The Growing Ransomware Threat: Targets, Insights, and Strategies with Halcyon's Jon Miller | E1877

Episode Summary

Episode Title: The Growing Ransomware Threat - Targets, Insights, and Strategies with Halcyon's Jon Miller

Key Points:

- Ransomware attacks caused over $30 billion in damages in 2022. It has become one of the most profitable cybercrimes.
- There are ransomware "affiliate programs" where large ransomware groups develop tools and infrastructure, then let other hackers use them to carry out attacks in exchange for a cut of the profits. This has allowed ransomware attacks to scale up massively.
- Many ransomware groups have ties to state actors and intelligence agencies in countries like Russia and North Korea. Some operate with implicit approval and support from their governments.
- Phishing emails are still a major vector for ransomware. AI language models could make phishing more convincing, but ransomware groups don't necessarily need them yet.
- Ransomware actors put a lot of effort into finding and encrypting backups, so recovery is very difficult without paying the ransom. New endpoint security tools aim to capture encryption keys to allow recovery without payment.
- Critical infrastructure like water treatment plants and the power grid are vulnerable to ransomware attacks. An attack could poison water or shut down electricity to entire regions.
- For individuals, privacy is largely an illusion. Governments likely have access to far more data from phones and apps than most people realize. But Apple devices offer the most privacy protections compared to other options.

Episode Show Notes

This Week in Startups is brought to you by…

Scalable Path. Want to speed up your product development without breaking the bank? Since 2010, Scalable Path has helped over 300 companies hire deeply vetted engineers in their time zone. Visit http://www.scalablepath.com/twist to get 20% off your first month.

Northwest Registered Agent. When starting your business, it's important to use a service that will actually help you. Northwest Registered Agent is that service. They'll form your company fast, give you the documents you need to open a business bank account, and even provide you with mail scanning and a business address to keep your personal privacy intact. Visit http://www.northwestregisteredagent.com/twist to get a 60% discount on your next LLC.

Vanta. Compliance and security shouldn't be a deal-breaker for startups to win new business. Vanta makes it easy for companies to get a SOC 2 report fast. TWiST listeners can get $1,000 off for a limited time at http://www.vanta.com/twist

*

Today’s show:

Jon Miller, CEO and Founder of Halcyon, joins Jason to discuss how ransomware attackers get away with it and stay anonymous (6:12), hacker markets, bounties, tools, and AI's role (16:20), proactive measures for startups to safeguard themselves (34:42), and more!

*

Timestamps:

(0:00) Jon from Halcyon joins host Jason.

(2:52) Delving into the renaissance of ransomware.

(6:12) How ransomware attackers get away with it and stay anonymous.

(8:27) Strategies for counteraction and policy implications.

(10:10) Scalable Path - Get 20% off your first month at http://www.scalablepath.com/twist

(11:31) 2023 ransomware attacks on MGM and Caesars in Las Vegas.

(13:52) Halcyon's endpoint agent: a solution to thwart threats.

(16:20) Exploring hacker markets, bounties, tools, and AI's role.

(19:57) Northwest Registered Agent - Get a 60% discount on your next LLC at http://www.northwestregisteredagent.com/twist

(21:55) The effectiveness of multi-factor authentication and strong passwords.

(22:49) Comparing financial vs. espionage attacks and the Colonial Pipeline event.

(29:26) The escalating danger for companies and the Uber cyber attack.

(31:27) Vanta - Get $1000 off your SOC 2 at http://www.vanta.com/twist

(32:35) AI and quantum computing: new frontiers for hackers.

(34:42) Proactive measures for startups to safeguard themselves.

(37:08) Growing hacker sophistication in places like China, North Korea and Iran.

(41:00) How the USA ranks in the world with cybersecurity and computer hacking.

(43:41) Your privacy is an illusion and a look at the information available on TikTok.

(48:01) The biggest threat that keeps Jon up at night.

(50:36) American power grid vulnerabilities and ways to be prepared.

*

Check out Halcyon: https://www.halcyon.ai

*

Thanks to our partners:

(10:10) Scalable Path - Get 20% off your first month at http://www.scalablepath.com/twist

(19:57) Northwest Registered Agent - Get a 60% discount on your next LLC at http://www.northwestregisteredagent.com/twist

(31:27) Vanta - Get $1000 off your SOC 2 at http://www.vanta.com/twist

*

Follow Jon:

X: https://twitter.com/HalcyonAi

LinkedIn: https://www.linkedin.com/in/jonmillerhalcyon

*

Follow Jason:

X: https://twitter.com/jason

Instagram: https://www.instagram.com/jason

LinkedIn: https://www.linkedin.com/in/jasoncalacanis

*

Great 2023 interviews: Steve Huffman, Brian Chesky, Aaron Levie, Sophia Amoruso, Reid Hoffman, Frank Slootman, Billy McFarland

*

Check out Jason’s suite of newsletters: https://substack.com/@calacanis

*

Follow TWiST:

Substack: https://twistartups.substack.com

Twitter: https://twitter.com/TWiStartups

YouTube: https://www.youtube.com/thisweekin

*

Subscribe to the Founder University Podcast: https://www.founder.university/podcast

Episode Transcript

SPEAKER_01: A week before the Super Bowl happened in Tampa, the Tampa Water District got hacked and somebody tried to poison the water. SPEAKER_03: What? I was totally unaware of that. Wow. SPEAKER_01: They stopped it because somebody was literally sitting at the computer and saw someone else moving the maps. SPEAKER_02: Whoa. That's an unplug the computer moment. Yeah. Holy cow. SPEAKER_00: This Week in Startups is brought to you by Scalable Path. Want to speed up your product development without breaking the bank? Since 2010, Scalable Path has helped over 300 companies hire deeply vetted engineers in their time zone. Visit scalablepath.com slash twist to get 20% off your first month. Northwest Registered Agent. When starting your business, it's important to use a service that will actually help you. Northwest Registered Agent is that service. They'll form your company fast, give you the documents you need to open a business bank account, and even provide you with mail scanning and a business address to keep your personal privacy intact. Visit northwestregisteredagent.com slash twist to get a 60% discount on your next LLC. And Vanta. Compliance and security shouldn't be a deal breaker for startups to win new business. Vanta makes it easy for companies to get a SOC 2 report fast. Twist listeners can get $1,000 off for a limited time at vanta.com slash twist. All right everybody, we are obsessed in 2023 and now in 2024 with how artificial intelligence is impacting essentially everything we do in business, in life, and government education. SPEAKER_06: Now, AI gives you, if you're a knowledge worker, so many amazing tools. I'm seeing people on my team get 10%, 20% faster every month just by using these tools. It is bonkers. We've never seen anything like this. But the truth is, if the good guys can get better at their jobs, well, the black hats, the hackers can get better at their jobs as well. 
Just think about how powerful it is to use a language model to try to convince people of something in one of your blog posts or your email newsletters. In fact, grammarly let you set that. Well, the same technology can be used by hackers, you know, spoofing emails, and the targets are always businesses, hospitals, critical infrastructure, you know all that and the damage from ransomware last year alone $30 billion. The Department of Homeland Security said ransomware was the second most profitable cyber crime. And so today we have an expert in the field. John Miller is the CEO and co founder of Halcyon. And they're building products that use AI to stop ransomware attacks before they happen and limit the damage they do. John, welcome to the program. Thanks for having me. SPEAKER_06: Let's talk a little bit about the threats and ransomware in general. How does practically ransomware go down? And who's doing this? And what's their motivation? I mean, it's pretty obvious, but I think it's good to hear it from an expert. SPEAKER_01: Yeah, I mean, it's attacker group is growing day after day, it used to be something that was heavily Russian in origin, and then into Eastern Europe, and then you'd see some Chinese actors at it. But now we're seeing a renaissance, right, where people all over the world have figured out that you can just join one of these affiliate programs, and you're a ransomware actor. So we're in this interesting spot where, you know, not only do you have AI coming in and adding to automation and scale and efficiency, but more and more attackers are coming online now. And they've been kind of bolstered by this economy where, you know, you have these large ransomware groups where, you know, a lot of them have ties to FSB or GRU. And they're actually building the tooling and operating in a profit sharing capacity with anyone that wants to partake. 
This is new news to me explain this, how affiliate came to ransomware, because if you did have the super weapons to exploit people and do ransomware, you would probably want to keep them for themselves. But that something seems to have changed it. It's the first time hearing about these affiliate programs. SPEAKER_06: Absolutely. So a great example of it is the MGM attack that happened in Las Vegas. And so there were two distinct groups that were involved in it. One of them was called Black Hat. Those guys have ties to Russian intelligence, and they're a ransomware group on their own. However, they make their toolkit available to an affiliate network. SPEAKER_01: And so the group that actually carried it out has been called Scattered Spider, which nobody is exactly sure where they are. There was some assumptions that they were based in the United States because their English was so good in their written communications. But that's been attributed by some people to the use of LLMs and help building their ransomware. But it was a completely new attacker group where they didn't have their own tooling. And they, they split the profits with the the Wow. SPEAKER_06: So this is interesting. The the Russians or you know, these other groups are now making the tools they make the weapons they say, Hey, you go do your activity. Yeah, they do it too. Right. And it's, it's all different percentages. But it's not like they stop the really sophisticated attackers will focus on the more sophisticated targets. And then you have tiers of these attackers where, you know, you'll have people that specialize in going out and attacking hospitals. Right. Or, you know, $100 million sized manufacturers. It's interesting where you're seeing a certain amount of people who are SPEAKER_01: interesting where you're seeing, essentially, the internet kind of carved up into territories. 
Wow, you have these different attacker groups that just keep kind of rinsing reusing the same techniques and tools over and over. How do they get away with it, I guess is one of the questions that I think a lot of people have because you know, the internet, you can be anonymous, but there are ways to trace people and then when payments become involved, there's ways trace people. So how do they remain anonymous during the attacks and the communications? And then how do they remain anonymous in the payment area? SPEAKER_06: So the payments are normally done via cryptocurrency, right? And you know, Bitcoin is involved, but there are washing services. There are more secure currencies like Monero that are used. But for the most part, there's no concept of like, there's no police that are going to come to rescue. Right. So 99.99% of ransomware cases out there, there's, there's no police. SPEAKER_01: That are that are chasing you down. No FBI coming in saying, Hey, we need to go stop this at the source. Would this be happening if crypto had not become so ubiquitous and available? Or is crypto the the kerosene on this fire? I mean, crypto is definitely the kerosene on the fire. It's really difficult to have someone delivered millions and millions of dollars in cash, like logistically, it's, it's complicated. You know, cryptocurrency has has definitely SPEAKER_01: streamlined the business. It did happen before there was cryptocurrency. I think the biggest thing that's really exploded it is the fact that attackers or people that weren't attackers are realizing that they can really do this consequence for you. And you know, as long as you're not in the US, or, you know, first world European nation or something like that, there's no response. The government is for years has tried to keep computer hacking, kind of on the level of espionage, right, where it's not kinetic, it doesn't merit a kinetic response. 
And it's, it's bled over into this now, where we're not really set up to respond to, you know, an exponentially growing threat group like this that are, you know, it's completely willing to target our critical infrastructure or manufacturing. SPEAKER_06: At some point, this is going to be so acute that we're going to have to strike back in the in the real world. And that's pretty obvious. Yeah. SPEAKER_01: I mean, it's obvious. I don't know if it's going to happen. It's not it's not where policymakers are going where, where they think they can solve it is by making it illegal for people. So if no legal to pay the ransom. Yeah. So imagine your business gets ransom. Or imagine your hospital, the hits ransom, and you can't provide quality service to your patients, which, you know, results in debt. Right. I'm telling them that they can pay a ransom is a very precarious spot to be in. But SPEAKER_01: now crypto people always say to me, Oh, have fun staying poor, not going to make it. And then when I make these points, and then they also add to it, well, crypto is 100% traced and the blockchain is immutable, blah, blah, blah, blah, blah. Therefore, crypto makes it easier to catch criminals. Is that just them talking their own book and trying to protect themselves? Yeah, SPEAKER_01: you can wash cryptocurrency, right? You can put it through laundries, online casinos, their services specifically for it, you can chain hop, right, like transfer from Bitcoin to Monero, or, you know, Monero to woo, or whatever you want togecoin, it doesn't matter. There's enough spots where you can mix it around where you can't track it anymore. They don't really need to go to that level of extreme, because no one's really going after. SPEAKER_06: It's hard to balance hiring top tier developers, and keeping your burn rate under control. But these days, I see a ton of founders successfully doing this by hiring remote talent. So let me tell you about scalable path. 
It's a software staffing company that can help you build an awesome remote developer team. And the right developer isn't just a list of technical skills. We all know that it's about their personality. It's about their work ethic, their motivation, and their fit within your team. And scalable path knows this. So here's what they do. Their team will get to know your vision. They're going to get to know your needs. And then they're going to develop technical challenges tailored to the roles you're hiring for. And these challenges are conducted live and on video. So there's no gaming of the system, you're going to get great people. They also evaluate each candidate soft skills like communication, attitude and work style. scalable path has completed more than 300 projects for their clients, and they have a network of 30,000 developers. They've been doing this for over a decade, they know what they're doing. So you're going to be in great hands. Here's the best part twist listeners get 20% off their first month. If you're ready to scale your dev team and your business, check out scalable path comm slash twist. Once again, that domain name scalable path comm slash twist 20% off. SPEAKER_01: The interesting thing with ransom ransomware is you negotiate with these guys, right? Like you have live communication with them, both in the process after you've been ransomed, and you're trying to get on ransomed and negotiate how much to pay them, as well as they'll support you after you've paid them to help recover data. So it's not like they're hiding deeply in the shadows. And there's just no need for them to SPEAKER_06: so when they did this with Caesars and MGM, Caesars, I think just said, Okay, or one of them Caesars just million bucks. Yeah. And they're back online. So what they do is they take down your systems, they somehow lock them up. And they have the data of the individuals. That's the playbook. 
SPEAKER_01: Yeah, so normally, the first thing they'll do is actual trade your data, and they do it like a smash and grab as fast as they can, they'll overwhelm the connection pipes, but take as much data out as possible. And then what they'll do is they'll run encryption software, where they'll just scour the whole hard disk, and create encrypted versions of all the files and then delete the originals. And then you pay them for that key to restore those files. And then they call it double extortion, you pay them to not publicly release the data. Got it. So they got you two different ways. SPEAKER_01: Yeah. An interesting one is, I think it was the Black Cat group. I don't want to offend any ransomware group for attributing something to another one. But about a month ago, they actually reported their own breach to the SEC, where they ransomware the company, the company was trying to keep it under wraps. And they, as the attacker did the disclosure that they were confident. SPEAKER_06: Yeah, because you do as a public company have to disclose these things now. That's part of the law. Absolutely. Yeah. And we've had laws, you know, for a bunch of years, and you know, at the state level, and now we're getting more into like, SEC mandating reporting, but, you know, the majority of these attacks still go unreported. SPEAKER_01: If you're running a business, and if you don't pay your business is going to go under, you're going to figure out what you need to do to pay and just keep it quiet. How do people stop this from happening? Because this is a system level, you need to get keys to the kingdom in order to do one of these things, which means you have to compromise a pretty serious it person's credentials? Or can you do this with just the CEOs credentials, the CFOs credentials? SPEAKER_06: How do they get into the system? What level of keys do they need? And then how do you stop it? I know your company obviously has tools and services here. 
But how do people practically stop this from happening? SPEAKER_01: Our company specializes in we've built an endpoint agent that complements kind of antivirus and EDR and provides another layer to stop it. And then if, if we miss it, actually recover the system, we capture those keys. So instead of having to pay for and we have a copy, we can just use them. The normal ingress for these is like phishing attacks, right? Compromise credentials. There have been so many password breaches over the years. That you can take someone's email address and essentially figure out what the algorithm is they use in their head for creating passwords, unless they believe random passwords everywhere. And they'll bake that into the mountain and say, you know, here's, here's what we think five passwords probably are when you run, you know, try to connect to the other interesting thing is there's another essentially marketplace where you have what are called SPEAKER_01: initial access brokers, right? So there is an entire business of all I do is go out and try to get a small landing point inside of a big corporation. And then I turn around and sell that. So if you wanted to be a ransomware actor today, you don't have to hack any you go and join a ransomware group, you go to initial access broker, you buy the access, you take the tool that you got from the ransomware group, you run it there, you're done. There. So there are people who complexity is low. SPEAKER_01: There's a marketplace now, of people who have hacked, yeah, numerous ones, they will hack, you know, somebody in customer support, somebody who's a receptionist, somebody who's a salesperson, whatever it is, that gets you into the building, essentially. Now you run this malware that you bought, SPEAKER_06: and you try to lateralize, you capture cash passwords off of the host, right? The interesting thing is these, these ransomware guys have a lot of money now, this is really successful. 
So they can go out and do things like buy zero day vulnerabilities. Right? SPEAKER_01: Explain what that is to people. SPEAKER_01: A zero day vulnerability is a flaw in a piece of software that nobody knows is there. So an individual researcher goes out and says, I figured out how to hack Chrome browser, in a way that nobody knows, instead of telling anyone, or disclosing it, you know, there are ransomware groups like lockbit, that run open bug bounty programs, you just reach out to them, you tell them what you found, and they'll pay for it. And then they'll build that into their malware. SPEAKER_06: So this hacker, the black hats are offering bounties, 100% against Microsoft offering bounties, or whoever, and guess who pays more? I'm gonna guess the people who do ransomware pay more. SPEAKER_04: Well, they make money with it. Right. And so I think it was like two or three years ago, we hit a point where those types of vulnerabilities were almost exclusively used by governments, right? intelligence SPEAKER_01: agencies, stuff like that, then we hit a point where these these cyber criminals are actually using more of these zero day vulnerabilities than than anyone else. Fascinating. So explain how language models and AI has changed the game. Because we knew it would. Is it just people are writing clever emails now? SPEAKER_06: I mean, you would be amazed at how much ransomware starts with phishing. And I'm sure you've gotten more phishing emails than you can count on your life. SPEAKER_01: Yeah. And normally, they're pretty easy to pull off when it's like, this is broken English, like this isn't legit. I mean, you can use an LLM to generate a phishing site for you. SPEAKER_01: I don't think that it's really widely being used by the ransomware groups. They don't really need it. 
But it is another kind of fueling factor that's just allowing them to grow even more, you get 10% 20% performance uptick, if you use, right, cut out some of the busy work and give a finished product that's going to be more successful. SPEAKER_06: The thing I've recently been made aware of, because I'm in the venture capital space, there are large wires that sometimes, you know, somebody gets a distribution. So a wire goes out, you're in a venture fund, you're an LP. And we're shipping, you know, oh, we're distributing the stock from Coinbase or Airbnb or from Uber, it's got to be wired to an account, a custodian account, a bank account, whatever it is, if it's stock or cash. And so there was a report going around Silicon Valley that somebody had taken a famous notable person's voice, and then did a dialer, and then attempted to change the distribution path of shares coming out of a venture firm to a partner or an LP, which I know was a GP, a general partner working at the firm or an LP was an investor in the firm. So have people started using voice now to kind of, and then these AI voice generators? SPEAKER_01: I haven't seen it yet. But absolutely right. It's the other beautiful thing there is caller ID is incredibly fragile and easy to spoon. So the second you call someone and it says that it's, you know, Jason calling me and it's your voice. How do you not go buy those Amazon gift cards? SPEAKER_06: Starting a business used to be a pain. You needed a lawyer, there were hidden fees, it was a mess. Now with Northwest registered agent, it only takes 10 clicks and 10 minutes. Northwest provides everything you need to start and maintain your business. Every LLC, corporation or nonprofit at Northwest forms comes equipped with registered agent service, a business address, a website and posting email, a phone number. And this is all covered by Northwest privacy by default. Again, your full business identity will be live in 10 minutes and in 10 clicks. 
So here's your call to action for $39 plus state fees. They'll form your LLC, corporation or nonprofit and launch your business in just minutes. Visit Northwest registered agent comm slash twist today. That's Northwest registered agent.com slash twist today. Social media seems to be another vector. I get DMS all the time from people trying to get me to send Bitcoin or receive Bitcoin, whatever. But then people create fake versions of you online and mirror your entire account and then try to get people and I get DMS on my main account, the verified account all the time saying, Hey, did you want me to send you those bitcoins? And I'm like, SPEAKER_01: I sent you three bitcoins and you're gonna send me 300 back, right? SPEAKER_06: This seems to be something that's now becoming de rigueur. But people are getting smarter to it, right? Never send money. SPEAKER_01: It also makes KYC really difficult where you have online banking. And people don't want to go into a branch and show their driver's license and have someone be like, so you end up with like, we're going to do a video chat, right? Like hold your driver's license up. And all of that is all fakeable. So never do that. Yeah, it's not that you should never do it. It's it's just, there's more vulnerability, the more connected. So two factor strong passwords, if people just did that, how much of this problem would be solved if multi factor and multi factor helps a lot. The problem that you're seeing is the companies that are going down the Caesars and MGM stand multi factor. SPEAKER_06: SPEAKER_01: They can't get around multi. How do they come back? Oh, wow. Octa people don't know is like an authentication management platform. It's got passwords in it. It's got its own two factor but they had if they got Wow, does it octa now have liability then? SPEAKER_06: SPEAKER_01: Possibly, right? Like who knows? 
That's, that's a much Wow, I don't think anyone's really been held liable for security vulnerability in their product that resulted in somebody else getting that. Right? Like Microsoft and Apple would be the two largest defenders in the world. Talk to me about these infrastructures. I know that we had the was it the colonial pipeline? Remembering correctly, so explain what? Because that's a different goal. That's not just money. Now this is like serious espionage level trying to damage another country. So how real is that? And how prepared are we for it? SPEAKER_06: That's the interesting thing. It was financial, it wasn't espionage. It was over the line of espionage, right? Like nobody's been willing to carry out an espionage style attack of that magnitude on US soil, right? You end up with a proportional response. Take out our pipeline, we'll take out two of yours. Because it was a cybercrime group. They got away with it. There wasn't a proportional response that wasn't. SPEAKER_01: What happened in that situation? And how did it go down? SPEAKER_05: There were attackers that were in the network for some time, they ended up installing some new security software, where they noticed that there were some irregularities. It tipped off the attackers that they were on to them. And they they encrypted all the machines, they didn't go into the actual pipeline computers. But they took all the SPEAKER_01: back end office computers, you know, essentially offline, and then demanded a ransom to allow colonial to regain control of their computers and turn everything back. And this was another one of these like payoffs with Bitcoin. I know the DOJ in this case somehow recovered some of those, SPEAKER_06: they exfilled stuff to Amazon. And so they were able they were bouncing through like an AWS host. And so they were able to, you know, the FBI, the Secret Service, US Marshals have relationships with those cloud providers. 
But the second that you get out of something like that, or, you know, frankly, they left stuff around, if they had just moved it all the way off, they wouldn't have been able to recover anything. SPEAKER_01: totally get when people steal the data, the releasing of the data or the selling of the data. That's a super attack vector. But when they encrypt you a machine, why don't people have backups? Why are these things not duplicated or redundant in some way? SPEAKER_06: While they encrypt the machine, they go in the encrypt the backup, or they believe it. Right? Like, if you have the ability to write to a backup, yeah, they they profile it. The interesting thing is, you know, lots of people have offline backup, you know, DLT tape drives, Iron Mountain, all that. The logistics of importing that backup data takes weeks. There's not enough bandwidth on your network to be able to do that. SPEAKER_01: And then they're going to be like, let's restore every system at the same time. So they're so sophisticated, that they know where the backups are, they encrypt them as well, at least the online ones that are redundant, they get the topography of the network, boom, they just be taken all the way, all the way down to they corrupt the like post based snapshots. Like Windows has a service called the volume shadow service, where, you know, if an update goes bad, or something like that, you can snap back, they'll actually corrupt that out. SPEAKER_06: SPEAKER_01: And that's a very major piece of brands. It's one of the indicators that we actually use for for stopping ransomware is tampering with that backup. SPEAKER_06: Ah, so if somebody starts effing with your backup service, that's when you know somebody's in there doing something. SPEAKER_01: It's one of the signs. Yeah, absolutely. SPEAKER_06: more about your software and solution? How do you implement it? And how can how does it stop people? 
Is this like a constant game of cat and mouse where you constantly have to update it like our software people do? SPEAKER_01: I mean, the nice thing about it is that's where, you know, AI really comes in and give some superpowers instead of, you know, thousands of people sitting writing, you know, reject signatures. You know, we are using multiple different types of machine learning to build models that that help identify both from a pre execution before it runs, as well as the behavior when something's actually running to say, we think this is bad, let's stop it. But where we're the best way to think about us is we're the first complimentary layer to antivirus. So for years, everyone said you don't want to run two antiviruses on the same machine, because they'll step on each other and conflict. Yeah. So we were the first product where we said, let's build ourselves to be a layer behind, not try to replace the defenders, the crowd strikes that are out there. Right. And then just focus on the threat of ransomware. So instead of trying to stop everything that's out there, we focus on these, you know, 200, 300 ransomware groups, what are the tools that they're using? What are the techniques? And then we use that to build, you know, kind of like a multi layer protection strategy. But where we really differentiate is, we're the first endpoint product ever to be focused on recovery to where because these guys are so sophisticated, they have so much resources, they're going to figure out how to be everything at some point. SPEAKER_01: But because they do encryption on the host, we actually capture the key material, the symmetric keys, the entropy, and we can reconstitute that data for the users without them having to interact with a ransomware. If if everything fails, they get this is a key thing, they have to encrypt it in order to give you the keys to unencrypted. So that step in the process was such a brilliant stroke for them. However, doesn't take a lot of time. 
SPEAKER_06: Does it take all that much technology to know a machine is doing something with encryption in real time on that server, right? Or on that? There's a lot of encryption that's going on on host nowadays, too. Right. So there's a delicate balance between, you know, profiling something that's backup software. I mean, we also focus on the data protection side, right, when they come and they steal that data before they encrypt. We have a network driver. So we'll actually detect that data exfil going and block it.

SPEAKER_01: Their tactics, you said cat and mouse, I mean, it's completely appropriate. Their tactics change constantly. They're always looking for a way to deliver more impact quicker.

SPEAKER_06: This is now becoming, in terms of corporate governance, a board-level issue. Like, when these things happen, I remember Uber had a big hack, and then somebody didn't report it, or they tried, because, you know, sometimes somebody is embarrassed by it and they try to, you know, maybe it was all of it before it escalates. This is getting very dangerous for companies and boards because they ultimately are responsible for knowing about these things. So what's the state of the...

SPEAKER_01: For the CISO? Right. So in that Uber case, the person that got prosecuted was the chief information security officer. It's the same thing with the SolarWinds hack. If you remember that, the SEC just filed charges against the chief information security officer there.

SPEAKER_06: So if a CISO, which is chief information security officer, for people who don't know, if a CISO doesn't do their duty to report hacks, that's criminal behavior now, or it's... Apparently, right, there isn't a lot of clear guidance on what's good and bad. The industry has taken up with this concept of bug bounties. It's where you as an individual can go out and find a vulnerability in Uber, and then reach out to them and say, "Hey, Uber, I found this vulnerability. Here's my proof, write me a check."
What's the difference between that and somebody hacking you and asking for a ransom? Right? Like, attitude?

SPEAKER_01: I guess it would be the threat of taking the system down and giving it to other people, as opposed to politely asking, can I get 10 grand for this? Yeah, I found... and also, I guess, being anonymous versus not being anonymous would be another...

SPEAKER_06: I mean, absolutely. You can always ask politely first, and if they don't agree, escalate, right. But it gets confusing from a legal perspective. Yeah, right. Where if you look at that Uber case, and what they prosecuted that CISO for, it seemed like something that was very common, that's done in corporations across the country every day.

SPEAKER_01: Alright, listen, selling software is hard. It's hard right now, right? 2022, 2023, it's been a grind. 2024, it's gonna be hard too. Everybody's making very thoughtful decisions. And the last thing you need is to slow your sales team down because you don't have your SOC 2 dialed in. So if you're a SaaS or services company that stores customer data in the cloud, you need to check out Vanta. Vanta will get your startup SOC 2 compliant easier and faster. Vanta makes it really easy to get and renew your SOC 2. Vanta is a very good company.

SPEAKER_06: On average, Vanta customers are SOC 2 compliant in just two to four weeks. Compare that to three to five months without Vanta. Vanta can save you hundreds of hours of work and up to 85% on compliance costs. And Vanta does more than just SOC 2; they also automate up to 90% compliance for GDPR, HIPAA and more. You can't afford to lose out on major customers because of silly stuff like lacking compliance. Just work with Vanta, get your compliance automated and tight. Tight is right. Close those big deals, the lighthouse deals that send all the other customers to you. Here's the call to action, it's very simple: Vanta is going to give you $1,000 off at vanta.com slash twist.
That's vanta.com slash twist to collect $1,000 off your SOC 2. Talk to me about encryption long term, because there have been rumblings, especially during this OpenAI brouhaha, with Sam Altman being fired and rehired and all that kind of stuff, that, you know, they might have... this was one of the theories, that they might have, with, you know, LLMs and just the brute force, been able to figure out how to unencrypt stuff or break some encryption. So is that disaster scenario that people put in the quantum, you know, computing, "oh, it's only going to happen when quantum computers come out, they're going to break encryption," and whatever, we'll see that coming. But then LLMs we didn't see coming, at least not at this velocity. So is that real or scare tactics, or...

SPEAKER_01: Encryption has been broken a bunch of times before. And what happens is it gets broken. There's no instant scale of attackers. So the attackers exploit it. Everyone responds, they replace it. And then we go on to the next one, right? Like, it's the reason why we don't have WEP on our Wi-Fi anymore, and we're not using SHA-1. Encryption is always going to get compromised. Right? It's just you have to be dynamic and use it in a way where you can adapt and move to new standards and algorithms. But you're already seeing quantum-resistant crypto.

SPEAKER_06: Explain what this is for the audience. Yeah. Cryptography that theoretically, and it's just theoretical right now, because no one's been able to actually prove it, is resistant to, you know, a scale, general-purpose quantum computer being able to break the encryption, right? So the majority of, you know, like, cryptocurrency and stuff like that, theoretically, with a strong enough quantum computer, you can unravel the blockchain, right. But people have identified it, we've known that this is going to be a problem for a long time.
And there are numerous companies working on being the next, you know, quantum-resistant cryptography company. What do you recommend for startups, people who are, you know, running fast-growing companies, in terms of the... because you can't afford a CISO. So, you know, you're a 20, 30, 40 person company, what's the best practices? Just use a great cloud computing provider, have great two-factor?

SPEAKER_06: I mean, there are some fabulous managed services companies that are out there, right, that specialize in security, that, you know, are affordable, have access to, you know, a suite of the best-in-class technologies that are out there. This is gonna sound crazy. But, you know, big companies like doubt, right, like, these are serious problems to them, and they have real solutions to it. So you can actually go out and engage with...

SPEAKER_01: The manufacturers, right? I'm less with Apple than everyone else. But, you know, Microsoft has a huge security suite product offering. Should people be using physical keys? I mean, there's been a lot made of, like, people being able to spoof SIM cards in order to get two-factor. Seems like the majors, the, you know, the Verizons of the world, Google Fis, are starting to lock this down. So they kind of get it. But there have been very interesting...

SPEAKER_06: Edge cases of people being able to figure out how to get the SIM. So should people be using... what's that key that everybody uses, YubiKey or something? YubiKey. Should people start moving to those kind of things? Is that going to end it? Does that actually really solve the problem? Maybe for now, right? Like, the majority of people, I use my phone for my multi-factor.
And you run into an issue of what happens when your phone gets compromised, which, I don't know if you've seen the news, but there was, you know, this highly sophisticated iOS tool chain that just came out where they were hacking iPhones, and there was no way of knowing that you were compromised. You know, it's layers of due diligence, right? I wish that there was some "if you use this, you're protected." But in this world, there's always a way to engineer a hack around kind of any security technology that gets deployed, which is why it really comes down to having layers and being able to detect when something's been penetrated, and have mitigating controls and response plans and the right partners.

SPEAKER_06: How much of this has moved to China now and North Korea? Are those sophisticated players in all this, or is it still in Eastern Europe?

SPEAKER_01: Oh, no, they're highly sophisticated. I mean, the interesting thing with North Korea is when you look at the top four, you know, non-Five Eyes nation states, you've got China, Russia, Iran, and North Korea, right? The old axis of evil, as I think Bush called them. And North Korea operates and became one of the top four with $0 of state funding. All of their... yeah, all of their funding for computer hacking. They were really, they're bootstrapped. They're absolutely bootstrapped. They were a big fan of, you know, the banking protocols, where they would go in and hack SWIFT transactions and just steal money that way.

SPEAKER_06: What about Iran? It's very interesting. So Iran, have you... they have a big capacity, it's not a large capacity, but they're getting really sophisticated. So they were essentially kind of late to the game. But you saw, probably 10 years ago, they started taking on serious targets. They were able to compromise the Navy Marine Corps Intranet, you know, they got a bunch of, like, nuclear research from a bunch of universities.
SPEAKER_01: But yeah, I mean, they're continuing to gain sophistication with essentially the rest of the world, right? Like, as this information is becoming more accessible to everyone, they definitely have the motivation and the access to everything that they need to play out some major attacks. Their governments turn a blind eye to this, or do they support it? Are they training people? You know, are they getting a vig and a piece of the action? You would think in a place like North Korea, maybe the Supreme Leader would want a piece of the action and would see this as a revenue stream, potentially? Yeah, how does the government in each of these places participate in this, or not?

SPEAKER_01: It's normally state sponsored, right? Like, if you look at even, you know, Russia, China, like, all of these attacker groups have direct ties to military intelligence. So they exist outside of the military and outside of the government.

SPEAKER_06: Moonlight there.

SPEAKER_06: They're moonlighting. Yeah, it's your nights and weekends job. You don't make a lot working for the government. But they've always been supportive of people kind of taking those tools and using them to attack their enemies. Right? Like, there's no... if you go and hack, you know, a giant American company, as a Chinese, North Korean, Iranian citizen, and it gets publicly released that you're the one that did it, there's no consequence.

SPEAKER_01: China used to hold competitions at universities where they'd go and see who could hack some American company the best. Okay, lightning round here. There's been rumors: Bitcoin, Tor, the Tor network, people don't know, is a relay system to anonymously surf the internet. It's where all the dark web transaction rumors... those things could have been CIA or government-sponsored honeypots, etc. What do you think?

SPEAKER_01: It's definitely not conspiracy, right? Like, I don't think that it's something that they're the whole system.
But yeah, I mean, if you're operating on Tor, and you think that you're completely anonymous, and the US government and Intel agencies aren't operating Tor exit nodes, you're delusional. Yeah. Right? Like, it's absolutely in those decentralized environments. They're going to invest and collect. It just comes down to what's their motivation to do something about it.

SPEAKER_06: How good is America? When compared to, you know, our hacking ability, because you're in the community, people in the community sometimes get called up to duty or get pulled into operations, etc. And there's a big tradition of that here. What's very quiet, obviously, how good are we compared to the other places? Yeah.

SPEAKER_01: So prior to starting Halcyon, I started a company where we exclusively worked with the US intelligence community doing sophisticated cyber operations. We are the best, right? We have the best capabilities. We have capabilities that most people can't fully comprehend. What do we use them for? What's the problem? Right? Like, are they being used for the right things? Do the groups that have these capabilities get the right mission? And it down to them that allows them to get maximum value. I think politically, we don't really understand computer hacking yet. I don't think a lot of politicians understand how computers work and the threats we're vulnerable to. But from a capability perspective, it's fantastic, right? Like, better than you could imagine. It's just we don't hear about it, which I think is a really good thing. Like, our techniques. This is why when a lot of, you know, I mean, not to be political or anything, but like, you know, Trump having certain papers that have in them, in Mar-a-Lago, or maybe other presidents have them too, that have those techniques in them, right? I think they call them methods and sources, whatever.
It's really important that we don't use these tools that we have, or let people know we even have them. Like, we got some sophisticated stuff that we just don't want people...

SPEAKER_06: To know we have them.

SPEAKER_01: Yeah, it's different classes, right? There's stuff that you have to sit on the shelf just for an emergency, right? Life or death, the world's gonna end. Like, that's when we pull that one out. But there are different categories, right? Where it's, you know, you have your everyday tools that you run. Like, there is no shortage of capabilities for cyber in the US intelligence community. We spend a lot of money on making sure that the US has omniscient-like cyber capabilities.

SPEAKER_06: Omniscient-like cyber capabilities, I like the sound of that, if it's in the right hands. I mean, obviously, these can be used for nefarious purposes, too. We got to be vigilant about them. There's abuse on the margins. But generally, it seems like we do the right thing as a country.

SPEAKER_01: Yeah, very much. I mean, I think that there's a lot more that we could be doing, but people are scared. You know, it's something where privacy becomes very fluid. And, you know, once you've eroded that, you can never really pull it back.

SPEAKER_06: Yeah, I mean, the amount of access we probably have to an average person's phone as a government is pretty amazing. People think that their Signal or some of these encryption things are bulletproof, you would say no?

SPEAKER_01: Absolutely not. Right. So the interesting thing with those messaging applications is, in so many cases, even when something is deleted, it's still left on the phone, right? Because you end up with a database of messages, and you don't go back and delete lines out of a database on the cell phone, it's a battery device, you just flag it as deleted. There's so much information on your devices that once it gets kind of captured by one of these, you know, government tools or programs, it's a little unimaginable.
So your privacy is an illusion. If we then extrapolate that to TikTok, and the Chinese government having access to it, describe for the audience what they would be capable of doing with 50, 100 million Americans, and the access they have on the average phone. What could they be doing with that data?

SPEAKER_01: It's interesting, right? Because there are legitimate ways to gather data on phones, and then the illegitimate ways to gather data on phones. Yeah, give me an example.

SPEAKER_01: So you remember when iPhone came out with "allow this application to get access to your clipboard"? Yes, that was in response to applications that were just always reading what was on your clipboard, right, and then sending it.

SPEAKER_01: Your password. People cut and paste their password all the time from their password manager. Yeah, absolutely. So you basically have given the Chinese all your passwords, and they've got five or six different passwords in there. And if you're a typical American, you're probably not using a random generator. So...

SPEAKER_06: Your Gmail just gave them, Bank of America gave them, everything else.

SPEAKER_01: Yeah, I mean, there's a lot of metadata that you can take off of phones. I will say this, TikTok probably isn't going to be their only source of this information. There are a lot of core services that mobile applications are built upon that data can be mined from, I guess would be the best way to put it. You know, as long as you're comfortable with the fact that privacy is an illusion, and you should do everything like somebody's looking over your shoulder, you'll be fine. Yeah, I mean, that is what people should be doing, right. Yeah, especially with digital devices, right? If you want some privacy, get a friend, go out into the forest, leave your phones behind. When we look at Apple as an actor here, they've been, at least publicly, it seems like they're in the corner of protecting individuals' rights to privacy more than anybody.
They're not an ad-based...

SPEAKER_06: Business, encryption, and the fact that they wouldn't unlock the San Bernardino shooter's phone, if you remember that instance, that Israeli tool to do it. So is Apple, and being on the Apple ecosystem, the best choice for consumers, because Apple has that default of, you know, lock it down, and only the user has it, and we don't have your information on some server? Or in a lot of cases, they say they don't have it.

SPEAKER_06: I trust Apple the most, I guess would be the best way to put it. You know, you end up with a homogenization kind of problem, where if I want to hack you, and you're an Apple guy, I can go out and buy a zero-day. That doesn't just allow me to hack your Apple phone. It allows me to hack every Apple phone in the world, because they're all the same. Yeah, everything's universal.

SPEAKER_01: And so you end up with this, because you're in the majority, everyone's going to always have access to that. Right? Like, being able to get on an Apple phone is bread and butter for an intelligence agency, federal law enforcement. Like you said, they couldn't get in the San Bernardino shooter's phone. So they went to an Israeli company, right? The capability is always there. Yeah. Where if you want to be really, really secure, find the most obscure phone that you can think of, and use that, because nobody's going to go through that effort of, you know, buying or building a tool to get into something that unique.

SPEAKER_06: What's the biggest threat? We'll end on this. The biggest threat that keeps you up at night, just in terms of hacking globally, beyond your company and what you do?

SPEAKER_06: What, were you a venture capitalist? I was gonna say interest rates. But if you're gonna take me back to hacking, right back to hacking, I mean, it's our infrastructure. Right? If you look at... did you make it to the Super Bowl in Tampa? You seem like the type of guy that goes. I've been to a Super Bowl.
I went to the 49ers one one time. Yeah. So a week before the Super Bowl happened in Tampa, the Tampa Water District got hacked, and somebody tried to poison the water.

SPEAKER_03: What? I was totally unaware of that. Wow.

SPEAKER_01: They stopped it. Because somebody was literally sitting at the computer and saw someone else moving the mouse.

SPEAKER_02: Whoa, that's an unplug-the-computer moment. Yeah. Holy cow.

SPEAKER_01: Attacks like that are so much easier than anyone realizes right now for the level of sophistication of these. And how do they get the poison into the water? Where they just, like, up the amount of...

SPEAKER_06: Boron. Yeah. 100 extra fluoride. Boom.

SPEAKER_01: Whatever. Wow. Transportation infrastructure, right? Like, hospitals, right? Manufacturers. What happens if the oil companies get shut down for a week? Right? You end up where we've built this entire supply chain that's as close to just-in-time as we can get. And you start dropping computer outages there and stuff on routes. Right? Yeah. People, I mean, Americans are dying all of the time now from cyberattacks. And we're doing nothing. That's incredible. Yeah, because of hospitals, because the supply chain and these kind of things going down. Yeah, but I mean, the hospitals specifically, and that is a target, huh? They want to target hospitals because they know it's mission critical, and they're just gonna come around. You got no choice. You got to pay. Yeah, this is why things that are redundant are good. This is one thing we learned during COVID. Like...

SPEAKER_06: If all of the medicine we have in this country comes from one other country, that's a communist country that maybe is a rival, maybe we should make some of those drugs here.

SPEAKER_01: Yeah, it's just not cheap. Right? Like, that's the problem. Like, all of this is just more capital that is expensive right now. And people don't want to spend if the problem's solved. That is a challenge with capitalism.
Capitalism finds the cheapest path, and the cheapest path is a dependency. You then have to say we want redundancy, it's more important than the lower price. And I think Americans are starting to see that. You see that with people putting in solar and generators and having Starlink and their landline. People are starting... I mean, putting preppers aside, just being off grid, having a well, having a generator, it's not like you're a kook...

SPEAKER_06: Anymore for having those. I get the sense that you have all those things. I have all of those. Thank you for calling me not a kook. I literally am putting generators in both my houses. My Cybertruck, when it comes, is the equivalent of 11 Powerwalls or something. So I'm gonna have a Cybertruck that's 11 Powerwalls. I have Starlinks. So yeah, I'm...

SPEAKER_06: Digging into their Cybertruck. Yeah, I thought you'd want to spread, you know, by the way...

SPEAKER_04: I literally just traded emails with them about it. Yeah, push me up. He's gonna get me one of the Foundation Series. I think, I, you know, here's the thing, I always, if you want to throw in a word for me too, I...

SPEAKER_01: Pre-ordered. I think he's gonna sell every one of these you can make. I think the sneaky part of that product is the inverter, and that you can plug it into your home. And it's 11 Powerwalls. You just think about if you live in Texas, and you're gonna buy a...

SPEAKER_06: Truck, and you see, like, three Powerwalls right now, and it's pretty good, but I really could have gone with, like, six. But three Powerwalls will get you through, like, two days, or a day. I mean, it gets me all the way off grid if I'm not running my air conditioner.

SPEAKER_01: Yeah, so you're in pretty good shape if you have a Cybertruck, and it's got 11 of these, or nine.

SPEAKER_06: You can run your AC, could be doing loads of dishes. And it just will change how we look at the power grid itself. And that's the ultimate redundancy.
Like, how do you hack that? It's gonna be pretty hard to hack. I think it's huge, right? Having that kind of power independence, especially where our grid is so fragile. If you take down, I think it's like nine or 11 substations, and I'm talking about, like, a bomb on a quadcopter, and you just fly it in and kaboom. Yeah, this...

SPEAKER_01: Is a higher nations our grid.

SPEAKER_06: And you think about how insane that is. You could just literally do nine Oklahoma City bombings, God forbid...

SPEAKER_01: Not even that big, not even a Toyota Corolla. Quadcopter and drive in your own homemade explosive, and have 10 buddies do it all at the same time, and you just blacked out the entire United States.

SPEAKER_06: It's madness. And this is where... the next thing I want to... black swan events do happen, though. And we can predict them now, which means we should be doing the thing. What I want to get is, there are these panels that are like solar panels. You put them on your roof, or you put them in your backyard, and they take moisture out of the air. They're like dehumidifier kind of things. And you can basically get enough water to survive and drink off of a couple panels for your family of whatever, 3, 4, 5. I don't...

SPEAKER_06: Star Trek, when I was watching in the 90s, Captain... something was a startup, there's a startup making them. And so it's, I mean, it's fantastic. I have a well, right. So I've already got plenty of water. But that's the next piece: water, electricity and internet. What else...

SPEAKER_01: Can you... the second you can do all that stuff off grid, with Starlink giving you 350 megs a second wherever you want. Like, I just put Starlink in my ski house and I got over 200, 250 megabit, and I was like, what? When I first tried this. You're getting 350 on mine right now. That's nice. And then, are you on it right now? Is this a backup? Yeah, so that's what I do, is I have the router use mine as the backup.
But I think it's getting to the point, with the latency going...

SPEAKER_06: Down, that you could actually load balance, and you wouldn't be giving anything up versus your cable modem.

SPEAKER_01: My head of services lives in, like, a rural town in Colorado. And there's no broadband there. He's been on Starlink since it first dropped. And, you know, he does Zooms, demos, everything works right. Like, do you see it on an airplane? I was on an airplane with it. And it was...

SPEAKER_06: Oh my goodness. I mean, you know, just the internet coming to planes was so transformative for me. Like, having the actual real bandwidth there is gonna be...

SPEAKER_01: It's bonkers. It's really gonna change how people look at, you know, taking long-haul flights. Like, the fact that you can just literally turn on Netflix, and then have two other people turn on Netflix and stream something, and you're like, wait a second.

SPEAKER_06: Every time, every night before I travel, you got to get it out, make sure everything's downloaded and synced and your DRM is renewed. And yeah, a real connection would be great.

SPEAKER_06: Where can people find out more about your company? And I know you're hiring, you've done great in terms of raising money. And so who are you hiring for? Work at Halcyon, halcyon.ai. That's just because, you know, we can't afford the .com yet. Maybe one day we'll get there.

SPEAKER_01: I think actually the .ai is probably better right now. Yeah.

SPEAKER_01: It is the right time of year for AI companies, right? Absolutely. But yeah, and then, you know, major kind of security channels and partners. If somebody has a security partner that they're working with, odds are we're kind of partnered with them. And hiring, we're definitely hiring engineers and sales guys. Come on over.

SPEAKER_01: You got it. All right. And we'll see everybody next time on This Week in Startups. Bye bye.