61. The Father of SSL: Passwords are holding us back

Hello everyone and welcome to another episode of the Security Podcast of Silicon Valley. I'm one of the hosts, John McLaughlin. I'm joined by the other host, Sasha Sienkiewicz. And today we have Taher Elgamal joining us.
Welcome to the show. Thank you, Sasha. Thank you, John. I appreciate it.
Well, you bring so much great experience to the table. Your tagline is that you're the father of SSL. You are currently a partner at Evolution Equity, your current role. You've been founder, CEO, CTO many times over in your past.
And you've also been the CTO of security at Salesforce. That is all true. Yes. I've been in cybersecurity for longer than most.
On your LinkedIn, your very first entry is actually technical staff back at HP in '84. Yeah. And there was not actually any security angle to that. So I'm curious, how did you pick up the tagline of being the father of SSL?
Wikipedia actually claims I'm the father of SSL. That's where it came from. So whoever wrote that, I did not write my own Wikipedia entry as nobody actually does. It refers to what I contributed, I suppose, to SSL because I'm not actually technically the pure inventor of it.
Although I wrote patents for SSL way back when. So the original Netscape SSL patents, I wrote. But I actually ended up building the team that developed the SSL 3.0 RFC, which we took to the IETF to become TLS 1.0. And that became the industry standard. TLS got updated over the years, which of course is a wonderful thing. But it's actually kind of surprising that this kind of technology lasts this long.
And so I ran the IETF working group, the original one that made TLS 1.0 a standard. So the father of SSL is sort of a bunch of different things. But not undeserved, perhaps.
Is there a story of how you originally got sucked into this security world or a security world? I came to Stanford to get a PhD. My undergrad degree was from Cairo University in Egypt. And I came to Stanford to get an advanced.
So I came to grad school. That was 1979. And I studied electrical engineering, actually. So I came to study like electrical engineering.
And I thought I would be working on estimation theory and signal processing and that kind of stuff. Math is the thing I love the most all my life. I used to play with numbers when I was like four years old, which most little kids do not do. So when I came to Stanford, then I found math classes that I can take.
I just took a bunch of algebra and number theory courses, which was magnificent. That was the best thing I've ever done. And then I ran into Marty Hellman, who was the professor who ended up being my thesis advisor. And he and Whit Diffie invented public key cryptography in the mid-70s.
So public key cryptography was very new when I landed in Stanford. Early 80s is when I actually met Marty and ended up being one of his students. And kind of that's how it goes. So I didn't actually land in cybersecurity technically.
I landed in cryptography, where the math was actually the driver rather than the security side of it. And when you started at HP, at what point did security become a thing, its own field, so to say? At what point did people and companies, which are just a collection of people, start to pay attention to security and dedicate enough resources to security? I mean, at HP Labs, I didn't do any security.
I worked on, I joined a group in the labs that were working on data compression, image processing, and computer graphics, and these kind of things. And that was the hot time for these things at the time. I ended up building a little prototype that actually did on-the-fly data compression at HP. So my boss at that point in time, Caillou, said, hey, you're actually handy.
You're not just an academic kind of guy. We should start a company. So 1988 was that first company. And we actually built a data compression device that would double the size of your hard disk.
And if you remember, in 1988 a 20 megabyte hard disk was actually a big deal. So making that 40 was a really big deal. So that's what InfoChip was. So that was the first startup I actually joined.
Amazing. Amazing. There was less security. When that company sold to Cyrex, it was like three years later.
I ran into RSA, that company. So RSA at that time was a small company. They had less than 10 people. And I ended up being the first engineering manager.
So I was actually the very first engineering manager at RSA and I did some cryptography work also. 50-50 kind of thing. And RSA sold a cryptography toolkit, which is a software, basically a library that people bought to include cryptography into their products. You may or may not remember, there used to be a thing called Lotus Notes.
So that was the very first customer, actually, that was a big customer for RSA. And I'm curious to know, was there a business need for Lotus Notes to start encoding cryptography into this product? What was driving the adoption of crypto? It was an amazing...
They used it for authentication of users. It was actually a beautifully written authentication program that would avoid passwords.
Can you imagine? That was 1991. They actually recognized in 1991 that passwords were a bad thing. We're still suffering from passwords, of course.
But they actually recognized that. And they wrote a very nice authentication program. So when you...
In the old Lotus 123, when you actually logged in, you used a cryptographically strong authentication protocol. And then after that, every single software company you can name that existed back then bought that library because there was just nothing else. It's quite fascinating that we could have...
Should we have taken a different turn as an industry? Could we be in a reality without human-typed passwords?
Why do you think we haven't taken that turn? It's my fault. 100%. I don't know if the behavior of hundreds of millions of users is entirely one person's fault, right?
Like, it's kind of my fault. Unfortunately. Well, it's not. I mean, it is my fault.
Because what happened is when we... When I left RSA and I went to Netscape as chief scientist, it was '94.
We were building the SSL protocol because Netscape wanted to use the internet, which actually existed for 30 years before, for commercial uses. And people talked about e-commerce inside the company, that the objective was to enable e-commerce. And we knew that if we used the open internet as it was, then e-commerce would be dead on arrival. So let's just not do that.
That's why SSL started. It was actually the Netscape vision to build...
Jim Clark, basically. The Netscape vision to build e-commerce on the open internet. And when we built SSL, we knew we kind of built in a required cryptographic authentication for the server side. So if you're logging into a website, Amazon or somebody, you can actually show yourself that you can trust this is really Amazon, not somebody trying to be Amazon.
On the consumer side, there are 8 billion people. Verisign started to issue certificates for the server side because there's a business model. It's going to enable e-commerce. You're going to make money.
So paying some money to get a digital certificate seems like a reasonable thing to do. But you and I are just not going to pay for a digital certificate as consumers. It's just, why would I do that? I mean, I'm buying something.
And if you don't trust me, that's fine. I'm buying from somebody else. But we put in the cryptographic authentication for the client side as an option. So there's actually an option in SSL to use mutual authentication, as we call it today.
But it was not forced. So that actually got everybody to do passwords, because how else? We all said you're going to have an account. So you'd call somebody and say, I want to have an account with eBay. They say, cool.
Who are you? They get some information from you. You have an account and you have a password. That's how passwords actually started.
So hopefully you pick a strong password, something like password123. I mean, I think 123456 is actually still the number one most used password on the internet. It's hilarious. I mean, so how do you feel when you look at the entrepreneurial ecosystem and everyone trying to use client-side certificates to authenticate?
People are trying to kill the password or behavioral biometrics like show up and then they fizzle. You must be filled with emotion when you look at that ecosystem. It just needs to change. We do not need a password to log into something.
It's just, we don't. All you want is the server knowing that this is you, and there are a million ways of doing this without using a password. Unfortunately, all the server software has a password field in the login page. You'd have to change every single login page in the world.
But that also goes back into the user experience. Users just expect to see a username and password login at some point. Even if you log in with OIDC or social logins, at some point in the chain you have to provide your password. That's just what users are used to, fortunately or unfortunately.
That's the place to judge. That's why it's my fault. That's right. The user should not be expecting to enter a password.
You don't enter a password when you walk into a shop in a mall. You don't need a password. Because now we have, I mean, back then, we did not really have fingerprints and other biometrics to validate who these people are and that kind of thing. So we did not really have a good way of doing this.
Processing a certificate on the client side would probably be perceived as a lot of processing power because running public key cryptography is not cheap. There were a lot of reasons why whatever happened. But it just, we waited way too long is the problem. And then along the way, you've seen a lot of multi-factor authentication, which we try to say, hey, at least don't use the password by itself because we know passwords can be stolen or what have you.
But honestly, we don't need any passwords. We should not have any passwords. It's a common pattern that in order for a new feature to be adopted, there needs to be a business need for it. What do you think the business need for removal of passwords?
It may be fairly obvious, but I would like to hear it. It's reduction of fraud. It's reduction of cyber attacks. I don't believe there is a single cyber attack.
Now we're getting heavy into cyber, which is a good thing. The vast majority of cyber attacks use somebody's credential to log into something. And if they stumble onto something that is an admin password, it's even better because now they have access to more stuff. And if they don't, they try to sudo into something or do something else or jump into a different machine.
And all of these things were built on the fact that they have access to an account someplace. Password is essentially answering question of which is who are you? And even if we look at the AWS root account, it is in principle protected by password. Of course, you can add second factor authentication logic, but the root accounts in AWS are protected by password.
I claim that it's the wrong thing to do. For AWS accounts or for any other account, that's just the wrong thing to do. It was actually funny. The gentleman who invented the password worked at IBM Research in the 60s.
And they were doing research and they were just trying to, I want to put my papers in one place and your papers go in a different place. So the idea of a password was you just, everybody knows where the stuff is at. It's not to actually secure anything. Because when you do research, I can read your paper just as much as you can read your own.
I mean, it's all kind of research papers. So it was not invented for a security function. It was invented to just separate things. Yeah.
It just became how the internet runs because somebody discovered, hey, if I use a password, maybe it would just, that's how people log into things. Then you don't follow the ups and downs of the security aspect. And in general, we as a security community are doing a much better job at securing the application layer of the process. There are so many different functions that make sure that your source code is as clean as possible from the logical oversight that may open up a vulnerability.
There are a lot of solutions out there that solve your supply chain vulnerability. There are a lot of solutions for your infrastructure. And the question of, how do you access the infrastructure?
It's still the weakest point. And we may say that one of the ways a successful attack is successful is through the authentication layer. Whether it's through phishing emails, someone clicks on the link, or it's someone just leaking the credentials for some type of system. Right.
And a stolen credential should not be the way a hacker, or an attacker, gets access. It shouldn't. Is there any interesting development in this space around authentication? There is tons.
And there is different kinds of authentication. So when you're authenticating into your own company's resources, that's kind of one suite of applications. When you're logging into an e-commerce site or a bank online app or something like this, that's a different thing. So authentication is not even one use case.
There are multiple use cases. There's a lot of companies that offer alternatives, and some of them are really actually good alternatives. I happen to sit on the board of one of those, but we're not doing commercials here, so I will not do that. How do we drive the adoption of...
Yes. There you go.
Internally, inside of highly regulated places, for example. The banks have actually started down that road a while back, at least from their own people. So they started the multi-factor authentication a long time ago because they figured out somebody can log into a machine in production in the bank. That's probably not a good thing.
When I was at Salesforce, we encouraged every single customer to completely replace passwords with MFA. And actually, we had really good success. We had over 80% success. The issue is that was authentication into Salesforce, not the 89 other things that people need to log into.
So the issue is the landscape is, in fact, tricky. And because we know that the user is not going to buy an authentication product necessarily. The bank buys one, and Amazon has their own, and just everybody has their own. And then as a user, you end up with 17 different ways to log into stuff.
That is not good. Yeah, that's actually a really excellent point. Because from the user point of view, in order for an average profile user to use a feature, it needs to be simple enough and well understood. And there should not be 15 different steps how you can implement the same feature.
But users actually adapt to things. I mean, if you have a safe deposit box in a bank, you expect that you have one key and the bank employee has the other key and you do two keys together. It's not exactly easy to use. But you know why?
Because there's good stuff that you're saving in there that you don't want to be available. So users actually do it. Users, in the beginning of the ATM world, everybody wrote their ATM pin on the other side of the card. Because what do you mean I need to remember a number?
That was the original thing. I think that does not happen anymore. I think now people use cards without writing numbers. So people do adapt.
Now we have one PIN and we use it across all of our cards, right? And yeah, we have that too. That is correct. It's somewhat cynical.
And if you write that in the back of your monitor, that's kind of up to you. People do that, but unfortunately. When you were the CTO, you mentioned Salesforce. When you were the CTO at Salesforce, was there any, what was your greatest challenge there as the CTO of Salesforce?
Maybe there was something that kept you up at night. And just to be clear for all of our listeners, like you were the CTO of security. Correct. It was a security CTO.
Which sounds very much like an engineering connected role distinct from a CTO. So it was not actually a CTO. As in I didn't run the security operations. Right.
But I was 50% customer facing. And I worked with the engineering teams to attempt to improve the security posture of the whole company. Salesforce started in 99. Salesforce is an awesome company.
I still have tons of friends in there. They did a lot of amazing things. But if you look at the security posture, it was built for 1999. That's when it was started.
And every few years, you improve a couple of things and you add this and you add that. And then a customer says, hey, I need you to do this. You add the stuff that the big customers ask for. I mean, the biggest challenge is just the big footprint.
Today, everyone is a customer of Salesforce, I think. I mean. That's true. Yeah.
One year. And if you're not, you're a customer of Slack, which is also Salesforce. Yeah. So the footprint is big.
And the company wanted, I mean, I wanted to build a unified kind of security posture, which is difficult to do. So you improve this and you improve that and you add this and you add that. And you continue improving every year. As long as you're doing that, you're actually fine.
But you can't go back and change fundamental architectural things 20 years after a company has started. It just doesn't work. How do you keep, and I think it's a fairly common theme, keeping the organization to a high level of modern development in cybersecurity is fairly time consuming. I mean, how do you approach that?
Every year there is a new product. How do you evaluate this specific section of the cybersecurity needs and upgrade? And how do you drive that adoption? Because at the end of the day, it's all about adoption.
Yeah. So that, I mean, that's perhaps the best question ever. Because we collectively need to improve the overall security posture of the entire digital world. I'm an investor.
As you said in the beginning, I'm a partner at Evolution Equity. So I invest in cybersecurity companies, which is a lot of fun for a guy like me. And I talk to every single area in cybersecurity as far as investments go. Because every area needs improvement.
The reason is we built a lot of things without starting with security. When people started social networks, security was not even an afterthought. It was just nowhere. And then all of a sudden, people discovered, holy crap, where people are putting all their sensitive data in there.
And people don't understand what sensitive data actually means. It is not your social security number. If, for example, somebody knows that you're physically in a particular city now, that is actually a piece of sensitive data. That means you're not home.
It has opportunity for somebody to do something bad. So the infrastructure that we collectively built over the last 30 years was never actually done with security in mind. And 25, 30 years later, you hear people talk about zero trust and secure by design and all of these things, which are wonderful things. All the big keywords.
I mean, yeah, if you keep them as keywords, then they are big keywords. If you try to implement them, you face the reality, which is actually tough. I can't tell you how many times I told engineering leaders and product leaders, there is not a PRD that I've ever seen that has security things in it. So suppose you're a PM in some company and you're responsible for some application and you write down the features of the product.
Nobody ever writes something like unauthorized people are not allowed to get in. In my opinion, humble opinion, that's probably a very important thing because if unauthorized people find their way through, bad things will happen. But that does not happen at the product level. And it transmits into the engineering level.
The engineers want to build products and they want to build the most successful product in the world. That's what the engineers want to do. Of course. That's right.
How do you think that those sorts of things are happening in this space of AI? Well, I mean, AI is an exaggeration of the complexity of the next wave of the software stack. Because you can understand what a three-layer kind of architecture looks like. You can convince yourself that database is a place you put data and you have a Java layer in front to process things and you have some business logic.
You can actually get your brain to get there. But when you put an AI layer in front that will serve the user something better, because the AI will actually succeed in finding out what the user is really after, understanding what that AI layer is doing is impossible. These big LLMs have trillions of parameters. There's no way.
There is no way, by the design of the AI itself, that engineers will be able to figure out what's wrong and what's right. Unless you do it like explicit. And people don't know yet. Yeah.
And I agree with you 100%. It is a very hot keyword AI. It was Gen AI. At the end of the day, it's the technology that needs to be applied properly.
Yeah, but nobody knows how to apply properly. And just like what we've done in the past, I mean, everybody had the right intention. Nobody had bad intentions. But we ended up with a lot of products that talk to each other without actually understanding what is it that they're talking about.
So even with the prior version of the software stack that did not have the AI layers, we actually do not exactly know what the software does. It's a sad thing to see, but it's just a taint. In the context of cybersecurity, which is a very complex and very vast field in itself, there are a lot of use cases for AI. AI is very good at finding patterns, recognizing something that shouldn't be there.
And there are a lot of very cool use cases where you could be applying AI in the context of cyberspace. Because today there are a lot of distributed solutions for very specific problems. There is your solution for the SOC. There is your solution for mobility supply chain.
There is your solution for infrastructure. And all of the solutions are usually built around dashboards. You just, you open a solution and there's a dashboard. And often I feel like I have to go and get a four-year degree, just read the dashboard to understand what it actually says.
Yes, though I have knowledge and background in cybersecurity. I can only imagine what people feel without that knowledge when they look at those dashboards. You don't look at them. Exactly.
So you just buy the product to make you feel warm and fuzzy on the inside. And then you get it. It's all over the place. That's really what happens.
Yeah. Where do you see the intersection of cybersecurity and AI moving forward? Yeah. You can actually see that with the correct use of AI, you can have deeper understanding of the operation of an infrastructure and the suite of applications that are running.
And you can teach it what looks right and what looks wrong. And the truth is we've actually done that. So all the, starting with the early intrusion detection products, they actually use machine learning to do detection. So we've been doing that.
The issue is we've been finding anomalies. Anomalies is kind of whatever it means. There's way too many anomalies. That's why there is more alerts than people can digest.
But if you build an understanding of the operation of how these things are supposed to talk to each other, you can make sense of this is how this application runs. And this mode I've never seen before. And this mode really looks like somebody from a foreign country trying to do something bad. And that would require a little bit of time.
I think there's a number of teams going through that and trying to understand how do we make that. There's a higher level of understanding of the use of a good use of AI to actually enable enterprises or organizations in general to manage their digital footprint. Yeah. It's the matter of putting all of the knowledge and context of what the application is supposed to do, where the application is supposed to do that thing.
And what the normal practice is, combining all of that knowledge together, giving the operator an actual actionable item instead of just throwing a lot of noise, is what we all want. That's right. I mean, the alert fatigue is just really extreme at this point. And I think every security professional faces it, from the CISO all the way to everybody in the organization.
There is an alert fatigue. There is no question. And the number of alerts will only keep increasing because it. .
. Because you're adding AI, actually. And there are a lot of tools built on the other side of the fence, on the red side. There are a lot of tools that anyone can subscribe to.
And you don't really have to have knowledge in the cyber in order to construct a really well-orchestrated attack at this point. Because it's low-end. You don't. Because there are companies that actually build the automated attack utilities.
And you can go and. . . It's a SaaS business.
And you go buy an hour or two worth of attack. And you tell it what it is that you want to attack. And it just goes. And you don't need to understand anything.
And if you end up with a coin in your account, then you're good. If you don't, then you try the next one. You don't lose anything. And renting these things for an hour is so much cheaper than what people actually end up paying.
Because the value of the data is much higher, obviously. So yeah, it is completely automated. It's very easy to use. And the attackers actually are interesting.
They talk to each other. They talk to each other more than their regular companies talk to each other. Because normal organizations compete. But there's a competition part of what any two people that don't work for the exact same company have.
So you don't share everything. But people who are writing the attack patterns don't actually care. They talk to each other. And they use the connectivity to their advantage.
But you look at what the regular kind of users do. Every country wants to control their own internet. Rather than use the connectivity to actually understand if they're being attacked in a bad way or not. That's the immediate thinking.
Which is just the wrong thing for an internet-connected world. But it is what it is. That's what we got. Yeah, that's just how the incentives work for people who are attacking.
The incentive is clear. Should we communicate and find the holes? That's right. Collectively, we can benefit collectively.
The defense side, the incentives are not as well defined. But if we come together and actually believe that using the connected world in a good way will benefit us, then we get there. Well, I think, aren't there like threat intelligence streams that have a little bit of the community? Thousands of them, yes.
But you need another four-year degree to be able to read the threat intel. That's also true. That's also true. If only there were a tool that we could use to deploy and organize the overflow, let's say, of information.
The technical people can probably get there. It's the executive level person that needs deeper understanding of how they're operating. And a lot of people just, they have a digital business, they sell something or they do whatever, and that's the end of it. They know there's cybersecurity issues, but there's no deeper understanding of what that actually means.
Right. And I think this goes back to the business incentives. Often security is seen as an overhead. Oh, I have to hire the CISO, and then the CISO will hire corporate security and product security, infrastructure security directors, and the team will just balloon out of proportion, and it becomes an expense.
And it's not clear what value does it bring. Even if you don't have an incident which results in data breach, you still don't see it as a benefit. Hence, and we started the podcast with this sentiment that there should always be a well-defined and clear business value alignment with the cybersecurity needs. I mean, we build bad products.
I mean, we have to admit it. I've been in software longer than all of you. So we just have to admit it. The way we've been building software products is just not the right way.
It's just the same as that. Where do you see cybersecurity as the industry? Where do you see it in 10 years from now? So there's multiple answers to one question in this case, and it's unfortunate.
So I think if we continue along the same road, you're going to see more tools for a while, then conglomerates. So things will get acquired, and then you get bigger things to buy it. All your cloud security things are going to be from one company and that kind of stuff. And you still have gaps, because actually there's nothing that you can buy that tells you what gaps you have in your architecture, because the architecture is yours.
So the CISO ends up owning: so what do I need to buy now? And they actually need to think hard about what architecture they have. But that world will continue to move forward because there's a lot of push to improve the cyber posture of everything.
The world I wish would exist in 10 years would actually take the words zero trust and secure by design for real. Where I try to understand what these things actually mean. And if we do that, then you're going to find products that just exist that monitor things in a cheap way to tell you if there is weird stuff or not. And they shut them down and the business continues.
What recently came to my mind and into my brain, the analogy to what you have just described, I compare to the immune system in the body. Our immune systems are really smart machines that react to all of the abnormal activities that happen. And it just happens in the background. I don't have to think about it too hard.
If something really bad happens, well, then I go and seek more in-depth assistance. However, on a day-to-day basis, every millisecond of my life, I've been attacked by a bajillion different viruses. And somehow I'm just fine. But yeah, the vast majority of the time, nothing, actually.
And we're trying to, I mean, even AI, we're trying to mimic how the human system works to build an AI machine. So we're kind of realizing that the way the human system is put together is probably one of the most intelligent things that ever existed. True or false, I'm not sure, but that's what we're building for. And there's been a lot of talk over the years about self-healing technologies.
And it's just expensive to do this stuff, right? Because the applications are getting bigger. The systems are getting bigger. The cloud is getting huge.
And if you try to actually track every single thing to see if it's right or wrong, you're just going to lose. That's why I believe there's some flavor of AI that will actually find its way through this world. Because you can get it to focus on just the important thing. It's like, holy cow, I have a fever.
That doesn't sound like it. That's not a normal thing. Let me go find out what that is. Rather than: is it really a virus trying to attack me or not?
Because the answer to that is, of course, yes. Yes, we need to sort of have a higher level of understanding of the operation of what we're running here, which we're not there yet. But we're moving in that direction very quickly. And there's a part of me that wonders, you know, if the world is about to change in ways that are difficult to imagine.
Like even today, even as we see the change unfolding before our very eyes, like the place that we end up could be very different. So I'm curious to hear maybe from you, from a security point of view, do you think all of this advancement with AI is going to push us in the long term? It will be something that has a sense of focus and can actually like hone in on just, I don't want to say symptoms, but the perturbations from a normal system? Or do you think eventually we will end up with something much more advanced, much more self-driving?
So John, I mean, bear in mind, you're talking to a guy that lived for a long time before the internet. So if you rewind 30 years, there was no internet, no mobile phones. There were pieces of paper that we wrote our schedules on. It was a completely different world.
When the web came, the change that happened in the world is monumental. I mean, it changed the lives of every single human being to a degree that is hard to describe. It's actually, I'm not claiming that we knew that ahead of time. Maybe some people did.
So I think the AI level of change is of the same magnitude. Now we do live in the digital world. So we need to make sense of the digital. We just need to remember that the digital world brought with it ransomware and fraud.
And the level of fraud in the digital world is still an order of magnitude higher than in the physical world. It brought a lot of things to it. So AI will bring about the same level of change. It will also bring the same level of threat.
Right. It's a tool, and tools will be used for good and for bad. And we're trying to regulate the tool. Rather, try to regulate how people should use the tool.
Right. And I've said this before. It's my opinion. Regulating technology is a very bad idea.
We should stop talking about it. I mean, a baseball bat can be used for a very bad thing, by the way. It's true. You can imagine, right?
That does not mean we should stop making baseball bats, because it's also fun to watch baseball games. So we should find a good compromise on specific uses of technology. Photography was in that place. Absolutely.
Yeah. And still gets you. I mean, all ransomware uses cryptography. Am I responsible for it?
I don't know. No, no. I mean, I don't think you're responsible for other people's decisions and bing directions, right? Bingo.
So misuse of technology intentionally to harm others is that we have to regulate and prosecute and do whatever the heck you should do. That's right. But regulating technology is just a bad idea. That's right.
It's just a tool. Right. It's just the technology. Yes.
It's just the tool. It usually impacts how well the people who help with defense. Usually you are being impacted a lot more than people are on the inside. When you start, right?
Whatever it is that you're trying to regulate. And there are people who are responsible for national security for every single country in the world. And God bless them. They're good people.
I love these people. But you're not going to help them by regulating a technology. You're going to help them by deeper understanding of things. Always.
Every single time. I'm sure they have their fingers in things that they need to have their fingers in too, right? Like trust stores or random number generators or whatever. Right.
We could put on tinfoil hats and imagine. I mean, honestly, even without any of this, a deeper understanding of how the technology works will enable you to find out who is the bad guy. That's true. Yeah, that's true.
So I'm very curious if you had the opportunity to go back in time and meet the younger version of yourself. Two questions. Would you take that opportunity and meet your younger self? And then the second part of the question is like, if you would, like, what would you share with your younger self?
I would ask them to go get a PhD in math and ignore this whole thing. Because math actually is, math is beautiful. It's very elegant. Yes.
There's actually an interesting book that I read many years ago that actually has a proof that the universe could not exist without numbers. That numbers actually existed before the universe, which is kind of a really cute thing. So yeah, math is the origin of everything. And I would probably enjoy having done math.
I cannot go back and do math now because I'm an industry guy. And I enjoy everything I do, by the way. I mean, I've been fortunate to be in a lot of great places, but. .
. I mean, surely you could do math on the weekends or you could pick it up. Not at the PhD level anymore. No.
It's not like riding a bike. Maybe not. Maybe not. And maybe it's not everyone's cup of tea either, but you know that.
. . And it's not everybody's cup of tea. But I actually enjoy doing number theory.
That's what brought me into cryptography to begin with. I could imagine. Yeah. Because all of the public key cryptography and it's all just math at the end of the day.
That is. It's number theory. It's number theory. Yeah.
That's exactly right. Certain problems that are hard in one direction and very easy in another direction. It's from the Marty Hellman-Whit Diffie thing, which is how public key algorithms came about. That's right.
Yep. Yep. I'm. .
. So there's a lot of entrepreneurs that listen to this show. So being a partner at Evolution Equity, is there any advice that you would like to share with folks of really what you're looking for? Or is the je ne sais quoi, as the French would say, of a pitch?
Or the red flag? A red flag that would be an absolute showstopper? If somebody or some group is just starting a company, it's their reputation that is the number one cross here. Actual.
So when I talk to a brand new company or a company that's been around for a year or two, a young company, it's actually the team that matters the most. What has the team done in the past? What is their approach to solving problems? Who do they know?
Who do they. . . Who are their advisors?
Who do they talk to? And that tells a lot. And then the second and most important thing is what market they are actually trying to target. Not what they're building.
Because if the market is not big, it actually almost doesn't matter how cute the product is. And I keep telling people, the companies that had an impact, the companies that became large, are not the companies that built the best technologies. That's right. It's just the truth of the matter.
This is the world. And it is actually an important thing to understand. So big markets are the number one thing. And then what the original technology is, what the current thinking is, what are they trying to build?
And all of that stuff becomes the number three criteria. But that's exactly what I asked them. Technology is. .
. I made these mistakes myself because I started companies in the past. And at the time, I might have thought this was the best technology in the world, but maybe it was, but who cares? Exactly.
Which is not for. . . Yeah.
Technology is important, but the product needs. . . But the product needs to solve the real pain point.
And it needs to be large enough. So the company needs to exist. Now, the execution is tricky because the bigger problems cannot be solved with three people with a laptop. So the execution of what you build first and how you grow is a different thing.
And it depends on the company and what the step is and everything. And that's how people end up becoming successful, right? There's different strategies to how you end up penetrating a large market. I love the segregation of the different problems into the different spaces.
Any two problems that can be separated, even in an engineering sense, probably should, right? Execute them independently. I had this. .
. For God's sake, somebody needs to solve the identity problem. Keeps me going. I mean, I see that you're on the board of the.
. . Oh, of two of them. Are they competition with each other?
Two of them is the on-identity. The on-identity is actually the stronger authentication with single sign-on built in. And Euleria is the access controls and the governance of what IAM identity cannot do. So they're actually not.
. . They're not competing. So it's authN and then fast-follow with.
. . Yep. It's fast-follow with authZ.
Yeah, because one thing is who you are and the second thing is what you can do. Exactly. Either one of these things is messed up, you end up with a tough place. Yep.
I joined a startup in the past around, like, trying to kill the password. Oh, let's fix the identity problem. I was like, oh, yes, let's do this. You are not a password.
You are so much more than a password. Why do we have passwords? And fizzled, but that's okay. Because Jeff Bezos decided to have a password on the Amazon website.
How do you feel. . . I mean, speaking of, like, large companies and their passwords, how do you feel about.
. . Just delegating to a third party a lot of the authentication problems. So when I did kind of.
. . And in cryptography, there's lots of trusted third parties that. .
. Oh, yeah. . .
. he's on behalf of people and do. . .
If it's done correctly, yes. Okay. If it's done correctly, yeah. It's a hard problem.
I don't think anyone should be hashing passwords in a small startup with, like, five people, six people. You can delegate that. Correct. That was the original Yahoo breach.
The one that started this whole thing. Taher, it was an absolute pleasure to have you on the show. Hey, guys. I appreciate it.
It was fun. About cybersecurity, as you probably guess. Absolutely amazing. And thank you to all of our listeners for tuning into another episode of the Security Podcast in Silicon Valley.
I have so many more questions to ask you, to be honest. But I also want to be respectful of your time. Perhaps there is an opportunity for us to have a fast follow-up. You can do a Fast and Furious, too.
It's been an absolute pleasure. Pleasure is mine. Thank you so much, guys. And thanks to all of our listeners.
See you, guys.