On Episode 83 of The Edge of Innovation, we’re talking with hacker and security expert, Adriel Desautels of Netragard about what’s new in the cybersecurity world!
Tag: security
Archiving for Perpetuity: Is it Relevant?
On Episode 64 of The Edge of Innovation, we’re talking with entrepreneur Greg Arnette, about new business technology and archiving for perpetuity.
Show Notes
Greg Arnette’s Website
Find Greg Arnette on Twitter
Contact Greg Arnette
Find Greg Arnette on LinkedIn
Sonian’s Website
Barracuda’s Website
Blockchain
What is Blockchain?
Bitcoin
What is Bitcoin?
This Man’s Lost Bitcoin are Now Worth $75m – And Under 200,000 Tons of Garbage
How To Boost Your Internet Security With DNSCrypt
Cloudfest
Link SaviorLabs Cybersecurity Assessment
Sections
New Business Technology On Our Radar
Malware and Viruses: The Wild West
Are You Ga-Ga Over Blockchain?
The Conundrum of Bitcoin
Reinventing Business Solutions
What is Greg Up To?
Is Archiving Messages Relevant?
Archiving Family History: Storing Data for Perpetuity
How Can the History of Places Be Digitally Preserved
No End of Things to Get Excited About
Closing
Archiving for Perpetuity: Is it Relevant?
New Business Technology On Our Radar
Paul: So well let’s, let’s talk about like business technology. What’s fascinating out there now? What’s sort of on your radar. You’re sort of, if I dare, a visionary.
Greg: I think we share that same trait.
Paul: Well, yeah. So what are you seeing out there? I’m reading some of your articles. I’ll go into those if you, if you don’t remember some of the things.
Greg: Yeah. So from a business-technology perspective, a lot of security stuff, especially email collaboration security. That’s also part of my job function, is to be a security evangelist for the company or tech evangelist on data protection and security. I’m interested in the ever evolving set of technology building blocks that are being put out there by companies like Amazon, Microsoft, and Google that can help folks like us go and solve a business problem faster. So every six to nine months, there’s a new service that we can take advantage of that just means we don’t have to write more code.
And at some point down the road…So, tied into that is server-less types of ideas — so functions as a service or Lambda functions that they call them from Amazon or OpenWhisk from IBM — where we can get pure about the software we’re writing, not even thinking about how it has to run in any environment and just focus on the business logic. So, low-code/no-code environment, app environments, I think, are really interesting and going to make a comeback.
I remember doing tons of those Microsoft access web applications that didn’t really require much technology coding but solved the business problem. I think that’s going to coming back in full force. And I’m interested in the cloud building blocks and how we can take advantage of them to do more.
Malware and Viruses: The Wild West
Paul: I don’t know if you wrote an article about this, but what do you think about all the malware and viruses and all the attack vectors that are open now? Is it going to continue to be a problem, or is it going to level off and decline? It seems like the Wild West in some ways.
Greg: Yeah. I think that’s a great way to characterize it. I think it’s going to continue. It almost feels like an arms race or mutually assured destruction, especially now that machine learning and AI stuff is, can be used for good and for bad. The black hats and the white hats are going to be dueling it out in cyberspace, getting smarter on each other. And we’ll continue to see, I think, exploits and vulnerabilities, unfortunately. And we’ll get smarter. Hopefully we just shore up the defenses on all fronts, protecting data at rest, protecting data in transit, training people on stuff. Human behavior always gets in the way a lot in terms of where problems can happen. And so there’s lot of, I think, opportunities to keep solving these problems and leverage massive data sets, leverage machine-learning frameworks like TensorFlow to do good if you want to step in the dark side, I guess you could do all that stuff and cause problems.
Are You Ga-Ga Over Blockchain?
Paul: That’s true. That’s true. Now, are you ga-ga over blockchain?
Greg: Very interested in it and trying to figure out what the business problem to solve. Is there a problem to solve? Is there something you can do to make blockchain work better, or can you build business solutions on the blockchain technologies that somehow do something very different than what we have available today. I just came across a, what they call a collaboration system built on top of the blockchain to foster open but open yet encrypted and audited collaboration. So it’s like a Google Docs equivalent but built on top of the blockstack.
I thought, oh, okay, this is interesting. These things are starting to show up. I think Office 365 and G Suite are very popular and not going to go anywhere. But if you want to kind of roll your own and do it in a blockchain-like of way, there, there’s these new platforms that are coming out that probably a technologist can subscribe to but yet not a business person.
Paul: Well, I tend to be a reductionist, I reduce things. I try to, in my head, reduce them to the simplest things. So let me ask it. Isn’t it just a… it’s not even federated. But it’s a bunch of people, a bunch of nodes recording that block, and they all agree on it. And because, if there’s 99 blocks that agree on it and one that doesn’t, they’re going to discard the one. So if you wanted to – I know this is…at the scale we’re talking about, it’s not reasonable – if I could coerce the 99 to change all of the blocks that credibility could be broken.
So, we store the number 25 in the block, and if I can convince every one of those 99 or 100 blocks owners to go in and change it to 26, I have now changed reality. So that rolls me back to the point of a blockchain is to give some authenticated this-is-what-the-answer-truly-is, or what the information truly is. Am I reducing it too far, or is that what blockchain is?
Greg: From what my understanding and newbie, nascent in this, it sounds right. The open transparent, distributed ledger kind of concept – so the transactions are in the transparent, so to speak and so yeah. So if you could convince those 99 computers or nodes that you have a different version of reality, in theory, that should not be possible given the mathematical sequences that require to compute the blockchain, so to speak. So I guess that’s the counter measure of, it’s not, in theory, supposed to be possible, but we often say that and we actually find that.
Paul: Exactly. So now then we say, okay, well that’s great. So I have a public ledger. That’s great. Now a lot of people seem to infer that it’s anonymous, but the blockchain is inherently referential – from most of the implementations I’ve seen – that will say that, oh, Greg put that number in 10 days ago at 4:00 in the afternoon. And so I think – again, I’m exactly like you. I’m sort of like trying to understand it, and I’m nowhere near an expert. And so people that are listening can correct us – or me – please do so. But it doesn’t seem anonymous at all. In fact, it seems non-anonymous because I can know where that data entered the thing. I might not be able to identify you, but that’s ultimately…
Greg: Yeah. My goal is that it’s supposed to get rid of that problem of anonymous stuff, which is what people get concerned around. And, especially kind of in the social media aspect of things, and haven’t seen anything that blockchain can solve in that world right now, but maybe down the road a future version of Twitter or Facebook will be based on that kind of concept so. You’ll have authenticated entities not bots or whatever that are polluting the conversations and so forth.
Paul: So yeah. We could get to the root of the message, where the message originated, that it came from Paul, or it came from Greg. And we know that because when it got introduced, everybody journaled that.
Greg: Right. And all the attributes were journaled, and it can’t be tampered with. You should not be able to go back and alter that record because that’s going to become bedrock of knowledge, a source of truth, so to speak.
Paul: Right. Exactly.
Greg: I think that’s what appeals to me about this whole concept is the source of truth that can’t be altered. Because it’s a theme that I deal with in my work life is we provide a service that has immutable records of conversations with an audit trail so that we can attest that this is what was said, and here’s when it was said, and it hasn’t been tampered with, and here’s all the infrastructure around that to supports that way of operating.
The Conundrum of Bitcoin
Paul: So, switching gears just a slight little bit here, did you buy bitcoin 15 years, 10 years ago?
Greg: No. It was invisible to me.
Paul: It was just like… I thought about it. I thought, oh, I should just throw up an old machine and mine some.
Greg: Yeah. Shoulda, woulda, could– All those domain names you could have purchased 15, 20 years ago.
Paul: That’s true.
Greg: I just lump them into that category of just whistling through the fields here.
Paul: That’s right. Exactly. Why did you buy McDonalds.com?
Greg: There’s that well known story of the person in England that lost the hard drive with the bitcoin wallet.
Paul: That’s scary.
Greg: Trying to actually go back in the landfill and find it.
Paul: Are they really?
Greg: That’s what I heard. I don’t know if that’s true or not.
Paul: Wow.
Greg: There will be lots of examples of that. I guess the thing about bitcoin and the wallets, it feels like the way we think about bearer bonds. If you have that thing, it’s yours.
Paul: That’s a good analogy.
Greg: You can’t really question it, I guess. I mean, I guess you could go into the courts or legal system. But if you have it, it’s yours.
Paul: Right. It’s a redeemable…that’s it. That’s the redeemable-ness of it. It’s, it’s like a gold coin.
Greg: Right. Yeah. So it’s sort of, that’s sort of the analogy that we should be thinking about with these. Ways you protect them and… Was it Coinbase or one of these ones were hacked and, and so…
Paul: That’s scary.
Greg: I was thinking, well, you could just go back and trace the transaction. But no. If that, whoever has it owned now can just redeem it on an exchange, and now they can benefit from it.
Paul: Yeah, that is going to be interesting because you could see, you know, somebody say, “Well, I never transferred that to them.” It’s an interesting paradigm shift, because we don’t understand it. We really don’t. What’s the implication of it? You know, if I put a gold coin on the table here and walk out and you take it, there is no trace that I had it before. So bitcoin, I think, knows that I had it before, and now you have it. I think.
Greg: Right. That’s what I assume. And I was talking to a person who is much more versed on this subject, and they described to me why you would think that, but how it would be almost really difficult to actually trace that transaction down the road which surprised me.
I don’t know enough about how it works to…I thought, well how can you even steal these things because there must be a record that you had this at once. And how was it lawfully transferred to the other person? And so, yeah. It’s a conundrum.
Paul: A conundrum wrapped up inside of a what?
Greg: Enigma, I think.
Paul: That’s it. Yes, exactly. Fascinating.
Reinventing Business Solutions
Greg: Yeah, that’s, there’s a whole bunch of opportunity and, and, I think reinventing or reimagining current business solutions around a blockchain way of thinking and the distributed ledger concept – contract management, someone was even suggesting, think about DNS records on top of a blockchain environment or…
Paul: Yeah. I hear you, but it just isn’t solid. It’s not something I can grab onto yet because it seems like it has to be something that needs veracity over time. You know, and it’s like, yeah, DNS, that sounds interesting, but who cares? I mean, what the DNS was six months ago. Okay, you know. I mean, now, I think DNSCrypt – I don’t know if you’ve heard of that. That’s where you actually encrypt your DNS traffic so that somebody can’t get in the middle, and they can’t also just see where you’re trying to go and see where you’re trying to resolve. That’s a really nice thing. That’s cool.
Greg: I can see that being interesting.
Paul: That’s really cool. But, yeah, we’re doing that with a lot of our clients. We use something called Cisco Umbrella, which is basically, they bought OpenDNS. And they maintain their own DNS servers. So rather than going to the root servers or anything, you just use theirs. And so if you’ve got a bad site, they write it down as a bad site, and they won’t let you get there. And so the, they’re the arbiter – I mean, they could be the arbiter of taste. They could say, “No, we don’t want you to go here.” That’s the evil side of it. But what they’re doing is for malware and exploits and all that kind of stuff. And they could even do it for “I don’t want gambling sites being in my network.” And so it’s a cool concept, and it’s saved a lot of our customers’ bacon because they don’t know where they’re going, and then there’s an ad that shows up that has malware in it. Well, this blocks that ad. It’s some really cool stuff.
Greg: Yeah. I can see that being really valuable, especially for consumers and small businesses that rely upon MSPs for their IT services.
Paul: Yeah. Well, and even for big companies. Because what’s happening is… The reason why Cisco could do it is somebody has to keep up with the changes as the slew rate changing throughout the day, you know. This site got infected, so they say, “Okay, you can’t go there now.” And then it wears off, and that site is no longer infected, and they take it out of the list. So some cool stuff there.
Greg: That’s cool.
What is Greg Up To?
Paul: What else are you doing? What’s your days look like now that you’ve sold a company, work remotely, I would imagine. You probably have the same offices. Right?
Greg: Yeah. We have the same office. We’re one of two locations now for Barracuda in the Boston area. And the plan is to keep it the same way for the first, as far as I know, for the foreseeable future. And I spend a lot of my time on a focus of technology evangelism and also business development for the company on the product area that Sonian was responsible for. So I’ll be in Toronto next week meeting with partners and then going to CloudFest in Germany the week after. It used to be called World Hosting Days. I didn’t realize it got re-named, so I’ve been to WHD a few times, but it’s called CloudFest now. And I’ll be giving a presentation on the pros and cons at InfoSec in Orlando the week after that. So it’s an interesting time.
Paul: Yeah, you are busy.
Greg: Yeah, it’s good stuff. It’s a wide variety of activity. It keeps me close to the end customer and that’s what I crave, is hearing the feedback. What problems are you wrestling with? And always thinking of what is the best way we can help them solve the problem for that customer.
At Sonian, we were sort of had the indirect model. So we sold to a partner.
Paul: Right. So you were one step removed.
Greg: And we always were challenged with what does the end user, what does that end business need? And, you know, oftentimes our partners were really good at translating, but for many cases, we were the domain expert for the partner in this area that we focused on – email archiving kind of stuff – and we had our ideas about what was needed, but we always wanted to hear from the end customer.
So now with Barracuda having, hundreds of thousands of end customers, there’s a wealth of opportunity to engage with that business audience.
Paul: Will they change the model to be less partner driven and more direct?
Greg: I think the model is going to stay basically the same but we have a pretty diversified go-to-market engine. There is an MSP focus with Barracude MSP. There is now Barracuda OEM, which is what Sonian was, is. And then there’s the traditional channels and direct sales that they do for the security data protection products.
Is Archiving Messages Relevant?
Paul: So you’ve seen this, that we’re collecting all of this data over time. And how relevant is it that you have a message from 10 years ago in your archive?
Greg: You ask different people, and different people would have different opinions. I appreciate having a durable archive of things. I love using Gmail and typing into to search box and just seeing conversation histories and, if something happens to be 10 years old but it’s relevant, I think that’s valuable, and it doesn’t cost me any money to save it. It’s not dragging down my productivity to have it around. It’s there if it want it. And I’m personally not worried about discovery of stuff. I like having an infinite kind of repository behind the scenes.
I just recently stumbled upon a USB drive that I thought was empty. It turned out it had my PST files from a couple of different jobs ago. I thought, I should just load this up into my client so that I have an even further, longer-term library back, in case I run into people I have communicated with and that kind of stuff. So, it sounds a little bit like a packrat, but it’s not. And I think it’s valuable.
Paul: Well, it’s relationships.
Greg: It’s relationships. I want to use this to train future things, analyze my communication patterns and help me do better going forward, that kind of stuff.
Now for businesses, there’s pros and cons of retaining everything for forever. Sometimes they can’t or they shouldn’t. They have thoughtful policies on how to age stuff out nicely with an audit trail so that you know what you got rid of, and you can defend on in court kind of thing. And some companies are still very rigorous around they don’t want anything past a year. They don’t want anything after six months. And some are the opposite. They only see the value in keeping it and then to be able to correlate it with other records in the company like what’s happening in the CRM, what’s happening in the ERP, what’s happening in the HRIS systems. You start to get this wealth of analytics that can help drive better businesses decisions down the road. So I think that’s a very interesting area to work on in the future.
Archiving Family History: Storing Data for Perpetuity
Paul: What is your thoughts on sort of, I mean, you’re being very thoughtful about keeping your history of information. So you’ve sort of gotten this history. You put the old PSTs in there. And, and I’m struggling with some of the concepts around like family history and old photographs and things like that. I saw another YouTube thing. Norm McDonald with talking about when you talk about your great grandfather, you have one picture of him. And, he said, “In 10 years” – in the typical Norm McDonald – “you’re going to have a million pictures of your great-grandfather.”
Greg: Wow. So true.
Paul: And everything he said. Everything. Moment by moment. And so, as I have noticed with our kids growing up, they never met my father. He passed away long before they came along. It’s out-of-sight-out-of-mind. At some point, they may think about it and say, they get the nostalgia, maybe in their 30s or 40s or something and want to go after it, but it’s on a disk somewhere, in a closet after, maybe, I’ve passed away. And it is a very interesting conundrum.
And that’s just for normal families. But then you have these people that contribute intellectually, that do something more than that, they write a book, or they do all this different stuff. It used to be that you’d go in, and they’d get all their papers and look through them and maybe publish things. Well now, they’re on disks somewhere.
I’ve got this notion for a business of sort of perpetuity. How do you store stuff for perpetuity? Because, they may not be relevant for 20 years. It’s just an interesting thing because do you just say, okay, somebody died. They wrote a several different books. They impacted a bunch of lives. Delete? It’s so easy to store, but how do you perpetuate it? And then how do you also make it available in the universe so that people can discover it? It’s an interesting conundrum. It doesn’t seem like it should be all deleted and thrown away on an old hard drive.
Greg: Yeah. It’s funny you mentioned this. It’s something I think about similarly and from different perspectives. I ran into a local tech seed investor who was describing a similar set of concerns that he had. He was querying me about whether things I did at Sonian could help solve that. And, very, very tangentially maybe, but it wasn’t as encompassing as video and audio and harvesting seed records.
Sometimes I think like Facebook wants to be that at some level as well. You know, they want to be the source of everything. But to self-serve it their own. And then there is the internet archive projects and all these different – whether they’re dot-orgs or paid-for services, was it Memory Box? You could put all your stuff into a… Like all your physical media and ship it off, and they digitize it. That has to be part of what you’re talking about.
Paul: Sure. Yeah. I’m doing the scanning of all the photos.
Greg: Right. Right.
Paul: And then I’m wondering, why am I doing this because is anybody ever going to look at them?
Greg: Yeah. And then analyzers will tell you who’s in it and how old they are and give you more details around it that makes it searchable – that index that you really want, because it’s the index that’s really going to be important of all this content that will probably live on the cloud. And then when the cloud becomes passé, it will live on a super high-powered box you have locally that will never die because it’s so durable. The pendulum is always swinging, right?
Paul: Well, I remember – I don’t know. It was probably in my teens or 20s when I learned about all of the archives at Ellis Island. My family came through Ellis Island. So it was like, wow. That’s really cool. Well, now we have the same thing but it’s not, it’s not stored in a ratified place, to say, this is where it’s stored. But we have it to the 9th degree. You know, we have all these details of these people’s lives. And I just worry about where is it going to go?
Greg: Yeah. How do you pass it on? How do you grant access? Insure, how do you sort of donate it to the public records? The Morman Church does a lot of this in terms of records online and so for a searchable database.
Paul: But they’re only doing it to the genealogical. That’s their interest is genealogies, but I’m saying me playing baseball when I was15 years old in a league. There’s pictures of that. Does that matter to anybody? I don’t even know.
The other thing that I also struggle with a lot is a sense of place, is that there’s not really a good place that says, here’s what’s here today, but here’s what’s here. Here’s what was here 20 years ago or 10 years ago. And the less we do of that, the more we’re losing, because you just don’t know. There’s the history of it is gone, I guess.
Greg: Yeah.
Paul: So those are some things that I’m struggling and thinking through. It’s like, well, what do I do?
Greg: Big brain questions.
Paul: Yeah. Exactly.
Greg: Yeah. I love thinking about that kind of stuff and anticipating maybe things that you could create that would help others sort of who are figuring this out or have a pain point in that area. There is something there. And there’s a couple of different things that are coming, vectors into it, lik the scanning of the media stuff as a service, so you don’t have to worry about it. And that’s a lot of friction to do it. No one has the time, and it becomes one of those rainy-day things you never get to. And then who pays for the storage and how do you pass it on to your heirs? And how do you search across it and analyze it? And then there’s privacy issues. So there’s a lot of things to consider.
Paul: It is.
Greg: It’s a meaty kind of subject.
Paul: Yeah. So well maybe if you have any thoughts on that, let me know. I’m very interested in that.
Greg: Yeah. I can connect you to this other person that was thinking or interested in this, more from like wants to use a service like that because they don’t have it, and they’re worried about records for their kids and ancestors and so forth.
My grandmother and her sister were very much into genealogy, going to cemeteries and rubbing gravestones and they actually wrote books for our family, internal books.
Paul: See, now that’s cool. That’s really cool.
Greg: And it’s a really nice thing to go back and look at occasionally. That’s all different now with online versions of everything. So, it’s really more the index and search-ability, I guess. That’s where some innovation could happen, as well as removing the friction of digitizing the physical assets that we have all around us that we want to get up into the cloud, so to speak.
Paul: Yeah. I think one of the, the coolest things that I’ve ever seen is the Google Face Movies. You know, in Picasa they introduced it, where you could do a person over time. It’s really cool. It’s really familial, if you will.
How Can the History of Places Be Digitally Preserved
Greg: And now, like even you’re mentioning what was the place looking like over time, like Street View, if it’s been a long, long visited place, you could go back in time and look at it, as long as they’ve been recording it.
Paul: That’s cool. Yeah. That’s cool. But I can always remember. There’s this department store called Big N that was at the one end of town that we used and I used to buy my plastic models there. And it’s gone. And if you’re not 50 years old, you have no concept that that it’s a K-Mart or something, and then now it’s probably closed. And it’s really like what’s there? Even this building. This used to be Bay Bank.
Greg: Oh, wow.
Paul: And the room we’re next to, there’s a safe that’s the size of a car. That’s where they put the checks that they were cleaning every night. They were physically clearing the checks.
Greg: That’s a really cool history.
Paul: And this office is where they did that. So it’s like, that’s a cool piece of history and that’s not anywhere except in our heads, and there’s no geotagging way to deal with that. So, anyway, some of the things that keep me up at night.
Greg: And a place for people who have the memories can contribute into the system and others can add to it or double check or verify. It feels like the Googles of the world have the infrastructure for that and potentially the resources like financially and sort of like, hey, let’s just go do it because we can and without having to have a business case.
Paul: Right. Exactly. But this is how businesses get born is these kinds of conversations to say, this would be really cool. And I think what you’re pointing out is that the technology now is… 20 years ago, there would have been… Oh, gosh. I mean, think about building YouTube 20 years ago. Oh my gosh. Who’s going to pay for the storage? But now, like you’re saying, we can buy these components, these utility computing things and just do it and see how it grows.
Greg: It’s going to foster a huge amount of exponential experimentation and potentially you solve solutions to problems that plague us today that we felt almost insurmountable.
No End of Things to Get Excited About
Paul: Have you done much, any, anything in the Maker Space stuff or being a maker? Because that’s really what you were, is probably a maker.
Greg: Yeah, yeah. It’s funny. I haven’t. I haven’t dabbled in 3D printing. It just feels like that’s something I keep saying, oh, that’s when I get more free time. I’d love to get involved with that.
Paul: They are exponentially improving every year. So it’s sort of the longer you can wait, the better it gets.
Greg: I didn’t mean to say 3D printing is the Maker Space but I was at, are you familiar with Twilio, the AP, telephony? I was at their customer conference last year, and they’re fostering a lot of hardware innovation around devices that integrate physical devices that implement their protocol and so forth. And there is this representative from a consortium of Chinese manufacturers that sell to the maker space, and I’m drawing a blank on the name of it right now. But it’s, you can add it to the show notes. I have the card at home. And it was just like a marketplace of everything you could have want, you could imagine. Remember the Edmond’s catalog?
Paul: Yeah, yeah.
Greg: So it was like that, like on like steroids. Anything you had an interest in making, you could get the, like the parts for that through a marketplace, like an Alibaba type of thing.
Paul: It’s not Banggood?
Greg: No, it has like double Es in it, like three or four Es in it.
Paul: I’d like to know that. Have you done much with like Arduinos and Raspberry Pi and things like that?
Greg: Nah. I have a couple. Just played around with it.
Paul: Oh, they’re some cool stuff. They’re really cool stuff.
Greg: Yeah. I have friends that are doing this, and they’re doing things with drones and all that kind of stuff, and getting the drone racing.
Paul: Oh, really? Oh, I hadn’t heard of that.
Greg: Yeah. It’s becoming a thing.
Paul: Is that really?
Greg: Yeah. So as electronics get lighter, faster, all that kind of stuff.
Paul: Oh, that’s cool.
Greg: Yeah, putting on virtual reality, augmented reality stuff. Watching it, kind of from afar and getting… Your know, maybe I’ll take a step in that direction. I didn’t jump on the Google Glass thing when it was on the first iteration, but maybe the next one I’ll figure that out.
Paul: And Entel’s got something, some sort of glasses.
Greg: Yeah. That seems pretty cool. So, yeah. No end of things to get excited about.
Closing
Paul: So, alright. Well, we’ve been talking with Greg Arnette, and what’s your official title now?
Greg: Technical evangelist, business development for the OEM platform.
Paul: Of…
Greg: Barracuda Data Protection.
Paul: Okay. Barracude Data Protection.
Greg: Yeah. That’s the group that I’m in. Yeah.
Paul: Okay. Cool.
Greg: Yeah, it’s like an exciting opportunity.
Paul: So, good friend, great insights. We’ll hopefully see you soon again.
Greg: Thank you for the opportunity to get together. This has been a great conversation.
Paul: Excellent. Thank you.
Greg: Thanks.
Cybersecurity: For Better or For Worse?
On Episode 61 of The Edge of Innovation, we’re talking with security expert Adriel Desautels, founder and CEO of Netragard, about whether cybersecurity is getting better or worse.
The Farce of Cybersecurity
On Episode 60 of The Edge of Innovation, we’re talking with security expert Adriel Desautels, founder and CEO of Netragard, about the farce of cybersecurity!
The Art of Hacking: Cybersecurity With Adriel Desautels
On episode 59 of The Edge of Innovation, we’re talking with Adriel Desautels, founder and CEO of Netragard, about hacking and cybersecurity!
Show Notes
Find Adriel Desautels on Twitter
Find Adriel Desautels on LinkedIn
Follow Adriel Desautels’ Blog on Netragard
“Is Your Data Safe From Hackers?”
“This Year, Why Not Take Your Data Seriously”- Netragard’s Guide to Finding a Vendor
“Cars: The Next Hacking Frontier?”
“How to Find a Genuine Penetration Testing Firm”
“What Is Penetration Testing? Here’s the Right Definition”
“Is Your Data Safe From Hackers?”
“How To Hack A Company With A Trojan Mouse”
Link to SaviorLabs’ Free Assessment
Sections
What Does Netragard Do?
Hacking: Making Things Do Things They’re Not Supposed To Do
How Adriel Became a Hacker
Starting a Business Using Real Hacking Methods
Is Hacking Complicated?
The Art of Hacking
Pricing Based on IP Addresses is Not Ideal
Real Time Dynamic Testing
What is Penetration Testing?
What Should You Do About Cyber Security?
What’s the Big Deal with Online Profiling – Social Engineering
Internet Abstinence Won’t Protect You
The Art of Hacking: Cybersecurity with Adriel Desautels
Paul: Hello, everyone. I’m Paul Parisi here with the Edge of Innovation, and our guest today is Adriel Desautels from Netragard. Adriel, are you there?
Adriel: I am.
What Does Netragard Do?
Paul: So, Adriel, you are with a company called Netragard. What in the world does Netragard guard? Or what does it do?
Adriel: So just like our slogan says, we protect you from people like us.
Paul: I love that slogan. So, “people like us.” What do you do? Are you hackers? Or are you light-head hackers or what?
Adriel: So we are hackers in the very real sense of the word. We have roughly 35 guys on the team right now, that are all vulnerability researchers and zero to exploit developers. So we really specialize in tearing apart technology, understanding how the technology works, and then finding ways to make the technology do things that it’s not supposed to do. And we apply this skillset to anything from automobiles and cellphones, all the way into large corporate networks or government networks and so on and so forth. The end product is we breach something, we hack something, we break something, and then we provide you with a solution to prevent other people like us from being able to do the same thing.
Paul: So basically, you guys sit around and try and break things. Or, I mean, because you said, you used very select words there. “Make things do things they’re not supposed to do.”
Hacking: Making Things Do Things They’re Not Supposed To Do
Adriel: Right. Absolutely. So, a prime example, right, with cellphones, for example. When you receive a text message from somebody, you expect the test message to display the message. If you receive a text message from us, our text message, you might never actually see it come in because it will be designed in such a way that rather than displaying a text message, it gives us complete control over your phone. So maybe when we send you a text message, the payload, or the contents of the message, will allow us to listen to your microphone, turn on your camera, track you via GPS, read the emails, look at what you’re browsing, etc., etc., etc.
And the way that we do that is by leveraging flaws that exist within that specific piece of technology. And the same would be for anything. You know, we did research on cars a while ago, we were in the news for the research there. And we found that it was possible to do things with the cars, like take control over critical systems such as the accelerators, the braking systems, seatbelt tensioners, other kinds of security things in cars. And so you can literally hack a car and turn a car into a weapon.
So we look for the different avenues of those kinds of things can be done and then we build solutions so that the people who are responsible for making these technologies can prevent those kinds of things from happening, hopefully.
Paul: Okay. Alright. Well, that sounds scary and interesting all at the same time.
How Adriel Became a Hacker
Paul: Let’s take a step back. So now, what’s your background? Did you go to school for this? Did you just figure out one day, “Hey, I want to be a security person”?
Adriel: Yeah, so, when I was about eight years old, my father picked up a Tandy 1000 and maybe I was even six. I was young. And I wanted to know how this computer worked, and I played Load Runner. I played with the word processor that he had, the big old disks you used to have to stick in there. And I became more and more curious. So I began picking up Basic, I think it was and just trying to figure out how things worked in that respect. And then, you know, I saw well, if I put in this text with this, the computer would beep in this way, or the computer would do this kind of thing.
That evolved and then I was gifted with a modulator demodulator and I thought to myself, so if I dial this telephone number, I get a connection. What happens if I try a bunch of different telephone numbers? Most of the time, it would be people that would pick up and be mad that they were being called by a modem. But sometimes I would be calling other modems, and I’d find that they connect to systems that I wasn’t supposed to.
And then from there I discovered the real satisfaction. Curiosity. You know, hackers are driven by curiosity. And there’s a saying that I hear all time, curiosity killed the cat, satisfaction brought it back. So, it kind of evolved from there.
When I went to college, I was studying a combination of computer science and philosophy. I ended up dropping out of college in my second year because I was already working in the industry. I was making more money than most people with a degree, and I was learning stuff in school that I had already learned and that was really antiquated. And so I thought, well, I don’t really need a degree to get me, nothing.
And so I dropped out of college and started my first business. Sold that business, worked in the industry for a bit, which is how I you met initially, I think. And then I started up my second business and here we are. And through the interim, the point between the two businesses, I realized that I do not work well for other people. I work much better for myself, with my team. And so here we are. And it’s been a great adventure, but it’s been a pretty successful one too.
Starting a Business Using Real Hacking Methods
Paul: Excellent. So what is that business that you started? It’s Natragard. But, I mean, what was your intent? And how long ago was that?
Adriel: Yeah, so back in 2006, really 2005 to 2006, right after we were running SNOsoft, or Secure Network Operations was the full name, we were approached by a bank. And the bank said to us, “Hey, we’re looking for penetration testing that will deliver a real hack. We really want to get hacked.”
And we said, “Well, we don’t really do this kind of stuff. My team is really into reverse engineering and zero-day exploitation and things like that. Right now we’re doing vulnerability research and exploit development, but we’ll try to find a company.”
And so we scoured the internet. We looked and looked and looked, and we could not find a penetration-testing firm that would actually do what they said they were going to do. They all said that they would do manual testing. They all said that they would use a research-based methodology. They all said they were going to do these incredible things. But when it came down to really talking about the technology, they were all going to effectively deliver a vulnerability scan, vet the results, and produce a report, which is not what our customer wanted or our friend or associate wanted.
And so they said, “Well, why don’t you guys deliver this test?’
And we said, “Alright. We’ll give it a shot.” And so we took our vulnerability research and exploit development methodologies and we created a methodology. It was called Real Time Dynamic Testing. In about 2006, we used that methodology to test this bank, and we managed to breach the bank and take the domain in four minutes flat. And the reason why we were successful in doing that was because they had a critical system that was exposed to the internet but it was configured in a way that the traditional scanning technologies wouldn’t detect it. I don’t know if it was delivered. But the scanners didn’t recognize the system.
We began to look at the network, and we said, “Hey, what is this glaring hole? Let’s play with this,” and boom. You know, we were right in.
And so the bank said, “Wow, this is incredible. Not only did you take our domain in four minutes, but we didn’t see you do it. And, you know, how did you do it?”
And we said, “Well, we just used real hacking methods.” Right? We didn’t depend on scanners, and that was that. So they began talking about us. Other banks began calling us, pharmaceutical companies and so on and so forth. And we just kept on testing and kept on evolving and methodologies continually evolved.
And on the side, for the longest time, we were also doing the zero day vulnerability research, zero day exploit development, and we were catering to the zero day market. So the business was running on two fronts.
Today it’s strictly offensive. Today we are strictly hacking people and breaching people using the same kinds of methodologies and the same kinds of threat as you’d experience from nation states or from real world hackers.
Is Hacking Complicated?
Paul: So now you mentioned there that you were able to break into this. And this sounds complicated. Is it complicated? Or is it not complicated?
Adriel: No, it really isn’t. The most complicated part of breaching a network is doing the research upfront to identify the points of weakness. Once you identify a point of weakness, it’s generally pretty simple to exploit it. For example, if it’s going to be a local file inclusion vulnerability in a web application, right? You have to understand how an application is constructed. You have to be able to apply a path so that you can include a file from the local file system and just really were to paste or write a simple string. And that one simple string enables you to call a file.
So a really simple example would be an ISP that we were working on back before cloud computing was a really big thing. These guys were kind of like your pre-cloud computing hosted environment.
They had an infrastructure set up with a management interface, and the management interface had a glaring local file inclusion vulnerability in it where you could see the path, and you could see the file that was being called right in the URI. So what we ended up doing was we ended up generating a bunch of PHP based error logs by dumping PHP code directly into the server, and that would get a recorded in the error log, and then we directed the path in the URL, the URI, to the error log for Apache, because we knew they were running Apache. When it loaded the error log, it interpreted the PHP, and we got a shell in the system.
Paul: Oh my gosh. Wow.
Adriel: Yeah, so it’s pretty simple stuff.
Paul: Well, once you say it, it’s simple.
Adriel: Yeah.
Paul: That’s very important, I think. It’s like, I would not have thought of that, but now that you say it, it’s obvious.
The Art of Hacking
Adriel: Yeah. It’s funny because even the most complex hacks become trivial once they’re discovered. And so the real talent and the real art is in the discovery, and it’s being able to think in such an obscure and different way that you almost… It’s not really out-thinking other people, but you — for a lack of a better term — you out-art the other people.
Paul: Well, it’s almost out-thinking reality because you’re not just taking it for what’s in front of you. You have to look behind it and around it and under it.
Adriel: Yeah, exactly. And sometimes you have to build an entire ecosystem or environment for this thing to exist in to break it. Because certain pieces of software are meant to exist in certain situations. They’re meant to do certain things. So put them in a different situation that’s designed specifically to make it break, make it uncomfortable, you know. Doing that’s really what hacking is all about.
Paul: So it sounds like the kind of work you’re doing is finding the — I don’t want to say “esoteric” but… I didn’t know. Is that fair? Esoteric? Because I’m wondering now, you must offer something or do something that, checks for the run-of-the-mill things.
Pricing Based on IP Addresses is Not Ideal
Adriel: Oh, yeah. Absolutely. So, when we offer our services, there are three different levels, and the higher level includes the lowest two levels. So there’s silver, gold, and platinum — the whole packages that we offer. The silver level package is the industry standard package. It’s what you’re going to get from 90% of our competitors or 90%, 99% of the industry. And it’s really how many IP addresses do you have? I’m going to price based off of the number of IP address. Right? So you say you have 10 IPs at 500 bucks per IP, $5,000. We don’t price that way. This is the competition.
And then we’re going to take the IP addresses that you give us. We’re going to give them to a vulnerability scanner like Nexpose or Nessus. And then we’re going to run the scan. The scan is going to find what it’s going to find. We’re going to pass the results of that off to a team of engineers. The engineers will exploit whatever is exploitable, and then they’ll produce a report. Right? So that’s sort of the entry level penetration testing service.
It’s not ideal for several for reasons. The first is, when you price based off of the number of IP addresses, you’re not actually pricing based off of workload. So, suppose you have the 10 IPs, and they’re all running complex web application, maybe 40 man-hours per IP, $5000, that’s $12.50 an hour roughly. Nobody can work for $12.50 an hour, so you have to compensate with automation.
The second reason why it’s not ideal is automated vulnerability scanners only identify the low-hanging fruit, which kind of goes in the question that you were asking. Right? So they only identify the, the basic stuff that exists — maybe 30%, 45%. Someplace in that range, anyhow, is configured of the vulnerabilities that exist with a network. So if your methodology depends on automation, you’re going to be leaving a major gap. You’re going to be leaving a lot of exposure, which is part of the reason why businesses are suffering breaches left and right. Right?
Real Time Dynamic Testing
So then you escalate up into the gold level of service, and the gold level of service will include that low-hanging fruit type thing, the basic checks. But then we bring in Real Time Dynamic Testing, which is the methodology that we use for doing research based penetration tests. It incorporates major components of our vulnerability research and exploit development practices. So Real Time Dynamic Testing and it gets you close to a 90, 95% point of coverage as far as technology is concerned. We don’t just use — and sometimes we don’t even use— vulnerability scanners, but we really depend on our own experience, expertise, hands-on digging. Right? And that coverage you get the low-hanging fruit, the basic stuff. You get the really advanced stuff in there.
And then you go for the platinum. Platinum is realistic threat. We will cover the gamut — social, physical, electronic — and there’s no limit to what we’ll do. We have zero day malware that we use. It’s called RADON. We have different variance of RADON. The social engineering practices that we use have been written about in The Economist, Bloomberg, Forbes. We built a mouse that was fully weaponized that breached networks for us. I mean, all kinds of things. Yeah. So that was a very long-winded answer to a very simple question.
What is Penetration Testing?
Paul: No, I appreciate that. So let’s roll back a little bit. And first of all, for our listeners — because we have a fairly wide range of listeners. So you mentioned the word “penetration testing.” And I know that’s generally referred to as pen testing, and it’s not testing whether your pen works. Is that breaking into a network? What is penetration testing, very simply?
Adriel: Yeah, it’s a test that’s designed to identify the presence of points where something can make its way into or through something else. And then when applied to network security or applied to networking, it’s the same kind of thing, but it’s a test that’s designed to identify the presence of vulnerabilities, in an infrastructure that can be breached by an adversary.
Paul: Okay. So you figure out how to get in.
Adriel: Yes.
Paul: Whether you do it or not, you, you know that now there is a door that is ajar or a window that’s not locked.
Adriel: Yes. So we, we figure out how to get in, and we do get in. We demonstrate by exploitation. So we demonstrate by proof.
Paul: Okay. So you go in and put something on their coffee table.
Adriel: Yep or, if it’s a physical point of entry, you know, one of our treasuries, we literally walked into a data center and walked out with a computer.
Paul: Really?
Adriel: One of the state treasuries. Yeah. In other cases, we’ve turned on web cams and microphones and recorded entire conversations in businesses. And in one case, we actually took a video of a guy picking in nose, playing solitaire, and drinking coffee.
Paul: Wow. Well, I know that can’t be me because I don’t drink coffee.
What Should You Do About Cyber Security?
Paul: So, okay. Good. Alright. So now, we hear about cyber security, network security, security all over the place, all the time. And, general citizens have no idea what to believe. Is it good? Is it bad? Is it getting worse? Is it getting better? Is there risk? Give me an answer, it’s some point. We’ll put in some stakes in the ground here. But what would you tell the ordinary, average person? Should they be using a computer? Should they not? Should they not worry about it? Who cares?
Adriel: Yeah, there is no such things as security when it comes down to corporate security or commercial security. There is just a market. And it’s a self-perpetuating market. And that market really does provide, in many cases, a false sense of safety. When it comes to help people should be using their computers, they should think very carefully about the kinds of data that they want to store on their own computers. And they should also think very carefully about what they put out into the cloud, you know, social media. Anything like that. Because that moment that information is out there, it’s no longer their information. It might be protected by contracts. It might be protected by privacy policies. But as we’ve seen with Equifax, and as we’ve seen with Target and Sony, Hannaford, Home Depot, Ashley Mad—, you know, I could go on and on. The information is no longer their information.
Paul: Well they don’t have control over it.
Adriel: Right. And one of the things that has really surprised me about people is people think, “Well, Facebook is private. That’s my Facebook page.”
Yeah, well, you know, it really isn’t. If you’re a private person, you shouldn’t put it out there. There is no control.
What’s the Big Deal with Online Profiling – Social Engineering
Paul: Okay. So let me just unpack that a little bit. That seems to be, well, when you are doing something — whether you realize it or not — you’re explicitly sharing information. You go and you put on Facebook that I like the color orange. Okay, so the world knows that. So what’s the big deal? So people know I love the color orange.
Adriel: Yeah. So the big deal is profiling. One of the things that we do when we hack businesses is we, for the platinum level stuff, we socially engineer people. To socially engineer people, we have to be able to understand what they like, what kids of pets they have, who they’re married to, who their children are, what the last meal was they ate, anything like that. Any of that information that might seem benign. That information can help us to build a false story around a false persona that meshes very well with them. And then that enables us to befriend them on Facebook or befriend them socially in the business.
Once we befriend them, we can begin to build a trust relationship. And once that trust relationship reaches the point where I can send them content by email, a document, or I can get them to click on a link, I can breach the network. So any information that they put out there is going to be useful for me to help leverage them or breach them. Or maybe even just create a falsified story, you know, and, and extort them.
I saw something really interesting recently. We have a friend here that’s going through a divorce and she received a letter in the mail. And the letter was sent to her house but it was addressed to her husband, her ex-husband, or soon-to-be ex-husband. And it said, “Hey, you know, I have really dirty information on you. And I’m not going to share it here because I don’t want your wife to know what this is but I think this is worth some hush money,” effectively. And “If you give me $2000 in bitcoin, I won’t tell anybody about this kind of thing.” Right? So the reason why they figured out this divorce was going on was because of information that was disclosed in public. It’s actually a fairly common scam. So any information that you put out there is stuff that can be leveraged by people looking to extort you or breach systems. Or, if we get hired, we’ll use it to break into whatever networks you have.
Paul: Okay. Alright. So the point here was that my use of technology as an ordinary citizen, you’re telling me I shouldn’t share things on Facebook.
Adriel: Right.
Paul: Without understanding the risks and if I’m okay with those risks. Is that fair?
Adriel: Yes.
Paul: What do you tell your close friends? Don’t use Facebook— don’t even use the internet? That seems like the safest thing.
Adriel: Yeah, it would be. Don’t trust anything on the internet is what I would say.
Paul: That’s fair. But now Equifax, I could have never used the internet, and Equifax, all of sudden, let all my information out.
Adriel: That’s right.
Paul: So I have been foregoing the enjoyment of the internet — because it’s a pretty cool place. I can do lots of stuff. I can learn lots of stuff. I can have great relationships and get to know people and see what my friends from high school are doing. And I’ve foregone all that. And then Equifax does something stupid and so I basically said, “Oh, I’m going to abstain from the internet.” How do you speak to that? What do you think of that?
Internet Abstinence Won’t Protect You
Adriel: So your abstinence doesn’t necessarily protect you.
Paul: Well, but there was no way to protect me there. There was no way to protect me.
Adriel: Right. There isn’t.
Paul: So why not just use the internet? I understand your argument.
Adriel: Yeah. That’s what a lot of people do. It comes full circle.
Paul: I understand that you’re saying that the more information I get, the more exploitable I am. The more I give, the more exploitable I am. But then it’s sort of like Chicken Little. It’s sort of like, “Well, I’m never going to use the internet, so I’m safe.” And then Equifax does something, and it’s like, “Well that was a waste of time.”
Adriel: Yeah. That’s exactly right. And that’s where this conversation always inevitably ends up here. Is, well I won’t use it. Well, even if you don’t think you’re going to use it, you’re still using it. Your bank is online, period. You’re living in this country, and this country is in its financial system, uses these ridiculous things called credit scores. Your purchases, everything you do, are online. You own a credit card, that’s online. You own a cellphone, you’re online. And you don’t have to have a social media presence, you’re there. The only thing that you do with your social media presence is you feed the engine unnecessarily.
Paul: Okay. Good. That’s great.
Adriel: Yeah. So I mean, that’s really the best way to explain it.
Paul: There’s a lot of stuff, we could do this a couple more times I’m sure. We’ve been talking with Adriel Desautels of Netragard. He’s a security expert. And we’ve been exploring security and penetration testing and security testing and all of the different things that coalesce to mean security, what is security and what isn’t security. There will be a tremendous amount of links that will be in our shownotes, that I think will be worth looking at. Many of the articles that Adriel mentioned and many of the sites and of course a link to Netragard as well, and ways to contact Adriel.
So Adriel thank you very much for your time. We really appreciate it! It’s really been fascinating and I think a lot of people will learn a lot today and I really look forward to doing it again.
Adriel: My pleasure, any time.
Paul: Thank you Adriel.