to the next thing.

How It Began: Growing Up In Technology

Paul: So when you grew up what were you interested in? Were you a bookworm? Were you a sports person? Were you a nerd like I was? I loved technology and cool things. What was that like for you?

Greg: Yeah, definitely a self-categorized nerd, interested in electronics, technology of the era. I grew up in the ’70s and the ’80s, so a lot of it was analog stuff that I was tinkering around with. I got influenced by a grandfather who was into ham radio, and I got my ham radio license back in the 1970s as a teenager and kind of tinkered around with radio electronics for a lot. You had to learn a lot of radio electronics to get your license, as well as Morse Code. And that evolved into early interest in computers. And so some of the early computers that our generation remembers – like TRS-80s and the Texas Instrument little computer…

Paul: What was your first computer?

Greg: It was something out of England called a Sinclair, I think.

Paul: It’s mine too, mine too.

Greg: It was a little teeny, almost the size of a book.

Paul: ZX80.

Greg: Yeah. It’s the Sinclair, and then in high school, we were fortunate. I went to a high school that, it was in Haverhill High School, very large high school for the entire city. And the data processing for the whole city was actually in the high school. So we actually had access to a large amount of computer resources, including IBM, System 360s and TRS-80 labs, and stuff. So I got to tinker around a lot with that kind of stuff.

Paul: So I did similar things. I was very much into audio and electronics and building audio components and stuff like that. And computers, I got the ZX80, and it was, “Oh, this is school. You know, this is neat.” Was there an inflection point there that made you choose computers? Was it just technology in general? Are you a computer nerd or are you a technology nerd, I guess?

Greg: I would say technology focused with most recent time is spent in the computer realm or information technology realm. I had an uncle who was, I think a vice president of engineering at Prime Computer back a long, long time ago when that was actually a name that resonated in this area. And he hooked me up with a terminal that we could have in the home so I could plug into their, what they would call, a mainframe and got to dabble in languages like FORTRAN and stuff like that, which was what people would be doing back in the–

Paul: But you had it at home.

Greg: Right. Which I got to use very little of it because it tied up the one phone line we had. At that time, even a call down into…from where we were up in the North Shore into Boston would have been a toll call, so it was fun, but I didn’t get to maximize as much as I could.

Paul: I’m sure when the phone bill came, they’re like, “Greg, what are you doing? What’s going on?” Wow. That’s cool.

Greg: Yeah. So, I enjoyed that for a while. So I had some opportunistic, early access to technology from some family inputs. My father and my family, in general, wasn’t into technology per se, but they’re very entrepreneurial in other kinds of business, mostly in chemistry and chemical stuff. But I didn’t really gravitate towards that myself and got kind of tied into electronics and tinkering around and building stuff and that kind of thing.

Paul: Do you know the right end of the soldering iron to hold?

Greg: Yes. Yeah.

Paul: Okay so you’re that level, because some people are like “I don’t know what to do with a soldering iron.”

Greg: Yeah. I was fortunate, when I was growing up, to just fall into things, that situations that were very interesting to me and also financially lucrative. So in high school, my high school part-time job was to work for a local electronics company that manufactured emergency lighting systems, the kind of things you’d see in the corner of a building when the power goes out. And so I was working on the assembly line manufacturing PCB boards or diagnosing problems. And eventually I was actually managing people, which is kind of funny as a high schooler. But it was the perfect job. It went from two in the afternoon until five and didn’t have to work on weekends. At that time, all my friends were working at the supermarket, and they had to work at nights or on the weekends, and so it lined up nicely.

But I got to learn to solder and how to take things apart and use those solder pumps.

Paul: Yeah. A solder sucker.

Greg: The solder sucker to take away the–

Paul: Foop, foop.

Greg: So I pride myself on a nice clean…

Paul: Exactly. I don’t know why I’m saying this. I was on YouTube the other day, and a video came up that they said I’d be interested in. And boy, were they right. It was how to properly tin and clean your soldering iron. I’m like, now that’s really geeky.

Greg: That’s a skill. Yeah.

Paul: It is. It is.

Greg: Undervalued skill these days.

Paul: There’s a YouTube video with 165,000 hits on it, which is amazing to me.

Greg: You could get an entire education on YouTube right now.

Paul: Yes, you can.

Greg: On almost anything.

The Beginning of a Technology Career

Paul: So, you went to college?

Greg: I did. I went to U Mass-Amherst.

Paul: And what was your degree?

Greg: I was able to do a bachelor’s degree in individual concentration. So it was a blend of liberal arts and computer science, so it wasn’t traditional.

Paul: And so what was your goal? Did you want to be a programmer? I mean, computer science?

Greg: Yeah.

Paul: They didn’t have a lot of things to offer back then, I’m sure.

Greg: No, this would have been in the early ’80s, and there really wasn’t a computer science major back then. Most people were, if they wanted to go into computers, they were doing electrical engineering or mechanical engineering and I started off as a chemistry major and then just kind of got bored with that. And then physical chemistry kind of killed me. I said this is not what I want to do. So switched into a combo degree. U Mass was so big, you could design your own program, and you had a sponsor or thesis guide who took you through it.

I thought I would probably do something like tech writing. I don’t know. I don’t know what I was going to do.

Paul: So what was your first job out of college?

Greg: So I was fortunate. Again, I stumbled onto something and so, I’m a really big believer in the Law of Attraction, so I must have been thinking about this, and I manifested it somehow. I got an internship my last semester, for a company in Woburn that was called ABC Software. Its job was, basically, back then, was to help people leverage the 1-2-3 spreadsheet. So ABC123. It was kind of like a kind of a hokey name but that exposed me to PCs and business. I had never seen that realm before. So I was writing tech manuals for their software, and then that turned into just doing everything for them. They offered me a job when I graduated college, so I just segued right from the internship into full-time employment. And this was pre-days of VC and so forth.

So this company hooked up with Businessland and basically was the installation unit for all the IBM PC sales in the mid-1980s. That turned into local area networking, Novell Networking, and I just kind of just kept following that path and was mostly working on the side of IT that was helping small and medium-sized businesses implement technology for the first time. So a lot of early PC networking, little custom programming jobs here and there in dBase III. Remember Clipper and dBase III?

Paul: Yes, I do. Yes. Did you do Clipper work?

Greg: Yeah. These little teeny apps that they were kind of fun. Right?

Paul: And they were lightning fast in Clipper compared to dBase. That was always the astonishing thing to me.

Greg: Right. And then I kind of got involved in what was called then 4GL programming – this platform called Clarion.

Paul: Oh wow. Yeah, I haven’t heard that in years.

Greg: Yeah. Anyways, that just evolved.

Paul: And this is in ABC?

Greg: No, no. This is after that.

Paul: Oh, so after ABC. I want to get that transition. So you were at ABC, “corporate” America? Was it a mom-and-pop? Or was it a…

Greg: It was two 30-ish guys that got together.

Paul: How many employees at that time?

Greg: Oh, it was just like 15 people.

Paul: Okay. Well that’s a decent number. But, it was a small company. So they weren’t trying to compete or be like Lotus 1-2-3. They just used the name, and they had some connections with Businessland.

Greg: And they also developed an application that helped – I think it was funeral homes – manage something. I didn’t get too involved with that. So they were doing lots of different things. They eventually got onto the Lotus Notes bandwagon and were doing all kinds. Since I left, they got into Lotus Notes.

Paul: So why did you leave there?

Greg: I just wanted to sort of scratch some different itches, I guess, so to speak. And the opportunity to grow in that environment was, I could see it was going to be limited.

Paul: Sure. Small company.

Greg: And I left there. What did I do? I left there. I went to work, for…At that time, PC Week Magazine was just becoming really popular, and I took a job as their network administrator internally and did that for a very short period of time. I realized it wasn’t what I wanted to do. I didn’t want to work for a specific company just doing network administration.

At that time, they were on a 3Com network, which I wasn’t interested in. So I left that and then went to work for another company doing kind of internal IT. After that, went to work for a, I guess you would call it a PC network reseller back then in the early ’90s that was servicing all the law firms around Boston. So I got involved in a lot of technology around, upgrading like old-style Wang systems into modern – back then – modern PC-based LANs, word processing, and email. And then I got kind of got into the email theme and have been kind of riding the email now since then.

Starting a Business

Paul: Right. So then what was the, the change or the inflection point that occurred that said “I’m going to start my own business”?

Greg: So that consulting company got acquired by another consulting company. I worked there for a while focused on mass email and groupware. Back then, we called it “groupware,” specifically like exchange and Microsoft Exchange, Novell GroupWise, Lotus Notes. It really just resonated with me. I love technology that helped people communicate efficiently with each other. And I loved seeing how the implementation of an email system in an organization that didn’t have it before changed a lot of ways people thought about technology and getting rid of paper-based memos and going to electronic messaging and so forth.

Paul: Now I know, just as an aside, you were a big fan of GroupWise.

Greg: Yeah.

Paul: I was too. I loved the client. I liked the whole infrastructure, but that could be a whole episode in itself is just to talk about how that whole world changed. But anyway, so you were doing this for this company, sort of their messaging expert, I guess.

Greg: I was. Yeah.

Paul: And then, what happened?

An Entrepreneurial Background

Greg: That company got acquired. At that point, I was reflecting upon myself, and I wanted to do my own thing. I didn’t want to work for anybody, or I didn’t want to–

Paul: Where do you think that came from?

Greg: In my genetic code. My father is the same way. We’re entrepreneurial kind of background. My father’s a serial entrepreneur. I grew up in that environment. It didn’t scare me, the risk taking.

Paul: Are all your siblings entrepreneurs?

Greg: I have three younger brothers. Two of us are and two of us aren’t.

Paul: Okay, well that’s good. So, it’s there. So what were you going to do? What was the opportunity?

Alertware and IntelliReach

Greg: Yeah, the first thing I focused on was looking at email and messaging and seeing that as a consultant in that space, I was solving the same problem over and over. So I thought I’d productize this thing. And it was around, is the email system working? What’s the health of the email system? kind of stuff. So that turned into let’s design some software to make that a product and created this company called Alertware that was an email monitoring system back in the mid-1990s. And it was very successful from totally grassroots. I hadn’t known how to do anything, and that company got acquired by another bigger company called NetPro, which was out of Scottsdale, Arizona.

At that time, NetPro was the leading Novell third-party addon. They had all these things for eDirectory.

Paul: Yeah. Now that you mention it, yeah.

Greg: So they renamed the product called Mail Central. And I didn’t go with the acquisition, so that funded my ability to create another company that was called IntelliReach. Initially, IntelliReach was looking at doing something around PalmPilot, because at that time, I was really interested in the PalmPilot, and I thought it was kind of a big business use case and so forth. So I didn’t find a way to make some money on that in the early days and reverted back to a theme I know, which was email. And then IntelliReach started to do things around email – email reporting, analytics, health, that kind of stuff.

Paul: Very cool. So now, you’re a CTO in general – a founder, CTO. How would you categorize yourself? Is that fair? You’re a CTO?

Greg: Yeah. Founder/CTO type. Yeah.

Paul: And so why didn’t you go towards the business president kind of thing?

Greg: In the early days of both Alertware and in IntelliReach, I wore lots of different titles as the company morphed from early days to getting sort of more mature, and I felt my best being true to myself, my best contribution to the project would be focus on technology, align myself with someone who could handle business, and become a pair and go work together.

Paul: Well that’s worked pretty well for you, I think.

Greg: It has, yeah. I think in hindsight, I probably was putting some limiters on myself that I didn’t need to because I had not seen like a pattern where “Oh I can do business as well as technology.” So just in terms of things of how do you create a sales team, how do you do marketing… I self-limited. I said, “Oh I could never figure that out. I’ll just let someone else do it.” Now if I were to start something, I would be in a different role, I think.

Paul: Alright. So you started IntelliReach. That’s how I met you. You actually acquired one of my companies, which was a great experience and worked with you for several years.

Greg: It was great.

Paul: So you sold IntelliReach.

Greg: Yeah. IntelliReach was acquired in 2005 or 2006. I can’t remember now. Around there. And similar situation – I did not go with the acquiring company. I just had no interest in working for a multi-thousand person organization and it just wouldn’t have been a good fit for me.

Paul: Did you have an idea already?

Venture Capital

Greg: No. At that point, I was kind of burnt out from the experience. It was my first dabble with venture capital.

Paul: Was that thumbs-up or thumbs-down for venture capital?

Greg: It’s to be blunt, thumbs-down. It wasn’t a great experience. Hindsight, it was the wrong investor type. It was a company that was more focused on media and communications, and they wanted to get into software as service. And so that was what IntelliReach was going to morph into, was software as a service business after being kind of a software and appliance based. But the company that acquired the technology and the employee base took it further and did okay, so…

Thoughts on Amazon

Paul: So, you were burned out on that. So what did you do? Go to the beach or…?

Greg: I did. Yeah. So at that point, I was fortunate to have built a house in Cape Cod and took three or four months off during the summer, got very healthy, long walks. This was now 2006, I’m pretty sure and, got some clarity on stuff. And I have a very kind of wide-angle, nonlinear thinker around trends, technologies, what’s next, and started to notice this thing called Amazon S3. And I’m like “What’s Amazon the bookseller doing with this cloud object store kind of thing?” And just started thinking, “Wow, there’s something here. I’ve got to figure this out.” So, that sort of became the next project, it was around cloud and Amazon.

Paul: So what were your thoughts about Amazon? Because it was, okay, what’s a bookseller… I had the same thoughts. It was like “What’s, what’s going on?” And, and then it turns out, as you pull the covers back, it was like “They did some serious work here.” I mean, it wasn’t just an initiative that was going to die, like “Oh the marketing people came up with an idea, and they’re going to put it up on paper, but it never turned into technology.” But Amazon seems completely counter that. The technology they built is rock solid.

Greg: Yeah, it was very unconventional. And sort of a pre-story to that is, during the IntelliReach days – and I’m not sure if this is after you were involved or not. I’m not sure. But, we had been talking to Sun Microsystems around deploying our software on what they were called the utility computing network, what pre-cloud. Utility computing was pre-cloud. And we spent six months with them, with a team up in Burlington, Massachusetts where Sun had an office. They were going to set up, basically, an environment that we could deploy our software, and it would be a dollar per CPU hour and a dollar per gigabyte per month, which seemed compelling. But when you actually did the spreadsheet analysis, it was still cheaper to go buy your own hardware, go rent a colo cage at a hosting center and just keep doing it the way we’re doing early, hosted applications, which is you own the entire stack, including the hardware, the networking layer – everything.

So we couldn’t make the economics work, but boy, I was really excited about the idea of not having to even worry about infrastructure and just focus on software and the problem that I could go solve for the customer. So when I saw Amazon S3 become available about a year later, I think at that point, it was 15 cents a gigabyte per month for like world-class storage, really good resiliency SLA and durability SLA. I was like that’s the game changer here in terms of being able to go do something.

The question I had was, would anybody take that seriously? Would a business actually trust–

Paul: A bookseller?

Greg: Yeah, the bookseller, to store their data – whatever it is – on behalf of a software as a SaaS application.

Paul: Okay so then you’re, so you’re, you’re on the beach relaxing and you hear about Amazon S3 and you’re like “There’s something here. I’ve, I’ve got a utility here.”

The Building Blocks: Ruby on Rails and Amazon

Greg: Yeah, there’s, there’s, there’s something here that I think is going to… Just an intuition. It was like, this is going to be big. The price points are too compelling to walk away from – pay as you go; pay with a credit card; pay for what you use; super simple. The API was really easy. And sort of take that with another thing that I was paying attention to which was Ruby on Rails, one of the first web application frameworks that sort of sponsored this idea of, again, sort of, if there’s sort of this undifferentiated aspect of building something, just let the framework take care of that. Don’t reinvent the wheel every time. Right? How many times do you need to reinvent a way for an app to talk to a database kind of stuff? Or to deploy an app. So a combination of dabbling and Ruby on Rails.

I took a, like a couple day intensive programming course in New York City over that summer. And I met someone from Boston who was down there. We started comparing notes. And he was working on something that was Rails related and also talking about Amazon. He was like “Hey, there’s something going on here.”

So Amazon and Ruby on Rails, we kind of bunched those together. They weren’t designed for each other particularly but just they were two nascent trends that I just felt they were going to become more popular. And they did. Rails is now, kind of, I think, on its…

Paul: Its horizon. It’s sunsetting almost. It’s like wow.

Greg: Exactly. Things are happening really fast. Right? But for six, seven years there, it was like the thing and alongside with maybe some Python frameworks and PHP frameworks and stuff. So these became like building blocks.

Paul: Right. Yeah, yeah, components you can pull off the shelf.

Greg: Components – pull off the shelf, get something done quickly and effectively. Wasn’t just time is the essence but also something that actually worked.

Paul: So what time period was this?

Greg: 2006, 2007. I built this little teeny, Ruby on Rails web app. It was like an early version of an online Note Taker and just wanted to see how… And then ran it on Amazon, ran it on EC2, stored the data on S3, and it worked. I mean, it proved that something you could actually do this on AWS back in the 2007 timeframe.

Sonian: A Cloud-based Software

Paul: So then what, what happened? You decided to start another company? You’d gotten rested, fit, ready, and rested?

Greg: So, end of 2007, end of 2006, early 2007, started to network. I’ve always been interested in email and messaging and the problems around that. So, not so much build an email system or messaging system but help solve problems around those environments. And problems were morphing from your antispam and antivirus were the things people worried about more to compliance, retention, data preservation, searching on the data – that kind of stuff. So I thought that’s a domain area I know. I have lots of contacts, had a certain momentum in that area prior to the IntelliReach acquisition. So maybe I could take that knowledge base with this game-changer cloud and this framework called Ruby on Rails, mash them together and do something. And that’s sort of how we started Sonian.

Paul: I see. Okay. What was the initial goal of Sonian? Did you have a vision for it?

Greg: In a sense, yeah. It was a cloud-based, Software as a Service that would help businesses retain, search, and analyze their employee-generated content, which back then was email.

Paul: Did you stay true to that?

Greg: Yes. Yeah.

Paul: So, no pivots? Were there any major pivots in there?

Going to Market With Sonian

Greg: The pivots, we certainly had pivots. The pivots were how we went to market. So we started with, it’s going to be a direct sale. We’ll sell it directly. And we might have been a little bit ahead of where the customers were back in that time period. I think it was just at the tipping point where SaaS was taking off and going mainstream. You had Salesforce had been around for a while proving it out. And they were promoting the idea of no software and other SaaS systems were getting popular and accepted. There weren’t any SaaS apps built on the cloud back then. It was still SaaS self-hosted or in a colo or something.

And so that was a little bit against the current, so to speak, of trying to do something on the cloud. Within a couple of years, it all switched entirely. It was, if you weren’t using cloud, people look at you funny. But we were out there promoting or raising some additional funding, we had to sell the cloud as much as we had to sell the business problem we were trying to solve. So that was a little more headway than I expected or anticipated. But it all worked out.

So the pivot we made was, instead of selling directly to businesses, a service that they would add on to their email environment, we found that companies that were providing hosted email – either hosted Exchange or hosted something else – they had a gap in their portfolio that we could fill for them. So we focused on white labeling and OEM and APIs to offer to those other providers that then would sell to the end user, to the end customer.

© 2025 Paul Parisi
