On Episode 108 of The Edge of Innovation, we’re digging in our archives to bring back one of our most popular podcasts – “Big Data.” We’re talking about what it is and how it can help your business!
Hacking the Future of Business!
On Episode 87 of The Edge of Innovation, we’re talking with Jeremiah Smith, CEO & founder of Simple Tiger, about SEO, Google, and Artificial Intelligence.
On Episode 72 of The Edge of Innovation, we’re talking with entrepreneur Simon Wainwright, president of Freebird Semiconductor, about Gallium Nitride technology and the future of the space industry.
What is GaN?
What is Moore’s Law?
How2 Cut The Power Cord: Wireless Power Is Ready For Prime Time
SPWG — Space Parts Working Group Conference 2018
Freebird Semiconductor to attend and present at 2018 Space Parts Working Group
The Aerospace Corporation
What is Gallium Nitride?
How To Build Gallium Nitride
Computing Technology
The Future of Gallium Nitride Technology
The Space World Today
The Beginning of Freebird Semiconductors
How To Convince the Space Industry to Adopt New Technologies
How to Do Accelerated Life Testing
Paul: So now it’s gallium nitride.
Simon: That’s correct.
Paul: From my science in school, I’ve seen gallium, and nitride is…what is nitride?
Simon: It’s nitrogen. Basically, it’s gallium and nitrogen.
Paul: So you put them together.
Simon: Yeah. Put them together. One of each.
Paul: So what do you do? Go to the store and buy a bucket of gallium? Or what is it? Is it a metal?
Simon: Well, no. They exhibit semiconductor properties when you join them together. So essentially you would still use a silicon handle wafer, which is basically just the base. Consider you’re building a house, let’s say. So you would use silicon wafer as the foundation, which basically does nothing, but it makes everything strong. So it has no functional role as you build onto that. And you gradually grow it. So you have a reactor, and you grow by atomic layer by atomic layer, and you grow the structure.
Paul: You do this with tweezers?
Simon: We do this at very high temperatures. So we basically grow it and we insert different gases into this chamber, and they react, and their natural state is to form gallium nitride. We put in dopants of different kinds to make, to change…
Paul: So you’ve figured out the process.
Simon: No. But we’ve figured out how to modify the process. So the process was figured out by EPC. So we’ve figured out how to modify that process.
Paul: People have all seen the sort of semiconductor circles with all the chips not cut out. So you take a wafer like that, and you’re collecting this by using gas. Is it diffusion?
Simon: Well, you basically grow different layers. So, if you can imagine, you’re building your house onto your silicon foundation.
Paul: Atomic layers.
Simon: Yeah, layer by layer.
Paul: So, one atom thick of gallium or nitride or is it together?
Simon: You start introducing different concentrations. And you gradually go from a pure silicon wafer to like a pure gallium nitride layer. So you gradually introduce it. There’s obviously a transition, a buffer region. But the real gallium nitride, pure gallium nitride layer, which is where all the action of the transistor is, is a couple of layers of atoms thick.
Paul: Wow. So it’s more like a peanut butter sandwich.
Simon: Absolutely.
Paul: I mean, the house is good, but it’s got to have no basement.
Simon: There you go.
Paul: So we got the bread, and we start putting peanut butter on. But we’re really putting peanut butter and jelly. And by the time we get to a certain thickness, it’s perfect mixture of peanut butter and jelly. So you’re really in the sandwich-making business.
Simon: They wouldn’t fill you up. They’re very thin.
Paul: They’re very thin. But how can something so thin switch electrons. Do you do any other things to them?
Simon: Well basically, this gets really technical. We confine the layer of gallium nitride to be so thin that you form what’s called a quantum well.
Paul: Sounds cool.
Simon: Sounds really good. So if you go into atom-sized dimensions of everything, then you get quantum physics starts kicking in and you confine a load of carriers into a very very small space, and you increase the mobility of those carriers. So that way, they can travel through the semiconductor a lot quicker. And our components are actually called HEMTs — high electron mobility transistors because of that.
Paul: Alright. And so then what’s the next step? So you’ve got these wafers, and you’ve succeeded in putting how many atomic layers are there?
Simon: I couldn’t really say that.
Paul: Okay, so that’s a secret.
Simon: Somebody would kill me. I’m not sure who. But somebody would kill me if I said that.
Paul: So it’s more than one and less than a billion or whatever.
Simon: There you go.
Paul: I don’t know. A billion wouldn’t probably even show up. But it’s an atomic layer, so you’ve got this sandwich. So then what do you do? Slice these up and put them in packages?
Simon: Basically, you need to put the third electrodes. So at either end of this very thin layer, you have a source and drain. That’s where the current flows between, in and out. And then you have to have a control contact, which, in this case, is called a gate. When you open the gate, you allow the electrons to flow from in to out. And essentially that is a transistor. So the Jell-O, if you like, on the top, is the gate. The technology with that is, there’s a lot of physics involved. There’s a lot of technology involved to enable that to work correctly, so to speak.
Paul: Sort of make it all happen. So then the application of power to that gate can be faster, switched faster. So and we’re talking very small amounts of time here, even in a regular transistor. So if you take a silicon transistor and you apply power to the gate, what’s the switching time?
Simon: I mean, it varies. There’s a lot of different configurations, but I’ll give you the limitations of the switching time. So the switching time is determined by charge. You have charge on the gate and charge on the drain and the source. So the more charge you have to move during your switching operation. So the lower the gate charge or the drain charge or whatever, the better, the faster you can move it, because you have less things to move. So that’s basically what determines the switching time of a transistor, any transistor. So if we can compare apples with apples, a radiation-hardened silicon MOSFET, which is the silicon way of implementing this, to an enhancement-mode GaN HEMT, our gate charge is an order of magnitude lower. An order of magnitude lower.
Paul: So now does this have any application in actually computing technology?
Simon: Absolutely.
Paul: Because that’s the point, we’ve got to get things to switch quickly. So that’s cool. Is there a projection in somebody’s mind out there for the impact of computers being faster because of this?
Simon: Absolutely. I mean, you’ve heard of Moore’s Law, where I think it’s every 18 months the size of electronics reduces by half. So this will actually permit that to continue because silicon has really gotten to…
Paul: We’ve squeezed as much as we can out of it.
Simon: Yeah, to its fundamental limits. On this is more on the commercial side, not related as much to our product. But certainly more on the commercial side, the founder of EPC, Dr. Alex Lidow, has predicted that Moore’s Law will continue. Some of us like to now call it Lidow’s Law.
Paul: Interesting. So does that mean, and again, I am not holding you to this. Is this five years from now I’ll see computers doing this? When am I going to go to the store and buy a computer that’s a magnitude faster because of this technology?
Simon: At this point, I’m not able to tell you that because my world is the power world rather than the digital world. So, I don’t really know how fast it’s going to be adopted in the digital world.
Paul: How about in the power supply world?
Simon: The power supply world, it’s here already. You’ll see new products coming out, to put it directly into people’s lives. You’ll see that you can actually cut the cord. You can throw away wires because you can remote charge most things. You will be able to remote charge most things.
Paul: So it’s not wishful thinking.
Simon: Oh, no. It’s actually happening.
Paul: Because we’ve heard a lot about wireless charging and all that, but it doesn’t work all that well, and it’s sort of working, but it’s not. So you’re saying it’s prime for market betterment.
Simon: Absolutely. I mean, I have a Samsung. I have the pad. I replaced the Samsung. So gallium nitride is not actually used in the Samsung or even the Apple remote charging things at the moment. But it will be in the future. It will have to be incorporated.
Paul: And what does that make it? Does it make it charge faster?
Simon: Makes it charge faster.
Paul: Further away?
Simon: I’m not sure about that. I’m not as familiar with that technology to give you stats and distances and things like that. But it’s certainly faster. It’s more efficient, and, you know, it would enable you to charge higher powers rather than just a phone. You can actually run a laptop on a desk. You’d have a charger pad underneath it. You just put the laptop or whatever.
Paul: Alright. So now in the space world, there’s all these people putting satellites. Is it just satellites? I mean, there’s a few missions outside of our planet, I would imagine. But the majority of it is satellites, or is there other stuff in the space world?
Simon: I would say there’s satellites. There’s space exploration vehicles, the ones that go to different planets.
Paul: Have you made it into any space exploration vehicles yet that you can talk about?
Simon: We’re working on one. Let’s leave it at that.
Paul: And do you work with any aliens yet?
Simon: No. Some of the guys back at the office.
Paul: The market there is huge, I tell you. That’s just incredible! So you guys started this and you’re on the North Shore here in Massachusetts. What does that look like over the next three years? How does your company grow? Are you commercialized? Are you shipping? What are the next sort of milestones?
Simon: Okay. So let me go back to when we founded it. So we spent a year basically developing our product portfolio to making sure. We had to do a bunch of testing, do radiation testing. We do electrical testing. We do temperature testing. We do a plethora of different kinds of tests. So we spent a year, 18 months getting to that point. And that never ends. We have to continue to test, continue to push the boundaries of the technology so that we know where it fails, why it fails, how it fails.
Paul: And then how to fix it.
Simon: And how to fix it. If you know that, then you can determine the lifetime of that. But the bulk of that work was done in the first 18 months. Then we sort of came out of the closet, so to speak, and we went public. We came out, out of hiding, so to speak, after year one, essentially. At the end of year one. And we presented to the industry at a conference called SPWG — Space Parts Working Group over in California. This is sponsored by The Aerospace Corporation, which is one of the, I would say, like a regulatory body sort of thing. And people there were NASA, the European Space Agency, the Japanese Space Agency, and then all of the guys that build satellites — so Boeing, Lockheed Martin, Northrop, all of the prime contractors are there. So we came out at that.
Paul: Was it a surprise to them?
Simon: There was a lot of interest. Let’s just put it that way. There was a lot of interest at that point.
Paul: So I’m a designer in the satellite world. You’ve just given me new tools.
Simon: I’ve just given you a new solution.
Paul: So this is like, “Okay. I’ve got to redesign all my power supplies.”
Simon: Well firstly, there’s a lot more work that has to be done before anybody that is remotely involved in space will actually adopt your technology. Firstly, you have to convince them. Bear in mind that the technology for space has not changed in 30 years, since the lunar landings and all the Apollo missions. So you have to break down resistance to change first in a lot of these companies. And the only way to do that in this space industry, which is an extremely cautious industry, the only way to do that is with data.
So we had to go through our portfolio, and we had to test everything. Every single device that we ship goes through an individual screening program. Some parts get tested for 2,000 hours, for instance.
Paul: This is a part you’re going to ship.
Simon: Oh, yeah.
Paul: So it’s not just one sample.
Simon: Oh, no, no. Everything that we ship has been tested, 100%, at various different levels of stringency. So our second major goal was to break down the barriers of acceptance on this new technology into a world that had been dominated by silicon.
Paul: So it’s really marketing. I mean, it’s marketing with backup.
Simon: It’s marketing and engineering. Yeah.
Paul: But you’re talking to an engineer, and an engineer isn’t going to take that risk without compelling evidence.
Simon: Yeah. Absolutely.
Paul: Just like you’re not going to buy the car unless you like it. So you’re breaking down those barriers to entry or barriers to integration, I guess.
Simon: And essentially, you, you go through all of the data that they would require, and then you show them, once they’re satisfied that you’ve gotten to a point of reliability that they need, then you have to show them that the performance is worth it. So they’re not going to put anything in there that’s going to break after five years. So then you’ve got to show them. Then the sales end starts. Then you have to differentiate your product with switching performance or the losses or whatever somebody is specifically interested in for their specific design.
So at that point, then the sales effort starts to communicate all of those differences. So you have to have in your back pocket, one, a bunch of radiation testing, two, a bunch of life testing, reliability testing, and then — only then — once they’ve seen that data and believed that data can you then start trying to sell the product. So there’s a lot of upfront work, and there’s a lot of barriers to entry into this market.
Paul: Yeah, I could imagine. So do you give them samples?
Simon: Wherever we can, we try to sell them samples.
Paul: Well, okay. Alright.
Simon: But yes. We’ve been known to give a few away.
Paul: So they’re actually trying it and, and playing with it. It’s not like just a piece of paper.
Simon: No, no, no. Most, most of the major satellite companies in the world have Freebird parts that they are testing at this point.
Paul: So now, you talked about radiation testing and life testing. So how do you do life testing? Just for the average person, you’re not going to be alive in 90 years or 100 years, how do you tell if this is going to—
Simon: So we do accelerated testing. So basically, what we do is, we increase temperatures or increase voltages — whatever is sensitive during the lifetime of a component — and we put more of that than it would normally see. So we try and accelerate the aging process. So, for instance, a very easy example to understand is temperature. So we would test our parts for a thousand hours at the temperature of 150 degrees. Okay?
Paul: Fahrenheit or Celsius?
Simon: Celsius.
Paul: Okay. So that’s pretty warm.
Simon: You’re going to have to convert that into F.
Paul: Yeah, sorry. Okay.
Simon: It’s been a while since I did that. So, you’d leave that on with a bias, or you have your in and your out, your source and your drain, so you bias the drain at 80% of its rated voltage, and you leave it on test, continuously energized for a thousand hours, which is eight weeks, more or less. But the fact that you’ve done that at temperature, allows you, with statistics, to predict an accelerated aging, so to speak. So you get a lot into statistics.
Paul: It’s burning. You’d burn your fingers.
Simon: It’s 320 maybe.
Paul: Okay. So you’d burn your fingers. But isn’t space cold?
Simon: Space is cold, but we’re not trying to simulate space. We’re trying to accelerate the aging process.
Paul: I see. So basically, you’re stressing the technology. What about freezing tests?
Simon: Well, when you say, “Is space cold?” it depends where you are in space. If you have a direct line to the sun or, so are you on the bright side or the dark side of the moon, so to speak. When you’re in the dark side, you’re at minus 50-something C. If you’re on the bright side, you may be at 80 degrees C.
So we also go through thermal cycles. We have a chamber which has an elevator, basically a small elevator. It goes between an oven and a fridge.
Paul: Oh really? Oh, that’s cool.
Simon: It’s great.
Paul: You can put a soda in there, and you can cool it off really fast.
Simon: When we have office parties, we put the pizza in the warmness and the beer in the cold.
Paul: There you go. So you’re doing this, and you’re doing it from, I guess, a compliance level where you’re actually testing it and certifying it and making sure that it’s true so that people can track that all back.
You’ve been listening to Part 2 of our conversation with Simon Wainwright!
On Episode 61 of The Edge of Innovation, we’re talking with security expert Adriel Desautels, founder and CEO of Netragard, about whether cybersecurity is getting better or worse.
“Is Your Data Safe From Hackers?”
“This Year, Why Not Take Your Data Seriously”- Netragard’s Guide to Finding a Vendor
“Cars: The Next Hacking Frontier?”
“How to Find a Genuine Penetration Testing Firm”
“What Is Penetration Testing? Here’s the Right Definition”
“How To Hack A Company With A Trojan Mouse”
Bitdefender’s Website Where You Can Buy Bitdefender, recommended by Adriel Desautels
The Hands Off! Mac Update Download recommended by Adriel Desautels can be found here
VMware Fusion, also recommended by Adriel Desautels, can be found here
“Honeypots: The Sweet Spot in Network Security” – An article about Honeypots
The Frank Abagnale movie, “Catch Me If You Can”
CVE: Common Vulnerability Enumeration
The Watering Hole
You Can’t Detect What You Don’t Know To Look For
Programs and Operating Systems Adriel Uses
Dealing With Data
Is Computer Security Getting Better or Worse?
What is a Honey Pot?
Internet Security: Ten Years From Now
There’s No Excuse
Data With a Long Lifetime
Why Europe is Doing Credit Right
What To Do If You Have Been Compromised
How to Tell If Penetration Services are Genuine
Paul: Hello, everyone. I’m Paul Parisi here with the Edge of Innovation, and our guest today is Adriel Desautels from Netragard.
So now I recently read about a CVE. And just for our audience, CVE stands for…
Adriel: It’s the Common Vulnerability Enumeration, I think it is.
Paul: Something like that. So it was a vulnerability that if you browse to a certain website, to a website with a certain browser, and it loads an ad, your machine is infected. Can you explain? How does that work? And we’ll go through this probably…we’ll unwrap the onion a couple of times on this. How does that work? So I use Chrome and obviously, we think it’s secure today, but six weeks ago, we thought the same thing. And they fixed things in the past six weeks. So what happens? I go to a website. It opens up a news site. What happens? Tell me.
Adriel: So, this goes back into the helper application world. So, let’s use Flash as an example. Flash is a great example because Flash is always being exploited. In fact, our own company is notorious for having sold a Flash exploit. It made the news a while ago. But, Flash is used a lot for ads or videos or things like that on news websites or other websites, or at least it used to be. It’s a way of almost playing movies. Or playing ads and things like that.
Well, you can take Flash and you can embed specialized payloads into Flash. And then the Flash players themselves were vulnerable to these payloads. And when they would load the payload, the payload would exploit a vulnerability in the player, and then give whoever an attacker was — or whatever the end thing was — full access to your system. So in the case of malware, when the system is exploited, rather than give command and control of your computer system to some third party, the malware would be uploaded into the system, and it would do whatever it was going to do. So if it was ransomware, it would encrypt your system. Then maybe propagate it upwards, other directions. So really it’s taking advantage of helper applications.
Any time you browse the web, your browser is the main application that sometimes contains its own vulnerabilities that can be exploited. There are lots of other helper applications that come in. There’s different movie players, there are different content renderers. There are all kinds of things you can plug into a web browser or that you can use in a browser and any one of those things does have vulnerabilities and can be exploited.
So when you browse websites, when you look at anything online, you’re effectively trusting that source to have content that’s safe.
Paul: Okay, but now aren’t you also trusting their ad networks?
Adriel: You are trusting their ad networks, but more importantly, you’re trusting them. The ad networks are less likely… Well, they’re less likely to cause problems for you, than the systems themselves, usually.
Paul: Really?
Adriel: Yeah, I think so. I mean, from a theoretical perspective, I suppose anything could be a problem. But, I mean, if you look at…Are you familiar with the term watering hole?
Paul: Not from a computer point of view. I mean, from a wild gazelle point of view, yes.
Adriel: Yeah. Right. Exactly. So, in a safari, you have a watering hole. The animals, they all go to get their water, and they drink from this watering hole. And it’s the one place where the lion won’t eat the gazelle, and all these things are great and happy.
Now imagine some guy comes by with a bio agent that’s designed to wipe out these animals, and he puts it into the water hole. And these animals drink, and then they go back to their herd. And unbeknownst to them, spread this infection and then all of a sudden, their prides and their herds and all that just drop dead. That’s because of a poisoned watering hole.
So a watering hole attack is when you take a website, a common website or a news location or an ad network or anything like that, and you infect it with malware. The people who go and visit that website are then compromised or infected by the malware that exists in that website. If the malware is designed, as we would be at Netragard, if it’s designed properly, then what will end up happening is when that person takes their infected computer to another network, it will notify the controller, the person in charge, whoever deployed the malware, that they’re on a new network, and it will give them access to that network too.
So just like the infected animals that spread their infection to the rest of the herd, the infected computer will spread their infection to the rest of the computers in the network that it connects to. So it’s a watering hole.
This attack has been around… Boy, this type of attack has been around, since probably 2000, 2003, just never really heard about it until, I think it was called the Aurora incident, the Aurora something. It was when Google was targeted by the Chinese with a watering hole attack. And since then watering hole attacks have been happening. I can’t remember any off the top of my head or recall any on the top of my head that were as large-scale as that. That was just one example. I mean, there are, of course, you know… We have the ransomware attacks today that are happening. Bad Rabbit or whatever that was. They’re continuously going. But I don’t remember anything quite the scale of what was going on with Google, only because Google, of course, is massive.
Paul: They are a big target.
Adriel: Yeah. And so they have a lot of viewers. The bigger the watering hole, the more people that feed from it, the greater the impact.
Paul: So now if I’m just a general citizen sitting at my computer, why is it that Google doesn’t catch the fact that their site is infected or CNN or whatever? How come they’re not smarter than me?
Adriel: Yeah. You can’t detect what you don’t know to look for. A weird example. Imagine we somehow encounter extraterrestrials and they come in. “We come in peace.” Shoot to kill. They think they’re friendly. We think they’re friendly. Everything is going great. Meanwhile, they’re offloading masses of weapons, and we don’t recognize the weapons as weapons because we have no idea what they are. Right? And they begin to attack us with these weapons, but they’re not like anything we’ve ever seen before. So we have no idea we’re being attacked. And then all of a sudden, people just start dropping dead, and it takes us a while to begin to realize, we’ve been attacked.
Hackers are the aliens. We build weapons that nobody else has seen before. And we attack people in ways that they absolutely don’t expect and in ways that the security industry doesn’t expect. We come up with new things. And so you really can’t defend against the unknown, which kind of goes full circle, and that’s why this whole “I protect you against zero-day things” is ridiculous because zero days are unknown vulnerabilities you can’t defend.
Paul: So it’s all marketing is what you’re saying is…
Adriel: Exactly. That’s exactly right.
Paul: Now what kind of computer do you use? Do you use a PC with Windows or Mac or what?
Adriel: I use a Mac. But within the Mac, I use a hypervisor and I run about four or five different operating systems within that. So I use the virtual machines. Within containers is my real machines.
Paul: Which hypervisor do you use?
Adriel: Right now it’s VMware Fusion.
Paul: Okay. So you’re using VMware Fusion which allows you to run virtual machines, as they’re generally called. Are those sacrificial virtual machines, or are they secure?
Adriel: One of them is secure, but it can still be sacrificed if that makes any sense. I take snapshots regularly. So if I’m doing something, and I think anything bizarre happens, I just revert back to the snapshot that I know was good.
Paul: Okay. So this is a good line of discussion. So you have several VMs and you use those. Now in those VMs, do you have any antivirus, antimalware, any software on them that helps you stay secure?
Adriel: Yeah. Only in one of them, in the Mac VM, within the Mac. On my Mac within a Mac, yeah. I use Bitdefender and Hands Off! I use Bitdefender because it is proven to be one of the most effective pieces of antivirus software out there. When we do our own zero-day development, Bitdefender oftentimes will pick up our exploits or our tools and we’ll be able to say, “Hey, well okay. We have to adjust this because Bitdefender just found it.” Others just don’t seem to do it quite as well.
And then Hands Off! is sort of like Little Snitch, only it’s a bit more advanced. It’s a bit more advanced than Little Snitch. Hands Off! allows me to control what files are accessed, what ports are being connected to, what hosts are being connected to. So if I decide that I want to browse to XYZ.com, Hands Off! is going to say, “Hey, do you want to allow this connection? Do you want to allow this access to this file?” And I have to explicitly allow everything.
And it’s nice because if I actually brought us to a malicious site and I hit a Flash exploit or whatever it might be, when that exploit begins to work, I will see that my system is trying to access files and do things that it shouldn’t normally do. And I’ll say, “Hey, wait a second. Why are you doing all of this stuff? Something just happened. Let me revert back.” So I can catch it, even if I don’t know exactly what’s going on.
Paul: So it sounds like you have to be a little bit smart.
Adriel: Yeah. You do. You have to be vigilant. Absolutely.
Paul: And know what you’re looking at. So if the ordinary user was faced with Hands Off!, they might not know how to respond.
Adriel: Yeah, it’s not trivial, unfortunately.
Paul: So what are the other operating systems you run in these VMs and, and why?
Adriel: So BSD and Linux. BSD just because I like it. There’s not a lot of people that are targeting BSD. I like the port system a lot. And Linux because Kali is great for penetration testing and doing research, and a lot of tools run on it. I run Ubuntu, but I do that largely for administrative reasons because it has some cool functions and features that will help you manage other servers that are similar or systems that are similar.
Paul: And do you run Windows at all?
Adriel: I don’t. I mean, I do have a Windows VM, but I use that specifically for signing malware. So we have a code signing certificate and we sign all the malware that we push out, which is interesting. So I use Windows specifically for signing malware.
Paul: So how do you deal with your data?
Adriel: What kind of data?
Paul: Well, I mean, you’re doing work. You’re a productive member of society. You probably have a bank account. You probably have photos. You have business files, an agreement with a client, a contract here and there, etc. Where are those? Are they on the machine? Are they in a VM? Are they somewhere else? Are they on a flash drive?
Adriel: No. So everything that we have is stored in our data center that is related to the business. And it’s stored in different ways. If something is highly sensitive, it’s stored on an encrypted disk, and it’s also PGP encrypted. And there are only three people that can decrypt those files. If it’s medium sensitivity, then it’s stored in the system with an encrypted file system or it’s stored in a system with an encrypted file system within an encrypted database.
The idea of encryption, though, on end points like that, kind of promotes a false sense of security also. If you were to walk into our data center, and you were to lift one of our machines, the drive would be encrypted, and you wouldn’t know the passphrase to unlock the drive, so of course, it wouldn’t be useful. But if you’re a hacker, and you were to hack one of these systems, the contents are already decrypted because the system is running, and you’re going to gain access to the system and its respective data.
Likewise, encrypted databases, everybody always talks about them. “Oh, let’s use encrypted databases. They’re great.”
Well, if you hack a system with an encrypted database, the key exists somewhere because the database users, the people that are responsible for using that system, they have to have a way of decrypting the data. Right? And we have yet to find an instance where we breached a network, encountered the encrypted database, and couldn’t find a way to decrypt it. So really, encryption is not going to protect. It’s going to slow things down. The best way to encrypt something and protect is with something like PGP. But again, that’s not trivial. You know, I mean, PGP and managing that kind of…I mean, you lose your keys, you’re screwed.
Paul: Right. What do you do with your photos, your personal stuff?
Adriel: That goes into that Mac VM that I have that’s protected by Little Snitch and Bitdefender. And I, I just have those there.
Paul: Do you back them up?
Adriel: Yeah. I back them up.
Paul: How do you do back up?
Adriel: I back them up to the cloud. I dump them to the cloud. The iCloud. You just make sure that nothing is sensitive. That’s all. Nothing is compromising or sensitive.
Paul: Right. Okay.
Adriel: So, yeah. That’s the best way. I mean, anything that could ever be compromising or sensitive or somehow used to harm my family or harm myself, I just don’t put on computers. I try to make sure that that stuff you do stays in memory or is on paper in a vault or it just doesn’t exist.
Paul: Right. Well, it’s interesting. I’ve had, being a computer person, everybody asks you to solve their computer problems, and the number of people I’ve seen become infected, I’m like, “I don’t know. How did you get infected?” And it almost always comes down to they didn’t know what they were doing. They didn’t realize that doing this was going to do this. And, there’s really no way to give them that level of scrutiny that things that you and I might do, certainly you more than I would just say, “Wait a minute. That doesn’t seem right.” And they don’t perceive it. They don’t even see it.
I just saw a good example of the WPA Crack hack where they got in the middle and basically redirected somebody to a non-SSL site and captured their username and password. And that’s a good, for me, that really makes it plain that, yeah, we really shouldn’t have any non-SSL sites. And that would have fixed that problem.
Paul: So what is your prognosis? Is computer security getting better, getting worse?
Adriel: No, it’s getting convoluted unnecessarily so, and it’s getting complex. And more and more difficult to understand because of the security market. Good security should follow the KISS rule. Right? Keep It Simple, Stupid.
The reason why our customers keep coming back to us, for example, is because we Keep It Simple, Stupid. We look at very efficient solutions. We don’t focus on bloatware because of security fatigue, which apparently is a new thing that people are talking about. We focus on effectiveness. The solutions that exist today are really pretty. And they look really cool.
And maybe they are catching a really high volume of attacks. The problem is, is they’re also catching a lot of non-attacks. And so somebody sitting down and staring at a screen with stuff scrolling by all the time is going to get worn out pretty quickly. Right? And so the interface of the person or the data that’s presented to the person is ineffective. And so the whole solution becomes ineffective.
Your network intrusion prevention systems, they make a lot of sense. But the part that’s not being considered there is the person that has to sit there and churn through all of that data every single day. You just can’t do it. Right?
So the security industry is chock full of solutions, which you really don’t call solutions. They’re chock full of distracted new technologies, distracted technologies like this and these technologies are continually being marketed, pushed by other businesses. And in the end, if you follow it at all, it has to do with money. Everybody wants to make their money. The breaches that are happening today are also beneficial to the security industry because these breaches mean people are going to come and look for more technology, more services, more solutions.
In all reality, people don’t need to do a lot to be secure. And in all reality, people should not be focusing on breach prevention. They should be to a degree. But the real thing they should be looking at is preventing a damaging breach. It’s impossible to prevent the breach. Someday, somehow, somebody is going to breach your network. But if you can detect that breach when it happens, before it becomes damaging, you can prevent the damage, and you can prevent yourself from ever making the news. That’s how you protect networks.
And the way that you detect a breach, right after it happens, is with things like internal honey pots and solutions that can pick up on lateral movement.
Paul: Well, so explain that to me.
Adriel: So a hacker breaks into a network…
Paul: You mentioned that. And so explain that to me. I’m a small business. I make semiconductors. I’ve got 50 employees. What is an internal honey pot?
Adriel: Well, actually, so we sell these now. It’s something that we’ve started manufacturing and selling and developing — whatever you want to call it — probably about a year ago because of their effectiveness. So what it is, it’s a computer system that does absolutely nothing except to sit there and look like other computer systems. You deploy these fake computer systems in different parts of the network, depending on how threats are likely to enter your network and move through your network. And they’re tempting.
So a hacker breaks into an infrastructure, and a hacker begins to probe the network. The very act of probing the network when it contacts one of these systems, these honey pots, is going to set off an alarm. That honey pot is going to say, “Hey, user Joe just connected to me.” Now there’s absolutely no reason for any legitimate user to ever connect to a honey pot because they do nothing. Right? So any time anybody connects to a honey pot, by default, it’s illegitimate. So there is no false positive. There are no continuous streams of data like you’re going to see with other solutions. A hacker breaks in, hacker probes network, hacker trips two or three of these things. System admin will get an alert within seconds likely of a hacker breaching a network, maybe within minutes of a hacker breaching a network.
If that admin responds to those alarms and in quick time, that admin can likely kick that intruder out of the network before any damage is ever caused. They can say, “Hey, my web server just started scanning my network. That should never happen. Let me go and kill the connection, and let me go put up a temporary site, or let me revert to a back to a backup and just see what will happen.” But this was a breach. It was a breach that doesn’t matter because sensitive information was never captured.
Meanwhile, what’s going on is the inverse of this. People are focusing on breaches, and this is why I say the industry is convoluted. People are focusing on breach prevention. We hear this all the time. It’s an impossible task. But they’re not focusing on post-breach detection. And so what ends up happening is they suffer a breach, and the hacker sits there and says, “Okay. Was that detected?” It’s almost never detected. I mean, I can’t think of the last time that we were detected breaking into a network. So hacker says, “Okay. Were we detected? The answer is no. Great. Now let’s just spread like wildfire throughout the network because nobody has any post-breach detection capabilities.” And it’s true.
Paul: Right. I see.
Adriel: So there’s this gap. Mind the gap. There’s a gap that exists, and that’s what we’re exploiting. The security industry as a whole is upside down, and the solutions that it’s providing are also upside down. Rather than providing you with a solution that says, “Hey, you’re being hacked and it’s real. Do something about it,” they’re providing you with solutions that say, a million times a day, “You might be getting hacked here.”
Paul: Right.
Adriel: So, it doesn’t work.
Paul: Fascinating.
Adriel: So is it getting better, is it getting worse? I think the threats are evolving. I think some of the technology is evolving. I think software vendors like Microsoft are definitely evolving. They’re doing a much better job, and they have a part to do with good security. I think a lot of the other software vendors, especially the ones who build the applications that are used by Microsoft need to really catch up and start taking security seriously. But I think that rather than being something that could be a fairly simple type of thing, I think it’s become a big convoluted mess. And I think that convoluted mess is making it hard for normal, everyday people to be able to really understand where to go, what to do.
Paul: Sure. So alright. Let’s take the crystal ball out here. Ten years from now, is it going to be better or worse?
Adriel: Oh, boy. I don’t know. If we keep on allowing bureaucrats to dictate the direction of the industry and if we keep on allowing entrepreneurs that are financially motivated rather than technically motivated to dictate the direction, as long as it’s being directed by really policies and money, it’s going to continue to get worse.
Paul: So that sounds like it’s going to get worse.
Adriel: Yes, that’s exactly right. And so inevitably, I think that that’s the case.
Paul: Do you think that there’s some period or some event or inflection point that we’ll reach where we just have to do something differently?
Adriel: I think we’ve already passed that point.
Paul: Okay. That’s fair.
Adriel: Yeah, there’s no reason why businesses should be suffering breaches the way they have, the Equifax breach in my opinion along with Target, and the multiple breaches of Sony and Hannaford and Ashley Madison, these stand out because these were the ones that were particularly silly. And these breaches shouldn’t have happened. Knowing what I know about how these businesses operate, the reasons why these breaches most likely happened is that either the CEO or some senior level executive didn’t do their job properly and didn’t pay attention to what they were supposed to be paying attention to or didn’t give security people enough of a budget or there was a political reason. Or they believed that they were doing their job properly and they were listening to the advice of bona fide experts when in fact they were just being fed Kool-Aid and they were given a false sense of security.
Paul: So with the Equifax – I’ll say it – it was just industrial strength stupidity on their part. It wasn’t clever. They drove with their door open and their seatbelt off.
Adriel: Yeah, with a big neon sign that said, “Hey come take it.” Yeah that’s exactly right.
Paul: It’s almost like manslaughter if not murder. It’s manslaughter.
So just briefly talk about the Equifax thing. A lot of people don’t understand what actually happened. I’m not really concerned with the details of the technical of thing.
So I recently attended a conference by Frank Abagnale. I don’t know if you know who he is? “Catch Me If You Can?” There was a movie about him. And he works for the FBI. And when he was arrested, he was in prison and the FBI came to him and said if you work for the rest of your prison term for us we’ll let you get out of prison and he’s been working with them now for 45 years. He made the point, the distinction that is obvious again, when I say it, that what hackers are interested in, is data that has a long lifetime. Your name, your address, your eye color, your social security number. He said credit cards are great for people to steal, there’s zero liability for users. So he made the example, for my kids, I had them get a credit card when they went off to college, and I said to them I’ll pay it off every month, don’t spend – you can spend what you want to spend, but I’m actually going to be paying for things through that. So, when they got out of college they had a great credit rating. His point, was he said there’s no risk with a credit card, if someone steals it, they give you a new one. But with your social security number, they don’t give you a new one and Equifax lost 150 million people’s social security numbers.
Adriel: Exactly.
Paul: And it’s not just a number like I could say 1,2,3,4,5,6,7,8,9, that’s a social security number of someone but that’s not the point. The point is that they, Equifax wrote it down on a piece of paper and said, “Oh this is Bob Smith and he lives at 123 Main Street and oh by the way he has this car and this house.” I don’t see a way to recover from that.
Adriel: You can’t. There’s no way. And it’s not the kind of thing where we’re going to begin seeing the impact of it until several years go by. But if you think about the information that Equifax has, how many banks and how many healthcare providers and how many wealth management firms use that exact same information to authenticate you and forget your password.
Paul: Right. What was the first car you owned and of the five addresses which one have you lived at.
Adriel: Right and this information, I’d be surprised, if it wasn’t at some point used for some major heists. You can clean people out with this information if you do it carefully and thoughtfully and spend some time doing it. Of course, you have social security fraud and all kinds of other things that could be happening in the future. People die and you take their identities. The scale of what this could do is significant and what is almost laughable, and really ridiculous about the whole thing is that you look at Europe and they don’t have a credit bureau. Europeans have credit cards but they don’t have credit bureaus like Equifax. They don’t need this person’s place, this business, to maintain all this history. They have different ways of doing things. I know this because my business partner came over here from Europe, bought a house here not too long ago with his wife and all that. The whole process, you don’t have any credit yet I can still do all this stuff in Europe. Why do I need to have this thing called credit over here? So it’s interesting.
Paul: Interesting. Given all of this data is out there and all these financing companies have to continue to do business, doesn’t it almost become their problem now? Because how are they going to, they can’t just say well we’re not going to lend to you because your identity was released on the internet? Well if they stop lending to everyone they stop making money.
Adriel: Yeah, well honestly, I think we should follow suit with what most of Europe is doing. Getting rid of these credit agencies and I think we should go into a more modernized way of tracking and verifying credit. From the little that I understand, I believe that what happens that if you take a credit card in Europe and if you don’t pay off that card there’s a way of communicating to other credit card companies, without a credit score, that there’s this debt that exists. The level of information that Equifax has is too much. They have way too much information.
Paul: It’s criminal, it seems like! It’s centralized.
Adriel: Yeah and they don’t need that level of information to know that you are a good buyer and really, they don’t need to know that Paul or Adriel – They don’t need to know their name, they just need to know credit card score and some kind of unique identifier. That’s all they need yet, because they are using this antiquated system and because they are collecting information and because they make most of their money by reselling our information without us really being aware of it to god knows who, they have that and they’ve put us all at risk! And now here they are. So yeah, those companies should be done away with and that we should have a more modernized way of doing this.
Paul: Do you have any suggestions somebody who was potentially compromised? What should they do?
Adriel: Freeze your credit. Call Equifax, call TransUnion, call Experian, and pay the 15 dollars or whatever it is to freeze it. And quite frankly, Equifax should be doing that for free. They shouldn’t be charging you to freeze your credit, but do that. Because if you freeze your credit it will at least help to prevent people from taking loans out and things out in your name because it won’t be possible to pull your credit history. Doesn’t mean you’re safe though because people can still use that information to access resources that belong to you, financial things like wealth management, retirement funds, whatever, you can still use that and if you get in, there’s no reason why you can transfer out and steal money that way. It’s unfortunate.
Paul: So things are worse. We’ve passed the inflection point. Things are not necessarily getting any better. We still want to use the internet. Be careful of what you share because it could be used against you. Boy it sounds like, it doesn’t sound too positive here. I guess one of the things is through your services companies can be a lot more secure. So that’s a positive thing.
Adriel: It is but you have to be careful even with that. When you purchase penetration services, you have to make sure that you’re purchasing genuine services that produce a realistic level of threat and not services that give you a squirt gun test. The analogy is that penetration tests are the equivalent of testing body armor with a squirt gun. And there are ways to do it and we actually published a white paper that was published on Forbes, that was picked up by Forbes, and the article was “This Year Why Not Take Data Security Seriously” and if you google that, you’ll find a white paper that we published and it really gives you non-biased key points on how to identify a genuine penetration testing, and how to differentiate between the people that are going to be selling snake oil. One of the most important differentiators there is that the snake oil vendors will sell based on the number of IP address or the number of web applications that you have. It’s called count-based pricing. And if you have ten IPs, like I said initially, and you bill five hundred dollars per IP address, that’s all great and good, you’re going to have a five hundred dollar price tag but what happens if zero of those IPs are providing any services. You just spent five grand on zero seconds worth of work.
Paul: Right.
Adriel: Likewise, what happens if each one is offering 40 man hours worth of service. Well no pen tester is going to be working for 12 dollars and 50 cents an hour so any vendor that uses count-based pricing as part of their pricing methodology, you can rest assured that you’re going to be getting that squirt gun test. There’s a lot you can do and it’s a lot of stuff you have to cut through to understand before you can get to the good stuff.
Closing Words
Paul: Is there anything you’d like to cover that we haven’t talked about?
Adriel: No, I think this was pretty thorough. There’s a lot of stuff!
Paul: There’s a lot of stuff, we could do this a couple more times I’m sure. We’ve been talking with Adriel Desautels of Netragard. He’s a security expert. You’re based in Boston right?
Adriel: Yes.
Paul: But I know you work internationally and are pretty well known. And we’ve been exploring security and penetration testing and security testing and all of the different things that coalesce to mean security, what is security and what isn’t security. There will be a tremendous amount of links that will be in our show notes, that I think will be worth looking at. Many of the articles that Adriel mentioned and many of the sites and of course a link to Netragard as well, and ways to contact Adriel.
So Adriel thank you very much for your time. We really appreciate it! It’s really been fascinating and I think a lot of people will learn a lot today and I really look forward to doing it again.
Adriel: My pleasure, any time.
Paul: Thank you Adriel.