Time for your Gitmo Nation Media Assassination, Episode 534.
This is No Agenda.
And we are coming to you live, almost kind of not really on tape, because it is the week that we're off, but we're bringing you fresh content from somewhere in Europe.
I'm Adam Curry.
And from northern Silicon Valley, where I'm on digital tape, I'm John C. Dvorak.
That's right, everybody.
It is Sunday, and I'm your half-host, Adam.
And I'm your half-host, John.
And today is the second of our two shows that we're doing this summer, so we can take a little bit of time off, although it turns out it's actually more work than it's worth.
More work to do it this way.
So we have two interviews coming up for you.
The one that we'll start off with is an interview I did just before the release of Daniel Suarez's book Kill Decision.
It's all about drones.
And we also touched briefly on his previous work, which is Daemon and Freedom TM. And I hope you enjoy it.
And after that, we have John's interview with some intelligence guy.
What was it again, John?
John Dixon, who's a security expert and also former Air Force intelligence, and so he has some thoughts about the NSA and some of the stuff that goes down.
Interesting interview, to say the least.
Good chat with him.
All right.
We kick it off first with my interview, originally done just before the release of the book, Kill Decision, with Daniel Suarez.
I think probably the most feared man in the military-industrial complex.
We'll be talking to him.
Here's his book.
His latest is Kill Decision.
Daniel Suarez joins us from California.
Dan, right?
I can call you Dan?
Yeah, absolutely.
Thanks for having me.
Well, no, and thank you very much for not only sending me this book, but for writing it.
I've got to tell you, I'm an aviator.
I've been flying airplanes and helicopters.
I've taken a great interest, of course, in unmanned aerial vehicles.
And once again, very much like your previous books that I've read, Daemon and Freedom TM, you've nailed it.
You've nailed all the technical aspects.
But also, to me, almost not science fiction.
It's like, this sounds like it's pretty much...
When did you write the book?
When was it completed?
It was completed, oh, I don't know, six, seven months ago, something like that.
So fairly recently.
And it probably took me about, I don't know, 13, 12 months to write.
Most of that, of course, is research.
But really, I do this just-over-the-horizon type thing.
So when you say really not science fiction, definitely so.
I've combined things that if they don't already exist, they will very soon.
Okay.
So let's talk about the story.
First of all, a female protagonist, which was a departure, at least, from Daemon, Freedom.
It really breaks down the possibility and perhaps the likelihood of unmanned aerial vehicles, i.e. drones, making decisions on their own and the implications of that and what could happen.
Now, it's always difficult with a book like this, which has some cool twists and turns and some things that pop up that I thought were very unexpected, and then some wildly outrageous things when it comes to big tankers and all kinds of nutty stuff going on, oil tankers or troop carriers, I can't even tell you.
I'm afraid of spoiling parts you wouldn't want to be known, so maybe you can synopsize this for us.
Sure.
Yeah, I've already figured out my kind of, you know, through the minefield of the story to not reveal any spoilers.
But it is essentially about a situation where the United States has itself come under attack, targeted attack by autonomous drones, origin unknown, and it really examines a situation where drones have proliferated to the extent that they are all over the world.
And it becomes very difficult to determine who is attacking you.
And so a very superior military power, suddenly you get into this power imbalance where there's this non-stop sort of low-intensity warfare going on.
And I do think this is headed towards us.
Because again, if you can't figure out who's attacking you, it doesn't matter how powerful you are.
And that's really the situation the story examines.
And it's one that I think is coming very soon because, you know, you look at, because of the global economy, high-tech manufacturing occurs all over the world now.
And those designs, because of cyber espionage and cyber war, a lot of CAD designs and other top-secret designs are also disappearing off Western networks to the far corners of the world.
So the combination of those things, that very cheap design, sort of ubiquitous processing power and manufacturing of high-tech all around the world, combined with designs that support that type of thing, is going to really create a very fractured high-tech military ecosystem.
And that's what the story examines, is that high concept of the United States is under attack by drones and we don't know who's sending them.
And what I really like as kind of a sub-story is the entire...
And I watch C-SPAN all the time.
I think you can't write that shit.
It's so funny sometimes.
But we've had a lot of Department of Homeland Security, Department of Defense... a lot of budget conversations in the past six months.
And in the book itself, a lot of this is about the funding and what is going to instigate funding for more drones and indeed these autonomous drones.
Now, I know a little bit about your background.
I know you're basically, at heart, a software engineer, a developer.
Some would call that consultant.
You've done a lot for Fortune 1000 companies, but also for defense, I believe.
So when you put something like that in there, is that based on your own experience?
Is it just what you think it might be or how it'll work, or are you just dreaming it up?
Yeah, a little of all of those things.
Just to be clear, I worked in IT in designing big data systems for companies.
So companies that had, let's say, wanted to do pre-production planning of vast networks of factories and things like that.
So really complex stuff.
Did some defense work as well, especially Y2K remediation, things like that.
Ah, the big scam.
Yeah.
Yeah, well, you know, it's funny.
You take a look at a lot of this stuff.
I had friends and relatives who were like hoarding cigarettes because they were convinced that was going to be the new currency.
I'm like, I don't think it's going to be a problem.
I'm going to be at a party.
I don't know what you guys are doing.
But anyway, I digress.
But basically, I definitely don't take anything top secret.
See, that was one of the things that people ask me is like, how do you do research for this?
Again, because of this technology, you look at what is being able to be done with everything from DIY drones to just consumer tech that you can buy.
What I typically do with my stories is I'll combine those things and then I'll sort of divine what I think is just around the corner based on what I would do, given these possibilities, the better budget.
And also rumors of prototypes that are out there.
So that's basically how I assemble what the tech is going to be, the disruptive tech in one of my tech thrillers.
And as far as government and private industry and the intersection of international corporate malfeasance and otherwise, those things, I think there's a great record for that already.
So... as a tech writer, you stir those all into a pot and you can pretty much come up with a really, first of all, thrilling, lots of action and other things like that.
So that's generally how I construct these stories.
You said something very important.
This is indeed a thriller.
I mean, these books that you write are thrillers.
And it's kind of funny how when I first read Daemon and its successor, Freedom TM, you know, the Google Glasses had not been announced yet.
They were probably already in development.
But that was also only a couple of years' separation, and now here it is.
You know, when I was reading Kill Decision, the technical aspects were so good.
I mean, even in the first, maybe page 30, there's mention of Gorgon Stare, which I don't think anyone knows about.
But that's why I put it there.
It's important to me that people know that these things are really accelerating, and that they are occurring really...
It's not even like they're secret.
It's just that they don't get really very much media attention.
It's one of the driving reasons I write these.
These are fast-moving, sort of nuanced, complex things that are happening that are changing society with this technology evolving.
And I want people to understand it.
So I try to write these thrillers, and I write them as thrillers, so that... you're really entertained and intrigued as you go along, but you're also learning basically what all this tech is and how it might change society.
That's really one of my goals.
So top priorities make it entertaining and exciting, but then, of course, what interests me is the payload that comes along with it.
Do you worry about this stuff?
Do you worry about the possible future of autonomous drones to such an extent that you say, okay, I have to write this book.
It's important that people understand this.
I'm packaging it in a thriller, in soft science fiction, but I really need to get the...
This is why my introduction said, you know, perhaps the most feared man in the military industrial complex...
It could also be that you're a promoter of it.
You could easily be a shill for them.
I don't know.
I doubt it.
But you're really sending a message.
And to me, it arrived loud and clear.
Well, I'm glad of that.
And I will say this.
Most feared man in the military-industrial complex, I tend to think not.
My encounter with military people has been that there's a split.
There's a lot of people in the military who have similar concerns to society at large, and they sort of get it.
If I have a theme, it's this, that I'm against unaccountable concentrations of power, and I don't care whether it's corporate, military, religious, the Girl Scouts.
I don't care who it is.
And this is one of those brewing unaccountable concentrations of power that I see.
The idea of autonomous weapons.
I mean it used to be that if you wanted to have a war, you had to get buy-in from other human beings to do it.
You could still have secret wars, but it took a hell of a lot of work.
And in the case of Iran-Contra and stuff, things get out because people either get caught or they talk.
But if you get into a situation where you don't need people to conduct war, and this could have a corrosive effect on the foundation of democracy is really how I look at it.
The idea of being able to automate war, and again, insect intelligence drones really are a done deal.
They're working on rat intelligence drones now.
The idea of swarming, all of these things, they're solving, but speaking of intelligence, here comes my cat.
Wait, wait, wait!
A swarm of cats!
Oh no!
That's right, a swarm of cats, my God!
Run for your lives!
Hey Lucy, what's up?
So anyway, hey, what are you doing?
I'm talking!
So, if she's on camera, I know better than to try to stop her.
It wouldn't be the first time a cat has appeared on the show, trust me.
Well, let's face it, 40% of the video online is cats.
It's cats, exactly.
That's why the internet was built.
The cat is sitting there thinking, hey, that's my gig.
What are you doing?
Get out of the way, human.
But in the book that you just mentioned that, there is...
And I'm trying to think, was it a callback to Roman times?
But there is a whole passage about how once you can remove the humans from the equation, then you've really got a great war machine.
What was that piece again?
I can't remember off the top of my head.
It was basically the idea of...
Harkening back to the Middle Ages.
With the knights and the sword.
Would you mind telling us that?
Because that was a beautiful piece.
Absolutely.
And it's interesting you bring that up because that was really a pivotal aspect of the book for me.
So good for you.
I have to admit I read it.
One of those horrible things I do here.
Hey, I would do the same thing.
It helps to illuminate your reading of the book.
But basically it is this, that if we take a look at the structure, the distribution of political power in a society, boy, I'm going to sound really wonky.
No, no, no, I love this.
You're right on my vibe, man, totally.
It is this, that if we go back to the Middle Ages and look at the social structure and how power was very much concentrated at the top, there was no middle class.
And you had all this vast underclass of people who were just subsisting.
And then you take a look at how conflict was resolved in that society.
What you see is that the mounted armored knight was almost invulnerable to pretty much any number of peasants who had a different, almost no meat in their diet, had a different musculature, but they also, knights had armor, and this armor was so expensive that it would cost the equivalent of what a house does now.
You had war horses.
You had constant training.
So it cost a great deal of money to keep a mounted knight available to fight for you.
And so you had this structure where very few knights could exist, but where they were, they basically had absolute power.
And that went straight up through the... you know, the medieval social hierarchy, the way you have barons and dukes and then kings.
And so it's a very, very narrow pyramid at the top.
And this changes when gunpowder comes into effect.
When you no longer have to have somebody trained for six, seven, eight years and have a privileged background and upbringing as a page and all that stuff, in order to resolve conflicts, you just need to give a guy a gun.
Maybe a few hours, a day or two of training, and suddenly anybody who has this tube could kill a mounted knight in armor.
And that shifts everything.
Suddenly, over time, successive decades, it's how many people you bring to the battlefield determines who wins, not who you bring.
And so suddenly... leaders need buy-in from people at large.
They need people to cooperate.
Like, I need all you guys out here with a gun, aiming at those guys with a gun.
And if I don't do it, they'll do it.
Yeah, we need you to be all that you can be.
Yeah.
Well, yeah, in an early form.
I think it was on a tapestry in those days.
Yeah.
He can be.
But no, it was basically this, that if you look at the size of battles from the Battle of Crécy and Agincourt onto the Battle of the Somme in World War I, you can see battles, Waterloo, they progressively got larger and larger and larger and more people, and logistics started to become a big issue.
And nationalism rises at around this time.
And it's interesting that the concept of real nations, as opposed to individual kingdoms and regions, starts to come into play.
And then parliaments and representative democracy.
Basically because leaders could not ignore their people anymore.
If they ignored the mass of people, they would get killed.
So they had to cede some power.
And so in some ways, it is technology.
And it's weapon technology that made that possible.
So what we're doing now, what we're seeing, is a shift again towards centralization of power.
Because to some extent, I don't want to say a special forces warrior, because it's not just them, but the idea of an elite warrior who has access to a data network, to air support, to all of these things, and autonomous drones, can pretty much defeat any number of people opposing them in a regular manner.
So again, we've gone back to almost this mounted knight, where if you have access to all of those resources, numbers don't matter.
And in many ways, it's re-centralizing authority and power.
And if we think that the way human beings resolve conflicts shapes society, and I do, that's what makes that a big concern to me.
And it's something that I don't think a lot of people are thinking or talking about.
It's in particular why I wrote this book on autonomous drones.
A lot of people think, well, it's about drones like the Reaper and the Predator.
No, it isn't.
Those are obsolete platforms right now.
They're not even making the Predator anymore.
And the idea of remotely controlling a drone to me, that's really a limited-use thing.
I know that sounds funny, but we're using them against largely tribal cultures.
If you try to use a remotely piloted drone against a more sophisticated adversary, they'll jam your radio signal.
They'll cut it off.
We saw what happened with the RT-170 Sentinel over Iran.
I mean, they essentially... disconnected us from our drone and hijacked it.
And that's the problem with having a drone that is remotely controlled.
And that's why there's a lot of pressure to push that decision-making onto the drone itself.
And so this is really what I'm dramatizing in this book, is that very accelerated push to make the machines make more decisions.
So you, of course, are not the only smart guy who has figured this out, particularly if you look at the history, and so it does seem that this is indeed, this has got to be a big push, not just perhaps for drones, although drones make a lot of sense, it's quite easy to operate, but for all types of autonomous warfare robots.
Yeah, and cyber war as well.
So bots that will go off and do software bots that will go off.
You know, the cyber war thing, I'm continuously amazed when I hear the generals talk about this.
And who was it?
The guy who was a major general in Afghanistan in 2010.
He had a whole bunch of cyber warfare going on.
But when you hear how... uninformed they speak about the technology.
These guys, they must have the guys at the bottom knowing what they're doing, but the generals, you know, they really don't understand what the hell they're talking about.
They really don't.
Quite a few of them don't, but there are those that do.
Take my word for it.
There are some that get it, and whether they admit that in media or not, there are some that do.
Intelligence agencies especially do.
As a matter of fact, I did an interview with Michael Hayden for an article that I eventually wound up not finishing, but it was at a conference.
But in that article, or in that interview, he was essentially saying that when nations around the world were solicited by, I think, a magazine or a newspaper on who they were most afraid of on the internet, the United States was listed as number one.
Because we have a really robust cyber war and cyber espionage campaign.
As has recently come to light, and as we've recently admitted.
So, you know, a lot of people in the United States especially think of China.
And of course, the geopolitical contest has definitely begun there, but the United States is very active in this area.
What's your feeling about all that?
Are you a pacifist?
I mean, where do you stand?
I would definitely say I'm not a pacifist.
I'm a realist.
I understand that when it comes to nations, geopolitics and the great game, that happens.
And that power is always sought by those who have a will to power.
And the best way to avoid real trouble... it's to try to distribute power among a reasonable number of people.
And I think our founding fathers had this principle, the idea of checks and balances.
And it's really that's what I look at.
I don't think in the main we're ever going to make things perfect or even close to it, but that's the best you can do.
I think if you have branches of government and individuals who share power... that's best.
It's when we start to see this lockstep collusion or secrecy that allows conflicts to occur in secrecy without anybody having any knowledge of it or even the right to know.
That's when I think things get dangerous.
So am I a pacifist?
No.
If we were attacked, I'd want us to strike back.
But I'm not convinced that's what we're doing now.
I am also somewhat concerned that what we're doing now is self-defeating.
I mean, I touch upon this a bit in the book through the biologist character, the idea that cooperating organisms succeed better than those that are constantly in Darwinian conflict.
This has a lot to do with Alfred Russell's concepts about evolution and natural selection, that many, many organisms don't just kill each other, they cooperate in a symbiotic way with each other, and they thrive for that reason.
Except for humans.
Well, you know, we do cooperate.
We do.
We kill each other, too.
We do.
But again, it's not all or nothing.
It's not a binary equation.
But yeah, of late, I'll tell you, we've gotten really good at that.
And I do think there is a more mainstream movement to try to get more sustainable, to make things more local and comprehensible.
And so I'm an optimist.
I'm definitely, you know, I'm not a pacifist.
I'm not a hawk.
I'm kind of right about in the middle.
I understand that people are this way, that we're kind of like shaved apes.
We're trying to shake off this.
We're only recently the capability technologically to really do serious harm to the entire planet.
And we're trying to get our heads wrapped around that.
And so I think if more people have their hand on the tiller, we're less likely to go definitively in a bad direction.
We'll kind of ambulate around for a while, but hopefully we'll work it out.
So the real futures view in the book, which you can at this point probably call science fiction, but yeah, for how long?
Yeah, that's right.
Is the fact that when you have autonomy coming into the picture, particularly with the drones, it's no longer which country is the biggest badass, but which company is the biggest badass.
Which individual?
Or an individual.
All you need is money.
And once you have the money, then you can basically, you could create a war, win it, and no one would know who the hell you are, and you could have anything go the way you want it to go.
And that, I think, to me, that was the message, like, oh, wow, we've been just looking at, you know, we have a president who apparently, you know, loves to use drones, loves to view the tapes.
You know, now we have countries all over the world and on a local level.
We have in the United States, of course, police forces and, you know, all this will be opened up in 2015.
But that's nothing.
That's nothing compared to, you know, someone who has a big pile of cash with an agenda.
They can just get in the game whenever they want.
And especially if they either have no history of respect for human rights.
Or they just definitively do not care.
Because at that point it's completely optional.
If people were upset about what you're doing and you don't care.
Again, it really in some ways empowers authoritarianism.
And that's what concerned me.
So again, I'm optimistic in the sense that I sort of look at what I do in terms of writing thrillers as looking out for icebergs.
Because I like technology.
As a matter of fact, I love it.
I've made my whole career on it.
It's just that, you know, you want to keep an eye ahead and say, oh, let's turn a little to the right, let's turn a little to the left.
That doesn't mean abandon all, you know, technology.
It means just try to think ahead.
We've done this in the past.
We've invented technologies that caused us problems.
And we have tried to deal with them.
Nuclear, biological, chemical weapons, they were going to be world killers.
The human race, but we created international treaties, and as imperfect as they are, we're still here.
I mean, these are weapons that by all rights really should have wiped us out if we were, you know, crazy.
So I think in the main, we're sort of like a bell curve.
Most people just want to get through their day, raise their kids, and that's what's going to save us, is the fact that most of us have our heads screwed on at least semi-straight.
And as long as we can start to build things and get through our day, we'll be fine.
It's when you allow just a few people to completely upset everything.
And that's why you want to try to avoid these concentrations of power.
And lethal autonomy, as it's called, the idea of robots making killing decisions, that is definitely one of these centralizing things that I don't think a democracy should ever allow.
I don't think we should ever allow machines to make a decision to kill people.
Now, let me parse that.
I don't mean... we would never send a machine specifically like a targeted munition to do something.
That's different than sending a machine into this area to terrorize it or to try to maintain order and decide who lives and who dies.
That's a very different thing.
And you will see that, I think, in authoritarian nations sooner than later or in conflict zones or in narco-trafficking zones, basically where people are grasping for power and have some money.
You're going to see them first.
Well, I think, personally, I believe that there's going to be an even bigger call for really ace pilots because we're going to have to be up there defending because, you know, at a certain point, I think a human is still for a long time going to be better than some machine that has performance limitations, perhaps.
Or mental limitations.
Oh, now we're getting into brass tacks, though, because this is great because now I'm talking to a pilot, somebody who...
And so, not to be just devil's advocate, but...
The thing that concerns me there is what do you as a pilot do against a swarm where the individual members of that swarm don't give a damn whether they survive or not?
Right.
So, of course, we already had this kind of, if you look at the Japanese Zeros, we had suicide bombers.
In general, that, of course, is a problem.
But I mean, in my head, I'm seeing, you know, Independence Day, I'm seeing Star Wars, I'm seeing there's just all this crap coming at you, and you just got to spray and pray.
As many evasive maneuvers as possible.
But just from a cost perspective, there's going to be maneuverability issues that just won't...
You're not going to be able to pull 20 G's?
Well, no, I don't think so.
Not that pilots are great at that.
Let's just hope it doesn't get to that.
Anyway, I'm available, though.
Put me in the machine, I'm available.
I will say this, though.
The thing that I think we need to be doing is developing a legal framework.
And a moral framework.
And a moral, ethical framework.
You're absolutely right.
And I always say that it's because what would inspire leaders, international leaders to do this is they are liable to be the prime targets of these things.
By the way, we've got a drone with your name on it.
Right, right, right.
I want to get back to the book for a second, because besides the topic, etc., your characters are beautifully developed.
I think this is the first time you've had a female protagonist.
Great job.
Well, I had Phillips in Daemon.
She was one of many protagonists.
Right, right.
I took some lumps from people who thought I was misogynist, which confused me, because I'm absolutely not.
Yeah, I know.
I thought, well, okay.
Well, I like that.
She had the relationship with her dad, if I can remember correctly.
She was quite a talented...
I mean, she was the most brilliant person there was.
Of course, yes.
Whatever.
But I did like the idea of having... someone who had more of a, you know, well, let's put it this way, less of the He-Man attitude in it.
I really wanted that to soften the edge of the story.
Yeah, throughout the whole thing, she's sexy.
I mean, I'm just feeling her being really, really sexy.
Good.
And you even put a sex scene in for me, which is my favorite part of any book.
I'm like, yeah, finally, we get something done here.
That's really why I write these things for me.
But your writing really is outstanding, and I've always been a big fan of writers in other professions, lawyers.
We've had several on the show who turn out to be excellent writers of fiction.
So you, of course, know how to write code, which a lot of people think is just some kind of thing.
You go to school, you learn it, and it's like, oh, and here's how it works.
No.
You can write code just as poorly as a crappy book.
You can write yourself into corners.
You can approach the problem from many, many directions.
None of them necessarily right or wrong.
So when you started writing... did you approach it from a software perspective?
Were there any analogies in that?
I'd just love to know your process.
So then we're going back to Daemon, which is a book I wrote between 2002 and 2004.
I actually wrote that book as a result of some software I'd written.
So yes, the answer is very much yes.
Can you elaborate on this software?
Yeah, sure.
I'm going to geek out now.
Nice.
I'll establish my geek cred.
I wrote a software.
So at the time, it was after the Y2K remediation thing and the dot-com boom had started easing up.
Now, I never really got involved in that.
I was always a data guy.
Yeah.
But nonetheless, my business slowed down a little at the time, and I started thinking, you know, I want to take a little time and do something that would be interesting to me.
I wanted to create some software, some custom software.
And I was a gamer for a while.
You know, everything from video games, D&D, and stuff like that.
I'd always wanted to automate this weather system that I'd created for my games.
So this is a role-playing game weather system.
But of course, I wouldn't just do a simple weather system.
I have to do one that has an orbital mechanics module in it and all this stuff.
So...
I think it's been BitTorrented, too.
It's called Weather Master, right?
So I write this program, and I get further elaborate without it.
I put a polymorphic encryption wrapper around it so that you can try it for 30 days, and at that point it re-encrypts itself so you can buy it online.
This is like, you know, again, around the year 2000, something like that.
And what happened was I got pulled into a project, and a couple months later I come back, and turns out this thing is selling in like 38 countries around the world.
People are trying it and buying it.
And there's like this money there in this account that I had set up.
And I had it set up to pay for the website, for some advertising.
So it was sort of like this automated thing.
And I started thinking, wow, if I got hit by a bus, this thing would just keep going.
And then I started thinking, wow, what else can you do if you're dead in modern society?
And it turns out you can do like 70% of the stuff you normally do every day.
Which, of course, is exactly the core nucleus of the book.
That's fantastic.
So you can see.
So it came from software in a very literal way.
I was like, wow.
And that was really the core of the book, as you said, that you have a designer of a massively parallel online game who creates a program that keeps an eye out for the appearance of his own obituary online, at which point all sorts of things start to execute and start to tear the fabric of society apart.
So, yeah, that's where that came from.
And in terms of the plotting and design of a thriller, I guess I do follow a software model, only because I try...
I guess if you write code long enough in a corporate environment, at least one where you have really good quality teams, there's some pressure to make lean, maintainable code.
And to some extent, I like to think that carries over into my writing.
I try not to have lots of extraneous details.
I try to have what I need there and to propel the story forward.
And what I'm told is that my stories do propel people forward, so I don't know.
I feel I might have succeeded at that.
We'll see.
I do follow some of the skills that I picked up in writing clean code, I think, help in that regard.
And certainly in terms of structure.
Structure is very important to me in a story, in terms of pacing, different threads.
So yeah, I guess my stories are multi-threaded too.
There you go, multi-threaded, yeah.
So yeah, I would say yes.
What's your IDE for writing your books?
That's right.
Yeah, Emacs, this plugin.
No, it's...
That would have been, you would have blown me away if that were true.
No, I don't.
I'll tell you though, if you wrote one, if you wrote a plugin for Emacs, it would sell like crazy.
It would be so ridiculous because it's like front-end to notepad, essentially.
But it highlights the colors of your character.
Of course, of course.
There you go.
Don't even get me started.
I got you thinking, didn't I? I just wasted six months of my time.
Were you just a word guy, or how did you do it?
I actually have an English literature degree.
I don't have a computer science degree, so I got involved in computers in the early 90s, 90, 91, something like that.
Back in the day, when you could do things in a corporation, because people didn't take data, and the internet especially, seriously at all.
And so if you started connecting sites and moving data around in the unofficial way, but you got things done, you just got more authority and more access and more promotions.
And I look at things now.
I mean, sure, I later got certifications and all sorts of things.
But I laugh now because I wonder, since people going for IT jobs, their resumes are scanned automatically looking for keywords and certifications.
I mean, I have really great experience building huge systems, but I wonder if I would have been able to easily get my start today.
Because again, on paper, when I was starting out, I was an English literature guy who had a real passion for tech, and I always used to mess around with Paradox databases and stuff like that.
And I don't know that it's as easy to just dabble around.
And some of the most interesting people that I've met in tech in Silicon Valley, very successful people, don't have a straight computer science background.
No, bass players.
Yeah, we're all these musicians, mathematical minds.
And that type of mathematical mind really serves you in good stead in software design.
So, is this really your main vocation, writing?
Is that what you're doing?
You still consult some stuff on the side?
Or, I mean, is there enough money in books today still?
Can you still make a living off of this?
Well, you know, I'm very fortunate.
I had two book deals with Dutton that were very good.
And, you know, Demon, I think, at this point, has been translated into 18 languages.
There's a film deal with Paramount, stuff like that.
So, I've been...
I've been doing pretty well so far.
Wait, put the brakes on.
Film deal with Paramount?
Back it up?
What are we talking?
Sure, yeah.
Actually, what's funny is, back up to Demon again.
I couldn't get Demon published.
You were self-published, right?
Initially, yeah.
And of course, again, I made it a big technology project because I couldn't just self-publish it and hand it over to somebody.
I'm like, no, I'm going to typeset it and I'm going to adjust the kerning.
Yes, kerning, lovely, yeah.
I did the cover in Photoshop, all that stuff.
And being a logistics software guy, I didn't want any middlemen between me.
So, of course, I went right to the source, Lightning Source, which is a company that other publishing companies use.
Anyway, long story short, I basically made it a technology project and then got the book out there on Amazon in probably 2006.
And then people, I started reaching out to people, tech bloggers and tech journalists who I'd read for many years, and I could demonstrate a knowledge of what they'd done, and I just said, I want to send you this book.
You can throw it away or use it to level a coffee table, whatever you want to do, but I just wanted to say thanks.
Actually, by doing that light touch, I got probably 30% of the people writing back and saying, hey, yeah, I read it, I really liked it, and they passed it on to others.
And eventually got into Microsoft and Google and all these other companies and started to take off.
So the funny part of that is, I got a film deal before I even got a publishing contract.
Oh, really?
A phone call from Walter Parkes.
Of course, Walter Parkes co-wrote WarGames.
It's like a seminal film for me.
One of the reasons I really was interested in tech.
So it's funny when you get a phone call from somebody like that, because the first thing you say is, Bullshit!
Yeah, clear clause!
Exactly!
And then finally, it was made aware to me that he was actually the guy.
And we started negotiating a film deal, and it was at that point that I think I got into Wired Magazine, and then, good lord, everybody started coming out of the woodwork.
I started selling thousands and thousands.
I was already selling thousands of copies, but I started selling many more.
And that's how I got the mainstream publishing contract done.
I got a two-book deal there.
I wrote Demon and Freedom TM. And now I've got a second two-book deal.
Kill Decision is the first one of that.
I've got one more book I'm working on now.
I'm interested in tech, though.
I am.
I'm interested in getting back involved.
I have not consulted in a number of years.
Probably three or four years now.
Or four years.
And I'm interested in games, too.
Right.
So can you tell us what the next book will be about?
Do you know what it is?
I have a rule that I don't discuss projects I'm working on.
I don't know.
It's almost superstition.
No, that's cool.
That's totally cool.
It keeps this energy.
Like, if you start talking about a book...
Yeah.
Too much anticipation.
But on the Paramount deal, I mean, has this been any form of green lights flashing anywhere?
I mean, it's been a while now.
Is this moving forward?
Is Angelina Jolie going to be in it?
I don't know.
And this is what I discovered now, having gone through this whole Hollywood experience, is that...
Once it goes into Hollywood's large intestine, you just sort of have to wait.
Big box, right.
And I'm told that there's really only a couple of authors on Earth who have any significant input.
One is probably...
Dan Brown and, oh god, I can't believe, Harry Potter, Harry Potter.
I think I've listed all of them right there.
You probably have significant input on what goes on in Hollywood.
So no, I don't have any news.
I don't know.
Well, it would obviously be great for you, but personally, being a real lover of books, I have everything in my mind's eye, and you do a great job with your writing and really painting a picture, which is really, really awesome.
And I really appreciate all the time you've taken with us today.
This, for me, has been highly anticipated because I really, really like your writing.
And I hope this just does dynamite for you.
And, you know, it's not just a great book, but it could save the world.
So, you know, people, get some consideration here for Kill Decision.
Daniel, thank you again for all your time.
I really appreciate it.
Oh, this was a lot of fun, Adam.
Thank you.
Daniel Suarez there, interview that I did with him a couple months ago before the release of his book, Kill Decision.
Nice guy.
Nice guy.
Yeah, it was a good interview, too.
Thank you.
You don't hand out confidence easily.
Your energy was higher back in the day.
Yeah, well, I was probably high.
You're all jacked up.
This is long after you stop smoking.
Yeah, I know.
And besides, smoking doesn't make you high.
It actually makes you low.
So we're recording this.
We are, of course, pre-recording this to make this nice little interview show as I'm still in Europe.
And we have one more interview coming up.
And then after that, we'll be back again live on Thursday.
We do want to remind everybody that we still need your support.
We need executive producers, associate executive producers.
You'll get full credit in the show notes for this episode, but also we'll thank you on the Thursday live show on August 1st.
Right.
So go to Dvorak.org slash NA and help us out there.
Also, Dvorak, channeldvorak.com slash NA, noagendashow.com and noagendanation.com.
There's a donate button on both those sites.
Now, my interview is with John Dixon, who is the former Air Force intelligence guy who runs the Denim Group out of San Antonio, Texas.
They do security software.
Actually, they help people developing software, put security in the software.
But he's also got a lot of opinions.
A lot of times you interview these guys who are CEOs and the like.
Dixon is one of the principals of the company.
And they tend to be dull, or they just self-promote.
Just boring.
Believe me, I did enough of these over the years, and people would always say, oh, what does the guy do?
Is he the CTO? The CTOs are usually pretty interesting.
No, he's the CEO. And the guy, especially if it's a public company, they can't say anything, they can't do anything.
They're very dull.
This guy's interesting, and I had a good time chatting with him.
And let's play it.
All right, but first I need to program everybody's brain.
Dvorak.org slash N-A.
I'm chatting with John Dixon of the Denim Group, and I want to get right into it.
First of all, welcome to No Agenda.
What do you think of all these revelations about the NSA that have been coming to light?
Let's start right there.
Well, I wonder how long this is going to play out, first of all.
I think the phrase or cliche that comes to mind is, the hits just keep on coming.
Some of the observations that I've had are kind of...
The reality that we assume that, at least for the hosted email providers, that they were probably sharing our information with at least advertisers.
And maybe in the back of our heads that we thought that they were sharing with law enforcement.
I think it's the confirmation of that and the specific nature that has probably gotten a lot of people's attention.
And so that's the particulars that have probably kept this as a front page story for some time.
Yeah, one of the reasons I wanted to talk to you is because since you're in a community of people who do this sort of work, security work, on the computer, there has to be gossip that goes around.
And so I'm sure that everyone has talked to each other, or in fact, even within the company, you've probably talked and you probably have some contacts outside the company that are interesting.
Well, I don't know.
I think in one way, I'm reacting like other Americans.
In another way, I have a little bit more background and insight.
Being a security professional, I also used to be an intelligence officer and dealt in this world.
But I can say most of my experience predates the electronic stuff.
It's more in the old, what they used to call signals intelligence.
So we've got friends and colleagues that are in the... I think there's a couple of observations.
And one is, if you remember what happened after September 11th with the September 11th Commission, there was, you know, a lot of hand-wringing, a lot of, you know, why did we miss this, and stovepipes of information.
So there was a... certainly a direct and indirect, I think, consensus that we don't want to miss another event.
We don't want to have that happen, another September 11th event.
And then how that was interpreted by the different agencies is what we're starting to see right now.
What does that mean?
Does that mean that we want to give up all of our information, that we want to have our travel restricted?
Some of those things played out in public.
Some of them played out in private.
And what I'm hearing is that, you know, maybe six or seven weeks ago, on the heels of the Boston incident, there was a lot like, how do we miss this?
Why did that happen?
And now the pendulum has swung the entire way.
The other way is, how can we possibly have permitted this?
So I think that's an interesting one.
The other thing that's fascinating, and I think you pointed out a couple of things about the tech industry, is how long the telephone companies, the legacy Bell companies, the AT&Ts and Verizon, have been very comfortable and have had a long history of working with governments and law enforcement because of wiretaps or for the monitoring side, and that the different reactions of companies that are more technology or Silicon Valley based.
Some pushing back, others not.
I think... and then the gap between their public pronouncements of privacy and their privacy guarantees and, you know, what's happening in practice.
I think that puts them in an uncomfortable position now that that's out in public domain.
And the final thing is...
I think you've alluded to it at least one piece is this competitiveness nature.
Okay, think of it this way.
It's one thing if it's the NSA that's looking at our hosted email or, you know, the intelligence agencies that are in the U.S. You know, you can make the argument that if I've got nothing to worry about or I'll do anything wrong, you know, who cares?
But a lot of that hosted email is from people that are non-US citizens, obviously.
And if you were a UK company that did hosted Exchange for Microsoft, not just Microsoft products, but hosted email.
And if you look at the small and medium-sized business world, most of that email is starting to migrate from data centers and companies to the cloud.
So that's the part that I think that if you look at hosted Exchange, not just email, but hosted Exchange, a lot of companies have that.
It's like, okay, what's my implication?
What are my expectations of privacy?
Think about the NSA thing.
Think if we were British citizens and the roles were reversed, or you're a U.S. citizen and you find out the German intelligence agency is looking at all of our email.
You would view that differently, I think.
Maybe, maybe not.
But I think this is just a fascinating thing that's playing out in a very public way.
And the other thing is that, you know...
One end is illuminating, it's interesting, it's asking us to ask questions of ourselves and what are our expectations.
But on the other end, I mean, he did give some information to the Russians and Chinese that are absolutely not going to help us.
I mean, there's no way that's a good thing.
What specifically do you see there that does that?
Well, first of all, I'm not in the team that's doing the damage assessment project at Fort Meade, but my suspicion is what they call sources and methods of the surveillance.
So you have two things, first of all.
One is the surveillance side, but he also has put out information about the attack side or the cyber security and the electronic cyber attack side.
We have been very public with the Chinese about their efforts in this particular space.
And my experience is, and within the security community, is that is a very, very tangible threat.
When you hear the term nation-state threat, you can substitute Chinese.
They are actively surveilling and attacking, not government entities, but also commercial entities.
So that happens all the time.
What this does is it... you know, the charge that the U.S. is doing it too kind of weakens our claims, or at least our protestations, that's happening to us and we're not doing it.
So that's an interesting thing, too, is that revelation has come up.
We do not know as citizens what the impact has been or will be, but my suspicion is this has handed us over to governments that are less than friendly to us, so that can't be dismissed either.
Well, I've always felt that we have issues with the Chinese insofar as being, I wouldn't want to use the term hypocrites, but I know the Chinese are not happy about the fact that we call them out for their prison camps and all the rest of it.
Well, we are the country that has the most prisoners per capita and in total.
And the same thing with this.
And so it's like we're kind of like asking for trouble if we are always accusing them of stuff that we are also doing.
It seems to me that it doesn't bode well for the relationship, which really is an economic one that needs to be, it really shouldn't be too adversarial since they make almost level of products right now.
Yeah.
And we've done a little about that.
Yeah, we're so tied together that it's a very interesting dance between us and them right now.
But I think part of the attractiveness of doing the cyber stuff is they can do things without it coming up to the surface level and it being attributed back to them and vice versa.
So on one level, we're friends and we're conducting commerce and we're doing these things.
And the other, below the surface, we're knocking the heck out of each other.
I think there's some plausible deniability there that allows them to do that.
And again, this revelation is making it more of an even playing field.
Wouldn't we be better off spending our time securing these systems a little better than we've done?
That's the classic argument.
Absolutely.
I mean, like, I, as a security guy, see the, you know, products and capabilities that get put, you know, thrust out there on the web or mobile apps.
And many times security is considered, but most of the time not.
And I'll give you two great examples of things that scare me.
Number one is the smart grid where there's this headlong rush for all the electrical providers to essentially make their legacy electrical distribution connected to the TCP/IP or the internet.
And that's one thing.
And number two is these health information exchanges and insurance exchanges where you have all of this private healthcare data that's out there on us.
And those are two industries that have... healthcare and the electrical, that have been less rigorous in their security compared to like the financial industry.
So you've got these, you know, oh we need to put data up, you know, on the web for this, we need to do that.
I would still say that always, always features and functionality will outstrip security.
And so yes, there's going to have to be some substantial bloody noses before that changes.
Well, I know my doctor had to recently upgrade his whole office of doctors.
They upgraded their system because the government requires now that they have electronic health records, and so they've had to retrofit everything, and then they have a website that the patients can go to and fool around on.
And it's so mediocre, because I've gone to the website, I mean it's so low-end crap, to be honest about it, that I can't imagine the security being any good at all.
Yeah, you might be on to something there.
But depending on the size of the clinic and the doctor's background, there's something called HIPAA, and there's another one, a healthcare regulation called HITECH that's come out, and they're supposed to prescribe ways of doing things.
But that is issue number five or six or seven in the planning consideration.
There are still high-profile cases where hospital systems insurers are losing customer data.
And if you see something that looks clunky or kludgy like that, it probably doesn't have a sophisticated security backend either.
So your intuition probably serves you well, although I can confirm that.
Yeah, well, I'm sure it's a model I've always used, which is the Gestalt model, which is if everything looks like crap and cheap and doesn't look like a professional did it, you have to assume that the whole product is that way from front to bottom, top to bottom.
I would not doubt that.
So when you see, do you actually look at Chinese attacks and does the Denim Group go out and help companies when they say, I think these guys have been looking at our stuff or something like that, a company for example?
We spend most of our time in the upfront part where we help companies with the security of their software or building software systems that are resilient to start with.
But from time to time we get called and when we do it's usually this time on a Friday afternoon and something is weird.
It depends on the target.
So if you're a financial institution, you're probably going to be attacked by the Eastern European hacker gangs, you know, because they're looking for money.
They're looking to steal money and fraudsters, many of whom are in Belarus or Russia proper or Ukraine.
It's the nation-state threats.
Again, the Russias, the Chinas, the Irans of the world, who are more likely to go against infrastructure.
Those are the ones that we get called in from time to time.
Here's the challenge.
The real good ones, and the nation-state guys are really good, are exceptional at covering their tracks.
Now, they do make mistakes, but they're pretty darn good and pretty sophisticated.
So usually what we do is we're able to find out where they originate from or kind of can deduce where they come from.
At that point, if you say, well, we think it's coming from Ukraine, that's kind of the end of discussion because you either have to turn it over to law enforcement because most of these countries don't have the rule of law or don't have the rule of law in this area.
You really have zero capacity to prosecute or to litigate.
So it's like, yeah, it started off in this country.
Yep, we think it came from there.
If you can get that far.
But the logical outcome is it's a loss.
And we did a little bit of a response maybe two years ago for a water system and a real low-level kind of utility system.
And one of their wire transfer people had actually downloaded what's called a bot, or an automated system, and it scanned her hard drive.
I found out that she was the payment processor.
She did all the wire transfers with the utility, and they, sure enough, went out.
We created a computer overseas and then moved $25,000.
They tried to move $50,000, $75,000, a bunch of other money, and they didn't catch it.
The internal fraud filters of the bank that was transferring the money said, wait a second, this is fishy.
What the guys were doing is they had had a compromised shell account with another bank in Florida.
So they didn't move the money from San Antonio to Belorussia.
They moved it from San Antonio to Florida, and then it was the second one that they moved it offshore.
So that's one of the things that these guys are good at, is covering the tracks and doing multiple hops.
So we can suspect that it was a nation-state threat.
Really, we're less empowered.
So one of the things that's interesting, I think one of the outcomes that... the FBI wants companies like ours to cooperate and say, you know what, we think that this attack happened from Russia, and there's nothing we can do as a consultant and a company based in South Texas.
There's nothing we can do.
So their encouragement is, hey, why don't you cooperate?
At least let us know what this happens, so maybe at the international level we can prevent or warn others.
I see as an outcome for this particular thing less and less cooperation or suspicion between...
Of the NSA thing.
The outcome of the NSA thing is in general, there is no law that compels Denim Group or General Electric or USAA or, name any, in San Antonio Rackspace is here, any of the big companies.
There's nothing that compels me to cooperate.
However, there's an incentive because there's a certain point where we can't do anything.
Well, let's at least let the law enforcement know that we had a loss here and that for insurance purposes we might need to report it with very few expectations to get anything back or even resolution.
That's going to be harder to do now because it's just going to be harder to do.
I think people are going to be more reluctant.
That's one of the weird outcomes.
I don't know if you followed the debate prior to this in BC, but it was all about information sharing.
Can the FBI and DHS share threat information with industry and then vice versa?
Because most of the critical infrastructure in the U.S. is in the private sector, not in the public sector.
So we're going to see things on our end that in aggregate might be a trend that would be very important to DHS. So we'll see something in San Antonio.
You'll see something in the West Coast.
Guys like us are going to see lots of little pieces or evidence that something might be going on.
It is the only way that the DHS or others might see that from a cooperation standpoint is if we cooperate through sharing.
There's groups that do kind of industry sharing with law enforcement.
That might be a casualty of this whole process.
Yeah, that would actually make sense because I think I just wrote a column that ran today on PC Magazine that suggests if anyone should be annoyed about this NSA problem, it should be the Commerce Department.
Yeah, I actually caught that right before, and I agree, and I think this is the second one I would add to this.
So after I read your article, I thought a couple things.
First of all, we don't know all the other things that are going to happen.
Like, we're starting to imagine, what are the unintended outcomes of this?
And I think that's one, the competitiveness issue.
I mentioned it's one thing if Americans are being surveilled by the NSA in North America.
If you have your hosted Exchange in the data center in North America and you're a German company, that's a little different angle, right?
And the second thing is, you know, industry cooperation in general, security cooperation in general with law enforcement and guys like DHS on legitimate issues around critical infrastructure.
Again, most of the critical infrastructure, particularly energy and pipelines and electrical distribution, are in the hands of the private sector.
DHS can't compel most of these companies to share information on vulnerabilities.
So what has happened is that it's very much a one-way...
Well, the argument has been it's a one-way...
Information sharing.
We share with the government.
They don't give anything back to us.
You know, that'll even be worse now.
So, you know, I would add that as issue number two from this security guy's perspective, and that is, you know, an increased distrust or potential distrust between industry and law enforcement and national agencies.
And that may happen particularly in the Silicon Valley companies, I think, who have a more... they have more to lose.
They have bigger brands to lose.
And again, I wrote this piece and I'll have to share it with you afterwards.
We're doing a fun piece for the Black Hat conference coming up in Vegas at the end of this month.
And I came up with a top ten things to ask General Alexander if you bump into him at Black Hat.
So he's a keynote.
He's going out to keynote this hacker conference.
Which is very interesting.
And one of the funny questions, it was all in jest here, but one of the questions he came up with was, you know, ask him if NSA can collect data faster than Facebook can give it away.
So you have, you know, Facebook is, you know, on one end of the spectrum, doesn't have a really great reputation for privacy and all that.
But others have kind of staked out a stronger claim for that.
I think that this casts a doubt on some of those claims.
So the funny thing is, though, you know, again, Americans in the U.S., U.S. companies...
In a U.S. intelligence agency, you know, people have asked me, if you're not doing anything wrong, what do you have to worry about?
It's like, okay, you know, yeah, I get that.
That's always been an argument that's really annoyed me because it doesn't really account for the real problem with the loss of privacy, which is blackmail.
And, in fact, I would have to... one argument is that I don't think there's a person out there that has absolutely nothing to hide, because if you're a human being, there's probably something you've got to hide.
Do you want your medical records out there?
Do you want insurance companies jacking up your rates because they know that you have high blood pressure?
I mean, there's a lot of things that you don't really want in the public domain, including your body measurements, in fact.
So that argument has never sat well with me.
But in fact, even if you didn't have anything to hide, do you think it's okay to have a congressman, for example, that's been compromised through some blackmailing system, and they're voting against what is your best interest?
Is that okay with you?
So you just hit on one thing, and this is the David Petraeus scenario you just threw out, which is, you know, having a relationship with a reporter...
The FBI investigates that reporter because of perceived harassment.
In the course of that investigation, they find out that she's having an affair with David Petraeus.
Well, the problem was it was David Petraeus.
If she was having an affair with you or I, which wouldn't happen, you know, who cares?
But it's with the director of the Central Intelligence Agency, and it's the issue of leverage.
So, you know, that instance was one where I see more of those type of things happening, where they trip across this and they find something else.
I mean...
And here's the other thing I would throw out there, is that don't anticipate bureaucracy's ability to make mistakes on data.
Think of the TSA watch list and travel issues and getting Arabic names right.
Right, or the fact that Ted Kennedy couldn't get on a plane once.
I think this is an important point.
I think our ability to collect data has always outstripped our ability to analyze it and put it to work.
Always, always, always, always.
If you want to draw on another analogy, you look at the U.S. Air Force and the military's ability to collect full motion video with drones out in Afghanistan.
They have apparently years' worth of video that they've never been able to analyze.
Their ability to collect it outstrips their ability to analyze it.
I think that'll be the case here.
The other one that I like to reference is the Mumbai attacks by the Lashkar-e-Taiba Mujahideen guys in Pakistan.
If you've ever seen that HBO video, the documentary Terror in Mumbai, the Indian intelligence actually had the entire operation attack recorded.
They had seeded prepaid cell phones in a bunch of marketplaces in Pakistan, hoping that the Mujahideen would get these things, and in fact they did.
What happened was they used them, these prepaid and seeded phones, as the means of communication for that attack in Mumbai.
Guess what happened?
The Indian intelligence didn't figure it out until after the attack.
They weren't able to put two and two together and correlate that information until after the attack.
So the other side of this is that's what the intelligence guys are worried about.
They're worried about not having access to the data or catching it in time.
It's great to find the guys after they've done something.
Boston, Mumbai, September 11th.
It's another thing.
So that's the other bit of the dynamic that is tough that I struggle with as an ex-intelligence guy.
You're asking our people that are trying to do the right thing, they might be efficient or inefficient, to find needles and needle stacks.
They're making the haystack bigger.
Yeah, they're making the haystack really, really big.
And the question that I ask is, what percent level of protection do you want?
Do you want a 90% guarantee that we'll never have a terrorist attack or 100%?
Because 100% is a completely authoritarian state.
Right.
It's called a risk-free society.
It's impossible.
And here's the other thing.
I've said this before.
If there is another Boston attack like this next week, this whole story goes away.
And the pendulum swings back the other way.
So, I mean, that's the other thing, I think, to realize, is that this is... discussion will continue to play out and perceptions will change depending on current events.
I'm not using that to justify anything.
The other last point I would make is a guy that was part of this community a long time ago.
We're getting the tip of the iceberg, and it's very difficult to make real strong decisions based upon the information that it's getting out.
Now, we have the information that is being leaked out.
Many times it's not within context, so you're kind of getting the tip of the spear.
You don't know whatever.
So that's one thing that I worried about.
Back when I was doing that kind of work, you always would wonder if a certain key event would make it in the news, and it never would.
Or it would make it in the news.
You're like, that's not how it actually happened.
So, I mean, the chance for distortion both from the leaker and the responders is off the charts.
So, I mean, that's the other kind of tough thing throughout this discussion.
But the general fact that this is happening at the level it is is the big, big point.
And now this is a public domain discussion that will happen in a public way, and I think that'll be healthy.
I don't think anybody...
I don't know.
I'm very interested to see how this plays out as somebody, both as a security practitioner, American, and also ex-former intelligence officer.
I can see why some of them...
I understand General Alexander's point.
It's the breadth and scale that is...
Very, very amazing.
Yeah, it's quite something.
Getting back to the smart grid situation, which is something I've always been skeptical of, because it seems to me that your best power grid would be a local one where the guy could throw a switch by hand, or should, as opposed to something interlinked into the Internet.
Which always seemed like a sketchy...
I mean, I like the idea of grids that are not subject to cascade effect collapse, but at the same time, I'm not liking the idea of one giant grid that smart...
because these things are always not foolproof.
What the allure for the smart grid is and the business reason these guys are doing it, I mean utilities in general, electrical utilities, is they are able to dampen demand during peak times in August, specifically July and August.
So if you look at the way you build an electrical network, it has to be for the capacity for peak times, and that's happening now.
If you can go in and dampen demand in certain houses or buildings by essentially, remotely lowering the temperature from 72, or excuse me, raising the temperature from 72 to like 77, you essentially save billions of dollars of electrical infrastructure.
By having to build redundant transformers and redundant lines.
So that's the allure is to basically make every one of these remote devices in the households, every thermostat, essentially an IP addressable device because you can, during the 1% or 2% scenario on the network, you can turn down demand for air conditioning.
The challenge is now everything's an IP-enabled device.
It's a computing device.
And every capability that you create has an ability to tear down or to exploit that capability.
I worry that the headlong rush to make sure that, you know, everything is part of the smart grid is in certain instances is being done with, you know, little consideration with security implication.
The real problem with the electrical guys, too, is who would care to attack or disrupt them from an attacker's standpoint?
It's not going to be the Eastern European hacker gangs.
It might be Anonymous or the hacktivist gangs.
It would most likely be a nation-state threat.
And I got to sit through an interesting session in D.C. back in the January-February timeframe where a bunch of industry folks were talking to Representative Mike McCaul, who's chairman of the House... well, he's responsible for cybersecurity things as chairman of the House of Homeland Security Committee.
And one of the attendees was a vice president at the electrical company there around D.C. She said, when we get brought down by a nation-state threat, who is going to knock on our door?
I mean, of the 20 federal agencies that knock on our door, who do we listen to first?
NSA, DHS, FBI, NERC, FERC. She just went down this list.
And the point is that if you're a federal, if you're the electrical people around D.C. or other critical areas, you're planning that this might happen.
And if they do happen, it's going to be the Chinese, or it's going to be the Iranians, or it'll be a nation-state threat.
And when that happens, there's a mismatch between the sophistication of the attackers and their ability to withstand that.
And so that's something that has a lot of people concerned.
Again, the private sector controls most of that infrastructure, and it's a fairly abstract and maybe distant threat.
But when it happens, it'll be those guys, and that'll be real tough.
It's nothing to look forward to.
In your dealings with some of these agencies that you bump into quite often, I'm guessing, I used to work for a government agency and it was a regional agency.
And kind of the rule and what kind of worked the most in terms of our thinking was the regional agency was very, very good.
And then when you went to the state version of the same agency, which oversaw everything else, they were kind of dumb.
And then when you took it one layer higher to the feds, they were to the point where they were essentially stupid.
And of course this is reflected in a lot of TV dramas and the rest where you have the idiots from the FBI, let's say, interfering with a police investigation in some cop show.
What's your experience with these agencies without naming any of them?
Or you could if you want, I don't care.
I would say pockets of excellence and then pockets of incompetency, too.
Particularly in our area, the cybersecurity area, there is thin talent across the board.
So you'll have some pretty sharp folks.
I would say probably like the FBI. I imagine in the FBI San Francisco Bureau, they've got a pretty crack team.
If you go to other places, maybe that's inconsistent.
And I have a general rule of thumb.
And this is not fair, but a general rule of thumb in Texas is that if I'm doing security incidents, I'm not going to call law enforcement guys with cowboy hats.
And that's not fair.
But I'm assuming that if you're a county sheriff that you probably...
are not a crack forensics guy.
That is probably not fair to them, but it's probably true.
So what the impact there is we tell our clients, step one if you're having an incident is not to call law enforcement because once you engage them, they treat this as a big deal and you have to kind of think and be ready to manage them and interface with them because, you know, their goals are different from your goals, and it changes things.
So, like, they come in and, oh, we got the FBI. They're trying to find out who did what to whom and prosecute, and you're trying to get your network back up and running.
Those are not the same goal.
So again, widespread talent level.
Same thing with DOD and DHS guys.
There's some super sharp ones that we work with and then a full spectrum after that.
I don't know if that's a nice way of saying it.
Yeah, well, that's, I would think, would be the litany with anyone who works for the government.
I didn't see, like, at the local level, I've never, I've not experienced that, where at the local level they were fantastic and then they were dumber the higher up the food chain they went.
I've seen some pretty sharp ones, well-meaning, and then, but just inconsistent because this industry has grown, or the demand for the talent has grown, where the, you know, the amount of people doing it has remained not too much different.
Yeah.
Well, I think the difference, I think insofar as my thesis, which is local smarter than the bigger it gets, the dumber it gets, is I think valid based on specialty type of agencies.
So if you had a local cyber terrorist threat operation, which may be actually represented by a small company like yours, that would be ideal.
I don't think you can generalize about, let's say the health department also can't, which would be a small local health department, which would not really do well with the police either.
No, I think in cybersecurity stuff, it's the opposite.
I mean, the higher up the food chain you go, the more likely they are going to be real technical and pretty sharp.
San Antonio Police Department and the County Sheriff probably have one or two guys that are okay.
What I would see, and I would confirm with you, is there is a chasm between the private sector and the public sector in general.
I mean, most of the hardcore talent is probably working at the banks and the commercial entities.
That's somewhat reflective of salaries and ability to keep guys like that happy, but I think if you look, there is a gap between the private and public sector on talent, big time.
If you think about it, if you are a security person, who's getting attacked most of the time?
Many times it's the banks, and they have some of the interesting work to do.
I've seen, for example, the head of Bank of America's group is an ex-Air Force guy.
The head of the Sabre and Travelocity security group, ex-Air Force guy.
A lot of these guys migrate and end up there because it's interesting work.
They're always under attack.
And oh, by the way, the compensation is pretty darn good, too.
Yeah, I would suspect so.
And that's where all the money is, and that's where they have to have the talent.
Yeah, and they're constantly under attack.
So it's not like it's a boring, you know, hey, quit your great government job for a boring, you know, job in the private sector.
No, these are pretty dynamic jobs.
Is there anything else?
What else do you guys work on at the Denim Group?
Well, again, we are focusing on the whole area of software security.
So it is the issue of helping people build the software right the first time.
And so we're always spending time prospecting.
So you're working at the development level?
Exactly, at the software development level, both in mobile and in mostly web applications.
So like T-Mobile would give you guys a call and you'd help them put together some app or what?
Yeah, mostly big companies like that.
So the big companies that are looking to extend their reach out to Android and iOS apps on the mobile side or web applications on the website.
So the key, what we try to do is help them do it right the first time to build secure and resilient apps so they don't get this stuff and put it out and just get their teeth kicked in when it's published.
And you see all these vulnerability reports and all these things.
Oh, these guys put this up and they got, you know, that's what we're trying to do is show them how to do it the right way the first time so that they don't go through that process.
How secure are these mobile phones?
You always hear about, oh, well, you know, they can turn them on remotely.
Wow.
That's a great question.
Well, it depends.
None of them are created equally.
I would say that the interesting thing is that iPhone and the Apple devices have a closed system.
So it's kind of a little bit more of a known in that the handset and the operating system is created by Apple, made by Apple, put out there.
So there's a little bit more regimen to that, and they have to go through, you know, apps have to go through some process, not really rigorous, but they have to go through a process to get on in the iTunes store.
The Android side, it's a little bit more wide open.
There's a wider spread.
There's some secure implementations, and there's some that are pretty wide open, and you've got every device under the sun.
The bigger challenge that we see now is, again, how do you understand what the software is doing on your device?
Is it actually sending data or location data that you don't know?
What is it doing?
In fact, when you load almost any of the apps on these phones, they essentially ask you to turn on everything.
That's by default, and that's bad.
So what's happened right now is I'm not going to know.
You're not going to be able to know, hey, what is this software doing on my phone?
Is it secure?
Is it creating a risk for me?
Is it sending data that should be?
You don't know that.
So what's happened up to this point is people are trusting the brands.
They say, look, that's an app from Wells Fargo or from Bank of America or from USAA. I know those guys.
They are a trusted brand.
I like those guys.
I'm assuming that they've done the right thing and have checked the security it is.
So that's the proxy up to this point has been the brand more than the actual software itself.
So there's no rating scale, like restaurant rating scale.
There's nobody auditing these apps.
And kind of the joke about the iPhone world is that Apple checks for a set of things to make sure that, number one, that you don't actually blow up the phone network, that you don't put on objectionable material, and most importantly, you don't compete with Apple.
So that's what they're checking for.
They're not checking whether or not there's backdoors there.
You're surreptitiously sending data to somewhere offshore.
It's not doing any of that stuff.
It just simply is not.
All right.
Well, I think that should wrap it up, unless you think there's a question I should have asked.
No, John, I enjoyed it.
And my thoughts on this whole NSA, Eric Snowden thing, continue to evolve.
And I think there's a lot more that's going to come out, not only in the data that he releases, but probably more importantly, the unintended consequences.
And I think your piece on the economic competitiveness one is just one facet of that.
So, I mean, I'll continue to write about that and think about it.
And like I said, I'll...
I'll make sure to give you my two cents from Black Hat when we're out there in three weeks.
Yeah, I'd be very interested in what happened.
Okay, John.
Okay, thanks.
Have a great weekend.
Yeah, same to you, John.
Bye.
Thank you.
Bye-bye.
That was John Dixon of the Denim Group, also a security guy that felt like chatting about the NSA with me, and I appreciate that, and I hope you guys enjoyed that.
I enjoyed it.
Yeah, I bet you did.
In Florence.
I would enjoy anything in Florence.
Hey, you should have come in to visit me.
I can't believe that you're in Detroit right now.
Well, since I'm on tape, digital tape, I'm really not in Detroit, but hopefully I will be.
We're going to be back on Thursday, August 1st.
I will be back in Amsterdam, back in the ghetto, somewhere three stories up, but we're going to have a whole bunch of stuff to talk about.
Live show.
We have like a week's worth of material you're going to gather throughout Europe.
Yeah, I'm going to have a lot of stuff to talk about.
Yeah, no, I'll have a lot of stuff to talk about.
And you would have gone to the party by then.
The party?
With the elites.
Oh yeah, no, no.
The party with the ambassador of Barbados and all that.
No, no, it's going to be cool.
We'll have tons of stuff.
Right, guys that have narcolepsy and all that kind of thing.
Sounds exciting.
Make sure you support us by going to Dvorak.org slash NA. You can get in for an executive producership or associate executive producership or even an episode club membership.
We look forward to talking to you then.
And until then, coming to you from somewhere in Europe on my way to the lowlands, I'm Adam Curry.
And from northern Silicon Valley, I'm John C. Dvorak.