60. Damon Fleury, CPO at SpyCloud, on Navigating the Darknet to Combat Cybercrime

Hello, everyone, and welcome to another episode of the Security Podcast of Silicon Valley. I am one of your hosts, John McLaughlin. I'm joined with the other host, Sakhir Sinkovich. Hi, guys.
And today we have a very special guest, the CPO from SpyCloud, Damon Fleury. Welcome to the show, Damon. Thanks, John. Happy to be here.
Just look at your LinkedIn. You have a lot of great experience across different sectors of tech. It looks like you've been pretty focused on security for a while now, but you're broadcasting live from Texas, eh? Yeah, I actually grew up mostly in San Antonio and lived in Austin.
Most of my non-child life, we'll call it grown-up life, and spent a little bit of time in the Bay Area, not near you guys. That was about 20 years ago, so I've been doing security for quite a while, though. Do you think of yourself as a security person? Wow.
I've worked in security a long time, so I guess by most definitions, I would... If I was somebody looking at my resume, I would call me a security guy.
But I'm also one of those people that I have a hard time ever thinking I know. You can't know everything about security. It's such a massive landscape. I would hate to say I'm the security guy, but I'm one of many.
Yeah. I dabble. I've played against me so long time. Yeah, growth mindset.
I love that. Like, no one person is going to know everything, but it takes a spectral, I don't know, curiosity, or maybe there's an opportunity or something that pulled you into that world, the security world. Yeah. Well, for me, the interest in security was really just an interest in solving really hard problems, right?
And so as I got out of school and wanted to work for companies, writing code was super fun, kept me challenged, and gave me really hard problems to solve. Eventually, I got into embedded systems computing. Those were great problems. Then eventually building network stacks.
And then eventually trying to secure network stacks and network products. And those are crazy hard problems. Impossible to truly secure anything like a full network systems. But doing that work was always challenging.
And certainly once I got into security, the aspect of solving a problem that truly helps people and tries to protect people, that was also really enticing for me. So that kind of led me into security. And now, of course, I operate a little more on the business level than the coding level. But I love the challenges.
I love solving problems. I love helping people. And there's so many that never run out of these problems, unfortunately. You mentioned a vast landscape of cybersecurity in general.
Based on your career path and based on other threats, what do you see as the most interesting aspect of cybersecurity today? So today, aligning with the last couple of companies I've worked with, it's the security landscape that is built up by the economy that's been created by criminal actors at the end of the day. And so the way that they are, they no longer really need to focus on and build, like you watch movies where there's these big crimes and they do all this research and they try to figure things out. It's not that way at all.
It's a layered economy where people come in and for their day jobs, they perpetuate crime and they build such an amount of data that gets shared with others, gets shared amongst themselves. And they have many different jobs within this economy. And this world that's built out, I discovered it in the last place I worked and it's something that attracted me to SpyCloud when I came here. It's wild to me that this has happened.
It's wild that there are so many people that their whole mission is to damage other people, to damage other businesses. I understand a little bit about their motivations, but how do we stop this? Like how do we stop a trillion dollar economy that's built off of damaging the rest of the society and economy? And then that's always moving and changing with the things that as soon as we defend something that this economy and the people, the members of it, they do things to try to work around those fixes.
So the intractable problem, the scale of what's happening, and the fact that most citizens don't understand this is happening at all. It's, it's truly is in the shadows, but it's very real and it's actually affecting all of us every day. That's maybe a good segue. You mentioned some of the things that you're doing at SpyCloud or that attracted you to SpyCloud.
And we're curious and for all of our listeners out there, what do you guys do better than everyone else in the world there at SpyCloud? Yeah. What we're doing at SpyCloud is we're focusing on that very, that area that I just mentioned, the criminal community and the data that they're collecting. And what we are really great at is understanding how to gain access to that information and then bringing it to our customers, companies primarily, that can then use it to immediately remediate the damage that can be done with that information.
And going beyond just something bad happened, but how can I protect myself from that information or that bad thing, that automated remediation? So for example, if there's a ransomware attack, maybe one of the common patterns is to make a copy of all of that data. Maybe that ends up for sales somewhere in some forum or a dark website hidden behind Tor services or something like that. Is that the sort of thing that SpyCloud might brum way off in like left field?
No, I think that's a great example. We collect petabytes and petabytes of data that was collected through ransom events. And they often say, if you pay the ransom, they won't share it. That's a lie.
They share it. The data's out there. Once it's out there, others get it. And so we infiltrate those communities with our researchers and get access to that data.
But we're just as focused on the thing that happened before the ransom event. So most of those ransom events happen when they've already gained access to your environment through a phish or through a malware event. And so if you can find out that these bad guys did something to get a credential or get access to some part of your network, and then you can automatically know this and shut it down, then you could stop that ransom event from happening to you. Oh, that's super interesting.
I would love to be more proactive in that space instead of just reactive all of the time. But what sort of signals do you notice that would indicate that someone in your organization has been phished or there is a malware event or something like that? Help us get the intuition there. What does that look like?
Yeah. So it's actually coming straight from true data and it's indisputable in that way. So we gather malware. Malware is a great example.
We have, we monitor and track the data that's stolen by 61 families of malware right now. And these, this type of malware, its whole job is to install on a person's computer and steal everything it can from your computer. It could be usernames, passwords, session cookies, crypto wallet addresses, credit card information. It steals everything in less than a minute and shoves it up to the dark net, to the command and control or often called the panel.
So we infiltrate where that data is moving and we gather copies of all of that information. So we can tell you without a doubt that somebody in your company or somebody using an email address or a website in your company experienced a malware infection and all these access details and all these details about that individual were stolen and that the bad guys have it and they're going to soon be using it. So let's go close those doors before they can get there. That's super interesting.
This is almost like business espionage type stuff. Yeah. Well, if it's all within the criminal community. Yeah.
And so certainly the criminals are performing business espionage and we're trying to figure out what they're doing to stop them. Right. Right. It's the counter espionage as a service.
There you go. Yeah. We like to consider ourselves spies. It's not quite that dramatic, but cue Mission Impossible theme song.
I don't. There you go. You can get the rights to that one though. So I'm so sorry.
I'm so sorry. What does a typical day look like for you? Well, for me personally, a lot of my days are talking to customers. In fact, recently lots of travel, SpyCloud is.
We've grown to the point where we have a very global customer base. And so interviewing and talking to customers about their problems and how we can help, learning a lot about how large MSPs or large customers or medium-sized customers are seeing the threat landscape, the crime that's happening to them. And then what we can do to help them understand, to help them understand what happened on the back end of that crime. Can we get that data and can we somehow use it, help them automate the remediation?
So those are great conversations. And then a bunch of my time is also, of course, working with our product team within SpyCloud and building the roadmap, building the requirements for these products and helping us to take us, helping our entire company to take us to the next level. The ability to use and provide analytics around this data so that we can draw better conclusions and we can help people predict the next crime or stay ahead of the next crime. When you talk to your customers and your partners, what do you hear?
What signal do this customer give you aligned with? There is a lot of interest in your opportunities for the underworld of the cybersecurity space to create new patterns and ways to infiltrate into the organization. The SMS phishing is fairly old school attack, but it hasn't been really solved due to many different victims. And now impersonation attacks becoming a lot more sophisticated and a lot easier, a lot cheaper to, because at the end of the day, it's a matter of economics.
It's economically viable to graph the attack. It's successful. It's on point. People will answer those attacks.
What do you hear from your customers and how does it condition your road and products future? Yeah. Yeah. I mean, we hear all of those problem sets that you just mentioned, phishing attacks, add ransomware that John mentioned.
Like when we talk to them about what are your biggest problems, you can read in all the reports. We hear the same things. Phish, business email compromise, ransomware, direct attacks on infrastructure. And then, you know, because of where we approach the problem from, what we hear is, okay, we know this thing happened and where we know this thing happened to a partner company or to a law firm that's connected to us, but we don't know what the criminals got.
And we don't know that we're fully protected from whatever it is that they learned. So they have lots of ideas. Are you watching these types of criminals? Are you, are you looking at this type of information?
And then part of my favorite part is helping me to understand, well, how I gave you this data, if I could go out and find the criminals that are doing these things, which we're great at, what would you do with that data? And how can I automate that for you? Will it feed into your orchestration? Is it a toolkit that I can provide that would automatically change your directory services?
Is it something that can directly integrate with your email systems? As a problem set, we have to go, there's so much data about what the criminals are doing. And because it's become an economy, they share information with each other. If we can get clues into that, then we have to take deliberate steps to become protective and not just reactive to those things.
And so our customers push us very much in those directions. And a great conversation because some of our customers, when we get to the large MSSPs, they have people that are very familiar with the darknet that live in these channels that we're also in. And it turns into a great community effort, right? And we feel fantastic relationships with people that we all have the same, at the end of the day, the same mission of, we want to disrupt this cycle of cybercrime.
And we're all in a unique position to help each other do it. And yeah, these conversations are, they're a lot of fun. They're really collaborative. But from it, we can really, we can glean a bunch of great product ideas too.
So you've been there for just over two years now. Maybe you'd like to share with us the absolute best day that you have so far. Yeah. Probably the best day so far has been one of those.
We took a trip to Europe in the middle of this year in the fall. And it was a kind of a, it was a whirlwind trip where we hit five countries over five days and visited something like two or three dozen customers, lots of meetings. And one of those days was meeting with, with government and large enterprise customers in Brussels. And for me, the best day is those types of conversations where the customers understand the value that can be provided by looking at data and analytics the way that we do.
But then it's really just brainstorming, right? It's how do we really help you understand how to protect the entire country, right? Because some of these agencies are, they have a similar mandate to like a CISA does here in the, in the U.S., but it's a smaller country. And it's actually, they have a lot of laws that allow them to control things like what their service providers do or to give guidance.
And so you can do some really interesting things that can protect an entire citizenry with some of the controls that they have access to. So some of those things have just been the most fun to really work on. Like, how do we stop this? How do we stop this problem of criminals using the data they collect from each other, perpetuate crime against everybody.
And got some great ideas from those conversations. That's, those for me are the best. Amazing. I love how, oh, so sorry, Sasha.
Kofi Kofi Data share interesting subject. And it has come up in the previous couple of shows. The point is the criminal that sharing data between the groups, between each other, but on the device side, we're not always as proactive in sharing that information. Sure, there is database of common CVEs and companies tend to publish CVEs, but those CVEs usually published after they have been patched.
Meaning there's usually a significant period of time between the discovery of CVE and it being published. What, how do you think about sharing information for the benefit? Overall, we're big fans of it. Anything that can help us work with others and stop crime.
And we have programs that we participate in with community researchers, where we share access to our data set for these types of things. We also, we're also significantly, I guess, deployed or involved with a variety of kind of sharing circles, we'll call them. Like groups of folks that are working together for specific causes. We have many members that are on the ransomware task force and we have a policy.
Of course, we offer a product, right? We offer a product with data that's available for sale when it plugs in. But when we see a crime that happens, we also have a significant responsible disclosure program. And we'll reach out as much as we possibly can to organizations that are the victims and probably are not yet aware that something has happened.
And of course, we cannot, we can't do as much as we want to and all, we'd love to share everything all the time. But we believe that kind of, especially when there's a crime ongoing, there's something happening in a specific instance. We all have a, we all have responsibility to help share that as much as we can with those being affected. But I think your, Sasha, your point also calls to another set of issues, which we still just don't have good ways to share structurally.
And we don't have good ways to know, even when data gets shared, what's interesting and what's useful and what really, what matters. Because I think we can all say, we feel like we share nothing, but you can get plenty of feeds of IP addresses and email addresses. You can be inundated with data in a moment. And I think there's, I don't have a great answer for that, but I agree that's a problem that's worth working on.
Because there's really got to be great ways to share enough that people can be better protected without, without inundating them with everything, which I think is, we have, we've both extremes, but nothing in the middle. Well, I know I appreciate that as it's difficult to share, but didn't, didn't SpyCloud recently released a report that summarizes new malware and ransomware defense findings? And maybe you summarized a lot of data and just presented some thought leadership for the industry as a whole, in terms of what's happening, what's going on out there. What did that stuff look like?
What was in the report exactly? Yeah, we do a couple of these kinds of reports every year where our team basically looks at what's probably the largest collection of data coming from malware or third-party breaches or phishes, that type of information. And then looks at the whole set and says, what do we know that we can share with others to help them understand the scope of the problem? And so this report actually takes two angles at the same time.
One, we survey CISOs and gather their feedback about what's happening with malware in your world and what's happening with, what's happening with ransomware in your world. And are you still impacted by these things? Spoiler alert. Yes, they're very impacted by these things.
But then we also have the other angle of looking, how does that cross-reference with this massive amount of data that we know about their organizations? And because criminals have collected it. And then how these two things together, how does that paint the picture of how is malware impacting ransomware impacting enterprises? And some of the key takeaways that we've gotten from the data is that 75% of all organizations are impacted by ransomware in the last 12 months.
That's up from about 60% the prior year. And that doesn't necessarily mean that every one of them was ransomed, but a ransom event or attack somehow impacted their business. And that means they're having to respond to it in some way.
And then there's a variety of other stats of this program that start to show that we've been able to build predictive models looking at this massive amount of data that show if we see certain things happen in the criminal underground, a certain malware infection that happened to get access to an administrator credential or to an SSO portal or something along those lines, then we can actually predict that the ransomware gangs will choose that information to try to attack that business. And we can do that with a pretty high degree of probability. And so all of that together, we can start to paint a picture of malware infections can be directly connected to these follow-on attacks.
Yeah, no, that's very interesting. Do you see attacks being targeted by specific verticals, for example, like healthcare or insurance? Maybe because they use very similar software stacks. So if there's a vulnerability, there's a vulnerability and it could impact like if there's a product that has particularly strong penetration in a particular like market.
And that market, the entire market tends to be a fire or something like that. Do you see trends like that? Yeah, absolutely we do. So when we connected to industry, I think the two you called out are the most targeted by a pretty wide margin.
And we have our theories as to why the data shows us that they're seen, they're targeted more from malware infections and that those infections line up well to the things that would make them susceptible to an attack. But why specifically they're going after the healthcare and insurance industries, we can certainly theorize those are critical industries that they'll pay the ransom that they can get in. But it leads them to a place of being more attacked than others. Yeah, I imagine it's because there is money in those industries.
Yes, and criminal enterprises, they don't do it just for realists. Well, maybe some of them do because like they're run out of shape or whatever. But I imagine that most of those larger ones, the ones that scale, the ones that present like a clear and persistent product are just businesses. A quick question.
Based on the vast amount of data and the patterns that you guys see, you mentioned 70 plus percent for patients are targets or have been targeted. Malware injection attacks. Malware injection attacks. What is the most successful entry point for a malware injection?
Yeah, that's a great question. And unfortunately, not one that our data shows the answer to. We see some trends and we can talk to the things we see anecdotally. But most of the time, what we see is that the malware infection happened and we can't necessarily tell how it happened.
Only that a criminal installed that malware. But some of the things we see are certainly they can get in through things like vulnerabilities, like you just mentioned, Sasha. That's one. And installing it through phishes.
We see that as well, where they send a link and they get them to click on that link. But the other thing that we see maybe more than most people realize is embedding of malware in other software packages. Very commonly, you see them in mod packages for video games or skins when you're trying to get that new skin for Call of Duty. That maybe wasn't a great, great choice.
We see a lot of malware getting infected, strictly targeting universities in that space. We also have seen some stealers. So stealers are the piece of malware that we're focused the most on. We see some stealers starting to embed themselves in what looks like otherwise just kind of run-of-the-mill pop-up ads.
Right. So we've seen those pop-up companies getting paid by the creators of these stealers. They pretty much will like put these pop-up ads like, hey, we'll do a free virus scan. When they do that, they literally run malware, steal everything they can off the computer and then delete that.
And then that data gets sold through the rest of the criminal underground for other things. And so we saw one of the kind of one of the most popular stealers in recent year or two is called LummaC2. And they're seeing a lot of, they're seeing a lot of spread of that by embedding it in these affiliates that are this gray software. Like nobody really wants these ads, but people click on them all the time.
They still work. And you basically pay by the click of how many people install the software. So we see these malware variants paying per click by these kind of mass marketing gray software PUPs that are getting pushed out. Yeah.
And it's a little different than most people realize from the perspective of you are, what they're trying to do in this scenario is steal data more than take over your computer. If they can, they'll take over your computer too. But they can get that information that in itself is marketable. Yeah.
Yeah. In general, the most successful attack is a chain attack. What does it mean? It means that you connect related pieces of information and use that chain to then successfully infiltrate into the organization.
And it sounds like what you guys help with specifically is to prevent initial scoping because by stealing all of information system, you essentially perform the initial scoping of what it is that I can then dig deeper into. Your solution, you help organizations identify if that has happened and mitigate the risk. Yeah, exactly. And we'll pull that data from malware.
I think we're focusing a lot on that because of the malware defense report, but we get that information also from third party breaches when they steal information about people. So we're still, we don't talk about it as much as we used to because we're tired of the topic, but we discover upwards of four to 500 new breaches every single week. Then ingest all of that data, billions and billions of identities every month that get it, they get stolen identity information. And the same is true for phishes.
We collect data when people click on that email and accidentally give their Netflix credentials and credit card number to the bad guys. We collect the backend of that information when that email is stolen so that those companies or those individuals can fix those things too. It's very fascinating to be honest. In the modern DNA, waste prone to all of these attack.
So many different solutions on the market meant to prevent successful cyber exploits, but we're not playing yet. If you look at all of the statistics, the number of successful attacks is on the rise. It's not on the downtrend. Agreed.
This year, just talking about malware, we will process ourselves 80 million infected computers this year we're on track for, which is almost 2x our largest year prior to this. And so the number of infections that are happening, the number of campaigns for phishes, exactly what you're saying, Sasha, all of these activities, the problem is just getting worse. And we deploy all these defenses and they help, but then more bad actors engage in more attempts and more workarounds to get deployed. Yeah, it's not, we can tell you because we see what the criminals are, how they're winning.
We see exactly what they're getting. It's a little mind boggling and concerning, but it's a big, it's a real thing. It's a real problem. Yeah.
So to jump on the tappy train. Yeah. Sorry about that. I'm going to ask.
No, there's ups and downs, just like with everything. And the caveat, the converse question of what's the best day that you've had is what's the most challenging day that you've had? And how did you overcome the challenges? Yeah.
At SpyCloud, I don't know that I've had what I've considered to be a really challenging day. I think in my career, the most challenging days I spent before SpyCloud, I spent about five years running MSSP. And in the early days of that, I did a lot of incident response and was the incident response commander. And I'll tell you, I spent about a year and a half doing that.
And you are literally living through an individual or team's worst day they can possibly imagine. When you see an entire hospital, the largest hospitals in the world, you're not able to provide care, right? And we're all down trying to figure out who, where are they? We don't really care at that moment who.
How do we help them get through that moment? And you literally have leaders just trying. They're scared for their jobs. They're scared for the people involved.
It's a very crazy time and some of the most stressful, psychologically challenging, and most rewarding things I have ever done in my life. So those are the days that when you ask me, what are the hard days? Everything kind of pales in comparison to those kinds of days. Yeah.
Especially something like a hospital with our people's lives. So anything that comes back to people is going to be, it will have that emotional component that just, I think a piece of technology just doesn't really bring to the table. But it's actually a very interesting subject itself, the critical infrastructure in general. When we talk about equipment that carries a lot of people's lives, for example, an airplane has a redundant system.
In case if one system fails, you fall into the supportive system that meant to continue the normal operation. Usually we don't see that even in the critical systems, critical infrastructure, when we talk about software or even the physical infrastructure. We don't really talk often about the availability component of the CIA triad. In this case, we're talking about the product itself.
But it sounds fairly interesting, potential subject. Yeah. The idea of how do you protect that type of critical infrastructure. And it's such a crazy, it's such a crazy problem because there's what you mentioned, Seth, around do you, how do you make sure you have redundant systems?
But then when you focus only on that, you miss the broader problem. And what the actors actually know is that it's really hard to get to those redundant systems. And for something truly necessary, like heart machines, have backup after backup for those problems. But like during COVID was when I spend this time, like I got into incident response in late 2019 and did it through 2021, 22.
And we had cases where, I didn't just do healthcare, but another example, where the actors knew that we were all trying to do things like move equipment between hospitals, right? You don't think of that as critical infrastructure. But at that moment, if they attacked an organization whose sole job was moving equipment between hospitals in certain regions, they had no choice but to pay that ransom. Because you're not just hurting one hospital, you have the side effect.
And it's not thought of critical infrastructure. There's no backup for that. It's not a machine that needs a backup. It's communication that needed to happen to enable things that didn't save lives.
And it's a simple problem. And if you're just trying to figure out where can I pluck off certain things where they'll have to pay, you can find there was no strong security in that organization until we helped them stand back up and rebuild and build security. So it's such a massive problem. And I actually spent quite a few years doing election security.
And you do the same thing there where the real threat in election security has very little to do with the voting machines. Super hard to change those things. And changing one voting machine does not change an outcome in the United States, but change the distribution of votes or change how those things get moved from one place to the other. Those are the places where we're vulnerable.
And it's impossible to fully understand and protect that whole thing. The election machines in itself is, we can spend probably multiple days discussing the reasons why it's a problem in itself. But in general, it's a very complex and vast different set of systems. Every state and every county has its own machines.
It runs its own software. And there is no really unified way you could necessarily control it. I want to control it per se, but you want to have the informal software distribution to make sure there are abilities in the software, etc. But going back to the importance of the work that you guys do in general, security and cybersecurity solutions are seen as an overhead.
It's an overhead for the organization. Would you approach that initial discussion, potential customers, if that question? Our approach ends up to be quite effective in that we can easily show them, because we have this massive repository of data that criminals are using. It is, unless you're brand new to the internet, you've only been out there six months, we have way more data than you can possibly imagine about your employees, maybe about your business.
And it is very easy to help people understand, suddenly, oh no, all these things have somehow gotten out there. And now the question is, what can we do? How can we together fix that problem? How can we do that?
And then the fact that you can do things, that can be reassuring. And we hate the idea that we know this is frightening, but we don't want it to be frightening. We want it to be eye-opening. We want you to understand that criminals have done this already.
There's nothing that SpyCloud could do to stop it. And obviously, all the other things that everybody's tried have not worked. But now we can respond to that, and we can work on that problem. So that's the, at the end of the day, it is, you get past the overhead conversation when you're faced with the real data about your business.
So essentially solving a real pain point that is felt is the way to approach. When you are a painkiller versus a vitamin, you have a viable solution. And you guys help a lot of businesses. And not just businesses, you help people that are part of the business.
At the end of the day, companies just collection of people. And people have their lives, and it's important to protect. I agree. And I think of us like the tricorder on Star Trek to use a brand that shouldn't probably be using.
But nonetheless, we're scanning them for things they don't know about themselves. We're seeing things that happen to them that maybe is hiding within their body, or their body being the company. And then we say, hey, this thing is out there. This is, your B12 is too low.
And there's these extra artifacts of data that could hurt you. Can we get ahead of these problems? And typically they're significant enough that a company says, wow, I need to know those things. Because it's happened.
If I'm a founder of a company, and maybe, I don't know, maybe I just closed my C round, and I'm starting to get some more exposure. And I'm curious if SpyCloud has a way to just like quickly help me understand if SpyCloud could help me. Or if there's data out there on my company, let's just say it's xyz.com.
Can I punch into a portal like xyz.com? Like how many entries are there that SpyCloud could help me with and click? Oh my goodness, like 50,000 entries.
What is that? And then we continue to have discussions or anything like that that you want to plug? Yeah, of course. Go to spycloud.com.
There's a link right there on the top of the page for check your exposure. And you can pop in your company name and get a little bit of data, but then verify your email address and get a lot more data. And then we're more than happy to walk through the specifics with you so you can understand the scope of what's happening.
Amazing. That sounds so easy, so simple. And these are such big problems. I really have to compliment your ability to remain calm and cool without doing any disservice to the gravitas of the scope of the problem.
And still remain not just cool, but positive and forward-looking. And so a huge thanks to that. I'm grateful that there's people like you working on these types of problems. A lot of folks that are listening to the show, we're always thinking about growth mindset.
How do we improve ourselves? And one of the really fun questions is hinting towards what's that journey look like for you in particular? You've really contributed a lot to the security community. And if you had an opportunity to meet your younger self, would you take that opportunity?
And if you would, would you have any advice for yourself? Yeah, that's a fun question. So would I take the opportunity to meet my younger self? Absolutely.
I'll meet anybody. This seems like a fun experience. I can see how young and silly I used to look and make fun of my bosses. My big, huge, young person bosses that you only have.
I would have, I'd be open to that. But would I have any advice for myself? I really don't know. I am not a person that, I definitely look back and reflect on ways to be better.
But I'm not a person that regrets the choices that have been made. And so I don't know that I, I've watched, again, probably too many Star Trek episodes where you say something, you change the ripples of time, right? Exactly. Exactly.
I wouldn't want to change any of those things. Right? I love the things that are happening in my life, but I love the thing, the impact I'm making now. What if I stayed in architecture school and college, right?
That would not be, that's not what I would want to happen. You graduated with computer science though, right? Yeah, I did. What if architecture school and I switched after about a year and a half when my professor said, yeah, you're not so good at this art thing.
Maybe you should go do something else. And I said, yeah, you're right. I'll go work on computers for a while. But yeah, I wouldn't want to change my course.
So I don't think I'd have any advice for myself. But that's a fun question. That's perfect. That's perfect.
Now, how about a little bit of a leading question? Yeah, we got a lot of entrepreneurs on the show. A lot of folks thinking about like the future. All the gratitude in the world for sharing like how you see the future unfolding.
Is there anything out there that you wish someone with expertise and dedication and focus would just sit down and build already? Like what is the world missing? What would that look like? What would that feel like?
Yeah, the obvious things are all the things that come from sci-fi shows. Those would be the best. Things like teleporters and perpetual energy machines. Time travel.
In my scope of the world, it would be difficult for my business. We would have to adapt. But I would love it if we could solve this stupid password problem. And I would love it if we could have secure logins that cannot be compromised.
There are ways to do it. But it requires so many things to be changed and so many that it'll never happen. And I just watch all day long criminals just taking advantage of this same stupid problem over and over again. And we built a business out of helping to fix it.
But man, we could do way better with authentication technologies, with access technologies than we're doing today. I would love to see massive step forwards from that perspective. Same. I'm a firm believer that you are not a password.
Yes. I don't know. There's something a little bit more interesting about human beings than just passwords. Exactly.
There's some key attributes to each of us, for sure. But don't look back at much. So funny thing is, well, I'll search myself in our database all the time. And I'll look back at my own history of passwords.
I'm like, yeah, let's pretend that period didn't exist with when I used to reuse passwords and do all the things that are horrible. But yeah, I think there's way better ways to do this. Yep. Yep.
We all had histories and we all did whatever we had to do to remember the password. Yeah. More than one. Yeah, exactly.
I don't need to talk about that. Oh, let's keep going. You needed to password before there were password managers. And so what did you do?
Came up with patterns. And I think there's even someone that made a pretty funny stand-up comedy joke about that. Go Google that. Yeah, exactly.
Yeah. Yeah, absolutely. But that was even before there were significant crime like there is with trying to log into people's systems. Well, Damon, this has been absolutely amazing.
Thank you so much for joining us on this show of the Security Podcast of Silicon Valley. I am one of the hosts, John McLaughlin. Joined with the other hosts, Sasha Sinkovich. We're both from YCQ.
And thanks for giving us a glimpse into what you're up to over there at SpyCloud and the future of authentication, passwords, how to handle that complex landscape of threats. Tim, thank you for leading the SpyCloud and having the conversations with the industry and aligning the roadmap of the SpyCloud to solve the real problems all of the organizations have. But whether or not have that problem, it's a matter of when you will be exposed to it. Or when you're compromised.
Question of if, it's a question of when. Yeah, thank you so much for the time. The conversation has been a lot of fun. So really appreciate the topics you guys are bringing up for all of us to talk about and the time just to share our stories a little bit.
So thanks so much. And thank you to all of our listeners and make sure to tune in for the next episode of the Security Podcast of Silicon Valley. Thank you. Thank you.