Bounty Smarter Not Harder

Season 01 // Episode 01

With guest Katie Moussouris



This episode was originally streamed on Thu, 20-May-2020 to multiple platforms. You can watch the streams (along with the comments) on-demand on:

Transcript

[00:03:00] Rik: Well, good morning, good afternoon, good evening, good night, wherever you are. We are here on the inaugural first ever episode of Let's Talk Security.

I'm your host, Rik Ferguson. This live vlog, video cast, whatever you want to call it, initially started life as an idea called Let's Talk Threats. Then of course coronavirus hit; the global pandemic hit all of us in different ways.

And we kind of thought that maybe talking threat at a time like this wasn't really what people wanted to hear about. So we've decided to call it Let's Talk Security, and we have an absolutely fantastic roster of guests to bring you. We're streaming live on Trend Micro's LinkedIn, on YouTube, and on Twitter.

So welcome to all of you joining us on all of those platforms. We welcome your input, your comments. If you want to send us your live questions, your live input, we'll attempt to, to get through those as much as we can.

[00:04:20] But, so the show as initially conceived, we're going to have a run of six episodes, this being the first one. Possibly seven. I have a, I have a fantastic ... and actually Trend Micro don't even know it's possibly seven yet. So, Trend Micro, possibly seven.

I have a fantastic roster of guests. Most of them are actually people that I've never had the chance to meet in person, including today's guest. They, who they are, they're people who, who have a long and storied history within the information security industry.

But over and above all, they're people who set a great example and whose work and involvement I deeply admire and respect. So this series is gonna be as much a pleasure for me as I hope it is for you.

[00:05:05] With that, I'll introduce the, the first guest to you. It's a, if you've seen the, the tweets previewing the show, you know it's a lady by the name of Katie Moussouris.

As I said, someone with a long and storied history within information security. Someone who self-described yesterday to me as basically three squirrels in an overcoat. Katie, why three squirrels in an overcoat? Welcome.

[00:05:32] Katie: Well, thank you so much for having me. It's honestly, it's, it's an honor to be your first guest. It's an honor to be a guest of the Trend Micro podcast.

And, we are also going to be joined by my cat Scapi because he is right next ... Here he is. This is happening already. This is happening.

[00:05:47] Rik: So Katie made it clear that there was a risk of the cat joining us, and, and there's a risk of cat puke, I understand.

[00:05:54] Katie: Yeah. He already made some overtures, but we're gonna hope that, that he just is distracted by our melodious voices long enough to not throw up right now on my keyboard.

This is where the aim would be, but the three squirrels in a trench coat, you know, is really about the fact that many of us in the security industry who happen to be good in this space have what people refer to as neuroatypicality.

And my flavors of neuroatypicality are absolutely in attention. They call them disorders. But I believe that there's an evolutionary purpose for retaining these qualities in the genome while everyone else could perfectly well, you know, concentrate on raising food.

Those of us with attention disorders, as they say, we're able to spot, you know, a tiger about to pounce on everyone because we notice everything, including this little guy who is 15 years old and basically an old furry man who I live with, who decides to do whatever he wants.

[00:06:49] Rik: So I know, I know that, actually, you know, diversity in employment, from a conversation that you and I had yesterday actually, diversity, employment and opportunity in employment, is important for you.

And I, you, th- what you were talking about there, about what people sometimes refer to as, you know, disorders like attention disorders and so on, is a part of that diversity question.

You now are in a, in a great position as, you know, the CEO and founder of your own company, and you get to put your own spin on the opportunities that you provide for the people that, that come and work for you at Luta Security.

So why don't you tell us a bit, first of all about what Luta Security does 'cause I think people know you as the vulnerability person over and above all.

[00:07:26] Katie: Right.

[00:07:26] Rik: But I know that that's not 100% of you, right? There's plenty more to you than just the vulnerability story.

So why don't you tell us a little bit about what you're doing right now with, with Luta and how you deal with, with the people that come and work for you?

[00:07:38] Katie: Well, those are both great questions. Luta Security is a consultancy that works with governments and large organizations; Zoom is one of them, and it's been in the news recently, but we basically work on the internal processes that enable strong, solid vulnerability management and vulnerability disclosure programs.

I was a long-suffering editor and coauthor of the two ISO standards that govern vulnerability disclosure and vulnerability handling processes internal to an organization. So a lot of people think, "Oh, you do bug bounties?"

And I say, "No, actually Luta Security mostly advises against bug bounties because most organizations do not have the operational capacity internally to handle incoming bug reports."

So effectively, you know, we try to make you pretty on the inside, no bug bounty botox is allowed in Luta Security, and we make sure of that with our customers. We've worked with the UK government in designing their government-wide vulnerability disclosure program. Prior to forming my company, I was responsible for bringing the Pentagon to fruition in terms of offering the United States government's-

[00:08:45] Rik: Right.

[00:08:45] Katie: ... very first bug bounty. And all of that was based on internal work first. And, and then your second question about hiring. Honestly, it was funny at the beginning of my hiring process as I was growing my company, I was joking with my, with my staff saying, "We're going to have to find a white man because we don't have any yet," you know, and everything.

So I think it's, it's, a lot of it is about your networks, right? Who, who do you rely on, who do you trust and everything? And plenty of my peers and my mentors are white males, but plenty of them aren't, right? So I'm lucky enough that, that I have binders and binders of non-white, not just white, males to choose from.

And we do have white males also on the team. So there's, there's representation all around.

[00:09:26] Rik: But what, what you were talking to me about yesterday was, the opportunities that, that you provide in terms of you'll bring someone on and the first contract is almost like a probationary period-

[00:09:35] Katie: Yeah-

[00:09:35] Rik: ... and you'll get, you're more offering an opportunity to progress in security than saying, "Hey, you must come work for me, but you're welcome to."

[00:09:43] Katie: Yeah. I think one of the things as we're dealing with, you know, the economy and especially the way that this pandemic has affected the economy is that we've needed to take a long, hard look at labor and labor inequality for a long time.

Some of you probably know that I am the lead plaintiff in the attempted class action gender discrimination case against Microsoft. And you know, that case is ongoing, but it was denied class status despite a ton of data that showed pay and promotion inequity, right?

And, when I think about labor, you know, writ large, I think about the fact that I couldn't do what I do as effectively or with as many companies w- if I didn't have people working with me. So why would I put restrictions on their work?

I look at it as, you know, labor mobility is one of the things that I find to be a fundamental right of labor, right? You should be able to work wherever you want in whatever capacity you want. So come onboard as a contractor. If we like you and there's room for you, we can keep you.

[00:10:44] Rik: Right.

[00:10:44] Katie: If you like the client that we've got you deployed in, it's all up front that you're allowed to move into that client with no restrictions.

Because for me, you know, if, if that's a better fit for the individual, great. They may hire Luta back someday. So it's win-win for us. And we think that rethinking labor in all of its capacities really makes a lot of sense right now.

[00:11:07] Rik: And speaking of your clients, you mentioned briefly Zoom. Obviously, they are an organization with the lockdown, you know, the glo- effectively global lockdown, and almost all of our live audience right now will be in one form or another of, of lockdown.

So hey, we hope we're, we're entertaining you somewhat during that, that period. Zoom is a company who reached a completely new audience during this lockdown period.

Obviously they had their enterprise customers, and they were in fairly widespread use through, through a lot of companies throughout the globe.

But with lockdown, they suddenly found themselves being used by educational establishments, by people meeting up with friends and family, in this country people running their version of pub quizzes.

[00:11:48] And obviously I think I wrote something like, with great deployment comes great scrutiny, and that definitely was the case with Zoom, whether that's misuse and abuse [00:12:00] of, poor configuration by new and inexperienced or even sometimes experienced users of the platform.

But also, you know, there have been vulnerabilities published. Were you working with them prior to this or were you brought on board as a result of this? And, and I know you may not be able to say too much. I appreciate that. What's your feeling for how things are going at Zoom right now?

Is it a hair on fire situation?

[00:12:22] Katie: Well, no, my hair is on fire as you can see. This is [crosstalk 00:14:58]-

[00:12:26] Rik: [laughing] Even, even in a volcano, that's going to happen.

[00:12:28] Katie: Right. Well, there's lava behind me. Can't you see that? No. We're, we were actually asked to come and help Zoom, starting last summer.

So we, Eric, the CEO, called me up and it was after a disclosure event that, that caused some headlines. I'm, I'm one of the judges of the Pwnie Awards, which is, you know, our industry's combination of the Oscars and the Razzies all in one.

And you know, they were nominated for lamest vendor response back in the summer, because of a disclosure by my friend Jonathan who had found, you know, that issue where you could, where you could, you know, have a proof of concept URL and, and everybody, everybody's camera would be turned on without them giving permission, et cetera.

And there were some other vulnerabilities associated with his find.

[00:13:07] So Eric, the CEO, had been told by multiple people that you're having disclosure problems, there's only one way ... there's only one person and one company that you can go to for help, and it's Luta Security.

So he called us up and you know, contracts work, you know, onboarding into the vendor system being as it is, we didn't kick off that engagement until into the winter, right?

And so we were doing a maturity assessment of their internal processes, giving them a baseline and recommendations. And that's normally how our engagements work, right? We are normally not in firefighting mode with a client because we provide strategic advice.

We tell them how the process is supposed to work. We give them implementation guidance for new tools, new processes, new technology. Because a lot of them, you know, a lot of our clients actually haven't really done the, the work in terms of a secure development life cycle.

[00:13:58] Rik: Right.

[00:13:58] Katie: So a lot of the recommendations that we have are, you know, these strategic ones, like you need to build these capacities, and we measure across five capability areas.

So we were actually wrapping up that baselining engagement when the pandemic just started, you know, really increasing people's use. And I think Sue had said that they increased from 10 million active users a day to 200 million in the span of a couple of weeks. So I think-

[00:14:24] Rik: Well, I mean, certainly according to them they were one of the first organizations that actually went out there and offered their, their services to a certain extent free of charge,

[00:14:31] Katie: [00:14:31] Yeah.

[00:14:31] Rik: ... as a response to, to what was happening globally. So you know, it's, they have to be given credit for that kind of action as well.

[00:14:39] Katie: Absolutely. I mean, the, the thing is, there are incredibly dedicated people who are working at Zoom right now. And it's not just the outside consultants that you've heard about, you know, like myself and others, you know, we've got Lea Kissner, we've got Matthew Green working on the end-to-end encryption.

We've got Alex Stamos, we've got Trail of Bits, Bishop Fox, NCC Group. It's not just all of us sort of named security people. There are tons of internal people, engineers, security people in every department who are literally meeting all the time to try and make the security better.

So I know there is, I know from obs- observation that there is a sincere effort going on. And you know, we're all there to help.

[00:15:20] So right now, you know, Luta is in a new position with them where we're actually helping them to physically build out their capacity. So, which is actually hiring right now. And we'll, we'll have a careers page up probably later and I'll tweet a link to it. But essentially-

[00:15:35] Rik: Very cool.

[00:15:36] Katie: Yeah, it's very cool. And it's exciting because, you know, coming from Microsoft, and watching the biggest software company in the world struggle to refine its capabilities in this area.

Even though I joined when it already had a fully functional Microsoft Security Response Center, I'm lucky enough that some of the people on my team were the founders of that original security response center.

So they've seen, you know, from the very first beginnings of this new threat model that Zoom is under, and we're able to bring that kind of knowledge and experience, you know, to their, in creating their new vulnerability response program.

[00:16:13] So right now there are no operational changes. Right now I think they're, they're running on a few different bug bounty platforms right now and all of those operations are still the same.

But we are kind of doing this back-end build-out and we're gonna have recommendations for changes and, you know, differences in, right now the bug bounty programs are private. You know, there'll be a time in which we should be able to make them public.

Right? Right now it's just Zoom disclosure is public and bug bounties are still invitation only. But we're working on all those things. So it's exciting. It's really exciting.

[00:16:43] Rik: So you, you've, it definitely sounds like ... and you've, you sound quite passionate about it as well. It sounds like that's a company that does get to say we take your security seriously?

[00:16:52] Katie: Yeah, well, they're definitely taking it very seriously. It's not, it's not just bringing us all in and having us, you know, not do anything.

[00:16:58] Rik: Right.

[00:16:58] Katie: It is, it's a lot of work and it's exciting work. So we're all really happy to be there.

[00:17:03] Rik: I've followed you on Twitter for a long time and obviously, you know, you, you are, like it or not, your, your backstory, your history within the industry anyway is intertwined with bug bounty programs, vulnerability disclosure. That's, you know, that's totally your track record.

So I've been consistently surprised, because you and I haven't had the chance to have a conversation face to face or even do karaoke, which I would love to do. I've been surprised to, to see you tweet on more than one occasion advising against bug bounty programs.

[00:17:34] Katie: Mm-hmm [affirmative].

[00:17:35] Rik: It's not always, you know, a panacea. It's not, it's not always the solution to every problem. W- why is that? What, what, what is wrong with running a bug, bug bounty program?

[00:17:44] Katie: Well, look, it, think of it like a, like a human body, right? If you lack the digestive system for what you're already dealing with, like every organization has to deal with vulnerabilities [00:18:00] in deployed products, right?

Not even products that, that they are writing or creating, but the technology that they use, right? If they're running a website, what is, what is underlying that? And they need to maintain the patches.

If they're lagging behind it, even their vulnerability management or patch management for technology they don't even create, they don't really have the digestive system that is capable of managing sort of this ongoing bug reporting.

[00:18:28] I mean, I was a penetration tester for seven years and it was in the earliest part of the security industry. So I remember this arc of, oh, if we just tell them about the bugs, they'll get better at it and magically it will, you know, they'll, they'll fix them and they won't make those same mistakes again.

But quarter after quarter, every client was having the same, not just even the same instances of bugs they haven't gotten around to fixing, but they were continuing to make the same coding mistakes or deployment mistakes and having the same classes of issues show up.

So when I say don't do a bug bounty until you can handle the vulnerabilities you already know about, I'm talking about that. I'm talking about the fact that people don't have, you know, their, their digestive system in order. And then I call it bug foie gras. You do not want that happening [laughing].

[00:19:15] Rik: [laughing] So I remember there was a big move and I can't remember how long ago it was now, but I do remember it definitely being a thing for, for a while, which was no more free bugs. You remem- you remember when that was a-

[00:19:27] Katie: Yeah.

[00:19:28] Rik: No, no more free bugs.

[00:19:29] Katie: [00:19:29] Yup, [crosstalk 00:22:16].

[00:19:30] Rik: Th- that, this is the type of fact that you're going to have people paying for, for bug disclosure, right? That, that if there's no more free bugs, then people want money for the, the research work that they've done, and that's totally normal. But there's a question of pricing and value and market distortion.

[00:19:47] Katie: Mm-hmm [affirmative].

[00:19:48] Rik: You know, obviously at Trend Micro we run the ZDI, which is another bug bounty program, one of the, one of the biggest in terms of numbers out there, and we have a pricing structure for that. I know that you, you have spoken in the past about, I think it was the million dollar bug bounty that was offered for, for iOS vulnerabilities and how you were saying that's absolutely not tenable. This, this kind of thing does far more, creates more harm than good.

What's the story there? Why, what's the story of pricing? And the reason I f- I'm asking the question is 'cause I, it's interesting to try and work out ... 'cause I know that you, you instigated, I think, the Microsoft BlueHat Prize-

[00:20:23] Katie: Mm-hmm [affirmative].

[00:20:23] Rik: ... the, the grand prize there at the time and it was a few years ago now-

[00:20:26] Katie: Mm-hmm [affirmative].

[00:20:27] Rik: ... it was like $200,000-

[00:20:29] Katie: Yeah.

[00:20:29] Rik: ... was one single grand prize, right? So what's reasonable, where's the line and why is too much too much?

[00:20:36] Katie: That, those are all great questions. So I, I was lucky enough to be able to do some academic research along with colleagues at MIT Sloan School and Harvard Kennedy School a few years back on the vulnerability economy and exploit market.

And one of the key issues that, one of the questions that we wanted to tackle was actually based on, do you remember Dan Geer did an amazing keynote at Black Hat. I think it was [00:21:00] 2013, 2014, something like that.

[00:21:02] Rik: Mm-hmm [affirmative].

[00:21:03] Katie: And part of what he said was, if vulnerabilities are dense in software, as in there's a lot of them, then outbidding the black market or buying up all the bugs won't really make a dent, right?

But if software has a low density of vulnerabilities, then it might be possible to buy up the most critical bugs and maybe offer 10 times the amount of, let's say, the black market. I hate using the black market term. It's actually the offense market. It's-

[00:21:33] Rik: Yeah.

[00:21:34] Katie: Law enforcement could be part of the offense market. This isn't illegal-

[00:21:37] Rik: Yeah. Governments, probably one of the biggest consumers, yup.

[00:21:40] Katie: Right. Yeah, exactly. Well, no. So ZDI is in the defense market because you're buying the bugs and you're giving them to the vendor to fix.

[00:21:48] Rik: Yeah.

[00:21:49] Katie: So any buyer who is giving the bug to the vendor to fix, this counts as defense market and then any buyer, whether lawful or unlawful, who is buying the bugs in order to use them to exploit something and doesn't want the vendor to fix it quite yet, or if at all, is in the offense market.

[00:22:06] Rik: Sure.

[00:22:06] Katie: So I, I take issue also when people say you either do a bug bounty or you're a bad person. I think there's, there's a lot of misalignment as to what, what makes you a bad person [laughing]. And, and-

[00:22:19] Rik: Why, why would anyone say that? That sounds like the weirdest [crosstalk 00:25:17]-

[00:22:22] Katie: Because they're assuming that [crosstalk 00:25:17] is all criminal, right? Or, or foreign nation states or you know, or whatnot. So they're assuming that there's only one good way to sell bugs and that's just not true. but back to the pricing, right?

[00:22:37] Rik: Yeah.

[00:22:37] Katie: So pricing, is important. So one of the things that we addressed was looking at it as a complex system, right? No market is simply, you know, one lever, price up, price down, supply and demand. No market is that simple, right?

So this is actually a system dynamics exercise. And what we found in our system dynamics research and our, our, looking at some of the models that we created was that if you think of the most effective lever to tip the scales in favor of defense, it's not price.

You have a logical limit. If you go above a certain price in the defense market, you start cannibalizing other functions of the defense market. Other functions like finding the bug or-

[00:23:24] Rik: It can be [crosstalk 00:26:20].

[00:23:25] Katie: Right. Well, other, other functions like finding the bugs before they're released to the public, right? Writing more secure code in the first place.

[00:23:33] Rik: Right.

[00:23:33] Katie: So pure development, testing, all of those things that should happen in house before you start paying outsiders, right? Because paying outsiders like professional penetration testers and everything, and even bug bounty hunters, if you're putting the, the prices sky high, it becomes the least efficient and most expensive way for you to ve- invest your security dollars.

So you create a perverse incentive. Dilbert had a cartoon about it in 1995, you know, with the pointy-haired manager saying, "I'm going to offer a bug bounty for every bug," and Dilbert and his friend go up and say, "I'm gonna write me a minivan," you know.

[00:24:05] Rik: Yeah.

[00:24:05] Katie: So they're gonna put bugs in the code to then, you know, maybe collude with an outsider or something, or, or maybe if the bug bounty is offered internally, just collude with other employees to essentially mint money.

So we have to watch these incentives really carefully and not just assume you can outbid or you need to raise prices or all of these things. Those are …

[00:24:24] Rik: You missed a line. How, how, does a company, how does a company decide the right price to offer, the right value to put on a head?

[00:24:33] Katie: Well, that's one of the things that Luta helps them understand, right? We look at what are you doing to prevent these bugs in the first place?

Do you have the tools and do you have the processes and do you have the people t- with the knowledge to actually run these and make them effective? And if the answers are no, they can keep pouring money into their bug bounty program, but they're gonna keep making those same mistakes over and over again.

So it kind of makes no sense. So we help redirect some of their resources in an appropriate way, because for us it's more important to see them get better over time, right?

[00:25:03] Right now I think the bug bounty platforms are caught in one business model, which is everyone must bounty all, all, you know, all roads lead to bounty.

And what that does is that because they don't have any other, you know, sort of service offering there, basically they do better the least mature their customers are, right? So as long as their customers have a lot of low-hanging fruit bugs, their bug bounty hunters have a lot of fishing ground, right?

Fertile fishing ground, and, you know, they're not really incentivized to help their customers get better and make smarter investments over time. You should be going from a lot of low-hanging fruit bugs to fewer and fewer bugs that are more and more complex, right?

You should be going from bug density to bug scarcity. And that's, that's what we try and help people figure out.

[00:25:51] Rik: And would you, would you advise your customers in general terms that when you're in the, the bug density phase, that's not the time when you start instituting bug bounty programs? You've got a whole lot of other stuff to fix before you start going down that road.

[00:26:04] Katie: Yes, and I think that a lot of people, and we're seeing the, we're seeing the cracks in the facade of the marketing, you know, bug bounty platforms, you know, where we're now four years after Hack the Pentagon, which really kind of opened things up for, for a lot of people because it was, you know, it was not just a major government, it was the biggest military-

[00:26:24] Rik: Yeah.

[00:26:24] Katie: ... you know, the world has ever known, right? Saying, "Actually, we need help from hackers." So that was a big deal. So we, we're four years from that inflection point.

And what we're seeing is that, you know, a lot of the marketing strategy is just start a private bug bounty program and, and see, and you have no risk because it's not, you know, it's all under NDA and it's private and everything, and then you can see where, you know, the holes are and then go fix it.

The problem with that mentality is that the majority stay in private mode. So what does that do to vuln disclosure? A lot of these companies don't understand that having only one front door and it's locked by an NDA on a bug bounty platform means that the majority of high value researchers will refuse to ever report a vulnerability that they find.

So guess what? You're gonna be limited to the pool of researchers who are willing to sign that NDA and just kind of get paid a little bit of money and not worry about whether or not that bug gets fixed. A lot of-

[00:27:23] Rik: So the NDA is ... you're talking about an agreement that says, we're never going to talk about this and neither are you. Like there'll be no-

[00:27:29] Katie: Yeah.

[00:27:30] Rik: ... disclosure whatsoever. That kind of NDA or something different?

[00:27:33] Katie: Yeah. No, the, the bug, many platforms all have a terms-of-service NDA.

So if you sign up for an account and decide to report a vulnerability through them, even if it's to their own disclosure program, not a bug bounty program, like even if there's no cash exchange to you as the, the reporter of the issue, the terms of service require you to get permission from, you know, whoever it is who's running the, the vuln disclosure program before you publicly disclose.

Now that includes things that the customer may have rejected as saying, I'm not going to fix that or we don't think it's a security bug. You're still bound under NDA-

[00:28:09] Rik: Mm-hmm [affirmative].

[00:28:10] Katie: ... on those platforms. And so a lot of researchers absolutely refuse, and frankly it's creating friction where it was supposed to be removing friction from the vuln disclosure process.

And that's honestly, that's, that's a tragedy. It's, it's something that didn't need to happen and didn't need to kind of grow that way. But I think that it is because there, there is no other way to get new customers who aren't ready, right, for the full vuln disclosure public program or bug bounty program.

There really isn't a way to get them unless you offer them this private NDA, which frankly, your money is better spent with professional pen testers. If you're gonna have researchers NDA, under NDA, just hire some pen testers.

[00:28:50] Rik: Inspire them, right.

[00:28:51] Katie: Yeah.

[00:28:51] Rik: And reduce that density till you're at, at the place. I can see some stuff coming in, questions coming in. Marco from LinkedIn wants to know, this is unrelated to what we were just discussing, but it's an interesting question 'cause I have some skin in the game.

I don't know about you. What do you think about certifications, you know, industry certifications, info security certificates, certifications that require you to pay year on year to maintain the certification that you've already earned? I guess I just asked a really loaded question there.

I think my own opinion shone through in the question they asked. I've been public about it in the past. I, I, through the course of my career, which has gone on for, for, for, for many years, have done various different certifications and it's slowly begun to grate on me personally.

[00:29:35] So this is my opinion, Marco. It's slowly begun to grate on me that I had to pay dues every year for something which I had already demonstrated that I deserved under the terms of the, the certification, and I'm still working in the industry.

So, you know, why should I have to prove that I'm maintaining my knowledge and, over and above all, prove that I'm giving you money every year? I let, personally I've let every single one [00:30:00] of those lapse and I'm not a certified anything anymore.

Other than, I think, I don't think MCSE expired and I don't think Cisco Networking Essentials expired. And I think that's about the only ones that are probably still current. What, what do you think, Katie?

[00:30:14] Katie: Well, I think I got a CISSP, I think in 2000 or 2001. And I was an independent penetration tester. So back then it was useful to have my name listed, you know, as a, an official, yep, this, you know, this certificate number checks out, because I would do a lot of freelance work, and hiring managers and HR departments back then were the same as they are right now, which is they don't have a really good way to screen for people. And so that was just a tool that I used in my independent

[00:30:43] Rik: [00:30:43] Right.

[00:30:43] Katie: ... penetration testing. So as soon as I had joined @stake, which, actually, when you were mentioning no more free bugs, I was, I was saying, yeah, that was one of my former @stake colleagues, Dino [crosstalk 00:34:03].

[00:30:54] Rik: All right.

[00:30:54] Katie: ... who, and, and Alex Sotirov, who's actually at Trail of Bits with the other, with the, you know, some of the consultants here. So anyway, but the, the point is once I joined @stake I didn't have to market myself.

@stake was taking care of the marketing, I found it unnecessary to maintain that certification. Now, just so you know, I never uploaded any CPE credits. I just paid the money and they kept my name up there. So there you go.

[00:31:17] Rik: Interesting. Okay. That's a n- nice insider tip. Yeah. I used to religiously do my credits all the time, last minute of course. I mean, that's the only way to do your CPEs I think last minute. but I guess you're right. It, it was useful. It's not, it's, it's really unfair for me to go.

That was a totally useless thing. I wish I'd never done it. I did a CISSP, I did the ISSAP, concentration after that. I did a CEH, some other stuff. It was useful to me at the time for sure.

[00:31:43] Katie: At the time.

[00:31:43] Rik: And it definitely enabled me to get roles, because all of my, my background was all technical. It was, I spent over a decade in tech support fixing broken stuff in a backroom and, and didn't interface with anybody beyond the customer whose problem I was fixing.

So to be able to break out of that and do something, I moved into, architecture, security and privacy architecture design stuff. I couldn't have done that without those certifications, without something in my hand that said, "Here's my proof that I can do this, give me a job."

But I think there comes a point where you have to look at that stuff yourself and say, "Am I still getting value for money?" And if you're not, don't be afraid of stopping paying.

Don't be afraid, afraid of letting it lapse, right? We've, I guess we've both done it then in that case.

[00:32:24] Katie: Yeah. And I think, I think that's really what it is kind of back to picking up the thread on labor mobility. I think it's, it's an important part of how our current system works, especially given that computer science itself is one of the youngest sciences and computer security as a discipline is even younger than that.

And you know, I'm in my mid forties, but we were, you know, we were among the first generation of professional, security professionals, right? and I think that the certifications are sort of the shortcut way, to, to provide that, that piece of paper for, for job mobility, for, for, you know, expanding your roles and expanding the things that you can do. do I wish there was a better way?

Will I work on a better way? Of course I will work in a better way, but until then ... and it will not be certificate-based I can tell you that.

[00:33:09] Rik: Yeah. And I think, you know, it's interesting you talk about the first generation of, of, computer security professionals. I'm, I guess I'm slightly older than you. I'm going to reach my half century this year. So that's a scary proposition.

[00:33:22] Katie: We still [crosstalk 00:36:42] school together. So we're close [laughing].

[00:33:24] Rik: Right. I got big bands of gray under here. That's why the long hair keeps it all, keeps it all hidden.

[00:33:31] Katie: Oh no, great hair. Oh, you can't quite see it. It's gray and-

[00:33:32] Rik: [crosstalk 00:36:53], one of the few things I haven't had to worry about that I've heard so many people complaining about during the pandemic is hairdressers. I do n- I couldn't care less.

[00:33:41] Katie: [laughing].

[00:33:41] Rik: There's nothing to do here [laughing].

[00:33:44] Katie: No, this is something I, I am incapable of dealing with myself. So it's just gonna be what it is.

[00:33:50] Rik: That color looks like a, a work of art color in itself though, like doing color matching on that, I, I, I wouldn't fancy my chances.

[00:33:57] Katie: No. This, I think I might, might've mentioned, I don't have to really dye this very often because it's so damaged, it's practically a tattoo. So that's pretty much how it's pink for now [laughing].

[00:34:08] Rik: How has lockdown been for you? And how long has it been and how has it been?

[00:34:11] Katie: Oh, it's been a long time. It's it started the day after I got back from RSA, because I live in Washington State and, this is, you know, was initial COVID outbreaks.

[00:34:21] Rik: Right.

[00:34:22] Katie: So, yeah, lockdown has been pretty intense. I finally ... Oh, I think if my Amazon is telling me correctly that I might receive my very first toilet paper shipment of the entire lockdown today.

[00:34:37] Rik: Oh, my words.

[00:34:38] Katie: I know [crosstalk 00:38:01].

[00:34:38] Rik: It sounds like it should be an emergency situation after [crosstalk 00:38:04].

[00:34:41] Katie: Yes. No, no. I was already a toilet paper hoarder, but you know, my supplies were running below my comfort level [laughing].

[00:34:47] Rik: This is, this is like another reference to squirrels only this time with toilet paper.

[00:34:50] Katie: Yeah.

[00:34:50] Rik: You've been squirreling toilet paper.

[00:34:53] Katie: I really have. Yeah.

[00:34:54] Rik: Yeah. You know what, we have an Amazon subscription for, for that as well and-

[00:34:57] Katie: Mm-hmm [affirmative].

[00:34:57] Rik: ... ours arrived, a giant box of it arrived the week before lockdown started so I could walk along the aisles of empty shelves, taking photos and tweeting them and thinking it was hilarious.

But I don't know, I guess sales of those Japanese toilet seats must have really gone up during this period of time. You know, the kind that I mean?

[00:35:14] Katie: Yes, the ones with the automatic, the bidet functions and everything.

[00:35:18] Rik: My, my favorite toilet, toilets in the world are in Japan. I didn't expect this broadcast to go down this avenue, but as soon as we're here, well done Japan, your toilets are, are fantastic. keep it up.

[00:35:29] Katie: [laughing].

[00:35:29] Rik: Another question, this one has come in on LinkedIn and actually refers back to something you said earlier on about secure development lifecycle. This is someone who heard you, speak, about secure coding practices, the impact on software security, and what changes you have seen over your professional lifetime in the area.

Are people ... are we getting better? Is it improving or do you still throw up your hands in horror and, and, and thank, thank the Lord for more customers?

[00:35:54] Katie: Well, all of the above, right? I, I think people are improving because no developer wants to write bad [00:36:00] code, right? They, they don't wake up every day and say, "Why don't I write a completely insecure function today?"

So people wanna get better. They're often not sure how. Actually, in the old days of @stake, we taught an application security class and the way we taught it was presumed that they have no prior background in security and explained, you know, vulnerability classes, how they're exploited, and then let them try it.

And then when you let them try it, it tends to kind of be this big aha moment and and, and they tend to take it more seriously and want to prevent those kinds of bugs.

But, so yes, they're getting better with education and, and training, especially if it's hands-on training showing them how to use, how to use even an exploit framework is, is eye-opening for a lot of IT professionals who've never run Metasploit, right?

[00:36:45] Rik: Mm-hmm [affirmative].

[00:36:45] Katie: But what ha- what's happening, and this actually came out in our labor markets study, you know, MIT Sloan, Harvard Kennedy School, is that there's an influx of new people and they are absolutely green and they're cutting and pasting from the same Stack Overflow snippets of code and they're flawed, right?

So we actually get more vulnerabilities from code reuse, which is why actually I think GitHub's solutions to that. And yes, they're owned by Microsoft now, but I remember when they were coming into play of trying to build in things that made it really hard for developers to, for example, include out of date libraries in their code.

[00:37:23] Rik: Right.

[00:37:23] Katie: It would throw up a warning and say, "Nah, nah, we're gonna replace it automatically with the, with the newer version and everything."

So I think education is part of it. But you, you know, you're constantly educating all the new developers who are coming in. I think building better frameworks, things like what Git- GitHub is doing, in terms of making it harder for developers to make the same classes of mistakes when they're coding.

That is also incredible, offered. But we, we still have a long way to go. And I think all the coding boot camps that are teaching people to code and opening that job up for many more demographics than were ever able to access the profession are great.

But I worry that they're probably just like universities not teaching secure development…

[00:38:02] Rik: …element of it. Right? Just-

[00:38:06] Katie: Yeah. Just getting it, it coded right, it, it doesn't often include any security knowledge. I think when I testified before Congress on the Uber data breach, one of the things ... you have to tell Congress what to do at the end you say, "Here's why you have me as an expert. This is what I think of this issue and here's what Congress should do," right?

So in the, here's what Congress should do part, one of the things I said was, publicly funded universities should have a requirement for at least computer science majors to take a security class.

I think it was the survey that I had, had stated said that of the top 10 US universities computer science programs, none of them required security. And, I think only three of them had them even as electives.

[00:38:49] Rik: Wow.

[00:38:49] Katie: So we don't even have the educational pipeline to build secure coders. We're, we're building bug writers, not software developers, right?

[00:38:57] Rik: And I th- I think there's another side to it too. Certainly [00:39:00] what we see at Trend Micro when it comes to, cloud, and, and the development of cloud as a platform, through infrastructure as a service, to, you know, platform as a service through Docker and, and then through serverless deployments, as the coding models that people are using, the infrastructure behind those coding models, changes, then you're subject to, new elementary mistakes that you didn't know existed.

And the vast majority of, vulnerabilities per se, not, not code vulnerabilities, but vulnerabilities, any way that can be exploited, in cloud deployments are through misconfiguration, are through, reuse of vulnerable code libraries, or are through people accidentally leaving secrets within, containers or images or whatever it may be.

So I think there's, as well as the fact that people are not learning security in coding, the ground is constantly shifting under professionals anyway, and obliging them to, to, to apply security in completely new formats on an ongoing basis. And that's, that's never going to change, I guess.

[00:40:01] Katie: Yeah. And I think, a lot of stuff that we've learned from watching, actually the most recent one that I can think of was WannaCry, right?

[00:40:09] Rik: Mm-hmm [affirmative].

[00:40:09] Katie: And the patch available ahead of time or ahead of a worm outbreak, people hadn't-

[00:40:14] Rik: Yes, right.

[00:40:15] Katie: Right. People hadn't applied it and then the worm, you know, ripped its way through the internet. Now, post WannaCry, you would think that SMB version one would just kind of disappear from the internet because you're vulnerable to, to WannaCry with that enabled.

But I think to your point about cloud, I think a lot of people said, "Ooh, we don't want to be vulnerable and we don't wanna be responsible for the upkeep. So let's just put stuff in the cloud." What's interesting is that people didn't understand that, you know, they had to be specific about the type of management that they wanted in the cloud.

So we actually saw an increase in exposed SMB version one subsequent to, a lot of cloud migration.

[00:40:56] Rik: Yeah.

[00:40:56] Katie: So that's a very interesting point about, you know, people thinking the cloud is gonna solve all their problems, but they haven't actually, you know, taken advantage of the, you know, the, the cloud feature of having the security managed for you.

[00:41:09] Rik: Yeah.

[00:41:10] Katie: I think the, I think a lot of organizations assume it's just included, right?

[00:41:13] Rik: It's something that my colleague [inaudible 00:44:57] has spoken a lot about in the past and actually he has his own, he, he started this Let's Talk series with Let's Talk Cloud.

He's done a couple of seasons already. and something that I have heard him speak about on multiple occasions is the lack of understanding of the shared responsibility model. People just assume that, hey, I, I'm using cloud now-

[00:41:33] Katie: Right.

[00:41:33] Rik: ... security is their responsibility. I should be cool. After all, I can rely on provider X, right?

[00:41:39] Katie: Yeah.

[00:41:39] Rik: And, and not deploying the, the technology. So there's another, another question come in. and this again refers back to what we were talking about earlier on, what you called bug density and, and somebody has, added in an element of, of COVID-19 to the question as well.

What is the best way for people to flatten the bug density curve? Nicely worded question.

[00:41:58] Katie: Right. Actually he said, what is [00:42:00] the best time. I'm reading it right here. What is the best time [crosstalk 00:45:48].

[00:42:02] Rik: Oh, that's me not ... I'm deliberately not wearing my glasses because that's my vanity shining through.

[00:42:06] Katie: [laughing] Okay, so the, the best time to flatten the bug density curve. Ideally, you are doing education of your developers on secure coding before even the design phase, but most organizations have not done that, right?

They throw some code up, they're fast to market and then they kind of deal with security bugs in the, in, in the reverse order of what the ideal is, right? They deal with the flood of what they missed. And that's their vuln response program that usually goes into effect well before their secure development life cycle program does.

These are just ... I'm not judging anyone, I'm just saying these are facts of the market.

[00:42:45] Rik: [crosstalk 00:46:33].

[00:42:46] Katie: Yeah, it's just, it's just occurs, right? I mean it occurred with Microsoft too, right? They had a rude awakening with the earliest, you know, waves of worms ripping-

[00:42:54] Rik: Yeah.

[00:42:54] Katie: ... through very early internet and their first move was stop the bleeding. So stop the bleeding is part of that bug density curve flattening, but you're never going to catch up and you're always gonna be playing whack-a-bug if you don't then go in and start putting, you know, putting security into every step of your secure, of your software development lifecycle.

A lot of people also think that, well that works great, you know, in the old fashioned waterfall, you know, development style, Microsoft but we're agile and everything. There's, there are guides on how to fit secure development, you know, into appropriate places in agile as well.

[00:43:35] So I think being practical about bugs and bug density, it's, stop the bleeding, deal with your vulnerability response situation and then investigate areas where you can improve and start eliminating classes of vulnerability.

That's actually part of the maturity assessment we do. You know, we, we show you your baseline and then we tell you, "Well, if you do X, Y, and Z, then you're actually going to be reducing the overall number of bugs that you have to deal with and ideally they won't be as serious," right?

[00:44:07] Rik: Okay. And h- so, one of the big changes in recent years, from a coding perspective and with its massive knock on effects into security as well, has been adoption of DevOps type processes c- within, coding organizations.

What types have you seen that having?

[00:44:23] Katie: Well, I mean, it can be good or bad, right? If it's too fast in terms of deploying, you know, potentially a fix that is not complete, right? If the investigation of the vulnerability that they're trying to address is, you know, doesn't identify the correct root cause or it only addresses one vector to exploit that root cause and misses a bunch of others, DevOps, if, if executed sort of to shoot from the hip, in security can be a detriment, right?

So you really do need that, you know, need that technical knowledge in your team, especially among your software engineers, not just the security people who are over here and the software engineers who are over here, but you really need embedded software security architecture.

And engineers who know the code base and who can understand, you know, how to best service that code even in a rapid deployment, continuous deployment type of environment.

[00:45:22] Rik: Speaking of code, you had deep involvement in, in Wassenaar, if, if Wikipedia is to be believed?

[00:45:27] Katie: [laughing] Yes. So the Wassenaar Arrangement, for those of you who have not been abused by, that term before is, it's a, it's basically, it's a nonbinding agreement.

So it's not an official treaty that apparently matters in matters of states. but it is a non binding, agreement between 41 countries. I think now 42, because India was added a couple of years ago, that basically has them agree on export control of certain technologies.

So this isn't export control of nuclear weapons. It's export control on, you know, essentially sensitive systems. So think advanced radar technology or certain kinds of lasers, that kind of thing.

So all of these countries get together a few times a year and have technical experts discuss what should be on their lists of exports that require licenses.

[00:46:20] And back in the s- the winter of 2013, so about six months after I launched Microsoft's bug bounty programs, the Wassenaar group had basically, agreed to include something called intrusion software and intrusion software technology on the list of items that would require export licenses.

Okay. Translated into what we're talking about, ultimately, they were trying to basically get, you know, sort of regulation around command and control type of malware, not the endpoint malware. They didn't wanna catch victims in this dragnet, you know, of who needs to apply for an export license when they cross borders, whatnot.

But they didn't actually understand the unintended consequences of what they had written. And the unintended consequences were, you would ... as written originally you would have to get an export license to report a vulnerability if it included intrusion software or intrusion software technology describing great info.

[00:47:15] Rik: Right.

[00:47:16] Katie: You'd also have to do it for let's say the WannaCry response. Or if you remember, it was strangers on Twitter sharing samples in real time that helped bring that thing under control.

[00:47:26] Rik: Yup, sure.

[00:47:27] Katie: There was no way to predict ahead of time, gee, I think I might need an export license to England right now or to Slovenia to talk to this other researchers.

So what we did, was so many of us around the world basically kind of wrote into our government saying, this is a bad idea and you're basically gonna stop all security work in its tracks because your dragnet is too wide.

So fast forward, I had just started my company, this was summer, or this was spring of 2016.

[00:47:57] Rik: Yup.

[00:47:57] Katie: I had been advising the commerce department and various departments in the United States [00:48:00] on getting, you know, changing the US's mind on their stance. Right?

That was step one, working with a whole bunch of other people to change the United States mind. And then June of 2016, I get an email from the state department saying, "Katie, we would like you to join the official US delegation to go help us to renegotiate the Wassenaar Arrangement yourself."

And I was like, I have just started a startup. I have no…

[00:48:25] Rik: Yeah, yeah. I did not expect this.

[00:48:28] Katie: I am going to Vienna now. Now I am going to Vienna. So that was an honor. It was a privilege to be able to be part of the US delegation. myself and you know Holland, who was at, the Armor.

At the time, we were the two technical experts that the US brought with them as you know, as the ones who were making the technical arguments to the other fellow technical experts from all the other countries.

That's another thing too that people misunderstand. These people are not, you know, just much like a, you know, software developers who write code with security vulnerabilities, these regulators and lawmakers around the world, they're writing legal code with vulnerabilities as well. And they need …

[00:49:06] Rik: Absolutely, oh yes. Yeah.

[00:49:08] Katie: So they're not doing it maliciously. It's, it's kind of, it was actually a mutual education process because now I know way too much about how export control works.

I really do. I never wanted to learn these things.

[00:49:18] Rik: Yeah. We s- I mean, there's a, a great, many great examples I think of, the perils of, of, poorly threat modeled, legal solutions to problems. and one of, one of them that, that really struck me recently was GDPR.

[00:49:32] Katie: Yeah.

[00:49:32] Rik: G- GDPR, obviously one of the things that, that we rely on, one of the, the databases or tool sets that we rely on in security research is, domain name registration databases. Not necessarily because criminals tell the truth all the time and therefore make it easier to find out who they are, but because they often make mistakes-

[00:49:51] Katie: Mm-hmm [affirmative].

[00:49:51] Rik: ... and they will often do things like register multiple malicious domains using the same credentials, or the s- yet the same, name and address type or email address, or there are things or commonalities that tie things together and allow you to, to classify something as malicious before it's ever used in a malicious campaign for example.

One of the, unintended effects of GDPR, that we've seen globally is a lot of those, registries going dark, so that it's impossible because they hold all of this PII, they don't want to go out and get every individual's permission to make sure that it's published in a public register anymore.

The easiest and safest thing for them to do to make sure that they stay on the right side of the law is simply to stop publishing that information.

[00:50:29] So actually, while GDPR has done an awful lot of good things, there has been unintended negative consequences to it.

And it's because legislation or regulation like that very often doesn't involve professionals from the industry, which is why your involvement in, in Wassenaar was so instrumental to having, which was significantly more useful than it was before you were involved, I guess.

[00:50:52] Katie: Well, I mean, at least we know that, you know, competitions like Pwn2Own for example, that the ZDI runs, which I [00:51:00] also refer to as an exploit Art Walk.

I love that competition. but you know, that's an annual exploit competition, you know, done in, Canada and Japan as part of CanSecWest. And, and what is, what is the Japanese version of CanSec called?

I'm forgetting right now because the squirrels ruined that.

[00:51:15] Rik: [laughing].

[00:51:16] Katie: What is it?

[00:51:17] Rik: And we did it in Florida too, we did, we did, an industrial, industrial IT one, down in, in, in Florida.

[00:51:23] Katie: Mm-hmm [affirmative].

[00:51:23] Rik: that was the most recent work pre, pre this year's CanSecWest, which was done all remotely for obvious reasons, but it still went ahead and the, you know, we had the, we had ZDI staff on site, running the exploits that they were being, instructed to run by the competitor.

So we still find a way to make it work remotely. but yeah, prior to that we did an industrial one, which was the first time ever. And then, this year and last year, we obviously had the, the Tesla as one of the things to, to be hacked.

[00:51:50] Katie: Mm-hmm [affirmative].

[00:51:50] Rik: So it's been going from strength to strength. You know, it's, it's weird. The TippingPoint acquisition, I forget, I'll get crucified at Trend Micro.

I forget which year it happened, but we made the acquisition of TippingPoint, that was a really sensible thing for Trend Micro to do. It's fantastic technology, but we were also prepared to put investment into it and ZDI came as part of that acquisition.

And you know, I've been in the industry for, like 25 years and f- the industry in various forms anyway for that time. And I saw TippingPoint go from home to home to home and it really feels like TippingPoint and ZDI have kind of found their spiritual home.

Trend is a very special company with a very special culture and TippingPoint has just dropped right into, to being a part of that Trend Micro family. And it's great to see the investment that's gone into something like ZDI.

'Cause I remember, I think it was Pwn2Own mobile was at risk of, of not happening anymore. This was pre-acquisition, right? Because of Wassenaar.

[00:52:45] Katie: Yes.

[00:52:46] Rik: It was the one that was happening in Tokyo.

[00:52:48] Katie: I think it might've been canceled at one time, but yeah, it was-

[00:52:50] Rik: Yeah, it was.

[00:52:51] Katie: Yeah, it was canceled because of Wassenaar because it was unclear. And actually we had, you know, we had a hacking competition that was run by Hack in the Box, over in, Abu Dhabi, just this last October.

And Luta Security was actually brought in to help make sure that nobody violated export controls-

[00:53:11] Rik: Right.

[00:53:11] Katie: ... because this was in a country that's outside of all the Wassenaar countries. So we knew that there was going to be export control situations no matter what happened. especially it, it matters in the exemptions that we got, what your role is, right?

So we had to, we had to do a lot of segmentation, work on the fly to make sure that, for example, even the judges who were from different countries and everything were not actually getting direct access. No, no technology transfer to the judges occurred. Right?

Because we created an impromptu SCIF, we basically like collected people's devices, you know, before they went into the room.

But there was a lot of this physical segmentation that we had to do in order to make sure that only the reporter of the bug and the recipient of the bug were the ones who got the bugs and the exploits directly.

[00:54:01] We watched the demonstrations, but we saw no code and we received no code. We did no pass through. Right? Because unlike ZDI, ZDI actually does the coordination. ZDI is exempt. Right?

[00:54:13] Rik: Yeah.

[00:54:13] Katie: They're involved in coordination and getting the bug fixed. They're exempt. So no matter where in the world ZDI is, you know, you guys are fine in terms of Wassenaar.

This was a little bit different. There wasn't a central coordinating body involved and the judges weren't going to do that job after the competition. Right?

[00:54:30] Rik: Yeah.

[00:54:30] Katie: so we had to basically kind of wind our way through Wassenaar. And a talk I was really looking forward to giving before the pandemic-

[00:54:37] Rik: Yup.

[00:54:37] Katie: ... and a conference I was really looking forward to, 'cause it's one of my favorite conferences. It's the SAS, was canceled. It was supposed to be in Barcelona in April-

[00:54:45] Rik: Yup.

[00:54:45] Katie: ... and I was going to give a talk called Wassenaar, Are You Serious? [laughs]. Like, who said dads are, get all the dad jokes. Okay. I'm just saying. but, but it was going to be about that competition and the, the, the leading, the abstract said, have you ever found yourself almost accidentally becoming an international cyber weapons dealer in the middle East?

We did. Right? So that was the lead in to, to the adventure. That was that competition. But yeah, everything about export control, you never wanted to know.

[00:55:14] Rik: That's a shame. You're gonna keep that presentation on hand I hope for, for other events when events resume, whenever that may be or-

[00:55:20] Katie: Yeah, [crosstalk 00:59:47]-

[00:55:21] Rik: ... maybe for a big virtual pla- it sounds like a very cool presentation.

[00:55:24] Katie: Well, and you know, a lot of conferences have gone virtual, but frankly, I'm virtualed out.

I decided to do this with you because it was live and I could just, you know, just existentially like deal with it and everything. But yeah, I've said no to pretty much everything else. So you got it, you know.

[00:55:39] Rik: Yeah. I, I feel your pain. I, you know what? I was, I, because this was the first, episode of the first season and, and the first time I've done a live internet broadcast of any description, I thought I was really nervous about this.

Having a chat with you last night really helped. It turns out, why, the reason why I was nervous about today's 'cause I had a webinar to do this morning and I just hate doing webinars.

It's, you can make all the greatest content in the world and, and I thrive on trying to inject a little bit of humor in my presentations to bring the audience along, but you need to be able to look people in the eyes and, and feel the emotion in the room and kinda take people with you. so webinars challenge me.

[00:56:17] I, I really admire the people who are really skilled at them. We have a couple of, within Trend Micro John Clay being a, a great example.

Does, does, regular webinars for Trend Micro and he is a consummate professional. I, I just find this difficult to find my pace. Apologies if anybody watching was on the webinar this morning.

It was great because we had a live Q&A afterwards and webcams were on and stuff. So that was all good. But, I, I find it really hard, so I feel your pain, fully feel your pain. Net-net, Wassenaar, good, bad, worthwhile, not worthwhile, help, hindrance?

[00:56:48] Katie: So net-net, we got the ex- exceptions that we needed to operate. In the meantime, there are still unanswered questions and areas that could, could use improvement in, and clarification in the existing language.

For example, there's still no real clarification on tools, right? We've gotten, you know, the exemptions for intrusion software, intrusion software technology, you know, but, but not tools. Think of tools like Metasploit and other things.

[00:57:18] Rik: Yeah.

[00:57:18] Katie: Even custom scripts that will, you know, do some of the actions that are described in the Wassenaar Arrangement, are potentially licensable through export control. And we haven't quite gotten those ambiguities sorted out.

So I think there's more work to do, but it's also kind of like we've got the most important bits done and I think the will to continue to go back to that same, you know, piece when that group handles. Like I gave a couple of examples, right?

Advanced radar, lasers, all kinds of other things, drones, you know, there, there's so much to work on in that group and I think that, you know, the priorities have shifted for sure. But we'll, you know, that's the same group by the way, that, gave us the crypto wars back in 1900 [laughing].

[00:58:02] Rik: Right. Yup, yup, for sure.

[00:58:03] Katie: That was pretty much, you know, the cohort and it was interesting because they remembered that differently than we do. Right? So they…

[00:58:12] Rik: I was, I was working for PGP at that time.

[00:58:14] Katie: Mm-hmm [affirmative]. Yeah, oh…

[00:58:15] Rik: So, you know, that was, that was a big deal for us back then. Yeah.

[00:58:18] Katie: Well, the, the folks in the, you know, in the, the Wassenaar group remembered it differently because they were saying things like, "Well, yes, we, you know, we've heard your complaints before security industry and we worked through them with you and eventually came to where, you know, where we are today with it."

And I said, "Yes, but in the meantime, you realize what happened with that temporary ban that you had and restriction was that you forced down leveling of all browser encryption.

[00:58:47] Rik: Yeah.

[00:58:47] Katie: And that made eCommerce very, very insecure for a very long time. And, and, you know, as an industry and society, it took us longer to recover from that than what your vision is seeing, which is, oh, no, we wrote the rules a little bit too, too narrowly, and then we opened them up a little bit and everything's fine now. And I'm like…"

[00:59:04] Rik: Yeah, we fixed it and it's all good. Don't worry about it. There was no negative outcome. Everything's fine.

[00:59:08] Katie: Yeah. So, I mean, you know, they, they also thought that since they've regulated software before that regulating software in the same manner, you know, that they were doing, starting in 2013 would be, you know, similar maybe painful adjustments at the beginning, but they get to a good place.

Whereas the way they had written it, it was essentially what computers do. You know, [laughing] it was what ... it wasn't how they had written it, it was like, no, this is how…

[00:59:31] Rik: Yeah…

[00:59:31] Katie: ... actually, you know.

[00:59:33] Rik: So I'm conscious that we're coming up on the hour and I've taken up a lot of your time and I'm really grateful for it. I just wanted to ask one question, which has literally occurred to me just now.

So I haven't given, if I ... this been unfair and I haven't given you any warning of this at all, but this whole, as soon as this is, Let's Talk Security, the lockdown sessions, this is a societal situation which is unfamiliar to all of us. It's a family situation that's unfamiliar to all of us.

We all have different concerns and, and, and different things going right and different things going wrong. What lessons, have you learned, whether it's personally, professionally, socially, whatever, what lessons have you learned from this completely unique experience that we're going through right now, that you would hope to carry over, once we're through the darkest part of the tunnel?

[01:00:22] Katie: That is a, that is a really good question. You know, one thing that, that I, I know that a lot of parents like me are struggling with is doing your day job while caring for your kids when you have no help.

And I'm a single co-parent, which means when my kids are with me half the time, that's it. You know, I have to balance all of these things and I think that, you know, myself as an employer of other people, the way that I've been able to, you know, live our company values and live my own personal values with the employees is just making sure that, you know, they have everything they need.

If they have any, you know, pandemic related concerns or issues they need to deal with, it's just kind of no, no question, just go deal with it. And honestly, I am seeing people, not just at my company, but other companies, they're focusing themselves in a very different way.

[01:01:15] It's not about, presenteeism at work anymore because it's not when you showed up at the office and when you left, it's more about drawing boundaries around when is working time and when is family time, when it's all occurring in the same physical space.

So I try to make room for that and for myself and for the people who work for me. And I'm seeing and, and cheering on the people who are doing it for themselves. And really, you know, there's never a work life balance.

That's a lie. It's all trade offs. But I'm seeing people choose the most important people in their lives, myself included, as the priority. So I have hard s- start and stop times for my workday and my-

[01:01:54] Rik: Yup.

[01:01:54] Katie: ... my people's workday. And I get mad when people bug me on the weekend, even my own team, I'm like, stop it, leave me alone. It's family time [laughing].

[01:02:01] Rik: And, and, and you and you try and I guess project that to them as well that says you need to, when you check out, you need to be checked out.

Stop, you know, don't, don't live in your, in your email account, don't live in your, you know, professional, social, whatever. Check out, look after the people that count. That's, that's exactly what's ... I mean, I, I'm the parent of a one year old and my workdays have been turned on their, on their head.

And I just have to apply the rule that says at the moment when, you know, when my daughter's awake, then that's not work time and when she sleeps, then that's work time [laughing]. And that's the, the only things I can apply right now.

[01:02:35] Katie, it's been a real pleasure. I, I'm, I'm only sad that we, we got to do this before we got to meet you in person. I have no idea why that's never happened. Probably because I'm a, a, a horrible recluse at events. So, but, I, I really hope that we can catch up in person. You've been fun, engaging, informative, everything, that I hoped you would be.

And I am super grateful f- to you for agreeing to be the first guest on, on Let's Talk Security. Thank you so much for taking part.

[01:03:03] Katie: Thank you so much, Rick. This was a pleasure. And, unlike a lot of things where I have to be on camera, I don't feel drained. I feel energized. So thank you so much for starting. This is the start of my day, so thanks a lot for that.

[01:03:14] Rik: H- have a great day, Katie. Cheers.

[01:03:17] Katie: Thanks, bye.

[01:03:18] Rik: That's it. So yes, thank you Katie for being, being our guest on this first episode of, of Let's Talk Security. It's been engrossing. The live feedback has been testament to, the fact that you've been engaging with, all of the great content that, that, that Katie has been sharing with us. Thank you for joining us live.

If you are watching this on catch-up then I'm really sorry that we had to remove Katie's karaoke rendition of Slayer's Reign in Blood for copyright purposes. So you will have totally missed that. So make sure you join the live stream next time.

You never know what's gonna happen, on, Let's Talk Security, be sure to subscribe for notifications of upcoming broadcasts.

And, with that, I've been Ron Burgundy. Stay classy, San Diego.