Stay Tuned with Preet

Cyber Space ft. Alex Stamos

2020-08-17
Cyber Space is the newest podcast for members of CAFE Insider. Every other Friday, host John Carlin, the former head of the Justice Department's National Security Division, will explore issues at the intersection of technology, policy, and law with leaders who've made an impact in the world of cybersecurity.

In this inaugural episode, Carlin speaks with Alex Stamos, Facebook's former Chief Security Officer, who led the company's investigation into Russia's manipulation of the 2016 presidential election. Stamos was previously Chief Information Security Officer at Yahoo when the company dealt with a series of cyber attacks that resulted in the breach of some billion user accounts. Currently, he advises Zoom and leads Stanford University's Internet Observatory. In the episode, Stamos discusses these experiences, addresses the debate over the role social media companies should play in fighting disinformation, and reacts to the biggest tech news, including the President's intention to ban TikTok and WeChat.

Episode recorded on 8/7/20.

To listen to future episodes, become a member of CAFE Insider and get access to exclusive content, including the eponymous CAFE Insider podcast co-hosted by former SDNY U.S. Attorney Preet Bharara and former N.J. Attorney General Anne Milgram, the United Security podcast hosted by former advisers to the president Lisa Monaco and Ken Wainstein, bonus content from Stay Tuned with Preet, audio essays by Preet and former SDNY organized crime chief Elie Honig, and more: cafe.com/insider.

Read the transcript and show notes: https://cafe.com/cyber-space-podcast/cyber-space-with-alex-stamos/

Listen to John Carlin preview the Cyber Space podcast in conversation with Preet Bharara: https://cafe.com/cyber-space-podcast/introducing-cyber-space-with-john-carlin/

Write to letters@cafe.com with your thoughts and questions.


This is an unofficial transcript meant for reference. Accuracy is not guaranteed.
Hey folks, pre here. I hope you enjoy this episode of cyberspace with John Carlin in conversation with Alex Stammers. As always, right to us with your thoughts in questions at letters and cafe, I come from Cathay welcome to cyberspace? I'm your host John today marks the official launch of his pockets. Every other Friday will be exploring the key issues at the intersection. Tax law and policy I'll be joined by a range of guests made an impact in the world of cyber security. My guess this week is Alex statements. He served as the chief security officer Facebook. We lead an investigation into Russia's interference in the twenty sixteen election. He was previously the chief information security officer at Yahoo, or he dealt with a number of major cyber attacks from
nation state actor. Today he teaches at Stanford at least the universities Internet observatory. You also recently took on a roll with zoom help in the company with security challenges brought on by its exponential growth. During the pandemic, there is much to discuss and I'm thrilled have Alex demos on this programme. Welcome Alex grids, be talkin to you again, and I want to start really with with your back and a little bit, you ve had a long career in tech, including time as is successful, entrepreneur and executive Yahoo but, although, as will get into a little bit more, sometimes I wonder if hiring. You means instant crisis, but let me take you back. A little bit is is this. The case few envisioned when you majored in electrical engineering and computer science at you, see Berkeley, not exactly where I was is interested in computer security, but, like others,
the people of my generation, most of the training that we got was very unofficial, I think you'd say, There is really no good way if you're going up the eighties and early nineties to learn about security and await its complete legal and allowed so did some things. Honour comes just before Then a pc, starting with three hundred a modem. Name. Your friends in the lake and NEO back then security, simple, just kind of fun, rightly going in breaking the baby S, is We also be, as is your pre internet. If you want that hate out with your friends online, you diamond was called the bulletin board system, so you darling you're with your modem and often people be interacting asynchronous lake is a lot of gps is only had one or two for mines, so you can go messages, while you're dead go off, come back. Twenty four hours later see what people have done, but also what was big for kids. Those days was
trading, video games and tips on how to crack them in such a that's. Actually, I first learn how to do. Some. Reverse engineering was breaking the copy protection on my Commodore. Sixty four games and learning all that from PBS was their particular. You remember cracking yes. Actually, there's really Game called red storm, rising interest, submarine simulator based upon the tongue. Clancy book was the best commoner before name and also very expensive, got got myself a copy of that. But beyond the time just kind of this innocent time when you're doing this kind of stuff was not incredibly impact on people's lives. And technology, which is this kind of citing right, like my most of my life, did not revolve around tat even for a super nerd This kind of amazing to think what has happened since then that now technology plays such a more central part of everybody's life, especially somebody who's interested in it. Like I, what WAR games, what you, if any nineteen, eighty four at the ground
movie STAR Matthew, broader about a kid in hacks into the Department of Defense and nearly starts a nuclear war spoiler by now, Did you see it and what impact it and have idea? I mean the two biggest most backward movies for me in the computer this was war games, which is exactly the kind of stuff that mean these. These kids, who go to this twenty six hundred meet up. So there's a magazine called the hacker quarterly six hundred do yeah, I'm sure you ve seen it do you know the TWAIN six hundred comes from. This is actually a quiz. I give my students, I do not there's a man named Captain Kirk actually, I believe, also went to Berkeley, but back in the sixties, who figured out the whistle in the captain. Crunch cereal box made perfect twenty six hundred hurts tone which turns out the town by which the local eighty Anti office would signal the long distance switch. And so, if you use that whistle, you could then steal one distant calls so late,
This is exactly the kind of stuff that we talk about in war games. Here's what now cold war, dialing which, as he just goes through a dials about your phone numbers until he finds computers, and that's exactly kind of thing- that, Bunch of kids would do it in those days. With no like militias purpose, just like see what was out there and what was he mountain is Regrettably, the other movie that really had impact on Eu Sneakers right, which that rubber Redford move in which he and a bunch of his and have a company that professional hackers and they get paid to fixed off, which effectively became we're goal of mine that I was able to fulfil a little bit later, though you know it's pandemic, time at home. Looking for something to watched the time due to reward both those movies in sneakers has an incredible credible cast. That's shrubbery right its DNA, Droid David's, stay there and in the General Jones, makes a cameo as you pretty much right it s a
Guy in the national security establishment was pre, pre nationals carry division, but I'll take it. Even naturally the best as messaging for war games, I always find it. interesting Y know talked about this before because, in addition to in influencing a young Alex Day most, it also for President Reagan caused him to ask the question: could this happen Apparently it was really the beginnings of the first government programmes. When the answer is yes. happened us in were not really prepared, for it adds in that whole time is like looking back and of the relationship between teenage hackers and the government was very complicated and weird right. as some guys, I ended up working with later, were part of a group called Maud masters. Destruction, which was a prayer. Hacking group in Europe that the secret service has been called the greatest cyber terrorists in the world, or something and later,
to be all these kids go to the same school in the upper side which off will get to it later, but that recent twitter hack a thank you still. You still have that that phenomenon, gotta I'll write. What, but I mean this is the difference that right like if you're seventeen you have these skills and you dont very carefully stay under the beaten path. You will end up in a very dark place right. I think that's. Actually, though, it is There are so many more options for young people. Now, there's good options right, you can participate in. Can clubs like just yesterday. I did a webcast with the single hack club, which is like this international group of teenagers that are interesting computer security and they all participate in capture the flag, competitions, apron in official bug. Bounties explain: stick to step back. The outlay were captured the flag, yeah Titian, so capture the flag receipt. He asked
a competition. We have kind of an artificial network set up a new compete to break into computers and to get the flag, which is usually a file that sits on the computer, and so that's that's kind of an official game in it, something that I actually used to participate allotted to old thou. My skills are you, I'd have to be. The seniors division of hacking, the idea that they should make that is surely to make what is surely right growth is willing. They caught masters right. That means old YO. If your young person he went on to hack, you can be part of a competition there's. Schools can have teams now right, like it's some high schools. It is a varsity sport to do hacking, which I think is incredible and awesome opportunity and then, if you want to go up against real systems and not in Kennedy's artificial playland, you can go up against companies that have announced you were allowed to hack us and we will pay. You so there's all these great opportunities for students, but there's also huge downside, which is, if you fallen to effectively the wrong crowd. You will get,
hold into a criminal underground that didn't really exist. When, when, when I was coming up, we talked a little bit about the fork in the road for current kids, where you can go down, the path of paid by companies define vulnerabilities so that they can fix them and essentially getting paid for gaming, which is the capture the flag or bug bounty programmes. and then, on the other hand, that there's this dark criminal underwear we can also end up getting Paden AG kids in the face to face with joy. for exploring one path in the other. What what would you say helps? Which experience helped shape your thinking about technology and policy in and put you, I think, on the path of law? By law abiding citizens of mostly lava closer yeah. I I had a very. I was very fortunate, my childhood right, so you very supportive parents grew up in a very stable
our old in suburban Sacramento went to a good public. High school was able to get good grades in and go to Berkeley, and so you know like There is none of those things that maybe other kids push them off the path right plus out you know we're immigrant families metropolis and I had a grandfather Andrew Raucous, Andreas Ruckus, from Cyprus to it the really kind of nailed into me like the importance of education. That was his big thing. He had left Cyprus. He had a fifth grade education because he was the oldest boy in the family and had been pulled out of schools to work on the family farm, and so when you're, the grandson of a literal goat, heard her. You know there's a kind of There's that kind of immigrant expectations on your shoulder and he ain't that that helped him in had that opportunity right? Like I go to call, I could take real classes. There wasn't a lot. You could study security there is only one security class in the late Ninetys there. This is actually an interesting kind of mirror image of. What's going on right now around trust and safety, which is the same problem by the time you couldn't
to university learn a lot about security site. I took a graduate class by David Wagner really famous now, professor. At the time he was like a brand new pressure, just got my phd and then was able to me I'll, get a good job and do the stuff professionally. So you get out of Berkeley, and you end up just three years later: CO founding Isaac Partners, a security, consulting firm that ends of becoming a really big and as is you're saying, there was barely any coursework sounds like you. When found the one course you could find a Berkeley how'd you end up in the securities, yeah. I mean it was always something I was. I was interest in doing professionally. I mean the nice thing about going on. I do always recommend to young people. If you have the ability to go, get a real computer science or electoral engineer in education is still incredibly important for security. Now, some of them asked actors, I know, dropped out of school did go to school, but if you ever an opportunity for you. It is still important, because if security is about
breaking the layers of abstraction in system. Right, like that, computers are so incredibly complex that even the people that programme them have basic something about how they work, and it turns out those basic assumptions are often forced to good enough to go build something that work they're, not good enough to build something that work securely and so studying commute. Down to the lowest level can often be a really good skill, but I'd die a graduate in that dot bomb right after the collapse of the dot com industry, I had a job offer at comical loud cloud. market reasons. Company after Netscape was really the first cloud computing company it just is a cloud computing company that predated all the technology that makes cloud computing profitable. Now I was just a little ahead of its I'm in a graduating. Do that in the end are pulling back? A job offer in the may have a very distinct memory of doing this trip through Europe my sister for, like my my my post college trip and being in the basement of the train station in Florence, ITALY
logging into a webcam. So here I am like now looking back like weight, so I wouldn't like this random computer in this train station in ITALY, and I typed in my password to get my email. That's how you did it and then them saying like. Oh because we are legally required under our pc, I or credit card requirements to have a security engineer, we're going To give you your job, which is like it was great ticketing when you're required to hire you so we're gonna role, eyes actually follow through. But I was like a great experience in did some other stuff electric vehicle at stake, which is kind of a consulting company, famously full of ex hackers fascinating where people just did paused over. Second, that's an example of so there's. There is essentially a public private regulation that says there's certain ways you need to protect credit card information.
In the pc I rules and but for that you would not have gotten your first job and secure yeah. I think so I do it. This is this. Is it wasn't called pc? I just me you're gonna get email at the time it was like. I forget exactly was called before the payment card Industry Council existed. There was some security standard from the credit card industry, but yes, it was only because they had a regulatory requirement to have somebody with its title effectually that I expect you to be thankful throughout this for regulation. Yes, exactly, I guess we'll get to that part of definite per regulation. I just think it should be tied to reality, but yet it so I did at stake, which is a consultancy attic I bought, and what year was this roughly? Twenty five is a two thousand for right, so at stake its bought by semantic and a bunch of friends- and I were like we don't wanna- go so antivirus romantic. That was not our plan. we end up going and starting our own company, and it was Travel experience, media bootstrap that we all through a couple grand in two by our first laptops. The first data centre was the closet,
my wife and I just got married, we moved into a place in the sunset district of San Francisco, so nice and cool. So I literally at a stack of computers in the closet and then just open the wind for ventilation, and she called at the door of dim because we had these machines running continuously the closet under her shoes. And yet we start this company in it turned into something the great it we're just really well timed, because all of us were specialists and application security, and this is the time the two dozen for timeframe when the thrust of security interests inside of corporations, with switching from what we call network security. Israel mapping out networks getting past firewalls using our abilities in software that you buy from somebody else like an Oracle or Microsoft to software security, about the software that companies build themselves. so we're just pretty opposition for that, and we we made some good like like we got into mobile security very early on that turned out to be really good, bet and being replaced. The right time is up
for the sake of their own, your dinner in your one bedroom with the floor shaking the door of dead and you managed to pull off get some heavy hitting clients which figures blankly, Google, Microsoft, Facebook, Amazon and sounds like some of that. Is you right place right time, great expertise, but but how'd you pull that off. How'd you get them to trust someone Workin out of centuries basement. Hope you all had worked as consultants before for four at six. So a couple, those relationships were preexisting problem, most important Microsoft right, so I had done it point a lot of work at Microsoft for at stake. This is right after you of the famous letter from Bill gates out to the entire company the trustworthy computing memo where he said. Yes, we you're, going to pivot to build software that is more secure and more trustworthy. Well, there's a lot of invention that has to take place. Take, for example, the issue of privacy that holds a lot of people back in using the internet. How are you,
describe to user, say when they provide their credit card or they do a transaction. How do you described in them in a simple way? How that for me it is going to be used. So that say, when they come back to that site, it'll be cost eyes for their use, that's to their benefit, but in you can come up with a way of describing it and really showing them then people? will always under use what's possible on the internet, so privacy is a perfect example of something that we need. Really, work and not just man, hours, take the idea of you get email to interrupt you, some email with super important and you should be interrupted and other email you should get when you're, not busy consign beside me. I e mail. You should never got and why the computer do that. Well, it's not just man hours to solve that problem. We have, I think, brilliant people on it, but it's not
If they can write down. Ok, that's five hundred hours of work there. They ve got to invent an that's why it's a research topic to be part of that was then Microsoft hiring outside hackers to come in and help them thick stuff, and we had done a bunch of that work already and then the day of the announcement that semantic was by this older. This company microbes kicked off the consultants off because they were already in some kind of antitrust law suit or something with was Symantec. It's over this opportunity of Europe. They knew us. We gave them a huge discount. This laboratory, for them to pick up some talent cheaply in it. It worked out really well so mixed up this kind of our cornerstone client for a while, but then you guys are we reputation and those that we did. We did a lot of public research and that, I think, still in same for consultants in new security experts, starting out, is to get out there and do original research in a new kinds of vulnerabilities, new classes of issues and then go talk about them publicly prefer ethical way in a way that actually helps things
We did a lot of that. That was a really good kind of marketing and sail strategy for us, and I are our paths overlaps in a way, although we didn't meat but with the Aurora attacks, they were going to spend a moment reminder listeners could get. You explained the Aurora attacks and in what happened to you about early twenty ten are coming we're doing lots of work for Google. They had We brought us into work on that ship software, so at the Google had made that transition from me web only company to shipping opera. Systems, and they had known that. We have done a lot of work for Microsoft, on operators from security in its actually. a different model of the kinds of things you do We're doing allow work for Google. We are also doing a decent amount of its response. Work for companies had been broken into and I get a call from who will folks in and go over and they plain to me that they had uncut a breach in Google that had lasted for quite a long time and in investigate
that. They had found a command and control system, that was behind a dynamic, DNS name and they had gone and taken that over and an pointed it at their own, and when they did so, the other goal was to find all of the infected machines inside of the Google network, but where they found was, There is over twenty other companies that had been hacked to buy the same campaign and that they had traced it back now that they had control of that kind of intermediate system, China, and they believe that this was relate to the chinese military late last year. A student group that criticizes China's rule into bed learnt emails were being sent in their name and some of their email accounts provided by Google had been hacked. it's true. I was startled, I couldn't do that. Someone an unknown. Stranger could happen to my account so easily. Last week, Google trace the sabotage back to China and says to break ins, were part of a pattern of cyber attacks on human rights activists who criticise China, and
in their just for second, you recall another prior to that case, where a company of size scale, reputation of Google publicly accused China and its government. happy now. This was this was a landmark moment for a number of reasons, like you said. Yes, like Google doubt, they publicly admit that they've been hacked, which was very avant garde right for people to proactively say that the time it was seen as you don't shameful. If you would been attacked ITALY, one publicly come out with that, to that, it was against the entire tech industry really get really disappointed heard about chinese attacks against defence contractors and government agencies and defence industrial base but to go against a huge chunk of Silicon Valley all at once. This was the kind of the first public knowledge of that and, yes in the fact provided attribution was a totally new and then they now we say to it, it's in China. They threatened to pull out of the country and what? What's your view of both that thread and what
really happened. The relationship of the United States and China is obviously incredibly complex and, from my perspective, the People's republic is the place that Silicon Valley, ethics go to die right, that you have these companies that are very high minded in their corporate missions. In the statement, they make in the way they relate to democracies that then, when it was to China. The combination of kind of the the skill the chinese government in manipulating companies and gaining leverage the amount of effort, the Chinese put into hacking into infiltration and then the overall economic importance of the country combination that, for whatever reason, companies often forget all things they have said in other places, and they they act in a way that completely contrary to their permission and
this time I had a search engine that was available in mainland China. That was censored now that the time the Google made the argument and not a horrible boy- that is better for Google to exist and nothing, but the I think, this was seen by them as if they are going to cooperate with the Chinese on chinese law openly to have the pr see Then turn their intelligence. Agencies against the inside network of Google was a step too far and that they were the cut off official in my understanding is that they turned off that censored version and then the the p r C blocked the rest of Google's products via the great firewall, and there has been this cultural relationship between Google in China. Since then, where's China is still incredibly important. because that's where most Android phones are built, Google's Android products are still remembering. System is very popular, their powers, the vast majority of phones, although often in unofficial capacity. Anyway, that's not licence from Google
so there's like this real complicated back and forth. That is continued since then, but I think at the time it was a very big statement and I thought it is For the last time that we can, I can think of a big tech company really standing up to China publicly in the meat. It would take a step back and we ve covered decent span of time now and you to quote when you were to be given new lecture series dividing art our time into different heiress, comparing two thousand one, where very compared to now few people had that access semi securities gone from being a fun games like a basic life safety issue. right like into doesn't one. I don't know what the number is, but also making can probably look it up. What we set up here, but one into doesn't want you couldn't automatically solve barbette like that. Just by looking at your phone, you had. Actually, you look it up later, but but also You know what, like a billion people, peddler access, or seventy million people, or something like that
imagine ninety nine at some point to mention a man. He was like a hundred million people had access rights and for those people didn't, it was like a fun thing where they can do some research just reading, and now the internet is a critical part of the lives of close to three billion people right and, and so it's securities gone from something we're like you, don't win them. We're sworn happened in the entire internet shut down. Nobody died right. That would not be true today. If the internet you stopped working or if we had a worm that infected ninety percent of internet connected devices, people would die or people would lose. Jobs or their beaten. There'd, be mass chaos and securities gone from something that's kind of like fun. Do something that's responsibility? I didn't mean it can't be fun when you do it, but you have to get a sometimes stepped back and be like. Oh man, Actually, you are having a real impact right and then you referred to for four prosecutor. law enforcement case. That's always discuss the moorish worm, which is really the first time, I'm tempted to
play criminal law to an intrusion. This was a self propagating code, in nineteen. Eighty eight that shut down the internet- and you said that when them Earthworm happened, the entire internet shut down and nobody died. That would not be true today, the internet just stopped working or if we had a worm that infected ninety percent of internet connections but would die or people lose their jobs or there would be mass chaos till dummy low. Explain that court a little bit Where were you think we are now here too, where we were when it comes to internet related threats, yeah, I'm so one in that speech. I can talk about the progression of are profession, of people who work in computer security or cyber security as you go CNBC or infamy security, as we say in the West Coast as your first, a hobby then a job just like any
there. I t job right. That is like important to support things that people are doing, but not to be critical to effectively becoming a priesthood right. That. security has become this. They met under wise, a huge chunk of our lives and its because of the success of the insertion of technology to every aspect of people's lives top to bottom that the same people may be doing it and we will be doing the same things but the The importance of what we do around us has completely changed and Yes, I was using the moors farmers, for example, because that was a warm. As you pointed out, that was an amazingly for the time it had, multiple payload could in fact multiple different incompatible computer architectures and it infected ate a big chunk of of the then nascent internet, and it was like a story among I t people in universities button. nobody died, there is no actual impact and because of the way we have inserted technology and embrace lives. That is not true anymore and in kind of him from my perspective,
No, the tech industry overall were really really good at making technologies will for people to the point where they start to rely upon it, but then we're not very good at making that technology worthy for them right than in theirs, multiple levels, so that there is a traditional security issue, this kind of the privacy issues which are about how you decide to gather updated use it. you're, so that what you might call the trust and safety issues which is here we build these technologies were bad things can happen, and we often do so first and we get them important. Firstly, we figure out how can people abuse them later and I think that's like they're, a fundamental problem in the structure of how we build technology Silicon Valley is at all of the thinking about the downsides, happens way too late in the process, and it makes it very difficult to fix it up after work here, at Yahoo and then where he had won the biggest thefts ever maybe the biggest theft ever of email related
information by russian criminals links to in taking tasks from the russian state. You then move to Facebook and are there as your confronting an unprecedented attempt to manipulate the way individuals are thinking using such social media oh you're, at Stanford and Tom, a little bit about what what you're doing at Stanford and high working to tackle some of the problems that you you ve, observed and confronted first hand and you're different industry jobs. Training do a couple of things, its effort, one is your team is doing research in the misuse of the internet that I'm trying to get the sweet spot between it being done in a timely manner and being quantitative and qualitatively supportable enough really inject a better level of accuracy.
into the discussion of these abuses right until it like a specifically in the disinformation world, Unfortunately, since twenty sixteen, there has been a belief among people that by people I mean really just kind of mostly the: U s- media, that. Any kind of disinformation activity is immediately impact. Vulcan can have all of these downstream impacts, inner, maybe and measurable. For that, you should do almost anything to stop it right in that. That's not how we can handle any kind of abuse right like we have to really understand how do these abuses work? What kind of him Does it have to them? We can calibrate what our responses to it are. There's a lot of good economic groups doing this kind of work, the is the majority of them are on publisher, perish kind of models where they have to be in. Review journals and the like and see you talkin about, maybe something coming out a year or two afterwards, and so we ve built this team to be do in the short term. What is much more journalistic work of hears us explore
and uncovering a Russian disinformation campaign in Africa and getting it taken down, so we have impact immediately. That can then turn into a political science journal paper a year or two later by the PhDs who were on that team. So one of our goals is to try to inject a little more realism into the discussion of these abuses. The second is to expand the discussion of what should be considered the responsibility of tech companies beyond traditional information security into all of these other areas. It bears a parallel with where we were in the late nineties and early 2000s on security, which is: security was a super-specialized field that was often off in a corner. It was something you did last that was not deeply integrated into the product lifecycle, it didn't have an economic component, and there wasn't training for it, right? And that's where I feel like we are on the broader trust and safety issue. When I say trust and safety, we're talking about abuses of technology
generally: the technically correct use of technology to cause harm without any hacking or violation of the rules of the system. Hacking is usually about making a computer do something it doesn't want to do. Abuse is making a computer do exactly what it is built to do, but the outcome of that is somebody gets hurt. So one of the things we're trying to do is make that part of undergraduate education, and we're doing that by, I'm teaching a class at Stanford called Trust and Safety Engineering, and my lectures are all those other things that aren't really hacking, right? We have a lecture on hate speech, bullying and harassment. We talk about suicide and self-harm and suicide clusters online and people encouraging each other to commit suicide. We have two lectures on child sexual abuse, which I know you have dealt with, but most people who haven't worked in trust and safety or law enforcement have never been exposed to the true horror of what actually happens online every day to children. We talk about terrorism and the like.
We're putting that class together, we're going to make it free, and we're writing a textbook, and the book will also be free. There will be a paper copy that you can buy, but we'll have it free online. The goal is to capture all of this stuff that we know about the products we've built and how they've been abused, so that the next generation can make at least different mistakes than my generation did.

It is important that no one is... going back to early criminal cases, I was shocked by how many mistakes were repeated because people were not learning lessons. Some of the same tactics and techniques that, going back to our earlier conversation, were prevalent in the eighties are still successful here in 2020.

Right. And we had this problem, and it's less of a problem in traditional information security now, because you have enough people whose career is around security and they've studied the stuff in the past. What we really need is that the companies that build these products
need to have somebody on staff that has that kind of tribal knowledge of all of the things that have happened before and can look at what you're doing right now and synthesize: oh, this is how it affects us, right? And the reason I'm doing it at Stanford is that there is probably no university in the world that has more responsibility for the current state of Silicon Valley than Stanford, right? The university keeps on graduating these twenty-year-olds, mostly men, who come and say, oh, I have an idea, I want to make an app where you can take photos and then anonymously send those photos to an infinite number of women. What could possibly go wrong?

Well, here's the list. Let me move to a real-life case you're working on. So here we are in a pandemic. Everyone's working from home, schools are suddenly teaching classes from home, meaning kids are using services; they have
video chat in a way they never had before, along with employees. And you have Zoom, which, to take an example, was a company that was relatively small and just explodes in terms of usage. I know they brought you on as a consultant, and I'm wondering, in terms of tribal knowledge, to use your phrase, it seems Zoom is being exploited in many ways that one could predict, although the explosion in users from ten million to over two hundred million in a period of a couple of months, I think that was a little harder to predict.

Right. There are really two totally different issues with Zoom. So, like you said, they brought me on as a consultant. Full disclosure, I'm a paid consultant for the CEO of Zoom, and I got that because I was tweeting about it. Twitter has been good for my career,
tweeting about the mistakes made and how I'd seen this pattern in companies before, and how effectively Zoom now needed to speedrun in six months what Microsoft and Facebook did over years and years, right, that they had this need to build up. So the next day I end up getting a call from the CEO. He had called around some friends, found my number from a mutual friend, and we had a long discussion about all the things they could do. I sent him a nice big email, and then he ends up announcing that they're going to do a bunch of stuff that we had discussed. And I thought that was, from my previous CISO jobs, somewhat unique: to have a CEO who put security first. That was a unique experience for me. But it became clear that they saw this as both an existential issue as well as a potential form of long-term competitive advantage over other companies. And if you want a company to care about security, safety, trust and privacy, then you want them
to see it as a positive competitive advantage and a moat they can build. So they invested in it in a big way. There are really two classes of issues. One is traditional information security problems, right, and so Zoom had a bunch of bugs in their client and such. The truth is that those bugs are generally the kind of thing you'd find in mid-size enterprise companies all the time. From my consulting days, if we went into any successful but not household-name enterprise company and looked at their software, that's exactly the stuff we'd find: local privilege escalation, some remote code execution, using old libraries and stuff like that.

So let me just walk through that a little bit further for an audience that's not technical in background. You're saying this is what you should expect, essentially, from a lot of mid-size companies. And the problems included things like the way Zoom was installed took over admin privileges, which means the highest privileges you could have on a user's computer. You could get root access,
control that computer, and that would allow someone who wanted to abuse it, to use your term, to put in bad programs without the user's knowledge, including the type of scheme we've both seen a lot of, which is taking over webcams or microphones. And then it was also found early that it was sending data to Facebook even if you weren't logged into a Facebook account, and routing some traffic through China. And then there were the encryption issues, where the default encryption, this is probably the more complicated one when you talk about it, but the default is not end-to-end encryption, which means that messages in transit could be vulnerable. And then, finally, the one that I think got the most publicity, in part because it has a good name, was Zoombombing, where people were finding open meetings to join, and then they were flashing
pornography and other things in front of the kids, etc. That got a lot of media attention. I wanted to walk through some of the issues because you made an important and provocative point, which is: yeah, this got exposed because Zoom grew so quickly, but this is actually business as usual, from what you're hearing, for a lot of medium-sized companies, right?

That last part, Zoombombing, is a totally different problem; that's kind of my point. But on that first kind, the core security issues, yes. You said this is what we expect. Unfortunately, our expectations of this software, of enterprise security, are way too poor. We should expect better. But there's a massive disparity between the top ten tech companies that people can name and the ten thousand companies that build the software that all our lives run on, perhaps unbeknownst to us, right? Zoom used to be in that second category, and the people who knew about Zoom before COVID were CIOs and enterprise video conferencing teams, and the folks who go out
and do a bake-off between whether it's BlueJeans, Microsoft Teams or Zoom, and then make a decision in a kind of enterprise bake-off. It wasn't a product people were using every day. And yes, those kinds of products often have these problems if you're not part of a Google or Microsoft or a company that has thousands of security engineers. And for those big companies, it came from an existential issue. For Microsoft it came in the early 2000s with the Trustworthy Computing memo. With Google it came after Aurora, the attack we were talking about, which caused a huge amount of investment by Google in security. I've said that they should have invested more in security earlier, but solving those problems is a little more pedestrian, because what you have to do is build up a good team. You have to improve your software development lifecycle so that security is built into multiple parts of the lifecycle. You have to be able to handle outside bug reports more efficiently. So that's all the kind of stuff that I've been working on with them,
and they have hired a new CISO, there's a new head of application security, they're building up their application security team. They've fixed up their bug bounty in a bunch of ways. So there is still work to be done there, but that's the traditional bucket. The other issue they're facing is much closer to what we were talking about with the class, the trust and safety issue, which is that when Zoom went, because of COVID, from being mostly an enterprise product that was provisioned and bought and managed by IT professionals to something that Mrs. Smith, for her fourth grade class, would just go get a Zoom account for and then all of a sudden move a bunch of children onto Zoom, that is not what the product was built for. And that is the safety issue. It turns out that with Zoombombing, or the meeting disruption problem, almost everything you needed to prevent that from happening existed in Zoom at the beginning of this year. It's just that people didn't know it was there. Some of that stuff was buried in different areas,
and some of it was available to consumers but not in the normal interface.

We've talked about that in lots of different contexts for companies, but this goes to whether or not you should have security by default, essentially, right?

Right. And the core problem, the genesis of this, was they offer a freemium product, they offer a self-service product where you can put in a credit card, and then they offer an enterprise product, and almost all their money is made on the enterprise product, right? It's made by selling a bank a hundred thousand seats. And if you sell a bank a hundred thousand seats, that bank is going to use single sign-on, they're going to have their team go and set all the little bits in the interface to make the defaults secure, they're going to do the right things. The one thing Zoom did was they gave out an always-free account to schools, and so they kind of created this problem for themselves, in that they gave all these
accounts to schools, where you might have one IT person, who might be a volunteer parent or might be part-time, or one of the teachers who was just totally slammed, did not know how to use the product, didn't know any of this stuff, and by default it did not walk them through: this is what we think you should do. So the other issue, for the schools especially but also for a number of other institutions like churches and such, is they didn't have communication links set up to securely communicate out when this incredible transition started happening in March. So this happened at our kids' school, where they started just putting the links to Zoom meetings on the public website, because there's no other good way to get it in front of people. And so you have all of these people who were home and bored and malicious, who would go and scan the internet, scan through Twitter and Facebook, look for anything that looks like a Zoom link, and then go trade that in private groups on Discord, private groups on Facebook, WhatsApp
and the like, and they would trade these links back and forth and they would go disrupt them, right, jump in and, hopefully, do something like just be annoying, or in the worst case do things like show illegal child exploitation content. And so the core issue for Zoom was that a lot of their product management was focused on the space where they made money, which is what you generally see from enterprise products: the security features were built for enterprises, and becoming a household consumer product overnight completely changed what their focus had to be. So the work, fortunately, because a lot of these features existed, was mostly about redesigning the interface and redesigning the user experience so that when you set up an account, by default the settings are more restrictive and you have to turn them down, and putting in the interfaces, when something bad happened, to make it much easier. It used to be very hard to report that something bad happened. Now it's much easier to say this person did something bad, I want them kicked out and I want them reported to Zoom. And then they had to build up their
safety team with people who investigate that stuff and then work with law enforcement.

So let's break it down. Now we have, number one, you have a product that you can raise to the market, that a company's building out, and it has security flaws in it. There's a Princeton professor who characterized Zoom and said, let's make this simple: Zoom is malware. And there he was referring, I think, to security flaws that would allow you to get access to things like the ability to use someone's webcam or microphone without their permission. So that's one bucket.

So I know that professor. I think he massively overstated that. Things like local privilege escalation: there were something like three or four New York Times articles that mentioned Zoom's installer's local privilege escalation. Every time there's a dot release of macOS, there are like a dozen local privilege escalation bugs, right? So yes, they actually
Exactly. What I want to push on a little bit is, how do you take it up a level? What do we do in terms of policy? Because this is one example that got well publicized because the company exploded overnight, right, and so it got press attention, but there are thousands and thousands of other companies who have similar issues. What do we need to change so that the default is that security is there before it arrives and needs to be fixed on the consumer's computer?

Yeah, it's really tough. I think the first is, one of the problems we have in the cybersecurity world is you hear about a handful of the failures like this that are public, but the vast majority of security failures are secret, right? Like this week, a bunch of companies are going to get broken into,
and the information that gets stolen is not going to touch the PII definitions of SB 1386 and the other state laws that require the disclosure of breaches that touch personal information.

You say there the PII, personally identifiable information, and that a lot of the laws are really triggered by whether someone gets things like your name with your social security number. But that's not the issue here.

Right, and you and I have both worked a bunch of cases where companies have had important information taken, but it's not personal information, so therefore they don't have a disclosure requirement. And culturally and legally, nobody's encouraged to admit, like Google did back then, nobody is encouraged to admit we had a breach, even if that breach was caught halfway or something.
The first thing we need to do is build a kind of cultural and legal permission for people to be honest about these issues. And the industry I think we should continue to look to, and I'm not the first person to say this, the industry that does incredibly technically complex things so safely and has a culture of continuous improvement, is the airline industry, right? And part of it is regulation, is that they have a regulator that actually understands the stuff. So you have the National Transportation Safety Board, which has a level of technical knowledge of how airplanes work in a way that there is not a single institution, maybe other than the NSA or Cyber Command, in the U.S. government that has the same level of technical knowledge of the internet world, right? So they have a regulatory structure of people who are experts and have a culture of continuous improvement. So obviously, if a plane crashes, there's a massive NTSB investigation, there's all this stuff that happens, but even on the close calls, if something breaks, if there's a human mistake, there is a culture of that being filed, that being looked
at, that being discussed, and the legal structures and the regulatory structures to allow that to happen exist. I think we need to move to a world much closer to that on the security side, where when these mistakes happen, there is a discussion of what went wrong. And I'll actually use the example that you brought up. So when I was at Yahoo, actually the biggest breach of Yahoo's stuff happened way before I got there, but there was a separate attack that started a couple of months after I got there, by a group of hackers working for the FSB, Russian intelligence, that had broken in and at first looked for a targeted set of people related to the near abroad, Russian ex-Soviet states, oil and gas industry. But then, once we found them, that turned into them trying to grab as many passwords as possible while we kept them out of the network, right? So this was a small group of pretty good hackers who were able to break in, but there's a lot
of reasons why they were first able to break into Yahoo, and there's another set of complex reasons why they were able to stay. It took us a while to get rid of them. A lot of those reasons go back basically to the age of the company and a lack of investment in security over a decade. But after this breach comes out, there is a set of lawsuits against Yahoo, as is known, and I end up, as you can imagine, getting subpoenaed for a bunch of these, and I end up going and having these very long discussions with tons of lawyers in the room. For people who haven't been deposed, I can't recommend it, right? You're sitting there and the video camera is looking at you and everybody's parsing every single word you say, and there are twelve people in the room and every other person in the room is getting paid to be there except you. And you're sitting there and they're asking me all these really deep questions. They've got thousands and thousands of emails and documents and they're putting these emails and documents in front of me. And through this process of doing this with me and dozens of other people who were involved in these breaches, you start
to build out this idea of, okay, what were the root causes that allowed these people to break into Yahoo, and then the difficulty in taking them out. That is really useful knowledge, right? Because these FSB hackers, a couple of them were arrested, but the main guys are actually still at large, well protected by Russia.

Protected by, exactly, right.

Right, now we can talk about our joint friend Alexey. So it would be super useful for everybody else to understand what happened at Yahoo. What happened to all of those transcripts, all of those documents, everything? Well, they do a deal where the class action lawyers get forty-five million dollars in fees, a bunch of Yahoo users end up getting free credit monitoring, which makes exceptionally no sense for a Yahoo breach, plus I got a gift card, I think, and then all that stuff gets sealed up by the court. So as a society, if you have a failure like that, to make that just part of what is effectively
like a legal game, just to move money around with some class action attorneys in Florida, and then all of the fact-finding is sealed up and made useless once the money is moved around. That is just the silliest way to try to address an incredibly complex issue. Imagine the 737 MAX crashes and that's how we handled it: we have no idea what actually failed on the 737, there's no NTSB report, everything just ended up with the lawyers in Florida. We would find that ridiculous. Airlines would be much less safe. So I think one of the core regulatory things we've got to do is make the discussion of what went wrong public, and we also have to create a model where people are encouraged to come out when they have a close call or when they have a breach that didn't touch PII but maybe touched some kind of intellectual property. We need to have both a carrot of certain protections, maybe, and you're in a better position to have an opinion on this, but maybe you have kind of
statutory penalties for certain kinds of breaches instead, so it's not like a four-year class action lawsuit, but we need to have an encouragement of a carrot, and then you have to have a stick if people keep it secret. And then what I'd like to see is there really should be a four-hundred-page report on what happened, so that we can all read it and be like, oh man, now I see the things I have to do to prevent this.

And in fact with Yahoo as well, we see, according to reporting, this gap between what you were finding and recommending as chief information security officer and what the CEO, who had a lot of pressures about a business that's losing customers, did in terms of security. And I think you said earlier that in your career you have not worked for a lot of CEOs for whom security was the top priority, right? That's also something people have talked about, and how exactly to calibrate this, I think, is complicated, but I think it's a good direction: effectively a Sarbanes-Oxley
for security, where you make the board and you make the CEO liable in a personal way for security, which they are not right now.

You're talking about Sarbanes-Oxley, which essentially said that you have to personally sign as an officer of the company that they are meeting certain financial rules, and you're saying we need some type of law like that that makes CEOs and boards personally accountable for security. Is that right?

Yeah, I think so, because what keeps on happening is the compensation structure for CEOs is built only around financial metrics. And this is just a truism for any industry, right, but you get what you measure, to the detriment of everything you don't measure and you don't bonus, right? And so if your own bonuses are based upon the short-term financial metrics and not upon the longer-term risks, then you're going to end up, your management is going to go all one way.
There are companies where security is integral, but it's just extremely rare, honestly. At the vast majority of companies, the existence of a CISO is in some ways negative, because you've created this executive on whom you place all of this risk, but they don't have the ability to make the decisions that actually bend the risk, right? And so from my perspective, a CISO can't be the risk manager. The risk manager is the CEO and the owners of the product lines; at a big enough company it's not even the CEO, it's the people in the business, right, who make the real business decisions.

A former CISO says CISOs shouldn't get fired after a security incident?

I mean, we're in this weird place where you have this executive whose only job is to think about the downside, but they
never have the ability to make the big-picture decisions of balancing growth against risk.

I think that's really an important point. Part of the big change we've seen in our lifetimes is, less than fifteen years ago there really wasn't a chief information security officer, and then the C in CISO was supposed to indicate that they were in the C-suite. At most companies they're not really in the C-suite, and even in the C-suite, what you're saying is they need to be empowered, and they require, by law, some regulatory or other risk that forces a company, when doing a rational calculus, to prioritize security, and to be given the authority they need to make the right risk decisions, not just for the company but for society.

Yeah, and you said that much better than me. I don't know how many people ask me, how do you, Alex, how do I become a CISO one day? My answer is, don't. That's not the place you want to be. Better is a senior
director of security role, where you can run a large team and have huge impact, but you're not seen as having that responsibility. Being a CISO in 2020 is like, imagine if you're a CFO and Sarbanes-Oxley is passed, but you haven't invented double-entry accounting yet. Everybody is allowed to spend whatever money they want and you can just advise. That's not how companies work, right? The CFO moves all the money in a public corporation; you are not allowed to spend ten cents without some kind of infrastructure they have put in place approving that. But the CISO sits over in the corner and is almost all reactive, and it's very difficult to even know the decisions that are being made at any moment that are going to accrue a huge amount of security risk. And that's the kind of thing that we have to address. Every big company has this secret meeting, not secret, but this small meeting, usually on Monday morning at the beginning of the week, usually in the conference room with the CEO and the people who actually run the company. They're not necessarily
the direct reports to the CEO, right, but it's the inner circle, the cabinet of people who are making decisions, and it is extremely rare to hear about a CISO, or really any executive who handles downside risks, being in that meeting. And if you're not in that meeting, then in the end you're just there for the cleanup. You're not able to actually bend the curve.

Let's move to Facebook, and I want to do the same divide we did a little bit when talking about Zoom, which is: you have security issues, and we talked about them with Yahoo, that really have to do with the security of a product, and then you have abuse of a product, it being used in ways that you didn't anticipate. At Facebook you had more authority on paper, you were the Chief Security Officer, and while you were there you end up uncovering what is remarkable, the Russian interference in the 2016 election, and seeing it
as a type of meddling that I think we'd seen on smaller scales, but really never at scale like this before, in part because there was never a platform that had the impact Facebook did. So tell me a little bit about what your proposed approach was to deal with Russian interference, how that differed from the approach of other executives, and also, going to our conversation, were you in the meetings or at the table so they had a chance to hear from you?

So the vast majority of my job at Facebook was the traditional information security job, right, and that was actually in some ways much easier than it was at Yahoo, because Facebook had money. A lot of the core problems at Yahoo came from Yahoo being effectively a dying company by the time I joined. By the time Marissa joined, maybe nobody could have turned Yahoo around, but whether that's true or not, by that point
investment in technology had really stalled out for about a decade. That wasn't true at Facebook. Facebook was at the height of its powers and continuing to grow, had all new technology, had built all this stuff internally. At Yahoo there was a server that hadn't been rebooted in ten years, which people were really proud of. To them that meant something about the quality of the data center, the fact that it hadn't lost power in ten years. To me it just means you're not enforcing any kind of patch policy, right? You're not patching for ten years. And that wasn't the case at Facebook, right, there's much more of a culture of core security. So that was most of my job, but where I got pulled in with the Russia stuff was because one of the things I inherited and then really grew was a threat intelligence team whose entire job it was to look for advanced attackers, first attacking the company, right, looking for exactly the kind of attack that the Chinese did against Google, but then also abusing the platform to cause harm. And coming out of 2016, one of my core beliefs
is that as a society we have really messed up by not having the equivalent of a 9/11 Commission look at what happened in 2016.

Well, there's this fascinating other, smaller report, right?

Yes, I've heard of it. I'm in a couple of the footnotes, I think.

I'm not even in the footnotes.

It's amazing, the things that we do that we think are not going to be that important and then are going to be enshrined in history forever. I'm sure you're in the same place.

Do we need another report, or do we need to mandate that people read the Mueller report? Is there more information to be discovered?

Well, I think it's too late now. I think, as you and I know, Robert Mueller's goal was to understand what happened, to look for criminal behavior. The Mueller team did not do a top-to-bottom analysis of what are the root causes that allowed this to happen, right, and that's what the 9/11 Commission did after September 11.

In fact, one of those lives on as a result. Actually it wasn't that commission, it was a different commission, the WMD
Commission, but the division I led, the Justice Department's National Security Division, was created as one of those recommendations. So I take your point, that you need a top-to-bottom look and to think about how both the government is structured and how the private sector is structured, and we still haven't done that.

And there's an interesting parallel between 2016 and 9/11, which is, the 9/11 report is about the failures of government to communicate internally, right, and there's a whole section on the lack of institutionalized imagination, that there weren't people who were thinking ahead about what are all the bad things that can happen and how should we preemptively think about the ways our adversaries act. And we had the exact same thing happen in 2016, except that with 9/11 the responsibility was almost completely in the public sector, right? Protecting the country from terrorists, keeping people from getting on planes with weapons, that was clearly a government responsibility.
In 2016, now you have this much more distributed responsibility between folks in the government, but also the private sector firms, but also the media and the campaigns themselves, who reported if somebody reaches out to them from the Russian embassy. There was a failure of institutional imagination, and part of it was that the belief of what a government was going to do in attacking technology was based upon what we had seen in the past: taking over accounts, sending malware, spear phishing, getting into private groups of dissidents, right, that kind of secret police slash Aurora-type attacks. That was the focus of the threat intel team that we had at Facebook. It was the focus of the entire kind of threat intelligence private sector, the Mandiants and the CrowdStrikes, and it was the
focus of the U.S. intelligence services, which makes sense, because a lot of people actually come from kind of the same pipeline of folks. And so, like, that was kind of the core professionals, we had people who were looking for all those dangers, and very successfully. We uncovered a Revolutionary Guard Corps attack against the State Department that we spotted and then helped wrap up in a bunch of places. We had a bunch of kind of different attacks against power infrastructure that we discovered by a number of different actors, and so we were really good at that. And then we, and nobody else, was paying attention to the idea of suddenly manipulating the conversation through completely non-technical means, just by creating fake accounts, creating memes, and they all spice the conversation. That is kind of a failure of institutionalized imagination, both within my team but then kind of in general as well. Yeah. There's a memo
reportedly written by you that was leaked, while you were still at Facebook, that says: we need to listen to people, including internally, when they tell us a feature is creepy or point out a negative impact we're having on the world. We need to deprioritize short-term growth and revenue and to explain to Wall Street why that is ok. We need to be willing to pick sides when there are clear moral or humanitarian issues, and we need to be open, honest and transparent about our challenges and what we are doing to fix them. And what I wonder is, on that quote, you know, why would a private company do that? The question I have is, what changes do we need structurally to make that in the interest of a private company, or is it something that a private company will ever do? Do we need some other solution? Yeah. So one of the signs of this, this is how you know Facebook is becoming a government, is that all of our private deliberations are leaking. Welcome to the club, I remember. It's a debate about transparency, and, I would say,
you know, I think everything I've ever said becomes FOIA-able. Exactly. One day there will be a Mark Zuckerberg presidential library, and they'll have all the email in it. It'll be FOIA-able, right. There's a corporate Facebook that is reflected in Silicon Valley, which is, again, you get what you measure, right, and what does a company like Facebook want? It wants to build products that people like. It wants to be impactful, right. Like, this is the term here in Silicon Valley all the time, is impact. We're having impact. Impact is generally measuring progress of how many people are using it, how often they're using it, and then maybe some metric about whether they're enjoying it or not, right. None of those metrics measure whether or not your product is good or evil, or whether
or not you're accruing risk, that maybe it's good for people for a while and then all of a sudden there's some kind of black swan event that happens and you're really bad for people, and that you didn't notice that risk had been accruing that entire time. And I think that is a core problem at Facebook. It was built, that was embodied in something called the growth team, which is a product team whose job it was to get people to want to use Facebook and also to get more use of the product around the world. Now most of the U.S. issues, I think, are less about growth, but that is, like, the core of a lot of the international issues, such as violence in Southeast Asia. It was the expansion of the product out into all of these use cases and languages that we were not ready for, well before we should have, and not kind of predicting the kinds of ways people use the product and understanding the geopolitical and cultural issues that already existed. But in the U.S., a lot of it was, you know, we're gonna give people
what they want, and if you give people what they want, it turns out what people want is not necessarily what's good for them. Did you let your kids use some of these products? Unmonitored? I will not, unmonitored, right. On the kid issue, I think that's a hard one. I don't know how it is for you guys, but we have blown through our screen time allotment through 2027 at this point. You've yielded to the inevitable. Exactly. This is where I think, I read some good stuff, I totally agree with, kind of in the spring, of parents need to forgive themselves for not being perfect parents right now. We're living through history, and we have to do the best we can, and stay mentally safe. If that means your kids are watching YouTube, that's ok. Now we're transitioning, that maybe this is the new normal for quite a while, and we have to come up with a better kind of rules. So, I mean, you know, kids using technology is actually much more complicated. I'm not one of the people that's like, if they're in front of a screen, period, that rots their brains, but there are certainly positive things kids can
be doing, even if they are fun things like playing a video game that actually stimulates your mind, versus just kind of media consumption, right. But there are a lot of stories about the designers not letting their kids use these products because they are designed to be addictive. That's how you build users, and it's particularly powerful with children whose brains are still developing. What is your view, and where do you put limits on screen time? I mean, I think that the most addictive thing that my kids are allowed to do, that we try to limit, is YouTube, because it's passive media consumption, and YouTube is very, very good at, their machine learning is very good at, putting media in front of you, in front of kids, that they want to see. And so that's the kind of thing you actually have to set limits on. The whole issue about Facebook in Russia, that was more about adults, of adults wanting kind of information that reinforces their own beliefs, right, that curated information environment, where people are able to seek out and look within a bubble of
information that only reinforces their own beliefs. That's it, and that was not being measured, and that was very powerful. How do you distinguish between them? Disinformation, misinformation, fake news. As we're using some of these terms, first, is what I think you're talking about, when searching for things that confirm your own bias. That may be real news and real information, but you're only seeing a piece of it, like the old analogy with the elephant and the blind men, and you're only touching one piece. It's hard from that to determine what's true. That's right. And, yes, I think this is all a much more complicated kind of philosophy discussion than people generally give it credit for, which is: the vast majority of Russian activity in 2016 was not what you could really call fake news, right. So there's really two big chunks to their information operation. One is the online operation by the Internet Research Agency and other related organizations, which was not mostly about the election; it was mostly about political topics in the
U.S., and during their output it was not false claims of fact, right. Like, they're doing things like creating fake accounts as part of an immigration group, and then they're making kind of extreme political statements about immigration that, for the most part, are not things that are falsifiable, right. And so it is disinformation, in that these people are working in a coordinated fashion to hide their identities and then to amplify their message well beyond what would normally be seen by people. But it is not fake news, and it is not, like, a lie. And then the other part of the big information operation was the GRU operation, the hack and leak, right, and again the core facts that they were able to put out were true, right. Like, they had real email from John Podesta. They had real emails from Debbie Wasserman Schultz. It is that the way the selective leaking of things to tell a story was part of the disinformation. Basically, we believe they weren't faking these documents, but they were able to kind of frame them up,
and they were also able to drive a level of coverage of those topics well beyond what they should have. Now, this is why I also talk about, like, this isn't a social media thing, because the real target of the GRU hack and leak was the mass media. It was not social. Just like North Korea with Sony, right. Yes, exactly, exactly. And so in both cases you can call this disinformation because of the inauthenticity of the identities pushing it and their ability to get the coverage, but in both cases it was based upon, like, an actual true fact. And this is why I think people over-discuss things like deep fakes and stuff about the creation of truly false pieces of evidence, because most of the most useful, the most effective, information operations that we have seen examples of are based upon a kernel of truth that is then spun, amplified and
twisted in a way that is difficult to combat. You know, you've said before that one of the fundamental issues that Facebook faces is that there is no law to tell them or any other social media platform what is or is not allowed, that there's no fundamental privacy law in the United States. Would that extend to these content issues as well, and is it better if the government is setting rules in this area, or does that tread on freedom of speech? Or should it be up to the private social media platforms? I mean, that's a complex question. I think, just realistically, in the United States the vast majority of content that people don't like on social media is First Amendment protected, right. So we're never realistically gonna end up with direct government regulation in this space. I think the place where the government regulation would be good would be to encourage the companies to be more thoughtful about the impact of certain abuses that are not about political speech.
Except the misinformation, disinformation, is the hardest place, because you have this spectrum, and the spectrum of disinformation to political speech within the Overton window is incredibly blurry, and it is very dangerous for a government in a democratic society to say this is where the line is. Well, let me push on that and just ask, as you've said, Mark Zuckerberg is mistaken in his view that interfering with posts by politicians amounts to censorship. What do you think of Twitter's policy, which has gone in a different direction, to say there are facts, really, to use a fact-checking label on certain tweets? Yeah, and I actually think Twitter's policy here has been much smarter. I think everyone's gonna do a defensive crouch, and I think he's been really weirdly stubborn about the position around labeling politician tweets. From my perspective, one, I do think we have to be careful about having trillion to two trillion dollar corporations taking down speech by
candidates in elections or democratically elected leaders. That's a very dangerous place to go, but that doesn't mean that the companies don't have their own First Amendment right to label speech as they see fit. I think that Twitter's, at least their announced model, I don't think their enforcement is incredibly good, but at least their announced model of, we allow a piece of speech generally to exist as long as it's not causing direct harm. That's different. So if we're calling for a person to be harmed or something. But if it's a political statement that is a mistake in fact, that it can exist, but we're going to turn off the product affordances that allow it to be amplified, you turn off your retweets and stuff like that, and we're gonna use our First Amendment right to label it as, we believe this is not true. You can separate out silencing people and adding your own voice to it, because you think it's wrong. I think the companies need to think a lot more about that second option. What about the, you referenced the size of the companies, just switching topics for a second,
because I think it is driving some of the movement. Is Facebook a monopoly? Is it too big? Should it be broken up? So, I'm neither a lawyer nor an antitrust expert, so I'm not going to speak to, like, how you define a monopoly. What I will say is there are some platform abuses that scale with size and some that don't, and so I think this is actually a really complicated analysis here, because the bigger companies have more resources and the ability to spend that fixed cost on investigations teams, on an ML team, an engineering team and product management to fight abuses, and in a case where the abuse does not necessarily scale with the size of the network, that can be really effective. But then things like disinformation do, and so I don't think there's, like, a simple answer here. I feel one of the problems we have as a society is we're only paying attention to, like, three platforms. There's
little discussion of all the bad things that happen on other platforms, and part of this is because a lot of what we know about these abuses comes from the companies themselves. Let me just ask, is the engine competitive? You've been inside it, and you had a quote saying: you can't solve climate change by breaking up Exxon Mobil and making ten Exxon Mobils. You have to address the underlying issues, which I thought was interesting. So I think in that quote, right, your suggestion is that, again, we need some fundamental rules about what's allowed and what's not allowed, and it doesn't have to do with the size of companies. The point on the one side is, is there competition, and in social media is it healthy, from what you can see? I mean, there is competition, I think, but yes, it is true that it is very difficult to compete against Facebook, right, and I think there's probably, there's not a lot of venture capitalists on Sand Hill Road that are now throwing a bunch of money at a company that's
gonna go direct at Facebook. You will see them back, like, Musical.ly, which became TikTok, and other companies that have, like, a totally new direction, but those VCs are also thinking to themselves, one of the ways this pays out is we make this threatening enough to Facebook that Zuckerberg writes a check. On the, on the side, there was a reference to the Mueller report. Pretty much everything in the Mueller report that is about Facebook came from our team, right. It didn't come from Mueller's people, like, we found this stuff, the GRU activity, the IRA activity. We did this big investigation, sent a team to go brief the Special Counsel's office, swore out an affidavit, the Special Counsel's office comes back with a warrant, and now we had this whole package that we were able to turn over to the Special Counsel's office, and that becomes a big chunk of the... but obviously they did tons of work in other areas, but of the actual stuff that happened on Facebook, I don't think there's a thing in there that didn't come from our team finding it and turning it over voluntarily. That is the challenge of having this discussion, is that when you read the Mueller
report, you only read about a handful of companies. It's because those companies had threat intelligence investigation teams that went and proactively turned stuff over. We just had this report last year of a tactic called Secondary Infektion, which was a six-year Russian operation that hit three hundred different platforms, right. And so part of the problem of this discussion is we assume that it's only on the big platforms, when it turns out that's not true. We're just only looking at the data from the platforms, because a smaller company doesn't have a team going and turning the stuff over proactively. So when it comes to security, we talk about too big to fail, but in security and monitoring social media, you may be too small to succeed. Well, see, this is the problem is, like, I think it's a difficult analysis, because, once again, when people have talked about breaking up Facebook, they talk about Instagram and WhatsApp being broken off, right, which I think is the most realistic. It's not so realistic to break up Instagram or to break up the Facebook app, but you can break off the core.
A company the size of what would be an independent Instagram should be able to afford to have this capability, right. The problem is there's not a lot of encouragement to do so, and in fact, the way things have moved since 2016 is there's companies that have had massive disinformation problems and have never said anything and they've never got noticed, and so it's working out pretty well for them not to have people looking. I think we need to have an incentive structure so that the smaller companies have an incentive to have teams that are proactively working on this. We probably need industry-led coalitions to make this easier, right. This is something I think Facebook has not done well enough, is building the equivalent of, like, the FS-ISAC for the tech industry, where you have the Financial Services Information Sharing and Analysis Center, and that's been codified by law. There are legal protections for sharing information through the structure of an ISAC to prevent antitrust concerns, an exemption from antitrust, right, and actually, I think,
we probably need legislation here, because there is an antitrust issue, there's also issues with different kinds of privacy laws around companies sharing anything that could be user data, and so we probably need a carve-out of the ability for companies to work together. But I would like to see a model where the big companies are much more aggressive about helping the smaller ones out with their work, and then to figure out, like, a reasonable way for the government to be involved. Now that's actually really hard here, because it's difficult to think of a way that a government agency can do these investigations without giving them a massive transfer of data that we have rejected as a society, especially post-Snowden. And so that
is the much more difficult work. And because there's not enough to cover, as we see... One of the most significant actions when it comes to social media platforms, an extraordinarily significant action that the President has taken, President Trump, in using executive orders to ban two of the largest competing foreign social media platforms, TikTok and WeChat. What do you think of that action? Yeah, right. There are absolutely legitimate concerns about Chinese companies making apps that are used by a wide variety of American consumers. There's a lot of legitimate issues around the structure of those companies and us buying Huawei routers. The problem is, I think, in a democracy we create rules, we do fact-finding, and then things come to an end, and it's pretty clear here that the President just wanted TikTok gone and everything else was a post-hoc
rationalization. And so I'm actually really dismayed by what I see coming out of the administration, because this is a legitimately important issue and it's being turned into a bit of a joke and something that is not to be respected as setting international norms, because there's also this component of a kind of clear personal bias of Trump against the people on TikTok that don't like him. And my hope is that in the next administration this is something we can have, like, a much more rational process around. That's maybe, ultimately, even a correct result, but process matters, fairness matters, and you don't see it here. Right. Process matters, if only because over the last decade the United States, alongside our tech companies, has been fighting for the idea of an open internet where companies are allowed to operate overseas, and so, you know, if we're going to have data protection rules that we enforce, then that's great, and then that means that there will be
countries that will negotiate on how that works. For us just to say we're gonna force the local sale of an American subsidiary, the fact is that the European regulators, who have been waiting for years, the Indian regulators, they are loving this, right, because the United States has pretty successfully pushed back on the idea that you have to nationalize every multinational that operates out of Silicon Valley, and Trump has turned a decade of work on the open internet on its head. Yeah, fascinating, if you think about it as the big strategic battle: you have the U.S. championing an open internet, that data should be free, and you have China championing a model that says it needs to be within your nation's boundaries, and that data is more secure if you don't allow it to travel, and in some ways we have this tactical move
here, but strategically it's moving the world towards the Chinese model. And I'm curious, just as we wrap on this, this happens at the time, it's roughly two weeks after the Schrems II decision. So this is a landmark case in the EU about the rules by which companies can transfer data, and the European Union has said you can't transfer data to the United States because the legal regime in the United States is not sufficiently protective of privacy concerns, which also seems to be an opinion that moves towards a world of walls and data localization. The timing with this and the Schrems II decision, I think, is amazing and demonstrates that there is an alternate universe in which the U.S. and Europe let go of the narcissism of small differences and came up with a unified data protection ideal for
the free world and enforced that against countries like China that have a completely different view of free expression and freedom from surveillance. And instead we're doing this kind of slapdash movement against China. We're not getting the Europeans to follow us, and so we're getting the worst of both worlds. And I think it is a really bad way for us to try to maintain the competitiveness of our industry and to make an internet that reflects the norms, the democratic norms, that we like. Alex, this has been great, having you with us today. We've covered a wide range of issues, but I think it's become critically clear why we need people like you who are both fluent in policy and also understand the technology. Thank you. Thanks, John. I feel the same about you. Looking forward to having a discussion like this again.
Cyber Space is presented by CAFE. Your host is John Carlin. Executive producer is Tamara Sepper. The senior audio producer is David Tatasciore, and the CAFE team is Adam Waller, Matthew Billy, Sam Ozer-Staton, David Kurlander, Noa Azulai, Calvin Lord, Geoff Isenman, Chris Boylan, John Walls and Margo Mowing. Theme music by Breakmaster Cylinder. Today's episode was brought to you in collaboration with Brooklyn Law School's BLIP clinic, and I'd like to thank the man, the Kurdish Isabella Rousseau, Tc Alice Apple, Megan Smith, James Anderson and Rhine Bomm for their help with research. I hope you
found John's conversation with Alex Stamos informative. To listen to future episodes of Cyber Space, consider joining the Insider community. You'll get access to the full slate of exclusive content, including the weekly CAFE Insider podcast I co-host with Anne Milgram, the United Security podcast hosted by Lisa Monaco and Ken Wainstein, the Words Matter podcast hosted by Barlow and Joe Lockhart, bonus material from Stay Tuned, audio essays from me and Elie Honig, and more. You can try the membership free for two weeks at cafe.com/insider and get access to the full archive of content. That's cafe.com/insider.
Transcript generated on 2021-09-09.