CYBRARY PODCASTS

Ep.24 Josh Lospinoso | Encryption and Backdoors Pt 1

In this episode of the Cybrary Podcast, we sit down with Josh Lospinoso, the CSO of Shift5. Speaking with Mike Gruen, the CISO of Cybrary, and Jonathan Meyers, the Head of Infrastructure for Cybrary, they talk about a wide range of subjects including encryption and government backdoors.

Hosted by: Mike Gruen, Jonathan Meyers, Josh Lospinoso
Length: 43 minutes
Released on: June 24th, 2020

Summary

Mike Gruen, CISO of Cybrary, and Jonathan Meyers, Head of Infrastructure of Cybrary, got the opportunity to interview Josh Lospinoso, CSO and co-founder of Shift5. Josh talks Mike and Jonathan through his experiences as a tech and a business leader.

At the very beginning of the interview, Josh briefly introduces himself. He graduated from West Point in 2009 with Jonathan and went to the UK to go to grad school. Later he spent eight years in the Army and co-founded Shift5 with Michael Weigand and James Correnti. Josh has a book out about C++. They talk about his C++ book, how he got into C++ from Java, and his experiences as a writer. Josh also introduces Shift5, which offers products that defend planes, trains, and tanks from cyber attacks. Shift5's product is similar to Wireshark, but for CAN.

During the interview, Josh shares his thoughts about vehicle buses, the data that runs on them, and how to protect it. In this context, they talk about embedded computers, IoT, and traffic encryption. They continue their discussion by exchanging their views on backdoors, which Congress tried to put into law. Josh, Mike, and Jonathan agree that backdoors required by law enforcement do not increase security but decrease freedom, and that these backdoors can be used by malicious actors as well. They agree that there is no need for built-in backdoors, as governments can wiretap criminals, read their mail, and open locks and safes without backdoors.

Josh also talks about strong encryption, like TLS. The vulnerability of DNS also comes up: plain-text DNS queries can be hijacked and intercepted. The solution would be encrypted DNS, DNS over HTTPS, like the DoH project on GitHub.

Mike talks about how cable companies caught people who were stealing cable.

Transcript

Josh: Sure. So I'm going to read about myself in the third person.

Jonathan: Would you just tell us who you are, Josh.

Josh: My name is Joshua Lospinoso.

Mike, Jonathan: Hi, Josh.

Josh: I am a co-founder of Shift5 who defends planes, trains, and tanks from cyber attack. Know if you knew you could hack a plane, but you can. I graduated West Point 2009 with Jonathan over here and went to the UK to do a grad school, and then spent eight years in the Army as a Cyber Officer making cyber capabilities. And then recently got out and co-founded Shift5. I have a book out, C++ Crash Course, because the world needed another C++ book. And yeah.

Jonathan: Why C++ book?

Josh: So, when I joined the Army Cyber Commands and started doing security-related things and had like a Java background, a lot of enterprise engineering GE knows a lot about it. And so, you know, understood programming reasonably well, opinions will differ there. And when I came to systems programming, like the things that run our operating systems and low-level computers and things, for the most part, you can't write programs in Java anymore. You have to take more control over what's going on. And so C++ was kind of the lingua franca and the shop that I was in. And I was like, Oh, how hard could it be? The syntax is pretty similar. It turns out pretty hard as the answer.

Mike: Yeah.

Josh: And the problem is like the language has been around for 40 years and like, it's evolved a lot, like C++ 11 came out in 2011, kind of changed everything, and so you have all of this book material that it's not clear to the beginner, what's the old stuff, what's the new stuff. And like the language is really complicated, because all these things nest together. It's to give you like a really powerful presentation, but...

Mike: Yeah, I mean, just to stop there, we took, I learned C++ in college.

Jonathan: But I learned this in high school.

Mike: Well, good for you. But we learned C right then, and then we learned C++. And so the C++ that we were learning was more of a bastardized version of C. So just the evolution. It's not just like C++ it's also all this crap that you bring along from C that's still sort of there.

Josh: Absolutely. And it turns out that all the old stuff is like, kind of an anti-pattern now.

Mike: Oh yeah.

Josh: You know, and so like the point of the book is to teach modern C++ directly to people that like to learn kind of brick by brick and like you don't have to learn the evolution of the language it's made for people who already know how to program. And so like, if you're thinking about getting into low level cyber security or embedded controllers or writing any kind of system software. This is like a book for you. If you already kind of know Python or Java or pretty good programmers, it is.

Mike: Yeah, know, I think it did C++ a huge disservice the way that we learned it.

Josh: Totally.

Mike: That order made it very difficult to discern. Like it's not, you're not approaching it as an object oriented program.

Josh: You got it.

Mike: Which is why when at my first job we did C++, and just wrote C like that was.

Josh: Right. It was right. Cause if you're going to write that way, like just write C, right?

Mike: Yeah, for sure. Exactly.

Josh: So, yeah, I will say like writing a book is a terribly painful, lonely process. I've read a couple of blog posts about how much effort is involved in doing it. And I was like, yeah, I'm sure it's not that bad. And like, it's that bad. It just takes an inordinate amount of time to put book material together.

Mike: What was not necessarily the worst part, but the most surprising part.

Josh: The most surprising part was how terrible I wasn't writing. So you go through college and you write thesis and papers and all this kind of stuff. And especially like when you're writing for an academic audience, it's like, okay, to be super in the weeds and kind of out of order with things. But when you're writing a book, so they have this job that I never knew existed called a developmental editor. So these are people with a really their brains work in a really strange way. Like they're not necessarily super technical, but they can read technical writing and tell you how your presentation is off. Like they, that makes sense. So they can like read through and they're like, Hey, this doesn't make sense. Like, it's almost good that they're not subject matter experts because they can just kind of like, be like, this doesn't make any sense. We write this. Or like, I recommend that you shuffle things around this way. Kind of like a, yeah, so I mean, like I just, the first hundred or 200 pages I wrote like the development managers, developmental editors just like sent it back with like dripping and red pixels. And I was just like, I'll never, I'm never going to finish this because I'm a terrible writer and you just, I think you, you really learn how to write in this way and now it's like, I'm ruined reading other books cause that's like, yeah. So, so anyway, that's kind of like the hardest part of writing a book is the writing part. It turns out.

Jonathan: Surprisingly.

Mike: Cool. So what do you guys? So what's the company that you're doing?

Josh: Yeah. So, I see. So to answer your short question and the most long winded way possible...

Mike: You definitely wanna start off with an introduction that uses even more words to say that it's going to be long.

Josh: Yeah, yeah, exactly. So Mike and James, my two co-founders, are also Army Cyber Officers. And we met at the Defense Digital Service, which is an organization in the Pentagon that like they hire people from private industry and to government to just kind of throw hand grenades everywhere and like fix all the terrible IT infrastructure. And then kind of like going back into private industry. It's like really, really fascinating. Healthcare.gov was like the first example of this, they hired a bunch of people from Silicon Valley, like know how to make websites.

Jonathan: And fix it.

Josh: Yeah. Fix it,

Jonathan: Fix it. Not to do it.

Josh: Right, right. Yeah. Right, right. So I met Mike and James at Defense Digital Service and they were working on some really interesting projects where in my previous experience hacking meant like you look at it systems, information technology things that help you make business decisions, laptops, iPads, these kinds of things. These guys were looking at weapon systems and operational technology things that manipulate the physical universe, they move around the robots, they transport people there, satellites doing all sorts of crazy stuff. And it turns out these things these days for economic reasons have tiny computers all over them. You look at a modern car and there's like a dozen, two dozen computers that are actually driving your car. Like you, when you press the gas pedal, it's not actually putting more gas directly into the engine. It's like, there's a computer. That's mediating, all that. So we spent a couple years just kinda tearing things apart. Because there's no security built into any of this stuff. And we decided like, okay, I mean, I think someone should probably make some cyber security products to help defend this infrastructure from cyber attack, because there's, there's nothing. And so that's what Shift5 does. We have products that defend planes, trains and tanks from cyber attack.

Jonathan: Cool.

Mike: Yeah. My favorite Black Hat talk was by the car hacking guys. I learned a lot and was actually just applicable in general engineering about.

Jonathan: How many years ago was that?

Mike: Three, four years ago.

Jonathan: Yeah. I mean, how do you think the security is adapted in those three to four years, Josh?

Josh: It's not gotten better.

Mike: I mean, there were, I know that it got better prior to them. Like there was a while there that was really bad. And I know that they've been, there's a lot of people that have been working with Detroit on some of this stuff, but...

Josh: Totally, totally.

Jonathan: Yeah. But I mean, I think we were talking about this earlier. It's like, there's this fundamental, like missing information. Like we as technology people and like IT, and software engineers, like we've been on this path to like securing things. And like it's now basically baked in that everybody is thinking about cybersecurity and like everything we do, like multifactor, like all of these things have been added along the way. Whereas it seems like this kind of stuff was kind of forgotten. And those people that were kind of building and doing these systems were so siloed off from like the rest of the world that like nothing ever got done.

Mike: Well, I think, right. I think there's also other reasons for that. I have a friend who works putting satellites into space.

Josh: Right.

Mike: They have like cutoff dates on technologies and stuff like that. So right. You want to make sure your satellite, you can't go with the most bleeding edge stuff with a satellite. You want to go with the stuff that's been tried and true. And if it was written in the seventies, it's tried and true, but it's probably not secure or as secure as it should be. And I think that there's, I think you're right. These systems, especially when you're talking about planes and cars where people's lives. They don't necessarily think the people who are responsible for you for things are not necessarily thinking about it from a cyber security aspect, but from a no, well, like why would we put something new in that's just probably a smash.

Jonathan: Why would we send these commands not plain texts?

Mike: Well, I mean, there's all kinds of things. I mean, right. The message bus on a car, right. It's really interesting. Like the replay attack stuff was really interesting how they can, you can just write, you can get ahead of the messages. Exactly. Do all kinds of things.

Josh: You can block messages. It's a single violation domain. So yeah. I mean, to your point, the Boeing 737 MAX 8 crashes, right? Like you have an aircraft that they strap these huge engines to, right? Big deal. They have to put these like nose cone sensors in to see whether it was going to go into a stall condition and it turns out that safety devices, the thing that crashed these aircraft.

Mike: Right.

Josh: Right. Faulty sensor sends bad messages on the bus and hundreds of people die. So yeah. There's definitely a conservative nature to like the technology that we put on IoT. And I think generally that's great, but for security, like if you have an active, like attacker against one of these systems, it actually creates an environment where it's incredibly easy to do devastating things.

Mike: Right. And you can be pretty sure that car is going to be on the road for how many years thinking about cars or planes. They don't get a lot of updates. Like it's not like somebody's patching the, like going to do a firmware patch on all of the computers in the car.

Jonathan: So it's like Tesla was the first car company to do that. And that was. That blew people's minds. When, what was that? Like two years ago they patched it, like somebody at Black Hat, like did the exploit on the Tesla and then what did they say? Like 24 hours later? Like all the Teslas had been patched and it's like that, that was like mind blowing that you're like, Oh, but that's like normal, when you talk about computers and IoT devices, you're like.

Josh: Oh yeah.

Jonathan: Firmware update just happened. Like...

Josh: Yeah, sure. Why are they different? Is the big question. Cause there's like a convergence with things that run IT and things that run IoT these days, hardware is incredible. Like the microcontrollers you can buy for a dollar. Like they're insanely powerful. Like you program them in C now. So like software people can now like access things, like look at Arduinos. Right, right. Field programmable gate arrays through these little chips that you can write software. So that the thing acts as hardware, it's like, it's amazing. We're in this amazing world where there's like a convergence of all this stuff. And I think all the lessons we're learning from IT, like we have to bring those into IoT, not just security, but also DevOps stuff. And like just continuous integration and deployment. Like I think embracing those concepts will, will help to make things safer and more secure. For sure.

Jonathan: Yeah. I think we had Casey Ellis, the CTO of Bugcrowd on the podcast. And he was talking about this, that the problem is a lot of this stuff like this infrastructure and like, things like that, like they were never meant to go online. Right. And so it wasn't really a big concern, but what do we do now? We slap a layer of technology and like, Oh, now it's online.

Mike: Right. Let's put a cell phone in here so that we can connect sort of those thinking connect to the internet inside of your car. And yeah.

Josh: And it's not just like the OEMs that are engineering and Internet onto these things. It's like third party stuff that we're putting on our cars. I was telling Jonathan about, if you go on Amazon, they have these like fleet tracker things. So you can like tell where your nanny's going, like in your car. There's just like a hundred dollar port cheating husband or cheating husband or whatever your, whatever. You're like...

Jonathan: They're both in the car together, but the car to get you exactly.

Mike: That's, you're tracking them at the same time.

Josh: At the same time would win two for the two for, so you can buy these things for like a hundred bucks. They have 4G, LTE, GPS and they're connected to the CAN bus in your car.

Mike: Right.

Jonathan: And what's the CAN bus.

Josh: The control area network in your car is the collision domain. It's the network that all of the devices that operate your vehicle communicate on and it's completely unsecured. Um, you...

Jonathan: When you say unsecure, you mean like plain text? Like I could hook anything up, but just read it. I don't get to.

Josh: You can take over the bus.

Jonathan: I don't have to break ciphers. I don't have to.

Josh: It's like ethernet and well, it's like ethernet.

Jonathan: So I just throw like Ethereal on there or it's not called Ethereal, they changed the name, like 10 years ago. Fuck Wireshark. Yep. You just throw Wireshark on there and you just, you're just going to that's it.

Josh: Yes. So Shift5, one of the products to totally show it's like a Wireshark for the bus, right? So we do full take packet capture so that you can actually do incident response on these things. Yeah, because there's no encryption and there's no security whatsoever. There's no attestation like, yeah, it's pretty terrifying.

Mike: The way your speedometer knows how fast you're getting the wheels of just sending messages going 75, going 75 going 75. Turn it.

Jonathan: I fell off. I fell off.

Mike: Turning 45 degrees, turning 45 degrees. And it's just these replay messages. Right? They keep sending out more as the thing is going, it's just constantly reminding the runner.

Jonathan: It's like in your basic X class, when you finally learn how to do the servo or not X but EE when you got the servo motors all wired up and it's just sending that same signal every time it's doing. That's how it's doing it.

Josh: No, it's a perfect analogy because like, even on circuit boards, the way that all these like microcontrollers communicate these days is a serial protocol, like SPI ITC, CAN is just another serial protocol.

Mike: Right. And I think that the lesson that I took away from the car hacking thing right. Was. A lot of people approach these things, those systems as well, who's going to get access to this bus. Like it's just this considered, like we have a, we don't really have to worry about it cause it's a contained unit. Nobody's gonna have access. And so when we were read out, we were talking about our ingested pipeline and all of the messages that we're going to be going around. I was like, well, clearly they're like, we can't just assume that there's not going to be something nefarious on this, on the essentially the same type of message and resending things and inserting data into the stream.

Jonathan: Yeah. But I mean, even from an information technology security perspective, like. Five years ago, maybe 10 years ago, we used to be like, Oh, is there a gap? This mine? Yep. So like, even like, we were like, right.

Mike: It's aircraft, it's fine. But you don't realize down the line that somebody is going to put OnStar on there and allow somebody to call your call and luckiest doors.

Jonathan: Shut the engine off. And you're going 85 miles an hour. Cause your dad says you're out past curfew.

Mike: Well, first you have to put it into test mode and then you can, they did pass that. The part in the beginning could just be, you had to do whatever weeds.

Josh: Yeah. I mean, it's one of my favorite things like on the offensive side is if you have, we call it eggshell security, it's like you're, if your defense is the air gap. Like you've made my job very straightforward. Right. Because once you compromise the air gap, it's game over. I think modern IT cybersecurity practices, you have defense in depth, right? Like you, yeah, sure. Like do security through obscurity. That's fine. But like, don't rely on that and also have a strong perimeter you need to monitor for continuously for compromise, assume compromise zero trust networks.

Jonathan: So you're trusting your hardware. Yeah, sure. Sure it was, that was big last year at Black Hat. Not well, two years ago. Yep. This year was all military grade.

Mike: Yeah. I don't know what that just means you can drop it and it doesn't break or does, especially you couldn't drop Toughbooks. Could you.

Jonathan: I mean, I dropped one. It didn't, maybe I dropped it a little high. Well, I left it on the hood of a Hummer, drove off.

Josh: Yeah. Yeah, totally. So, I mean, I think it's easy when you live in the security community to be a little bit of a security nihilist. Right. But that can't be the right answer. Like we rely on these things every day. And so I think we're getting better every day, especially in the IT world. It looks like we trust some of our most important relationships online, and we've figured out a way to make something that was not designed with security in mind. Like how IP networks work. And we've figured out a reasonable way to secure that.

Mike: I mean, I think that's right. The whole internet from day one was academics. If you look at every single thing and in the early days, right. It was like, well, why would some, I remember reading about email. I was like this idea of like, well, why would somebody fake an email? Like what horrible person would do something. And so exactly email doesn't have security built in and you go all the way up all the way down, all the way up on it. In the internet and it's...

Jonathan: So do you think we're going back down the slope with Congress trying to put in intentional backdoors to all these types of software? Like, I mean, that seems like a scary idea from a security perspective, but like Congress is much more of an expert on cybersecurity than I am. So like, I trust that they're doing the right thing.

Mike: Well, I mean, obviously there's some way. For technology and government to work together to create secure back doors. Right.

Josh: I feel like you guys are trolling me. Right?

Jonathan: Well, I mean, the government did great, right? Cause like your startup is not about trying to protect these equipment systems that the government has. Right. Cause their shit's all secure. And this is about like commercial stuff, right? Like...

Josh: I mean, so to try to be balanced about this, I mean, I. I think once that San Bernardino shooting is when, like a lot of this stuff keeps me into the light. Right. There's that iPhone that Apple refuses to, so like we just asked some Israelis to look into it and they figured it out.

Mike: But I think they already knew how it wasn't the government didn't want, because then...

Jonathan: Oh, it's going to take me 30 days.

Mike: It wasn't about that. It was that they want to be, they don't want to reveal how they did it so that Apple can't patch it. And if it's in a court case, then they have to reveal it in testimony.

Josh: Right. Right. Absolutely. So like I understand the lay person, it seems really, it doesn't make sense. Like encryption doesn't necessarily make intuitive sense. And I could, I can see a lay person asking the question, like, well, look like we're just trying to keep people safe and like prosecute pedophiles and chat terrorists and these like really bad people. And your technology is enabling them to like, have the safe haven, like what the hell, you know? And then I think sometimes we who know a thing or two about cybersecurity and encryption have a tendency to just say like, you're totally off base. Like, you just don't understand how this works and it comes off very like, it doesn't lend itself. Yeah, exactly. It doesn't lend itself to like, understood shared understanding and compromise, right. The prop now.

Jonathan: And it's also very complex, like talking about encryption, like to actually understand what's happening and things like that is very complicated, very calm. Like you have to be pretty good at math to actually understand.

Josh: Super either. You're super, super good at math, or like you just memorize what the super, the people who are super good at math, like sort of conclusions are. And then you're like...

Mike: Okay, this guy, I just memorize what other smarter people than me have figured out.

Jonathan: Exactly, the Bitcoin.

Josh: It's like Bitcoin. But it's basically, I mean, the fact of the matter is math doesn't care, like who you are, like, whether you're a law enforcement agency or you're like a criminal, like a...

Mike: ...or a state actor.

Josh: ...or a state actor. Right. It just doesn't make mathematical sense to say, well, we're going to just put a back door into this encryption that only the good guys will be able to decrypt. It just doesn't, it doesn't shake out that way. And so...

Jonathan: I mean, are they talking about that in Congress? Like the US using our backdoors against other nations?

Mike: All kinds. I mean, they're already using pact. I mean, that's the thing, right?

Jonathan: No, but I'm saying like, if they're mandating that we put in these back doors and then like, right. They're like, Oh, we're no longer friends with Japan. And then they're just like, Oh, well let's exploit all the phones that we have backdoors.

Mike: Do you think that there's any, I don't think they're talking about it from nation to nation. I think they're really talking about the FBI law enforcement level of, Hey, we know there are these people in the class. That we want to be able to, what I'm saying? Like slippery slopes, like in the old days, right? Like if they were doing it all through mail and locked safes, we could crack those. We could, we didn't need some backdoor into it safe. We could actually just open a safe, like there's ways to always do that, or open people's mail or tap a phone. But, and so, I think law enforcement has this. This is the way we've always done it. So we need to be able to continue being able to do what we've always done in this new encrypted world. So please go ahead and give us the ability to wiretap an encrypted conversation.

Josh: Yeah. I think you're totally right. Like they just, the way the government has historically operated, they have a monopoly on force, right? Like overwhelming forces is how they solve these problems. You get a warrant, you can bust someone's door open and do whatever, but. Like cybersecurity and technology as this, it's a level playing field where, I mean, if you look at the tactics that law enforcement agencies use to spy on people that have good encryption, like they're putting implants on people's phones.

Mike: Right.

Josh: And so like rootkits and like, so you're using the same exact techniques as criminal enterprises who are stealing Bitcoin or whatever. You just have different intentions. I think it's a very uncomfortable place for law enforcement to be, cause like as to your point, like they just, they're used to being able to do whatever they want as a matter of course.

Mike: Right. I always think of the XKCD with the wrench and the...

Jonathan: Do you think part of the problem is that the people that are kind of in charge and kind of making these decisions are, I don't want to say like too old, but like. They're so removed from this because like, for like you and I, at least, and possibly Mike, cause you've been doing like cyber, like you've done like computer program and stuff for like almost your entire life, basically almost.

Mike: More than half of my life.

Jonathan: Right. But like where Josh and I grew up and like I'm saying like younger people now, like grew up with an iPhone when they were one. Sure. They were playing games on iPads and like, so there's this different understanding of kind of like what's possible. And like, I kind of, it's similar to kind of like what a lot of people face in the military and like why they kind of get out and things like that is like the people that are making these decisions just don't like to innately understand it enough. Right. And like, I don't know if there's a person that could spend enough time to overcome that innate knowledge where it's like, we've just been using it for so much longer that like these people are kind of so far removed that it's like a difficult thing in their mind to even consider the other side.

Mike: I mean, I think it's different than that. I think that the there's in my mind. Right. It's not just the, like the okay, Boomer type responses to people. Right. I think it's, I think it gets more into the, this is how we've done it, and this has worked and we don't see a world where we can do it any other way. Like, I don't think that there's enough people at the highest levels, really looking at well, like, Hey, how can we do this in a way that really works as opposed to trying to just force or enforce the same things that have always worked in the past. When you have somebody who used to be a prosecutor who is now in Congress, and I'm not suggesting and realize that that's a topic now, but that's not where I'm going. Right. And now they're there. They know what worked for them when they were a prosecutor 20 years ago. So I think there's some of that. I think there's more of that than people not really understanding what's capable and what's not capable. I mean, that's clearly part of it as well. I'm curious what your thoughts.

Josh: Yeah. I mean, I think we've just, we've lost a lot of the ability to see where the other side is coming from. And that doesn't get better. When there's a very technical subject involved. So if you're, if you have technologists on one side and you have like old fuddy-duddies on the other.

Mike: Or just lay people in turn...

Josh: Or the lay people in general. Yeah. It's, it's like, we're, we're already in an environment where it's very difficult to talk to each other and come to like some reasoned agreement on both sides. Right, right. But it makes it all that much more difficult because you just...

Mike: I think it actually makes it more difficult because one of the things that it just occurred to me is, so on the one side you have these very technical people trying to explain something technical, to lay people that are...

Jonathan: Maybe not the most receptive.

Mike: Or not just not receptive, but also at the end of the day, like they, it just doesn't matter. Like I don't get it. I don't understand that. If you can do that, I don't understand why they just don't have that level. Right. But the other side, the technical side, probably can wrap their mind around what the other side is trying to say with regard to like, well, no, I get it. You want to stop criminals and blah, blah, blah. So it comes off very dismissive and arrogant from the technologist side to the layperson side, because the lay person's side is much easier for anybody to understand what the intent is. And then you're just basically the technology side frequently just sounds like. No, you just don't understand.

Jonathan: We probably, it's probably super frustrating too, because it's, you're trying to have like the conversation and discussion, but nobody is like close to your level to actually have that kind of conversation. And so you're trying to describe it like a very high level and they're just the ones they keep bringing up are super, super bottom level. And so it's probably super frustrating at that point.

Mike: I mean, I love listening to Congress. I listen to C-SPAN, I'm one of the few people.

Jonathan: Do you, one of the four Watchers?

Mike: Oh no. I listened to it in the car.

Jonathan: Oh, whew. So I mean...

Mike: No, no, but what's interesting, right? I mean like just the way they ask questions, I think sure. C-SPAN in general. I mean, I'd love it because it gives me access, but I also, I think, changed everything because now people are going for sound bites. Right? So you have these people that are now testifying and people who are asking the questions have an agenda and they ask questions in such a way that it's like, I'm sorry, I can't, there's no right answer there isn't an answer. The way you phrase this question, it's like...

Josh: When did you stop beating your wife?

Mike: Exactly. That's the question. When did you stop beating your wife? It's like, how do I answer that? And so. And there's nobody there to say, like I object...

Josh: Right, right, right. So Twitter hasn't made this better. Right?

Mike: Right. Exactly. Nothing.

Jonathan: One. I mean, I don't think, I think the whole, like Zuckerberg in front of Congress didn't make it any better either because you were just like, wow, you can't even, like, it's hard for you to grasp, like when Facebook is literally just talking about like our messages are encrypted and they just don't seem to like, know what the word encrypted means.

Josh: Right.

Jonathan: And like, I be like there's no hope for like a more technical...

Mike: I mean, right. We're now in this, like this already adversarial space.

Jonathan: Right.

Mike: And yeah. There's no, you're not going to bring in a blackboard and start teaching. Yep. So I know that there's a lot of staffers behind the scenes. There's a lot of people that are trying to inform on both sides. You look at it then there's plenty of organizations out there that are trying to work. I mean, most of what happens in Congress happens behind closed doors at staffers, talking to staffers, talking to, you know...

Jonathan: Well, I mean, if we had the encryption backdoor, we would know what's happening behind these closed doors.

Mike: I mean, I feel like we don't need the encryption backdoor because I mean, it's, we know the government and it's super secure.

Josh: Yeah. Yeah. I mean, the other thing is like, look at you. You can't once we know these things about math, like you can't unknow them. And so like you can mandate all these what are essentially weakening schemes to like the cryptology, cryptography we use. But at the end of the day, like people who are breaking the law anyway, they're going to use whatever strong encryption is.

Mike: Right. I mean, why wouldn't I, why would I, I just will choose not to upgrade, right? Like the signal right now. I know it's secure. I can communicate securely using that.

Josh: Exactly.

Mike: Never going to change it to some less secure system. You know what I mean?

Josh: So it's not even clear, it's just not even clear to me what the point is. Like, not even arguing that this is a bad idea. It is, but it's not even clear to me like what the government is trying to get out of it.

Mike: I mean, it gets back to the, I mean the other side, like the gun lobby, right? Like, Hey yeah, if you want to do it, they'll know that if we do all of these things, then the only people who love guns are criminals. It's the same sort of thing. It's not really gonna solve the problem. So let's take a step back from that. Let's not talk about backdoors and I mean like what are some, do you know of any ideas or schemes that are possible that are maybe discussed in terms of other solutions, aside from...

Josh: Hack your kids and hack hack the endpoint.

Mike: I mean, I think about like Tor, right? I mean, there's a lot of, well, first of all, we know that there's a lot of government nodes, but let's forget about that for a second. People think that because they're using Tor, they're anonymous, they get in. If you don't know what that is, I recommend you just, if you don't know what Tor is, just go online and Google Tor browser.

Jonathan: Duck, duck, go ahead.

Mike: Yeah, that's right. Please. Duck, duck out. That's actually. Yes, facts. So. But you can do signal analysis to figure out, if you, over a long enough period of time, you can see, well, these are people going into this black box and these are people come, and then we see signals coming out of that black box. And based on, certainly we also, we can sort of reasonably say like, Hey, whenever this person's ongoing into it, we see these signals coming out of the black box. And so given enough period of time, you can sort of analyze what's going on and you don't actually need it. Any access to that black box to absorb...

Jonathan: I mean, governments have been doing that for decades, right?

Mike: It's again, human right. I mean, it's the same principles that we apply to astrophysics. Right. We can't see a black hole, but we can observe totally presence. So are there like assume encryption's a black box, right? Like, let's just take that as a given. What are things that we can do? I'm curious if...

Josh: So, I mean, we talk about encryption, like it's bulletproof, right? It was total. I mean, totally. I mean, it's fair. It's a fair point. With cyber bullets is the answer.

Jonathan: Only if you can spin them around dodged...

Josh: Angelina Jolie...throw hard. Yeah, that's it. I mean, but security is really, really difficult and one of the most difficult aspects of securing a system is all a side channel and like information leaks that happen. I mean, just look at Spectre and Meltdown. They are like, even to a technologist, really difficult to explain what that is and how it works. Right. I mean, you've got all sorts of really strange things that you have to worry about. I mean, like even, for example, when, when you're encrypting, on a laptop, the code has to be re like you could have bulletproof mathematical proofs for how some encryption scheme works. But if the implementation doesn't do all sorts of crazy things, like not having branching instructions in it, you can do timing attacks to reduce the keys. I mean, it's just, it's like, bizarro world. Like it's insane.

Mike: How well, I mean, it also reminds me as you were talking, like I've read a book, I can't remember the name that talked about like how you can, Back in the cold war, they would spy on what was actually being displayed on another computer because of the, just the radio waves that were coming off, just the signal...

Josh: Phreaking.

Mike: Then they could actually just pull up what the screen was. And so the fact of the matter is at some point the data is decrypted. Then it's in plain text, otherwise for humans...

Josh: On the endpoint.

Mike: Right on the endpoint. Right. And it's gotta be somewhere right on and you have two inputs, there's at least two endpoints. Right.

Josh: Most likely if it's sometimes more, sometimes the ones.

Jonathan: Sometimes there's a guy in the middle, sometimes...

Mike: There's good points in any event. My point being right. Like, so clearly there's places where it can always be attacked.

Josh: Exactly. It's just, it requires more work. Right. But I think, honestly, I think we're, we're getting into an era now where the... The link is going dark, right? Like people are using strong encryption, like TLS has its failings, but it does a really good job at what it does. Pretty soon DNS is going to go dark. Right. We're going to have some solution for that. If it's DNS over TLS or whatever.

Jonathan: Cloud pushing for that pretty hard.

Josh: Yeah. Yeah. ISP hates it for obvious reasons. Right?

Mike: Well, I'm curious why.

Josh: Yeah. Well, so. Yeah.

Jonathan: So for how they make money.

Josh: Yeah. Yeah. So for people who don't know, like in a typical web browsing session, you have like a sequence of packets that come off of your computer. One of the first sequences is to resolve a domain name like google.com or whatever, doctor.go, resolve those like human readable characters into an address that we can, you can switch packets to. And that traffic for various historical reasons is still totally plain text. And actually one of the low hanging fruits for attacking somebody, because you can hijack their DNS session. There's by default it's UDP, like you can spoof it or...

Mike: There's a lot of, I mean, ISP is basically already right they set up the DNS.

Josh: Right? Totally. Yeah. They'll DHCP you like their own DNS servers. They can do all of that control. I mean they control the front.

Mike: I mean, Verizon, when you type in a word and you can't resolve to DNS by default, you've opted into the system where it doesn't do it. Doesn't just default to a search. It actually defaults a Verizon search. Wow. Pushes you to some websites. So if I wanted to have, anytime somebody typed in pizza ended up at my website. Yeah. I can pay an ISP enough money where they didn't put in, you know, HTTPS colon slash slash Papa John's or whatever it is. Right. They can...

Josh: They put Papa Johanns I've actually...

Jonathan: Yeah. I've experienced this a lot recently. So since I travel a lot, I'm on a bunch of different networks and a bunch of different countries that are doing a bunch of different things. Right. And so when you're joining wifi networks, for those of us in the know, sometimes the portal, the captive portal doesn't work properly. So you have to go to a website, but since they're blocking traffic, until you agree to their terms of service, it's hard to get an SSL website. So you have to find an inherently insecure website to trigger the captive portal. That is I'm going to have to switch to using that. Yeah. I currently use the Drudge Report. You can use my website. I haven't bothered, which is crazy because, so I've been pulling up Drudge Report just to get the captive portal to work. And it's amazing how many times it does not work. It is not the Drudge Report. And it is just this overwhelming. It's like, kind of like back in the early days, when you would click on a link, to like...

Mike: You thought you were going to Dick's Sporting Goods.

Jonathan: Yeah. And then it was just like pop, pop, pop, pop, pop, pop, Whitehouse, just crazy. And so I've noticed that a lot and it's crazy. Cause it's like, I'm on like, it's obviously the government that's intercepting these things, because it's not like an ISP named server. Like it's, I don't even know how this is happening. Right. And so it's super crazy.

Josh: Well, I mean, so that's a perfect segue into the second part, which is historically, HTTP just goes over an unencrypted TCP channel. And so if you hijack DNS and at DNS is to a non-secured website, the person hijacking DNS can just serve you whatever content they want. Right. Because they respond. Oh yeah. The address is me. And then, Oh, by the way, like here's your webpage with TLS because of the way certificates are supposed to work. There are some issues there, but basically if someone tries to do that to you, like your browser will freak out, as it should so you can see like the whole weak link here is that DNS and that's going dark. So ISPs don't like that for at least two reasons. One is the one that you described, which is like, yeah, they can just hijack your browser. Essentially, and the second thing is even if they're not the ones serving the DNS. So like you've elected to use Cloudflare or Google or whatever, they still sit in the middle of that link and they can slurp up all the DNS traffic. So they know a whole bunch about you.

Jonathan: They can celebrate which is making the other...

Mike: Getting back to Tor. I mean, if you actually read it, when you set it up originally, you had to know also to make sure that all of your DNS traffic was going over that otherwise. You were sort of all pointless.

Josh: That's it. Yeah. And I mean, you can set up like a SOCKS5 proxy, because the SOCKS5 will actually resolve DNS for you. At a little project called a DoH, DoH on GitHub.

Mike: Like having an apostrophe. It's dope, man.

Josh: I made it, it was donut themed, so, okay. Graphic design is my passion. Uh...

Mike: Not your skillset.

Josh: Just no, just passion. Yeah. Yeah, so it would be encrypted DNS, DNS over HTTPS. And then basically like you just set the proxy up and then you can point your browser at the proxy and it just works, but right. Yeah. The links are going, like the point is links are going dark. And so it, the challenge to law enforcement agencies and is to find another way around this. Actually I think there's some doubt whether it's like the very expansive collection. Mandate that Congress has given some of the agencies we know about. I'm not sure whether it's going to get renewed. There was some discussion in Congress about basically letting it lapse. So, yeah, I mean, maybe they also see the writing on the wall with 'em. With most traffic getting encrypted anyway, but...

Jonathan: I mean, isn't that a win for the encryption community type situation?

Josh: Yeah. I think it's a win for all of us, honestly.

Jonathan: Well, those of us that agree with encryption and not backdoors.

Josh: Right. And not getting, you know, like...

Mike: Well, I have nothing to hide, so I don't know what's wrong with the rest of you.

Jonathan: You have nothing to hide. He has five Reddit accounts, nothing to hide.

Josh: Throw away Reddit one, two, three, close.

Jonathan: The worst.

Mike: Yeah. I mean, I think so in terms of schemes, I think, I like to think about the way back in the day, when cable companies didn't like the fact that people were stealing cable, and had the scramblers and all kinds of things. Cable companies came up with some pretty ingenious ways to catch people who were doing that. They would have channels that were completely scrambled. So the only people and no one could actually buy a subscription to, but the people who had the descramblers would see them and there, it could be a home shopping channel with lots of really great deals and people would call up and order things and give their name and address. Or I remember what it was, one of the major satellites one. I can't remember.

Josh: DirecTV

Mike: DirecTV during the Super Bowl, like there was a bunch of hacks that were going on where people were changing the firmware in order to get around things. And it was like this cat and mouse. It was just a seeming cat and mouse game. But if memory serves at some point. You basically, they got you into the situation where when you applied the last patch, you bricked your box.

Jonathan: Touche.

Mike: Hey, my satellite isn't working anymore. Well, you personally, so right. Or there's all these sorts of others, I think the problem is that people lack that. Like, if you have a way and you have this tool that you've always used I think having it taken away and then just forcing creativity, I think there'll be a way I don't doubt that if I think we have too much of a discussion around one particular point and not enough around. Okay. Let's just assume the black box, as you were saying, everything's going dark. What are we going to do in that world?

Josh: You're totally right. I think you're totally right. Yeah. And I mean, necessity is the mother invention and...

Mike: I feel like that's a thing.

Josh: Yeah. I...

Mike: I took it for them.

Josh: I say that. Yeah. And I mean, we, where there's a will, there's a way, and it is a Tom and Jerry game. So like, we will find ways to get. Right. Yup. Yup. I like that. Keep the knowledge.

Mike: That's why we like working together or...